CN112182624A - Encryption method, encryption device, storage medium and electronic equipment - Google Patents
Encryption method, encryption device, storage medium and electronic equipment Download PDFInfo
- Publication number
- CN112182624A CN112182624A CN202011092789.XA CN202011092789A CN112182624A CN 112182624 A CN112182624 A CN 112182624A CN 202011092789 A CN202011092789 A CN 202011092789A CN 112182624 A CN112182624 A CN 112182624A
- Authority
- CN
- China
- Prior art keywords
- module
- data
- encryption
- processed
- modules
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 49
- 238000012545 processing Methods 0.000 claims description 21
- 230000006854 communication Effects 0.000 claims description 15
- 238000004891 communication Methods 0.000 claims description 14
- 230000000873 masking effect Effects 0.000 claims description 8
- 238000004590 computer program Methods 0.000 claims description 2
- ZBMRKNMTMPPMMK-UHFFFAOYSA-N 2-amino-4-[hydroxy(methyl)phosphoryl]butanoic acid;azane Chemical compound [NH4+].CP(O)(=O)CCC(N)C([O-])=O ZBMRKNMTMPPMMK-UHFFFAOYSA-N 0.000 claims 1
- 230000008569 process Effects 0.000 abstract description 15
- 238000005336 cracking Methods 0.000 abstract description 5
- 238000010586 diagram Methods 0.000 description 8
- 238000010295 mobile communication Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 101100198507 Schizosaccharomyces pombe (strain 972 / ATCC 24843) rng2 gene Proteins 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 239000013307 optical fiber Substances 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 238000013528 artificial neural network Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003252 repetitive effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The disclosure provides an encryption method, an encryption device, a computer readable storage medium and an electronic device, and relates to the technical field of information security. The encryption method comprises the following steps: selecting at least one first module and at least one second module from a plurality of preset encryption modules; wherein different encryption modules adopt different encryption algorithms; and controlling the first module to encrypt the data to be processed and controlling the second module to encrypt the interference data. The method and the device cover the power consumption information of the real encryption process, and increase the difficulty of an attacker in cracking the encryption information through power consumption analysis.
Description
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an encryption method, an encryption apparatus, a computer-readable storage medium, and an electronic device.
Background
With the development of computer and communication technologies, people pay more and more attention to information security, for example, in mobile communication, users often need to send information related to personal privacy and property, and Data encryption is provided through a Packet Data Convergence Protocol (PDCP) layer, so that information security in a communication process can be ensured.
In the related art, the security engine of the PDCP entity encrypts data using algorithms such as Snow 3G (byte stream Encryption algorithm of 3G communication system), ZUC (grandma algorithm), AES (Advanced Encryption Standard), and the like. However, these algorithms cannot protect against energy analysis attacks, and an attacker can analyze the password by monitoring the power consumption information when the PDCP is encrypted or decrypted, thereby cracking the security engine and stealing data.
Disclosure of Invention
The disclosure provides an encryption method, an encryption device, a computer-readable storage medium and an electronic device, thereby solving the problem that the related art cannot protect against energy analysis attacks to a certain extent.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of the present disclosure, there is provided an encryption method comprising: selecting at least one first module and at least one second module from a plurality of preset encryption modules; wherein different encryption modules adopt different encryption algorithms; and controlling the first module to encrypt the data to be processed and controlling the second module to encrypt the interference data.
According to a second aspect of the present disclosure, there is provided an encryption apparatus comprising: a selection unit that selects at least one first module and at least one second module among a plurality of preset encryption modules; wherein different encryption modules adopt different encryption modes; and the control unit is used for controlling the first module to encrypt the data to be processed and controlling the second module to encrypt the interference data.
According to a third aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the encryption method of the first aspect described above and possible implementations thereof.
According to a fourth aspect of the present disclosure, there is provided an electronic device comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the encryption method of the first aspect and possible embodiments thereof described above via execution of the executable instructions.
The technical scheme of the disclosure has the following beneficial effects:
when data to be processed is encrypted, the other encryption module is controlled to encrypt interference data, on one hand, power consumption information leaked to the outside during encryption is a superposition result of two encryption processes, real power consumption information is covered, and the difficulty of an attacker for analyzing and cracking the encryption information through power consumption is increased. On the other hand, the scheme is simultaneously suitable for hardware and software implementation, and is low in cost and high in usability.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is apparent that the drawings in the following description are only some embodiments of the present disclosure, and that other drawings can be obtained from those drawings without inventive effort for a person skilled in the art.
