CN108256346B - Key data protection method, encryption protection device and embedded system device - Google Patents

Info

Publication number
CN108256346B
Authority
CN
China
Prior art keywords
code
decryption code
data
encrypted
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611240729.1A
Other languages
Chinese (zh)
Other versions
CN108256346A (en
Inventor
吴燕静
王茂义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Communications Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Hangzhou Information Technology Co Ltd, China Mobile Communications Corp
Priority to CN201611240729.1A
Publication of CN108256346A
Application granted
Publication of CN108256346B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for protecting key data, comprising: obtaining the public key shared by an embedded system device; encrypting the key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data; encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code; and sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device. The invention also discloses an encryption protection device, an embedded system device and a protection system for key data.

Description

Key data protection method, encryption protection device and embedded system device

Technical field

The invention relates to the field of embedded system data security, and in particular to a key data protection method, an encryption protection device and an embedded system device.

Background

With the development of informatization, intelligence and networking, embedded systems are widely used in the home, industry, business, office, medical and other areas of society thanks to their simple operation, small size, low power consumption, high reliability and good portability, and they occupy an increasingly important position; protecting the key data in embedded systems is correspondingly important.

At present, methods for protecting key data in embedded systems mainly include: using flash memory (Flash) as the configuration data store, or saving configuration data in Flash in blocks; building a NAND Flash embedded file system (Yet Another Flash File System, YAFFS2) in the embedded system and partitioning the NAND Flash; using static random access memory (SRAM) as system memory to store data, with battery backup; and using dynamic random access memory (DRAM) as system memory to store data, with non-volatile memory as the permanent storage medium. When these methods are used to protect key data in an embedded system, the encryption and decryption code is easily reverse-engineered, so the key data is easily obtained and security is low.

Summary of the invention

In view of this, embodiments of the present invention aim to provide a key data protection method, an encryption protection device and an embedded system device, so as to protect key data in an embedded system and improve data security.

To achieve the above object, the technical solution of the present invention is implemented as follows:

The present invention provides a method for protecting key data, the method comprising:

obtaining the public key shared by an embedded system device;

encrypting the key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;

encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;

sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.

In the above solution, the second encryption code is an asymmetric encryption code;

obtaining the public key shared by the embedded system device includes:

obtaining, through a serial port, the public key shared by the embedded system device;

sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device includes:

programming the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.

The present invention provides a method for protecting key data, the method comprising:

generating a private key according to the device's own inherent characteristic identifier, and deriving the corresponding public key from the private key using an asymmetric key generation method;

sharing the public key with an encryption protection device;

storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.

In the above solution, after storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device, the method further includes:

decrypting the ciphertext data in memory to obtain the key data to be protected;

performing a clearing operation after the key data to be protected has been obtained;

decrypting the ciphertext data in memory to obtain the key data to be protected includes:

calling an application programming interface (API) function in memory to obtain the private key dynamically;

decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;

decrypting the ciphertext data using the first decryption code to obtain the key data to be protected.

In the above solution, generating a private key according to the device's own inherent characteristic identifier includes:

generating the private key from the device's own inherent characteristic identifier using a hash algorithm; wherein the inherent characteristic identifier includes: the vendor identifier (Vendor ID), the serial number (SN);

sharing the public key with the encryption protection device includes:

sharing the public key with the encryption protection device through a serial port;

storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device includes:

storing the ciphertext data, the encrypted first decryption code and the second decryption code programmed by the encryption protection device in the flash memory (Flash).

The present invention provides an encryption protection device, the device comprising:

an acquisition module, configured to obtain the public key shared by an embedded system device;

a first encryption module, configured to encrypt the key data to be protected according to a first encryption code to obtain ciphertext data, and to obtain a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;

a second encryption module, configured to encrypt the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and to obtain a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;

a sending module, configured to send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.

In the above solution, the second encryption code is an asymmetric encryption code;

the acquisition module is specifically configured to obtain, through a serial port, the public key shared by the embedded system device;

the sending module is specifically configured to program the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.

The present invention provides an embedded system device, the device comprising:

a generation module, configured to generate a private key according to the device's own inherent characteristic identifier, and to derive the corresponding public key from the private key using an asymmetric key generation method;

a sharing module, configured to share the public key with an encryption protection device;

a storage module, configured to store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.

In the above solution, the device further comprises:

a decryption module, configured to decrypt the ciphertext data in memory to obtain the key data to be protected;

a clearing module, configured to perform a clearing operation after the key data to be protected has been obtained;

the decryption module is specifically configured to:

call an application programming interface (API) function in memory to obtain the private key dynamically;

decrypt the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;

decrypt the ciphertext data using the first decryption code to obtain the key data to be protected.

In the above solution, the generation module is specifically configured to generate the private key from the device's own inherent characteristic identifier using a hash algorithm; wherein the inherent characteristic identifier includes: the vendor identifier (Vendor ID), the serial number (SN);

the sharing module is specifically configured to share the public key with the encryption protection device through a serial port;

the storage module is specifically configured to store the ciphertext data, the encrypted first decryption code and the second decryption code programmed by the encryption protection device in the flash memory (Flash).

The present invention provides a key data protection system, characterized in that the system includes the encryption protection device described in the above solution and the embedded system device described in the above solution.

The key data protection method, encryption protection device and embedded system device provided by the embodiments of the present invention obtain the public key shared by the embedded system device; encrypt the key data to be protected according to the first encryption code to obtain ciphertext data, and obtain the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data; encrypt the first decryption code according to the public key and the second encryption code to obtain the encrypted first decryption code, and obtain the second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code; and send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device. This protects the key data in the embedded system and improves data security.

Description of drawings

FIG. 1 is a flowchart of Embodiment 1 of the method for protecting key data of the present invention;

FIG. 2 is a flowchart of Embodiment 2 of the method for protecting key data of the present invention;

FIG. 3 is a flowchart of Embodiment 3 of the method for protecting key data of the present invention;

FIG. 4 is a schematic diagram of how the key pair is generated in the method for protecting key data of the present invention;

FIG. 5 is a schematic diagram of the PC encryption protection platform encrypting the key data to be protected and the data decryption code in an embodiment of the method for protecting key data of the present invention;

FIG. 6 is a schematic diagram of how data and code are stored in the embedded system device in an embodiment of the method for protecting key data of the present invention;

FIG. 7 is a schematic diagram of decrypting the encrypted data decryption code and the ciphertext data in the memory of the embedded system device in an embodiment of the method for protecting key data of the present invention;

FIG. 8 is a schematic structural diagram of an embodiment of the encryption protection device of the present invention;

FIG. 9 is a schematic structural diagram of an embodiment of the embedded system device of the present invention;

FIG. 10 is a schematic structural diagram of an embodiment of the key data protection system of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention.

Embodiment 1

FIG. 1 is a flowchart of Embodiment 1 of the method for protecting key data of the present invention. As shown in FIG. 1, the method for protecting key data provided by this embodiment is applied on the encryption protection device and may include the following steps:

Step 101: Obtain the public key shared by the embedded system device.

The encryption protection device connects to the embedded system device through a serial port and obtains the public key shared by the embedded system device.

Step 102: Encrypt the key data to be protected according to the first encryption code to obtain ciphertext data, and obtain the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data.

After obtaining the public key shared by the embedded system device, the encryption protection device first encrypts the key data to be protected according to the first encryption code to obtain ciphertext data, and obtains the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data.

For example, the encryption protection device is a personal computer (PC) encryption protection platform. After obtaining the public key shared by the embedded system device, the PC encryption protection platform encrypts the key data to be protected with the first encryption code to obtain ciphertext data; at the same time, the first decryption code for decrypting that ciphertext data is obtained from the first encryption code.

Step 103: Encrypt the first decryption code according to the public key and the second encryption code to obtain the encrypted first decryption code, and obtain the second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code.

After encrypting the key data to be protected to obtain ciphertext data and obtaining the first decryption code according to the first encryption code, the encryption protection device that holds the public key encrypts the first decryption code according to the obtained public key and the second encryption code, obtaining the encrypted first decryption code; at the same time, the second decryption code is obtained from the second encryption code. The second decryption code is used to decrypt the encrypted first decryption code; the second encryption code is an asymmetric encryption code.

For example, the PC encryption protection platform that holds the public key encrypts the first decryption code, which is used to decrypt the ciphertext data, according to the public key and the asymmetric encryption code, obtaining the encrypted first decryption code; the second decryption code is determined from the asymmetric encryption code and is used to decrypt the encrypted first decryption code.

Step 104: Send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.

After obtaining the ciphertext data, the encrypted first decryption code and the second decryption code, the encryption protection device programs them through the serial port into the flash memory (Flash) of the embedded system device; that is, the obtained ciphertext data, encrypted first decryption code and second decryption code are stored in the Flash of the embedded system device.

In the method for protecting key data provided by this embodiment, the encryption protection device obtains the public key shared by the embedded system device; encrypts the key data to be protected according to the first encryption code to obtain ciphertext data, and obtains the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data; encrypts the first decryption code according to the public key and the second encryption code to obtain the encrypted first decryption code, and obtains the second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code; and sends the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device. Not only is the key data to be protected encrypted, but the first decryption code that decrypts the ciphertext data is also encrypted, giving the key data in the embedded system double protection, making the key data harder to crack and improving data security.

Embodiment 2

FIG. 2 is a flowchart of Embodiment 2 of the method for protecting key data of the present invention. As shown in FIG. 2, the method for protecting key data provided by this embodiment is applied on the embedded system device and may include the following steps:

Step 201: Generate a private key according to the device's own inherent characteristic identifier, and derive the corresponding public key from the private key using an asymmetric key generation method.

The embedded system device generates a private key from its own inherent characteristic identifiers, such as the vendor identifier (Vendor ID) and the serial number (SN), using a specific algorithm such as a hash algorithm, and derives the corresponding public key from that private key using an asymmetric key generation method.

For example, the embedded system device applies a hash algorithm to its own inherent SN to compute a value that serves as the private key, and uses an asymmetric key generation method to derive the corresponding public key from that private key.

Step 202: Share the public key with the encryption protection device.

After generating the private key and the corresponding public key, the embedded system device shares the generated public key with the encryption protection device through the serial port, so that the encryption protection device can use the public key to encrypt the decryption code that decrypts the ciphertext data.

Step 203: Store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.

After sharing the public key with the encryption protection device, the embedded system device stores in Flash the ciphertext data, the encrypted first decryption code and the second decryption code programmed by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code, and the first decryption code is used to decrypt the ciphertext data.

After the embedded system device has stored the ciphertext data, the encrypted first decryption code and the second decryption code programmed by the encryption protection device in Flash, it must decrypt the ciphertext data in memory in order to obtain the key data to be protected; after the key data has been obtained and used, a clearing operation is performed.

Specifically, when the embedded system device needs to decrypt the ciphertext data, it first calls an application programming interface (API) function in memory to dynamically obtain the private key generated from its own inherent characteristic identifier; it then decrypts the encrypted first decryption code according to that private key and the second decryption code to obtain the first decryption code; it then uses the first decryption code to decrypt the ciphertext data and obtain the key data to be protected; after the key data has been obtained and used, it performs the clearing operation, completing the decryption of the ciphertext data.

In the method for protecting key data provided by this embodiment, the embedded system device generates a private key according to its own inherent characteristic identifier and derives the corresponding public key from the private key using an asymmetric key generation method; shares the public key with the encryption protection device; and stores the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data. This protects the key data in the embedded system: the first decryption code used to decrypt the ciphertext data is stored in Flash in ciphertext form, which makes the key data harder to crack and improves data security.

实施例三Embodiment 3

图3为本发明关键数据的保护方法实施例三的流程图;应用于加密保护装置与嵌入式系统装置的交互,加密保护装置为PC机加密保护平台,其中,PC机加密保护平台与嵌入式系统装置相互独立,两者通过串口进行数据交互;本实施例中的第一加密代码为数据加密代码,用Code表示;待保护的关键数据用Data表示,密文数据用EData表示;第一解密代码为数据解密代码,用DCode表示;第二加密代码为非对称加密代码,用EC表示;加密后的数据解密代码用EDCode表示;第二解密代码为用于解密EDCode的解密代码,称为解密代码,用DEC表示;如图3所示,本发明实施例提供的关键数据的保护方法可以包括如下步骤:3 is a flowchart of Embodiment 3 of the protection method for key data of the present invention; it is applied to the interaction between an encryption protection device and an embedded system device, and the encryption protection device is a PC encryption protection platform, wherein the PC encryption protection platform and the embedded system The system devices are independent of each other, and the two exchange data through the serial port; the first encryption code in this embodiment is a data encryption code, which is represented by Code; the key data to be protected is represented by Data, and the ciphertext data is represented by EData; the first decryption code is represented by EData; The code is the data decryption code, which is represented by DCode; the second encryption code is the asymmetric encryption code, which is represented by EC; the encrypted data decryption code is represented by EDCode; the second decryption code is the decryption code used to decrypt the EDCode, which is called decryption The code is represented by DEC; as shown in FIG. 3 , the method for protecting key data provided by the embodiment of the present invention may include the following steps:

Step 301: The embedded system device generates a private key Skey from its own inherent characteristic identifiers, and derives the corresponding public key Pkey from Skey using an asymmetric key generation method.

Every embedded system device has software and hardware identifiers that distinguish it from other devices, such as the vendor ID and SN. The embedded system device first applies a specific algorithm, such as a hash algorithm, to these inherent characteristic identifiers to generate a private key, and then derives the corresponding public key from that private key using an asymmetric key generation method.

FIG. 4 is a schematic diagram of how the key pair is generated in the key data protection method of the present invention. As shown in FIG. 4, in the embedded system device the operating system applies a specific algorithm, such as a hash algorithm, to the device's inherent characteristic identifiers and uses the resulting value as the private key Skey of the asymmetric encryption algorithm. It then obtains the public key Pkey corresponding to Skey according to the asymmetric key generation method, completing generation of the key pair (Skey and Pkey).

Step 302: The embedded system device shares the public key Pkey with the PC encryption protection platform.

After generating the private key Skey from its inherent characteristic identifiers and deriving the public key Pkey, the embedded system device connects to the PC encryption protection platform over the serial port and shares the generated Pkey with it, while the generated Skey is stored directly in the embedded system device.

Step 303: The PC encryption protection platform encrypts the key data to be protected, Data, according to the data encryption code Code to obtain the ciphertext data EData, and obtains the data decryption code DCode according to Code.

Having obtained Pkey, the PC encryption protection platform first encrypts the key data Data that needs protection according to the data encryption code Code (the first encryption code), obtaining the key data in ciphertext form, that is, the ciphertext data EData. At the same time, the PC encryption protection platform determines, according to Code, the data decryption code DCode (the first decryption code) used to decrypt EData.

Step 304: The PC encryption protection platform encrypts the data decryption code DCode according to the public key Pkey and the asymmetric encryption code EC to obtain the encrypted data decryption code EDCode, and obtains the decryption code DEC according to EC.

Using the Pkey it has obtained, the PC encryption protection platform encrypts the data decryption code DCode (the first decryption code) with an asymmetric encryption algorithm according to the asymmetric encryption code EC (the second encryption code), obtaining the encrypted data decryption code EDCode. At the same time, the PC encryption protection platform obtains, according to EC, the decryption code DEC (the second decryption code) used to decrypt EDCode.

FIG. 5 is a schematic diagram of the PC encryption protection platform encrypting the key data to be protected and the data decryption code in an embodiment of the key data protection method of the present invention. As shown in FIG. 5, on the PC encryption protection platform the key data to be protected, Data, is first encrypted with the data encryption code Code to obtain the data in ciphertext form, that is, the ciphertext data EData. After Data has been encrypted, the PC encryption protection platform, which holds the public key Pkey, uses that key and the selected asymmetric encryption code EC to encrypt the data decryption code DCode, obtaining the encrypted data decryption code EDCode. In other words, DCode is encrypted with the selected asymmetric encryption algorithm, such as the RSA encryption algorithm, the ElGamal algorithm or the knapsack algorithm. The decryption code corresponding to the asymmetric encryption code EC is DEC.

Step 305: The PC encryption protection platform burns the ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC into the Flash of the embedded system device.

After encrypting the key data to be protected, Data, and the data decryption code DCode, and so obtaining the ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC, the PC encryption protection platform burns EData, EDCode and DEC into the Flash of the embedded system device over the serial port for storage.

Step 306: The embedded system device calls an API function in memory to dynamically obtain the private key Skey.

After the PC encryption protection platform has burned the ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC into the embedded system device, the device must, in order to recover the original key data (the key data to be protected, Data), first call an API function in memory to dynamically obtain the private key Skey stored in the embedded system device.

Step 307: The embedded system device decrypts the encrypted data decryption code EDCode according to the private key Skey and the decryption code DEC to obtain the data decryption code DCode.

After obtaining the private key Skey, the embedded system device invokes the decryption code DEC in memory and uses Skey to decrypt the encrypted data decryption code EDCode, recovering the data decryption code DCode as it was before encryption.

Step 308: The embedded system device uses the data decryption code DCode to decrypt the ciphertext data EData, obtaining the key data to be protected, Data.

After obtaining the data decryption code DCode, the embedded system device loads the ciphertext data EData in memory and decrypts it with DCode, obtaining the key data to be protected, Data.

Step 309: The embedded system device performs a clearing operation.

After the embedded system device obtains the key data to be protected, Data, the memory is cleared immediately once Data has been used, and Data is not retained.

FIG. 6 is a schematic diagram of how data and code are stored in the embedded system device in an embodiment of the key data protection method of the present invention. As shown in FIG. 6, the embedded system device has two storage media, memory (RAM) and Flash. Memory can serve as the storage medium of a file system in the embedded system device, but it does not keep its contents when power is lost, so a memory-based file system can only be a temporary file system used to hold temporary files. The advantage of memory is that changes exist only in memory, so restarting the system leaves no residue. Flash is the most commonly used file system storage medium in embedded system devices; unlike memory, it keeps files when power is lost. In the present invention, therefore, the ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC are all stored in Flash, while decryption of the code and the data is carried out entirely in memory, and a clearing operation is performed immediately after it completes.

FIG. 7 is a schematic diagram of decrypting the encrypted data decryption code and the ciphertext data in the memory of the embedded system device in an embodiment of the key data protection method of the present invention. As shown in FIG. 7, to recover the original key data (the key data to be protected, Data), an API function is first called in memory to obtain the private key Skey. The decryption code DEC is then invoked and, using the obtained Skey, decrypts the encrypted data decryption code EDCode to recover the data decryption code as it was before encryption, that is, DCode. Next, DCode is invoked in memory to decrypt the ciphertext data EData, yielding the plaintext data, that is, the key data to be protected, Data. Once Data has been used, the memory is cleared and Data is not retained.

In the above process, the PC encryption protection platform not only encrypts the key data to be protected but also applies asymmetric encryption to the data decryption code (DCode) that decrypts the ciphertext data, so that the data decryption code is stored in Flash as ciphertext. In addition, the private key used by this asymmetric encryption is computed directly in the embedded system device from its specific software and hardware identifiers according to a given algorithm, and is obtained dynamically from the embedded system device, by calling the relevant API function, only when the ciphertext data needs to be decrypted in the device's memory. For an attacker, therefore, obtaining the value of the private key is not easy; the key is well protected, which makes cracking the key data more difficult.

In the key data protection method provided by this embodiment of the present invention, the embedded system device generates a private key Skey from its own inherent characteristic identifiers and derives the corresponding public key Pkey from Skey using an asymmetric key generation method; the embedded system device shares Pkey with the PC encryption protection platform; the PC encryption protection platform encrypts the key data to be protected, Data, according to the data encryption code Code, obtaining the ciphertext data EData and the data decryption code DCode; the PC encryption protection platform encrypts DCode according to Pkey and the asymmetric encryption code EC, obtaining the encrypted data decryption code EDCode and the decryption code DEC; the PC encryption protection platform burns EData, EDCode and DEC into the Flash of the embedded system device; the embedded system device calls an API function in memory to dynamically obtain Skey; the embedded system device decrypts EDCode according to Skey and DEC to obtain DCode; the embedded system device uses DCode to decrypt EData, obtaining the key data to be protected, Data; and the embedded system device performs a clearing operation. Not only the key data to be protected but also the data decryption code that decrypts the ciphertext data is encrypted, so two layers of encryption protection are achieved in software. This improves data security at a lower implementation cost than a hardware implementation.
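The flow of steps 301 to 309 can be traced end to end in a short script. This is an added example, not code from the patent: the ElGamal-style group (p = 2^521 − 1, g = 3), the SHA-256 keystream standing in for the unspecified ciphers, SHA-256 as the hash in step 301, the 32-byte blob standing in for DCode, and all function names and identifier values are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy ElGamal-style group, for illustration only (assumption, not from the patent):
# p = 2**521 - 1 is a Mersenne prime, g = 3. Real firmware would use a vetted library.
P = 2**521 - 1
G = 3
NBYTES = 66  # bytes needed to hold a value below P


def keystream(seed: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; stands in for the ciphers the patent leaves open."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keypair(vendor_id: str, serial: str):
    """Step 301: Skey = Hash(Vendor ID, SN); Pkey = g^Skey mod p."""
    digest = hashlib.sha256(f"{vendor_id}|{serial}".encode()).digest()
    skey = max(1, int.from_bytes(digest, "big"))
    return skey, pow(G, skey, P)


def pc_protect(data: bytes, pkey: int) -> dict:
    """Steps 303-305 on the PC platform: build what gets burned into Flash."""
    dcode = secrets.token_bytes(32)                      # stand-in for DCode
    edata = xor(data, keystream(dcode, len(data)))       # Data -> EData
    k = secrets.randbelow(P - 2) + 1                     # fresh ephemeral exponent
    c1 = pow(G, k, P)
    shared = pow(pkey, k, P).to_bytes(NBYTES, "big")
    edcode = xor(dcode, keystream(shared, len(dcode)))   # DCode -> EDCode under Pkey
    return {"EData": edata, "EDCode": (c1, edcode)}


def device_use(flash: dict, vendor_id: str, serial: str, use):
    """Steps 306-309 on the device: decrypt in RAM, use Data, clear the buffers.

    This function plays the role of DEC: it is stored in the clear and is
    useless without Skey.
    """
    skey, _ = derive_keypair(vendor_id, serial)          # step 306: obtained on demand
    c1, edcode = flash["EDCode"]
    shared = pow(c1, skey, P).to_bytes(NBYTES, "big")
    dcode = bytearray(xor(edcode, keystream(shared, len(edcode))))   # step 307
    edata = flash["EData"]
    data = bytearray(xor(edata, keystream(bytes(dcode), len(edata))))  # step 308
    try:
        return use(data)
    finally:
        # Step 309. Only buffers this code owns are cleared; Python's immutable
        # temporaries (ints, bytes) are not, whereas C firmware would wipe them too.
        for buf in (dcode, data):
            buf[:] = bytes(len(buf))


if __name__ == "__main__":
    _, pkey = derive_keypair("VID-0001", "SN-12345678")  # constructed identifiers
    flash = pc_protect(b"constructed key data", pkey)
    print(device_use(flash, "VID-0001", "SN-12345678", lambda buf: bytes(buf)))
```

Because `derive_keypair` is deterministic, the confidentiality of Skey rests entirely on the identifiers and the derivation algorithm staying undisclosed. The sketch has no integrity check, so a device with different identifiers silently produces garbage rather than an error.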

Embodiment 4

FIG. 8 is a schematic structural diagram of an embodiment of the encryption protection device of the present invention. As shown in FIG. 8, the encryption protection device 08 provided by this embodiment includes an acquisition module 81, a first encryption module 82, a second encryption module 83 and a sending module 84, wherein:

The acquisition module 81 is configured to acquire the public key shared by the embedded system device;

The first encryption module 82 is configured to encrypt the key data to be protected according to a first encryption code to obtain ciphertext data, and to obtain a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;

The second encryption module 83 is configured to encrypt the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and to obtain a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;

The sending module 84 is configured to send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.

Further, the second encryption code is an asymmetric encryption code;

The acquisition module 81 is specifically configured to acquire, over a serial port, the public key shared by the embedded system device;

The sending module 84 is specifically configured to burn the ciphertext data, the encrypted first decryption code and the second decryption code into the Flash memory of the embedded system device.

The encryption protection device of this embodiment can be used to carry out the technical solutions of the method embodiments described above; its implementation principle and technical effects are similar and are not repeated here.

In practical applications, the acquisition module 81, the first encryption module 82, the second encryption module 83 and the sending module 84 of the encryption protection device 08 may each be implemented by a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the encryption protection device 08.

Embodiment 5

FIG. 9 is a schematic structural diagram of an embodiment of the embedded system device of the present invention. As shown in FIG. 9, the embedded system device 09 provided by this embodiment includes a generation module 91, a sharing module 92 and a storage module 93, wherein:

The generation module 91 is configured to generate a private key from the device's own inherent characteristic identifiers, and to derive the corresponding public key from the private key using an asymmetric key generation method;

The sharing module 92 is configured to share the public key with the encryption protection device;

The storage module 93 is configured to store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.

Further, the device 09 also includes a decryption module 94 and a clearing module 95, wherein:

The decryption module 94 is configured to decrypt the ciphertext data in memory to obtain the key data to be protected;

The clearing module 95 is configured to perform a clearing operation after the key data to be protected has been obtained;

The decryption module 94 is specifically configured to:

call an application programming interface (API) function in memory to dynamically obtain the private key;

decrypt the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;

decrypt the ciphertext data using the first decryption code to obtain the key data to be protected.

Further, the generation module 91 is specifically configured to generate the private key from the device's own inherent characteristic identifiers using a hash algorithm, where the inherent characteristic identifiers include the vendor identifier (Vendor ID) and the serial number (SN);

The sharing module 92 is specifically configured to share the public key with the encryption protection device over a serial port;

The storage module 93 is specifically configured to store, in Flash memory, the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encryption protection device.

The embedded system device of this embodiment can be used to carry out the technical solutions of the method embodiments described above; its implementation principle and technical effects are similar and are not repeated here.

In practical applications, the generation module 91, the sharing module 92, the storage module 93, the decryption module 94 and the clearing module 95 of the embedded system device 09 may each be implemented by a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located in the embedded system device 09.

Embodiment 6

FIG. 10 is a schematic structural diagram of an embodiment of the key data protection system of the present invention. As shown in FIG. 10, the key data protection system 010 provided by this embodiment includes an encryption protection device 0101 and an embedded system device 0102, wherein:

The encryption protection device 0101 is the encryption protection device described in the above embodiment;

The embedded system device 0102 is the embedded system device described in the above embodiment.

The key data protection system of this embodiment can be used to carry out the technical solutions of the method embodiments described above; its implementation principle and technical effects are similar and are not repeated here.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (9)

1. A method for protecting critical data, the method comprising:
acquiring a public key shared by an embedded system device;
encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code; the second encryption code is an asymmetric encryption code;
sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device, including:
burning the ciphertext data, the encrypted first decryption code and the second decryption code into a Flash memory of the embedded system device.
2. The method of claim 1,
the acquiring of the public key shared by the embedded system device comprises:
acquiring the public key shared by the embedded system device through a serial port.
3. A method for protecting critical data, the method comprising:
generating a private key according to its own inherent characteristic identifier, and deriving a corresponding public key from the private key by using an asymmetric key generation method;
sharing the public key with an encryption protection device;
storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data;
decrypting the ciphertext data in the memory to obtain key data to be protected;
after the key data to be protected is obtained, performing a clearing operation;
the decrypting of the ciphertext data in the memory to obtain the key data to be protected includes:
calling an Application Programming Interface (API) function in the memory to dynamically acquire the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and performing a decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
4. The method of claim 3, wherein generating the private key according to its own inherent characteristic identifier comprises:
generating the private key by using a hash algorithm according to its own inherent characteristic identifier; wherein the inherent characteristic identifier comprises: a vendor identifier (Vendor ID) and a serial number (SN);
the sharing of the public key with the encryption protection device includes:
sharing the public key with the encryption protection device through a serial port;
the storing of the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device includes:
storing the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encryption protection device in a Flash memory.
5. An encryption protection apparatus, comprising:
the acquisition module is used for acquiring a public key shared by the embedded system device;
the first encryption module is used for encrypting the key data to be protected according to a first encryption code to obtain ciphertext data and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
the second encryption module is used for encrypting the first decryption code according to the public key and the second encryption code to obtain an encrypted first decryption code and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code; the second encryption code is an asymmetric encryption code;
and the sending module is used for sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device, and is specifically used for burning the ciphertext data, the encrypted first decryption code and the second decryption code into a Flash memory of the embedded system device.
6. The apparatus of claim 5,
the obtaining module is specifically configured to obtain the public key shared by the embedded system device through a serial port.
7. An embedded system apparatus, the apparatus comprising:
the generating module is used for generating a private key according to the device's own inherent characteristic identifier and deriving a corresponding public key from the private key by using an asymmetric key generation method;
the sharing module is used for sharing the public key with the encryption protection device;
the storage module is used for storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data;
the decryption module is used for decrypting the ciphertext data in the memory to obtain key data to be protected;
the clearing module is used for performing a clearing operation after the key data to be protected is obtained;
the decryption module is specifically configured to:
call an Application Programming Interface (API) function in the memory to dynamically acquire the private key;
decrypt the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and perform a decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
8. The apparatus according to claim 7, wherein the generating module is specifically configured to generate a private key according to its own inherent characteristic identifier by using a hash algorithm; wherein the inherent characteristic identifier comprises: a supplier identity identifier (Vendor ID) and a serial number (SN);
the sharing module is specifically configured to share the public key to the encryption protection device through a serial port;
the storage module is specifically configured to store the ciphertext data burned by the encryption protection device, the encrypted first decryption code, and the encrypted second decryption code in the Flash memory.
9. A system for the protection of critical data, the system comprising an encryption protection device according to claim 5 or 6 and an embedded system device according to any one of claims 7 to 8.
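The flow in claims 5 to 8, as an added sketch that is not code from the patent: the device hashes its Vendor ID and SN into a private key, and the protection device wraps a random first decryption code under the shared public key. Assumptions: an ElGamal-style wrap over a toy prime group, the second decryption code taken to be the one-time public value, a SHA-256 keystream standing in for the symmetric cipher, and all function names hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): integers modulo the prime 2**255 - 19.
P = 2**255 - 19
G = 2

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def device_keypair(vendor_id: str, serial: str):
    """Embedded device: private key = hash(Vendor ID, SN); public key derived from it."""
    priv = int.from_bytes(_h(f"{vendor_id}|{serial}".encode()), "big") % (P - 1)
    return priv, pow(G, priv, P)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 counter keystream); the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = _h(key + off.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def protect(pub: int, key_data: bytes):
    """Encryption protection device: build the three items burned into Flash."""
    first_code = secrets.token_bytes(32)          # first encryption/decryption code
    ciphertext = stream_xor(first_code, key_data)
    k = secrets.randbelow(P - 2) + 1              # one-time secret, discarded afterwards
    second_dec_code = pow(G, k, P)                # assumed form of the second decryption code
    wrap_key = _h(pow(pub, k, P).to_bytes(32, "big"))
    return ciphertext, stream_xor(wrap_key, first_code), second_dec_code

def recover(priv: int, ciphertext: bytes, enc_first_code: bytes, second_dec_code: int):
    """Device: private key + second decryption code -> first code -> key data."""
    wrap_key = _h(pow(second_dec_code, priv, P).to_bytes(32, "big"))
    return stream_xor(stream_xor(wrap_key, enc_first_code), ciphertext)

if __name__ == "__main__":
    # Constructed sample identifiers and secret.
    priv, pub = device_keypair("VID-0001", "SN-000123")
    flash = protect(pub, b"constructed key data")
    print(recover(priv, *flash))
    clone_priv, _ = device_keypair("VID-0001", "SN-000124")
    print(recover(clone_priv, *flash) == b"constructed key data")
```

Flash contents copied to a unit with a different SN do not decrypt, which is the device binding the claims aim for. Because the private key is a deterministic hash of Vendor ID and SN, it is only as secret as those identifiers.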
CN201611240729.1A 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device Active CN108256346B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611240729.1A CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Publications (2)

Publication Number Publication Date
CN108256346A CN108256346A (en) 2018-07-06
CN108256346B true CN108256346B (en) 2020-12-01

Family

ID=62719048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611240729.1A Active CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Country Status (1)

Country Link
CN (1) CN108256346B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109753770A (en) * 2019-01-07 2019-05-14 北京地平线机器人技术研发有限公司 Determine method and device, method for burn-recording and device, the electronic equipment of burning data
CN113268717A (en) * 2021-04-08 2021-08-17 东信和平科技股份有限公司 SE-based code program protection method, device and storage medium
CN113326512B (en) * 2021-05-21 2025-05-30 深圳矽递科技股份有限公司 Electronic device and MCU firmware protection method thereof

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1465008A (en) * 2001-02-16 2003-12-31 索尼株式会社 Data processing method and its apparatus
CN103678174A (en) * 2012-09-11 2014-03-26 联想(北京)有限公司 Data safety method, storage device and data safety system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6643775B1 (en) * 1997-12-05 2003-11-04 Jamama, Llc Use of code obfuscation to inhibit generation of non-use-restricted versions of copy protected software applications
CN101320410B (en) * 2008-05-20 2010-09-08 北京深思洛克软件技术股份有限公司 Copyright protection method of embedded system
SG11201508726VA (en) * 2013-04-25 2015-11-27 Treebox Solutions Pte Ltd Method and system for exchanging encrypted messages between computing devices in a communication network
CN104866738B (en) * 2014-02-25 2019-04-26 北京娜迦信息科技发展有限公司 A kind of program code guard method and device
CN104486355A (en) * 2014-12-30 2015-04-01 大连楼兰科技股份有限公司 Method and device for preventing codes from being maliciously tampered with

Also Published As

Publication number Publication date
CN108256346A (en) 2018-07-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310012 building A01, 1600 yuhangtang Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant after: CHINA MOBILE (HANGZHOU) INFORMATION TECHNOLOGY Co.,Ltd.

Applicant after: China Mobile Communications Corp.

Address before: 310012, No. 14, building three, Chang Torch Hotel, No. 259, Wensanlu Road, Xihu District, Zhejiang, Hangzhou

Applicant before: CHINA MOBILE (HANGZHOU) INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: China Mobile Communications Corp.

GR01 Patent grant