[go: up one dir, main page]

CN100581163C - Safety processing device and method for public key operation data - Google Patents

Safety processing device and method for public key operation data Download PDF

Info

Publication number
CN100581163C
CN100581163C CN200610034790A CN200610034790A CN100581163C CN 100581163 C CN100581163 C CN 100581163C CN 200610034790 A CN200610034790 A CN 200610034790A CN 200610034790 A CN200610034790 A CN 200610034790A CN 100581163 C CN100581163 C CN 100581163C
Authority
CN
China
Prior art keywords
public key
input data
key calculation
data
interface
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200610034790A
Other languages
Chinese (zh)
Other versions
CN1859413A (en
Inventor
王海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN200610034790A priority Critical patent/CN100581163C/en
Publication of CN1859413A publication Critical patent/CN1859413A/en
Priority to PCT/CN2007/000986 priority patent/WO2007109997A1/en
Application granted granted Critical
Publication of CN100581163C publication Critical patent/CN100581163C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides public key operational data safety process equipment and method, suitable for information safety field. Said safety process equipment includes system data interface module used for receiving system bus public key calculation input data, transmitting calculation control signal, outputting calculation result; interface data memory module used for storing said system data interface module received public key calculation input data and calculation result; at least sub data interface module used for receiving local bus public key calculation input data; at least one sub-interface data memory module used for storing said sub data interface module received public key calculation input data; and public key calculation processing module used for reading said interface data memory module and sub-interface data memory module stored public key calculation input data, according to said calculation control signal executing public key calculation and outputting calculation result. The present invention can raise public key calculation input data security and enhance equipment application flexibility.