Fig. 1 is a block diagram showing a mobile terminal in the present exemplary embodiment;
FIG. 2 illustrates an architecture diagram of a security engine in the exemplary embodiment;
FIG. 3 shows a flow diagram of an encryption method in the present exemplary embodiment;
FIG. 4 illustrates a flow chart for selecting a first module and a second module in the exemplary embodiment;
FIG. 5 is a flow chart illustrating encryption by a first module in the exemplary embodiment;
FIG. 6 illustrates a schematic diagram of adding a mask guard in the present exemplary embodiment;
fig. 7 shows a flowchart of another first module performing encryption in the present exemplary embodiment;
FIG. 8 illustrates another schematic diagram of adding a masked guard in the present exemplary embodiment;
FIG. 9 illustrates an architecture diagram of another security engine in the exemplary embodiment;
fig. 10 shows a block diagram of the configuration of an encryption apparatus in the present exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In the related art, the PDCP security engine encrypts communication data mainly by key stream, which reveals power consumption information. If an attacker cracks KeyStream through power consumption analysis, the plaintext of communication data can be analyzed; in addition, under the condition of obtaining KeyStream, an attacker can easily crack a Key (secret Key) for starting the encryption algorithm, so that the whole algorithm is cracked.
In view of the foregoing, exemplary embodiments of the present disclosure provide an encryption method that may be deployed in a security engine to encrypt communication data, application data, and the like against an energy analysis attack.
In order to implement the above encryption method, an exemplary embodiment of the present disclosure provides an electronic device including: a processor; the memory is used for storing executable instructions of the processor and can also be used for storing application data. Wherein the processor may implement various program methods, such as the encryption method of the present exemplary embodiment, by executing the above-described executable instructions. The electronic equipment can be a smart phone, a tablet computer, a personal computer, intelligent wearable equipment and the like.
The structure of the electronic device is exemplarily described below by taking the mobile terminal 100 in fig. 1 as an example. It will be appreciated by those skilled in the art that the configuration of figure 1 can also be applied to fixed type devices, in addition to components specifically intended for mobile purposes.
As shown in fig. 1, the mobile terminal 100 may specifically include: a processor 110, an internal memory 121, an external memory interface 122, a USB (Universal Serial Bus) interface 130, a charging management Module 140, a power management Module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication Module 150, a wireless communication Module 160, an audio Module 170, a speaker 171, a receiver 172, a microphone 173, an earphone interface 174, a sensor Module 180, a display 190, a camera Module 191, an indicator 192, a motor 193, a key 194, and a SIM (Subscriber identity Module) card interface 195.
Processor 110 may include one or more processing units, such as: the Processor 110 may include an AP (Application Processor), a modem Processor, a GPU (Graphics Processing Unit), an ISP (Image Signal Processor), a controller, an encoder, a decoder, a DSP (Digital Signal Processor), a baseband Processor, and/or an NPU (Neural-Network Processing Unit), etc. The processor 110 may perform encryption processing on the data, for example, execute the encryption method in the present exemplary embodiment.
In some embodiments, processor 110 may include one or more interfaces through which connections are made to other components of mobile terminal 100.
The external memory interface 122 may be used to connect an external memory card. The internal memory 121 may be used to store computer-executable program codes, and may also store data (e.g., images, videos) created during use of the mobile terminal 100, and the like.
The USB interface 130 is an interface conforming to the USB standard specification, and may be used to connect a charger to charge the mobile terminal 100, or connect an earphone or other electronic devices.
The charging management module 140 is configured to receive charging input from a charger. While the charging management module 140 charges the battery 142, the power management module 141 may also supply power to the device; the power management module 141 may also monitor the status of the battery.
The wireless communication function of the mobile terminal 100 may be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, a modem processor, a baseband processor, and the like. The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The mobile communication module 150 may provide a solution including 2G/3G/4G/5G wireless communication applied on the mobile terminal 100. The Wireless Communication module 160 may provide Wireless Communication solutions including WLAN (Wireless Local Area network ) (e.g., WiFi (Wireless Fidelity, Wireless Fidelity) network), BT (Bluetooth), GNSS (Global Navigation Satellite System), FM (Frequency Modulation), NFC (Near Field Communication), IR (Infrared technology), and the like, which are applied to the mobile terminal 100.
The mobile terminal 100 may implement a display function through the GPU, the display screen 190, the AP, etc., may implement a photographing function through the ISP, the camera module 191, the encoder, the decoder, the GPU, the display screen 190, the AP, etc., and may implement an audio function through the audio module 170, the speaker 171, the receiver 172, the microphone 173, the earphone interface 174, the AP, etc.
The sensor module 180 may include a depth sensor 1801, a pressure sensor 1802, a gyroscope sensor 1803, a barometric pressure sensor 1804, and the like.
Indicator 192 may be an indicator light that may be used to indicate a state of charge, a change in charge, or a message, missed call, notification, etc. The motor 193 may generate a vibration cue, may also be used for touch vibration feedback, and the like. The keys 194 include a power-on key, a volume key, and the like.
The mobile terminal 100 may support one or more SIM card interfaces 195 for connecting a SIM card to enable mobile communication and voice calls.
Based on the electronic device, the exemplary embodiment of the present disclosure also provides an architecture of a security engine. The security engine refers to a component used for data encryption processing inside the electronic device, and may be a security engine of PDCP, for example. As shown in fig. 2, security engine 200 may include MUX (data selector) 210, hidden Control (hidden Control) module 220, Snow 3G module 230, ZUC module 240, AES module 250. The Snow 3G module 230, the ZUC module 240, and the AES module 250 are encryption modules that actually perform data processing. In the present exemplary embodiment, the security engine 200 may include a plurality of encryption modules, each using a different encryption algorithm for data encryption, including but not limited to the Snow 3G algorithm, the ZUC algorithm, and the AES algorithm shown in fig. 2.
It should be noted that, in network protocols such as PDCP, the security engine 200 may represent the bottom layer; the application layer refers to a layer containing encrypted data related services, and may be a generic term for upper layers of the security engine 200, for example, including a transport layer, a session layer, and the like.
The application layer inputs the Data to be processed into the security engine 200, and enters a Data transmission Path (Data Path) in the security engine 200. Selecting one or more encryption modules by the MUX 210 in the path, for example selecting the Snow 3G module 230, inputting the data to be processed into the module for encryption; meanwhile, the hidden control module 220 interferes with the power consumption information in the encryption process. And after encryption is finished, ciphertext data corresponding to the data to be processed is obtained and is output to the application layer through the data transmission path.
Fig. 3 shows an exemplary flow of an encryption method, which may include the following steps S310 and S320:
step S310, selecting at least one first module and at least one second module from a plurality of preset encryption modules; wherein, different encryption modules adopt different encryption algorithms;
step S320, controlling the first module to encrypt the data to be processed, and controlling the second module to encrypt the interference data.
According to the method, when the data to be processed is encrypted, the other encryption module is controlled to encrypt the interference data, on one hand, the power consumption information leaked to the outside during encryption is a superposition result of two encryption processes, so that the real power consumption information is covered, and the difficulty of an attacker for analyzing and cracking the encryption information through power consumption is increased. On the other hand, the scheme is simultaneously suitable for hardware and software implementation, and is low in cost and high in usability.
Each step in fig. 3 is explained in detail below.
In step S310, at least one first module and at least one second module are selected from a plurality of preset encryption modules.
The encryption module is an algorithm module actually performing data encryption processing, such as the Snow 3G module 230, the ZUC module 240, and the AES module 250 in fig. 2. In this exemplary embodiment, a plurality of encryption modules are arranged in the security engine, each module adopts different encryption algorithms, and a first module and a second module are selected from the modules, the first module is used for encrypting the data at this time, and the second module is used for generating interference information. Illustratively, the first module and the second module may be randomly selected among the encryption modules.
In an alternative embodiment, as shown with reference to fig. 4, step S310 may include the following steps S410 and S420:
step S410, selecting a first module from the plurality of encryption modules through a data selector in a security engine;
in step S420, a second module is selected from the encryption modules other than the first module by the hidden control module in the security engine.