Description

A kind of safety processing device of public key operation data and method
Technical field
The invention belongs to information security field, relate in particular to a kind of safety processing device and method of public key operation data.
Background technology
In recent years, network security problem receives publicity day by day.Since internet and most of packet switching network all be based upon Internet Protocol (Internet Protocol, IP) on, so will solve the safety problem of these networks, safety problem that at first must solution IP agreement.Internet protocol secure (Internet ProtocolSecurity, IPSec), (Security Socket Layer, SSL) etc. agreement is the common scheme that solves IP protocol communication safety to SSL.(Internet Key Exchangeprotocol IKE) also is a kind of common scheme of the Internet Key Exchange and negotiation to internet key exchange.In the IKE agreement, usually (Digital Sign Algorithm DSA) waits authentication and the cipher key change that communicates both sides for the cryptographic algorithm that uses public-key RSA (Revest-Shamir-Adleman Algorithm), Diffie-Hellman D-H (by a kind of Diffie-Hellman of Diffie and Hellman two people design) and Digital Signature Algorithm.
Safe processing chip is meant that mainly having PKI quickens IPSec process chip, the SSL process chip of function or have the IKE association process chip that PKI quickens function.Existing a kind of IKE that has PKI acceleration function assists the process chip structure as shown in Figure 1, comprises system data interface module 101, interface data memory module 102 and public key calculation processing module 103.Wherein, system data interface module 101 is finished the input and output of public key calculation input data, sends the s operation control signal to public key calculation processing module 103; Interface data memory module 102 storage of public keys computings input data, dateout and intermediate operations result; The public key calculation input data of public key calculation processing module 103 fetch interface data memory modules 102 storages are finished IKE agreement public key calculation commonly used according to the s operation control signal, comprise RSA, D-H and DSA etc.
Details are as follows for concrete data handling procedure:
At first, system data interface module 101 arrives interface data memory module 102 with the public key calculation input storage that receives;
Secondly, system data interface module 101 sends the control signal that begins operational order and relevant arithmetic type to public key calculation processing module 103, and for example RSA computing, D-H computing, DSA computing, Montgomery Algorithm and mould add computing etc.;
Once more, public key calculation processing module 103 is according to arithmetic type, and the public key calculation input data in the docking port data memory module 102 are carried out the corresponding public key computing, after computing is finished, operation result is written back to interface data memory module 102, and 101 computings of reporting system data interface module are finished;
At last, system data interface module 101 will be stored in the operation result output in the interface data memory module 102.
In this implementation, the public key calculation input data of input safety chip all can appear on the system bus, because various application programs and remote terminal in some cases can access of system bus, make the crucial public key calculation input data that appear on the system bus to be stolen, fail safe is lower.In addition, have only a data input interface, cause the application flexibility of chip lower.
Summary of the invention
The object of the present invention is to provide a kind of safety processing device of public key operation data, the public key calculation input data that are intended to solve input safety chip in the prior art all appear on the system bus, make crucial public key calculation input data have the risk that is stolen, fail safe is lower and have only a data input interface, causes the lower problem of chip flexibility.
Another object of the present invention is to provide a kind of security processing of public key operation data.
The object of the present invention is achieved like this: a kind of safety processing device of public key operation data, and described safety processing device comprises:
The system data interface module is used for receiving system bus public key computing input data, sends the s operation control signal, the output operation result;
The interface data memory module is used to store public key calculation input data and the operation result that described system data interface module receives;
At least one subdata interface module is used to receive the public key calculation input data of local bus, and the public key calculation input data of described local bus are from being positioned at local portable storage device;
At least one sub-interface data memory module is used to store the public key calculation input data that described subdata interface module receives; And
The public key calculation processing module is used to read the public key calculation input data of described interface data memory module and the storage of sub-interface data memory module, carries out public key calculation according to described s operation control signal, the output operation result;
The public key calculation input data of described system bus are non-key public key calculation input data, and the public key calculation input data of described local bus are crucial public key calculation input data.
Described interface data memory module and sub-interface data memory module are separate physical storage.
Described interface data memory module and sub-interface data memory module are separate logical memory space in the physical storage.
Described s operation control signal packet contains the input parameter attribute information, is used to indicate the memory location of public key calculation input data.
A kind of security processing of public key operation data, described method comprises:
Receive and storage system bus public key computing input data;
Receive and store the public key calculation input data of local bus, the public key calculation input data of described local bus are from being positioned at local portable storage device;
Read the public key calculation input data of described system bus and the public key calculation input data of local bus, carry out public key calculation according to the s operation control signal, the output operation result.
The public key calculation input data of described system bus and the public key calculation input data of local bus are stored in separate physical storage respectively;
The public key calculation input data of described system bus are non-key public key calculation input data, and the public key calculation input data of described local bus are crucial public key calculation input data.