That is, the first module is selected first, and then the second module is selected from the remaining encryption modules. The first module is used for data encryption, and can be selected by the data selector and actually started. The second module is used for generating interference information, and can be selected by the hidden control module and performs 'pseudo-starting'.
It should be noted that, the number of the first module and the second module is not limited in the present disclosure. For example, the data to be processed may be divided into a plurality of groups, and different groups of data may be encrypted by the plurality of first modules, respectively; or interference information is generated by a plurality of second modules so as to increase the difficulty of power consumption analysis.
In step S320, the first module is controlled to encrypt the data to be processed, and the second module is controlled to encrypt the interference data.
The interference data may be any data other than the data to be processed, such as random data, or data that needs to be encrypted in other applications. When the first module encrypts the data to be processed, the second module encrypts the interference data, and the power consumption of the two encryption processes are overlapped, so that the power consumption information of the first module in the encryption process is covered. Therefore, the external part cannot obtain the power consumption information of the encryption process of the data to be processed, and the power consumption analysis attack cannot be carried out.
In an alternative embodiment, the first random data may be generated as interference data, and the result of the second module encrypting the interference data is not actually used, which is equivalent to "idling" the second module, resulting in interfering power consumption. The first random data may be a true random number or a pseudo random number, and the disclosure is not particularly limited.
Further, the first random data may be generated according to the data to be processed, for example, the first random data may have the same or similar number of bits, data amount, complexity, and the like as the data to be processed. Exemplarily, the bit number, the data size and the complexity of the data to be processed are determined, then a certain margin is added to the bit number, the data size and the complexity of the data to be processed as a central value to obtain a bit number range, a data size range and a complexity range, and then first random data meeting the range is generated. Therefore, when the second module encrypts the interference data, power consumption with stronger interference can be generated.
For example, the first module is an AES module, the second module is a ZUC module, and when the AES module is started to encrypt the data to be processed, the ZUC module is also started to encrypt the first random data input by the application layer. If the attacker monitors the power consumption, the obtained result is the superposition result of the AES encryption power consumption curve and the ZUC encryption power consumption curve, and a single power consumption curve cannot be separated, so that the attack difficulty is increased.
In addition to the above mentioned masking of the true power consumption information by adding a disturbing encryption process, the present exemplary embodiment can also add disturbing information to the encryption algorithm itself, and two ways are provided below:
in the first way, referring to fig. 5, the encryption of the data to be processed can be realized by executing the following steps S510 and S520:
step S510, generating a key stream processed by a mask with the second random data as the mask;
step S520, encrypt the data to be processed by using the key stream to obtain the ciphertext data.
Taking the AES module as an example, the workflow of which can be illustrated with reference to fig. 6, the AES module may include a codec, an algorithm controller, and a key generator. Parameters related to the encryption algorithm, such as initial key, length, count, etc., may be input by the application layer. The key generator may generate a keystream from an initial key; then, the algorithm controller loads the code of the encryption algorithm; the data encryption process is performed by the codec. In practical application, a plaintext (Plain text) of data to be processed is input into a first module, the first module uses a group of random numbers (second random data) as a mask to mask a key stream generated by a key generator, specifically, an exclusive or operation can be performed on the second random data and the key stream to obtain the key stream subjected to the mask processing, and then the plaintext is encrypted to obtain ciphertext data (Cipher text) corresponding to the data to be processed, namely, Cipher text ^ KeyStream ^ RNG2, and RNG2 represents the second random data. The processing procedure of the AES module is completely applicable to other encryption modules.
In an alternative embodiment, the steps shown in fig. 5 may be performed by the first module separately, for example, the second random data and the data to be processed are input into the first module, and the first module performs masking processing on the key stream by using the second random data and then encrypts the data to be processed. In another alternative embodiment, the steps shown in fig. 5 may be performed by the first module and other modules together, for example, the first module generates a key stream, the mask processing module or the random data generating module that is additionally provided performs mask processing on the key stream with the second random data as a mask, and then inputs the masked key stream into the first module; the first module encrypts the data to be processed by using the key stream.
By introducing the mask, mask protection can be provided for the key stream, so that the information of the key stream cannot be leaked in the encryption process, and the difficulty of monitoring power consumption and attack cracking is further increased.
If the data to be processed is communication data, that is, data to be transmitted, normal use of the receiving end needs to be considered.
In an alternative embodiment, the ciphertext data may be unmasked by the mask (i.e., the second random data), and the unmasked ciphertext data may be transmitted. Generally, the sending end may store the second Random data, for example, store the second Random data in a specific register or a Random Access Memory (RAM), and after encryption is completed, read the second Random data and unmask the ciphertext data. Specifically, the second random data may be used to perform an exclusive or operation on the ciphertext data to obtain unmasked ciphertext data, and then the unmasked ciphertext data is sent to the receiving end. Therefore, after the receiving end receives the ciphertext data, the data can be normally decrypted through the key stream without the information of the mask.
The unmasking process may be performed in the security engine or by the application layer.
In an optional implementation manner, the sending end may also send ciphertext data and a mask. Generally, a random data path may be added between the sender and the receiver, and the path is used to transmit a mask (i.e., the second random data), and the receiver may decode the ciphertext data using the key stream and the second random data, i.e., Plain text ^ KeyStream RNG 2. Therefore, the transmitting end does not need to carry out unmasking, and the second random data does not need to be stored separately. In the transmission process of the ciphertext data, a layer of protection of the mask is added, and higher-level security guarantee can be provided. Further, in order to improve protection of the mask itself, the mask may be encrypted and then transmitted, for example, the sending end encrypts the mask by using a predetermined asymmetric encrypted public key, and then transmits the encrypted mask to the receiving end, and the receiving end decrypts the encrypted mask by using a corresponding private key to obtain the mask.
In a second way, referring to fig. 7, the following steps S710 and S720 can be executed to implement encryption of the data to be processed:
step S710, mask processing is carried out on the preset parameters of the first module through third random data;
and S720, generating a key stream by adopting the preset parameters subjected to mask processing, and encrypting the data to be processed by utilizing the key stream to obtain ciphertext data.
The preset parameter is one or more parameters used by an encryption algorithm, and is generally used for generating a key stream, including but not limited to: initial key, count, length, etc. And taking the third random data as a mask, and performing mask processing on the preset parameter, which is equivalent to adding a layer of mask protection in the encryption algorithm. Referring to fig. 8, taking an example that the preset parameter is an initial key, after the application layer inputs the set parameter to the AES module, the AES module performs an exclusive-or operation on the initial key through the third random data to generate an initial key with a mask, then generates a key stream by using the initial key with the mask, and encrypts the data to be processed by using the key stream. In the encryption process, mask protection is implemented from the stage of the initial secret key, and the protection means can cover links such as the generation of the secret key stream, the encryption of data to be processed and the like, so that more comprehensive protection is realized, and the difficulty of power consumption analysis attack is further increased.
In an alternative embodiment, the steps shown in fig. 7 may be performed by the first module separately, for example, the third random data and the data to be processed are input into the first module, the first module performs masking processing of the preset parameter by using the third random data, generates a key stream, and then encrypts the data to be processed. In another alternative embodiment, the steps shown in fig. 7 may be executed by the first module and other modules together, for example, after determining the preset parameter for generating the key stream, the application layer inputs the preset parameter into the mask processing module or the random data generating module, in the module, the third random data is used as a mask, the preset parameter is subjected to mask processing, and then the preset parameter after the mask processing is input into the first module; the first module generates a key stream by using the preset parameters and encrypts the data to be processed.
It should be understood that, in practical applications, the first or second mode can be selected according to specific requirements. In an optional implementation manner, the first and second manners may be further combined, that is, the preset parameter is masked by the third random data, and after the key stream is generated, the key stream is masked by the second random data, so that the double protection with higher security is realized.
The first, second, and third random data may be different random numbers independent of each other. Referring to fig. 9, based on the security engine 200 in fig. 2, a random data generating module 260 may be added, which may be disposed in the security engine 200, and directly output random data to each encryption module, such as generating first random data and outputting the first random data to a second module, generating second random data or third random data and outputting the second random data or the third random data to the first module. In addition, the random data generating module 260 may also be deployed in the application layer, and after the random data is generated, the random data is transmitted to the corresponding encryption module through a data port and a data transmission path between the application layer and the application engine 200. In an optional implementation manner, the random data generating module 260 may further perform a masking process, for example, taking the second random data as a mask, performing a masking process on the key stream generated by the first module, and taking the third random data as a mask, performing a masking process on the preset parameter of the first module.