The public key calculation input data of described system bus and the public key calculation input data of local bus are stored in separate logical memory space in the physical storage respectively.
Described s operation control signal packet contains the input parameter attribute information, is used to indicate the memory location of public key calculation input data.
The present invention is by increasing a plurality of subdata interfaces and corresponding memory module on the basis of existing safe processing chip, make different public key calculation input data from different data-interface inputs, improve crucial public key calculation input safety of data, and strengthened the application flexibility of safe processing chip.
Description of drawings
Fig. 1 is the structure chart of existing safe processing chip;
Fig. 2 is the structure chart of safe processing chip in the one embodiment of the invention;
Fig. 3 is that of safe processing chip provided by the invention uses example schematic diagram.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with drawings and Examples.Should be appreciated that specific embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
The present invention is by a plurality of subdata interface modules of increase on the basis of existing safe processing chip, and corresponding sub-interface data memory module, and different public key calculation is imported data by different data-interface input safe processing chips.
As one embodiment of the present of invention, be example with the sub-interface data memory module that increases a sub-data interface module and correspondence, the structure of safe processing chip is described.As shown in Figure 2, except system data interface module 101, interface data memory module 102 and public key calculation processing module 103, safe processing chip also comprises subdata interface module 104 and sub-interface data memory module 105.
Interface data memory module 102 and sub-interface data memory module 105 are on-chip memories of the same type, and implementation method is identical, and difference is the level of security difference of the data deposited.In the present invention, the non-key public key calculation input storage of system bus is in interface data memory module 102, and the crucial public key calculation input data of local bus, for example key data, identity authentication data etc. store in the sub-interface data memory module 105.
In one embodiment of the invention, interface data memory module 102 and sub-interface data memory module 105 can be a physical storage physically, but logically be two separate memory spaces, guarantee system data interface module 101 can only access interface data memory module 102 in the data of storage, subdata interface module 104 can only be visited the data of storage in the sub-interface data memory module 105.
In another embodiment of the present invention, also interface data memory module 102 and sub-interface data memory module 105 can be configured to two separate physical storages.
Subdata interface module 104 is connected with local bus, the passage of safe processing chip and extraneous swap data is provided, by some general purpose interface bus, for example pci bus, usb bus and Intel Local Bus bus etc. are converted to and meet the interface that sub-interface data memory module 105 requires, for example on-chip SRAM interface etc. receives the input of crucial public key calculation input data in the public key calculation.
Fig. 3 shows a kind of typical case of the present invention and uses.Wherein, there are the crucial public key calculation input data relevant in the portable storage device with identification or important application, native processor is used to read the crucial public key calculation input data of portable storage device through the local bus input, be sent to sub-interface data memory module 105 by subdata interface module 104, notify the primary processor data to be ready to complete simultaneously.Public key calculation processing module 103 is carried out public key calculation according to the s operation control signal fetch interface data memory module 102 of system data interface module 101 and the data in the sub-interface data memory module 105, store operation result into interface data memory module 102, by 101 outputs of system data interface module.
Details are as follows for concrete data handling procedure:
At first, subdata interface module 104 reads the crucial public key calculation input data of external portable memory device through the local bus input, store in the sub-interface data memory module 105, again by system data interface module 101 with the non-key public key calculation input storage of the system bus that receives to interface data memory module 102;
Secondly, after receiving that sub-interface data memory module 105 data that native processor is sent are ready to complete signal, system data interface module 101 sends the s operation control signals to public key calculation processing module 103, promptly begins operational order and arithmetic type, and information such as input parameter attribute.The input parameter attribute is used to refer to the memory location of public key calculation input data, for example 1 represents interface data memory module 102,2 to represent sub-interface data memory module 105 etc.;
Once more, public key calculation processing module 103 is according to arithmetic type and input parameter attribute, input data in docking port data memory module 102 and the sub-interface data memory module 105 are carried out the corresponding public key computing, after computing is finished, the write-back operation result is to interface data memory module 102, and 101 computings of reporting system data interface module are finished;
At last, system data interface module 101 operation result that will be stored in the interface data memory module 102 is exported from chip.
Need to prove in actual applications, can be according to environment and application need, arrange the memory location of public key calculation input data flexibly, improve the application flexibility of chip, the key-encrypting key data of can checking on are simultaneously dispatched by the subdata interface module, to improve the fail safe of system, reduce the risk that crucial public key calculation input data are stolen.
In the present invention, also more subdata interface module and corresponding interface data memory module can be set in safe processing chip, receive respectively and the public key calculation input data of storing different level of securitys or different application, specific implementation is same as described above, repeats no more.
The above only is preferred embodiment of the present invention, not in order to restriction the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.

Claims (8)

1, a kind of safety processing device of public key operation data is characterized in that, described safety processing device comprises:
The system data interface module is used for receiving system bus public key computing input data, sends the s operation control signal, the output operation result;
The interface data memory module is used to store public key calculation input data and the operation result that described system data interface module receives;
At least one subdata interface module is used to receive the public key calculation input data of local bus, and the public key calculation input data of described local bus are from being positioned at local portable storage device;
At least one sub-interface data memory module is used to store the public key calculation input data that described subdata interface module receives; And
The public key calculation processing module is used to read the public key calculation input data of described interface data memory module and the storage of sub-interface data memory module, carries out public key calculation according to described s operation control signal, the output operation result;
The public key calculation input data of described system bus are non-key public key calculation input data, and the public key calculation input data of described local bus are crucial public key calculation input data.
2, safety processing device as claimed in claim 1 is characterized in that, described interface data memory module and sub-interface data memory module are separate physical storage.
3, safety processing device as claimed in claim 1 is characterized in that, described interface data memory module and sub-interface data memory module are separate logical memory space in the physical storage.
4, safety processing device as claimed in claim 1 is characterized in that, described s operation control signal packet contains the input parameter attribute information, is used to indicate the memory location of public key calculation input data.
5, a kind of security processing of public key operation data is characterized in that, described method comprises:
Receive and storage system bus public key computing input data;
Receive and store the public key calculation input data of local bus, the public key calculation input data of described local bus are from being positioned at local portable storage device;
Read the public key calculation input data of described system bus and the public key calculation input data of local bus, carry out public key calculation according to the s operation control signal, the output operation result;
The public key calculation input data of described system bus are non-key public key calculation input data, and the public key calculation input data of described local bus are crucial public key calculation input data.
6, security processing as claimed in claim 5 is characterized in that, the public key calculation input data of described system bus and the public key calculation input data of local bus are stored in separate physical storage respectively.
7, security processing as claimed in claim 5 is characterized in that, the public key calculation input data of described system bus and the public key calculation input data of local bus are stored in separate logical memory space in the physical storage respectively.
8, security processing as claimed in claim 5 is characterized in that, described s operation control signal packet contains the input parameter attribute information, is used to indicate the memory location of public key calculation input data.
CN200610034790A 2006-03-28 2006-03-28 Safety processing device and method for public key operation data Expired - Fee Related CN100581163C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200610034790A CN100581163C (en) 2006-03-28 2006-03-28 Safety processing device and method for public key operation data
PCT/CN2007/000986 WO2007109997A1 (en) 2006-03-28 2007-03-27 Device, method and system of data security processing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200610034790A CN100581163C (en) 2006-03-28 2006-03-28 Safety processing device and method for public key operation data

Publications (2)

Publication Number Publication Date
CN1859413A CN1859413A (en) 2006-11-08
CN100581163C true CN100581163C (en) 2010-01-13

Family

ID=37298275

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610034790A Expired - Fee Related CN100581163C (en) 2006-03-28 2006-03-28 Safety processing device and method for public key operation data

Country Status (2)

Country Link
CN (1) CN100581163C (en)
WO (1) WO2007109997A1 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69805155T2 (en) * 1998-01-14 2002-09-05 Irdeto Access B.V., Hoofddorp Integrated circuit and chip card with such a circuit
US7289632B2 (en) * 2003-06-03 2007-10-30 Broadcom Corporation System and method for distributed security
US8028164B2 (en) * 2004-03-19 2011-09-27 Nokia Corporation Practical and secure storage encryption
CN1331017C (en) * 2005-03-23 2007-08-08 联想(北京)有限公司 Safety chip

Also Published As

Publication number Publication date
CN1859413A (en) 2006-11-08
WO2007109997A1 (en) 2007-10-04

Similar Documents

Publication Publication Date Title
CN106022080B (en) A kind of data ciphering method based on the cipher card of PCIe interface and the cipher card
CN100454321C (en) USB device with data memory and intelligent secret key and control method thereof
CN105099711B (en) A kind of small cipher machine and data ciphering method based on ZYNQ
US10372628B2 (en) Cross-domain security in cryptographically partitioned cloud
CN108491727B (en) Safety processor integrating general calculation, trusted calculation and password calculation
CN109644129A (en) The thread ownership of key for hardware-accelerated password
CN100550030C (en) On portable terminal host, add the method for credible platform
CN106326751A (en) Trusted DeltaOS and implementing method thereof
CN206611427U (en) A kind of key storage management system based on trust computing device
CN108038392A (en) A kind of smart card encryption method
CN102024115B (en) Computer with user security subsystem
CN117932685A (en) Privacy data processing method and related equipment based on longitudinal federal learning
CN107248910A (en) Method for security protection and equipment
CN110321725A (en) A kind of method and device for preventing from distorting system data and clock
CN100581163C (en) Safety processing device and method for public key operation data
CN108874714A (en) A kind of secure communication device based on chip
CN102739396A (en) Co-processor applied in information security
EP4354329A1 (en) Boot verification method and related apparatus
CN205232389U (en) Frequency encoding and decoding SOC chip is looked to safe sound
CN105844147A (en) Application attestation method and apparatus
CN117195326A (en) Big data encryption storage method
CN2914500Y (en) Portable and reliable platform module
CN108322308B (en) Hardware implementation system of digital signature algorithm for identity authentication
CN103902921A (en) File encryption method and system
CN113962174A (en) Software and hardware compatible method based on information security chip of Internet of things

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100113