Exemplary embodiments of the present disclosure also provide an encryption apparatus that may be deployed in a security engine. Referring to fig. 10, the encryption apparatus 1000 may include:
a selecting unit 1010 that selects at least one first module and at least one second module among a plurality of preset encryption modules; wherein, different encryption modules adopt different encryption modes;
a control unit 1020, configured to control the first module to encrypt the data to be processed, and control the second module to encrypt the interference data.
In an alternative embodiment, the interference data may be random data.
In an alternative embodiment, the control unit 1020 is further configured to:
and generating first random data according to the data to be processed to serve as interference data.
In an alternative embodiment, the control unit 1020 is configured to:
generating a key stream processed by the mask by taking the second random data as the mask;
and encrypting the data to be processed by utilizing the key stream to obtain ciphertext data.
In an optional implementation manner, the control unit 1020 is further configured to unmask the ciphertext data through the mask; the encryption device may further include an interaction unit configured to transmit the unmasked ciphertext data.
In an alternative embodiment, the encryption apparatus 1000 may further include an interaction unit for transmitting the ciphertext data and the mask.
In an alternative embodiment, the control unit 1020 is configured to:
masking preset parameters of the first module through third random data;
and generating a key stream by adopting the preset parameters subjected to mask processing, and encrypting the data to be processed by utilizing the key stream to obtain ciphertext data.
In an optional embodiment, the plurality of ciphering modules are located in a security engine of the packet data convergence protocol PDCP.
In an alternative embodiment, the selecting unit 1010 is configured to:
selecting, by a data selector in a security engine, a first module among a plurality of cryptographic modules;
a second module is selected from among the cryptographic modules other than the first module by a hidden control module in the security engine.
In an alternative embodiment, the encryption algorithm includes, but is not limited to, Snow 3G algorithm, ZUC algorithm, AES algorithm.
The specific details of each part in the above device have been described in detail in the method part embodiments, and thus are not described again.
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium, which may be implemented as a program product including program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present disclosure described in the above-mentioned "exemplary method" section of this specification, when the program product is run on the terminal device, for example, any one or more of the steps in fig. 3, fig. 4, fig. 5 or fig. 7 may be performed. The program product may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" system.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the following claims.
Claims (13)
1. An encryption method, comprising:
selecting at least one first module and at least one second module from a plurality of preset encryption modules; wherein different encryption modules adopt different encryption algorithms;
and controlling the first module to encrypt the data to be processed and controlling the second module to encrypt the interference data.
2. The method of claim 1, wherein the interference data comprises random data.
3. The method of claim 2, further comprising:
and generating first random data according to the data to be processed to serve as the interference data.
4. The method of claim 1, wherein the controlling the first module to encrypt the data to be processed comprises:
generating a key stream processed by the mask by taking the second random data as the mask;
and encrypting the data to be processed by utilizing the key stream to obtain ciphertext data.
5. The method of claim 4, further comprising:
and unmasking the ciphertext data through the mask, and sending the unmasked ciphertext data.
6. The method of claim 4, further comprising:
and transmitting the ciphertext data and the mask.
7. The method of claim 1, wherein the controlling the first module to encrypt the data to be processed comprises:
masking preset parameters of the first module through third random data;
and generating a key stream by adopting the preset parameters subjected to mask processing, and encrypting the data to be processed by utilizing the key stream to obtain ciphertext data.
8. The method of claim 1, wherein the plurality of ciphering modules are located in a security engine of a Packet Data Convergence Protocol (PDCP).
9. The method according to claim 8, wherein selecting at least one first module and at least one second module among a predetermined plurality of encryption modules comprises:
selecting, by a data selector in the security engine, the first module among the plurality of cryptographic modules;
selecting, by a hidden control module in the security engine, the second module among the cryptographic modules other than the first module.
10. The method according to any of claims 1 to 9, wherein the encryption algorithm comprises a byte stream encryption algorithm Snow 3G, grand buster algorithm ZUC, advanced encryption standard AES algorithm of a 3G communication system.
11. An encryption apparatus, comprising:
a selection unit that selects at least one first module and at least one second module among a plurality of preset encryption modules; wherein different encryption modules adopt different encryption modes;
and the control unit is used for controlling the first module to encrypt the data to be processed and controlling the second module to encrypt the interference data.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 10.
13. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1 to 10 via execution of the executable instructions.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011092789.XA CN112182624A (en) | 2020-10-13 | 2020-10-13 | Encryption method, encryption device, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011092789.XA CN112182624A (en) | 2020-10-13 | 2020-10-13 | Encryption method, encryption device, storage medium and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112182624A true CN112182624A (en) | 2021-01-05 |
Family
ID=73949714
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011092789.XA Pending CN112182624A (en) | 2020-10-13 | 2020-10-13 | Encryption method, encryption device, storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112182624A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113872752A (en) * | 2021-09-07 | 2021-12-31 | 哲库科技(北京)有限公司 | Security engine module, security engine device and communication equipment |
| CN114531239A (en) * | 2022-04-20 | 2022-05-24 | 广州万协通信息技术有限公司 | Data transmission method and system for multiple encryption keys |
| CN115102701A (en) * | 2022-08-25 | 2022-09-23 | 广州万协通信息技术有限公司 | Multi-chip data encryption and decryption processing method and device |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100563128B1 (en) * | 2004-12-14 | 2006-03-21 | 삼성에스디에스 주식회사 | Smart Card Password Algorithm Protection against Differential Power Analysis Attacks |
| CN101969376A (en) * | 2010-09-23 | 2011-02-09 | 北京航空航天大学 | Self-adaptive encryption system and method with semantic security |
| US20120269340A1 (en) * | 2011-04-22 | 2012-10-25 | Stu Jay | Hierarchical encryption/decryption device and method thereof |
| CN106027222A (en) * | 2016-06-30 | 2016-10-12 | 中国南方电网有限责任公司电网技术研究中心 | Smart card encryption method and device for preventing differential power analysis |
| US20170070483A1 (en) * | 2015-08-12 | 2017-03-09 | Plankwalk Corp. | System and Methods for Dynamically and Randomly Encrypting and Decrypting Data |
| CN107766725A (en) * | 2016-08-19 | 2018-03-06 | 国民技术股份有限公司 | The data transmission method and system of anti-template attack |
| CN108123792A (en) * | 2017-12-19 | 2018-06-05 | 武汉瑞纳捷电子技术有限公司 | A kind of power consumption method for scrambling of SM4 algorithms circuit |
| CN108460288A (en) * | 2018-04-02 | 2018-08-28 | 惠州学院 | Big data safe encryption method, device, storage medium and mobile terminal |
| CN109218295A (en) * | 2018-08-22 | 2019-01-15 | 平安科技(深圳)有限公司 | Document protection method, device, computer equipment and storage medium |
| CN109361507A (en) * | 2018-10-11 | 2019-02-19 | 杭州华澜微电子股份有限公司 | A kind of data ciphering method and encryption equipment |
| CN111199047A (en) * | 2019-12-31 | 2020-05-26 | 中移(杭州)信息技术有限公司 | Data encryption method, data decryption method, data encryption device, data decryption device, data encryption equipment and data encryption storage medium |
-
2020
- 2020-10-13 CN CN202011092789.XA patent/CN112182624A/en active Pending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100563128B1 (en) * | 2004-12-14 | 2006-03-21 | 삼성에스디에스 주식회사 | Smart Card Password Algorithm Protection against Differential Power Analysis Attacks |
| CN101969376A (en) * | 2010-09-23 | 2011-02-09 | 北京航空航天大学 | Self-adaptive encryption system and method with semantic security |
| US20120269340A1 (en) * | 2011-04-22 | 2012-10-25 | Stu Jay | Hierarchical encryption/decryption device and method thereof |
| US20170070483A1 (en) * | 2015-08-12 | 2017-03-09 | Plankwalk Corp. | System and Methods for Dynamically and Randomly Encrypting and Decrypting Data |
| CN106027222A (en) * | 2016-06-30 | 2016-10-12 | 中国南方电网有限责任公司电网技术研究中心 | Smart card encryption method and device for preventing differential power analysis |
| CN107766725A (en) * | 2016-08-19 | 2018-03-06 | 国民技术股份有限公司 | The data transmission method and system of anti-template attack |
| CN108123792A (en) * | 2017-12-19 | 2018-06-05 | 武汉瑞纳捷电子技术有限公司 | A kind of power consumption method for scrambling of SM4 algorithms circuit |
| CN108460288A (en) * | 2018-04-02 | 2018-08-28 | 惠州学院 | Big data safe encryption method, device, storage medium and mobile terminal |
| CN109218295A (en) * | 2018-08-22 | 2019-01-15 | 平安科技(深圳)有限公司 | Document protection method, device, computer equipment and storage medium |
| CN109361507A (en) * | 2018-10-11 | 2019-02-19 | 杭州华澜微电子股份有限公司 | A kind of data ciphering method and encryption equipment |
| CN111199047A (en) * | 2019-12-31 | 2020-05-26 | 中移(杭州)信息技术有限公司 | Data encryption method, data decryption method, data encryption device, data decryption device, data encryption equipment and data encryption storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 徐鹏;薛伟;: "抗差分功耗攻击的DES算法研究", 计算机仿真, no. 01, 15 January 2018 (2018-01-15), pages 282 - 286 * |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113872752A (en) * | 2021-09-07 | 2021-12-31 | 哲库科技(北京)有限公司 | Security engine module, security engine device and communication equipment |
| CN113872752B (en) * | 2021-09-07 | 2023-10-13 | 哲库科技(北京)有限公司 | Security engine module, security engine device, and communication apparatus |
| CN114531239A (en) * | 2022-04-20 | 2022-05-24 | 广州万协通信息技术有限公司 | Data transmission method and system for multiple encryption keys |
| CN114531239B (en) * | 2022-04-20 | 2022-08-12 | 广州万协通信息技术有限公司 | Data transmission method and system for multiple encryption keys |
| CN115102701A (en) * | 2022-08-25 | 2022-09-23 | 广州万协通信息技术有限公司 | Multi-chip data encryption and decryption processing method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| ES2836114T3 (en) | Information sending method, information reception method, device and system | |
| CN106162537B (en) | A kind of method, wireless telecom equipment and the terminal of safety certification connection | |
| CN105634737B (en) | Data transmission method, terminal and system | |
| CN112182624A (en) | Encryption method, encryption device, storage medium and electronic equipment | |
| CN111935166B (en) | Communication authentication method, system, electronic device, server, and storage medium | |
| US11671259B2 (en) | Neighbor awareness networking password authentication | |
| CN111327605B (en) | Method, terminal, server and system for transmitting private information | |
| WO2010023506A1 (en) | Methods, apparatuses, computer program products, and systems for providing secure pairing and association for wireless devices | |
| CN105024807A (en) | Data processing method and system | |
| US10601586B2 (en) | Method and apparatus for key management of end encrypted transmission | |
| CN105208028A (en) | Data transmission method and related device and equipment | |
| CN109246110A (en) | data sharing method and device | |
| CN108292347A (en) | A kind of user property matching process and terminal | |
| CN116962067A (en) | Information encryption method, device and equipment | |
| CN115051790B (en) | A data encryption method, a data decryption method and device, and a storage medium | |
| EP4109811A1 (en) | Secure device equipped with quantum-random-number-based quantum encryption chip and secure communication service provision method using same | |
| KR102308247B1 (en) | Encryption communication device equipped with quantum encryption chip based a quantum random number and method of providing encryption communication service using the same | |
| CN113505364B (en) | Password protection method, electronic device and computer-readable storage medium | |
| CN109450899A (en) | Key management method and device, electronic equipment, storage medium | |
| CN112667992A (en) | Authentication method, authentication device, storage medium, and electronic apparatus | |
| CN111062025B (en) | Application data processing method and related device | |
| CN113961931A (en) | Adb tool using method and device and electronic equipment | |
| CN104080080B (en) | A kind of data handling system of voice call | |
| CN106385684A (en) | Method and device for sharing wireless network and accessing wireless network | |
| CN110996088B (en) | Video processing method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |