CN113420309B - Lightweight data protection system based on national secret algorithm - Google Patents
Lightweight data protection system based on national secret algorithm
- Publication number: CN113420309B (application CN202110747218.3A)
- Authority: CN (China)
- Legal status: Active
Classifications
- G06F21/602—Providing cryptographic facilities or services
- G06F15/7807—System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F7/588—Random number generators, i.e. based on natural stochastic processes
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The invention discloses a lightweight data protection system based on the Chinese national cryptographic algorithms (国密, rendered "national secret algorithm" in the title; the SM2, SM3 and SM4 algorithms). It consists of a hardware part, the encryption card, and a software part made up of an embedded firmware program and host computer software. The encryption card uses a security chip as its main control chip, and the same chip performs the encryption and decryption computations; both the card's data communication and its circuit power supply are provided through the USB interface. The binary of the embedded firmware program is stored in the encryption card's Flash for execution by the security chip, while the host computer software runs on the host computer and communicates with the encryption card over a USB-to-serial link. The two-level key management scheme designed by the invention both keeps the keys secure, preventing the security threat that would arise from key theft, and is convenient for the user. At low cost it achieves clear simplicity and security in use, providing a lightweight service for encrypting and decrypting, digitally signing and verifying files local to a computer.
Description
Technical field
The invention relates to the technical field of information security, and in particular to a lightweight data protection system based on the national cryptographic algorithms.
Background
At present, data protection can be implemented by an encryption system built from software or from hardware. A software-implemented encryption system uses a software program to encrypt and decrypt data. Although its development cost is low and it is easy to maintain, it consumes considerable computer resources, the encryption program is easy to monitor and tamper with, and key management is difficult, so its security is not high. Moreover, encryption implemented in hardware runs several times faster than software.
For example, software encryption may take the form of a personal data protection system on Windows built on a file filter driver, with all encryption and decryption computed in software. There are also file encryption systems that combine software and hardware, in which a USB Key manages the keys and encrypts the session key, but the files themselves are still encrypted and decrypted in software.
A hardware-implemented encryption system protects data with a dedicated hardware device that executes the cryptographic algorithms. The outside world can hardly interfere with the device's computation and cannot directly access the sensitive information inside it; the device's functions can only be invoked through predefined interfaces. Compared with software, a hardware encryption system has greater advantages in resisting external attacks, protecting the keys, and the speed of encryption and decryption. Common examples of hardware-implemented encryption systems are the following.
(1) Encrypting the data on a hard disk, providing data integrity verification and identity authentication. (2) USB Key based encryption systems, which use the security chip built into the USB Key for identity verification, data encryption and decryption, and integrity verification.
Disadvantages of the prior art:
First, encryption implemented in software. Its drawback is that it consumes a large share of the computer's CPU resources, because cryptographic algorithms are complex computations that require heavy CPU involvement, which becomes a problem when encryption demand surges. In addition, its encryption program is easy to monitor and tamper with, because it has no relatively isolated secure environment and is exposed to computer viruses, so its security is not high. Furthermore, software encryption is comparatively slow, because it runs on the CPU; compared with a cryptographic algorithm implemented in a dedicated hardware circuit it is slower by several orders of magnitude.
Second, encryption implemented in hardware. Its security is very high and it has many forms of application; as I mentioned in the background section, there are FPGA-based and security-chip-based designs, with many variations in form. However, implementations that simply encrypt files local to a computer are currently rare, and their cost and ease of use usually remain a problem.
Summary of the invention
The purpose of the present invention is to provide a lightweight data protection system based on the national cryptographic algorithms that achieves clear simplicity and security in use at low cost.
To accomplish the above task, the present invention adopts the following technical solution:
A lightweight data protection system based on the national cryptographic algorithms, comprising an encryption card as the hardware part and, as the software part, an embedded firmware program and host computer software, wherein:
The encryption card uses a security chip as its main control chip, and the same chip performs the encryption and decryption computations; both the card's data communication and its circuit power supply are provided through the USB interface. The encryption card comprises:
a security chip, which integrates a CPU with hardware acceleration cores for the national cryptographic SM2, SM3 and SM4 algorithms, a true random number generator, and serial and SPI communication interfaces; a power management module, which converts the externally supplied voltage to power the security chip and the other modules and interfaces; a USB-to-serial module, which carries the communication between the host computer and the security chip, the USB port also serving as the power supply; an EEPROM module, which stores the user's account and key data; a Flash module, which stores the embedded firmware program; and a JTAG interface, a debugging interface used to download firmware and debug the program;
The binary of the embedded firmware program is stored in the encryption card's Flash for execution by the security chip, while the host computer software runs on the host computer and communicates with the encryption card over a USB-to-serial link, wherein:
The embedded firmware program comprises a top-level module and a bottom-level module. The top-level module contains the encryption card work function, which connects and disconnects the protection system and provides users with registration, login, reset, and encryption/decryption services. The bottom-level module contains the drivers, including drivers for the SM2, SM3 and SM4 acceleration cores, serial port and GPIO drivers, the random number generator driver, and a driver that reads and writes the EEPROM module over IIC. The top-level module implements the complete workflow by repeatedly calling the bottom-level module.
The key management method comprises:
the user first registers an account on the encryption card and chooses an 8-digit PIN code, each digit in the range 0 to 9; this PIN code serves both as the user's login password and for identity verification and key management;
the encryption card applies SM3 to the PIN code twice in succession, obtaining a 256-bit message digest from the first operation and another from the second; the digest of the second operation is then stored in the EEPROM module as the reference against which the PIN code is compared at later logins;
the encryption card generates a random SM2 public/private key pair; the first 128 bits of the message digest from the first SM3 operation on the PIN code are then used as the symmetric key to encrypt the SM2 private key with the SM4 algorithm, while the SM2 public key is left unencrypted; the SM2 public key in plaintext and the SM4-encrypted SM2 private key ciphertext are then stored in the EEPROM module;
the encryption card randomly generates an SM4 symmetric key and encrypts it with the SM4 algorithm using the first 128 bits of the message digest from the first SM3 operation on the PIN code; finally, the resulting SM4 symmetric key ciphertext is stored in the EEPROM module.
Further, the host computer software is divided into five panels: a control panel, a login panel, an encryption panel, a decryption panel and a file display panel, wherein:
the control panel is used to configure the communication port, connect/disconnect the device and enter/exit encryption mode; the login panel provides the user login interface and shows the login status; the encryption panel selects the path of the plaintext file, the path for saving the ciphertext, the path for saving the SM2 public key and the path for saving the SM2 digital signature, and starts encryption; the decryption panel selects the path of the ciphertext file, the path of the SM2 digital signature, the path of the SM2 public key and the path for saving the plaintext file, and starts decryption; the file display panel shows the plaintext before encryption / the ciphertext after encryption, and the ciphertext before decryption / the plaintext after decryption.
Further, key management is divided into two levels. The first 128 bits of the message digest from the first SM3 operation on the PIN code are the first-level key, and the randomly generated SM2 private key and SM4 symmetric key are the second-level keys. The first-level key encrypts the second-level keys and the resulting key ciphertexts are stored; whenever a second-level key is needed, its ciphertext is first retrieved and decrypted with the first-level key before it can be used.
Further, the flow of encryption/decryption and of digital signing/verification is as follows:
in the encryption card, the plaintext is first encrypted with SM4 to produce the ciphertext; the SM3 algorithm then produces a message digest of the ciphertext; the message digest is signed with SM2; finally, the digital signature is sent to the host computer together with the ciphertext;
when verifying a signature, the SM2 signature verification algorithm is first applied to the digital signature to obtain the message digest of the original ciphertext, then the message digest of the received ciphertext is computed with SM3, and the two digests are compared: if they are identical, verification succeeds, the ciphertext is decrypted with SM4 to obtain the plaintext, and the plaintext is sent to the host computer; otherwise verification fails and no decryption is performed.
Further, when the host software starts, only the control panel is shown; the user must connect the device, register (required on first use, or on first use after a reset) and log in successfully before encryption or decryption can be performed; the user can use the reset function to clear all account and key data on the encryption card.
Further, the security chip is the CE2343P7 IoT security chip from Foshan Xinzhu Microelectronics Co., Ltd.
Further, the embedded firmware program also includes a board support package, which provides the environment in which the firmware runs.
Compared with the prior art, the present invention has the following technical features:
1. The system of the present invention is first of all a hardware encryption solution comprising both a software and a hardware design, so it has all the advantages of hardware encryption. Its chief goal is to achieve clear simplicity and security in use at low cost, and it concentrates on a lightweight service that only encrypts, decrypts, digitally signs and verifies files local to a computer. Moreover, the present invention is designed entirely on the Chinese commercial cryptographic algorithms SM2, SM3 and SM4 and uses no foreign cryptographic algorithm, which is significant for national security, since the cryptographic algorithms are China's own rather than foreign; it is also significant for promoting China's domestic cryptographic algorithms, as very few, almost none, of the comparable products today are designed entirely on the national cryptographic algorithms.
2. Based on the Chinese commercial cryptographic algorithms SM2, SM3 and SM4, the present invention designs a very simple and effective two-level key management scheme that both keeps the keys secure, preventing the security threat that would arise from key theft, and is convenient for the user. It designs a very practical and secure flow for file encryption and decryption and for digital signing and verification; it designs the complete hardware circuit of the encryption card and the software that works with it; and, with lightness as the goal, it implements a simple and effective two-factor authentication scheme (the encryption card itself and the PIN code together constitute the two factors), which ensures the uniqueness of the user's identity and is convenient to use and manage.
Description of drawings
Figure 1 is the overall design framework diagram of the present invention;
Figure 2 is the schematic of the encryption card hardware circuit;
Figure 3 is the PCB diagram of the encryption card;
Figure 4 is the overall design framework diagram of the software;
Figure 5 is the interface diagram of the host computer software;
Figure 6 is the key management flow chart;
Figure 7 is the flow chart of encryption and digital signature generation;
Figure 8 is the flow chart of digital signature verification and decryption.
Detailed description
The lightweight data protection system based on the national cryptographic algorithms provided by the present invention has the following four functional requirements:
(1) Encryption and decryption. Using the national cryptographic algorithms, file data on the computer is encrypted and decrypted with dedicated hardware to keep the data secure.
(2) Digital signing and verification. After the user encrypts the file data, a corresponding digital signature is generated. Before the user decrypts the data, that signature must be verified to confirm the origin and integrity of the data, that is, to ensure the data was encrypted by the user and has not been tampered with or corrupted.
(3) User authentication. Users operating the system must be authenticated; only authenticated users can use the system to encrypt, decrypt and digitally sign data.
(4) Key management. The file encryption and decryption system must store and manage keys: the user's SM2 private key and SM4 symmetric key may only be stored inside the encryption hardware device and cannot be exported, which keeps the keys secure. The user's account information must also be managed and stored in the encryption hardware device.
The system must also meet the following two non-functional requirements:
(1) Ease of operation. A concise, easy-to-use user interface that runs stably, improving the user experience.
(2) Low cost and lightness. Reducing the cost and complexity of the design while preserving the system's security and practicality.
Overall design division:
To meet the above design requirements, the system is composed of an encryption hardware device (hereinafter the encryption card), an embedded firmware program and host computer software. The system encrypts and decrypts file data with the SM4 algorithm; it implements digital signing and verification with the SM2 algorithm in combination with SM3, meeting the requirement to verify the origin and integrity of the data; it authenticates the user by means of a user-set Personal Identification Number (PIN); it implements key management through a two-level key management mechanism in which the keys are stored encrypted in the encryption card's EEPROM; and it achieves ease of operation through a well-designed, fluent graphical user interface.
The specific design is divided as follows:
(1) Design the hardware circuit of the encryption card.
(2) Design the embedded firmware program of the encryption card: write the card's program against the hardware resources and board-level development kit of the chosen main control security chip, implementing data encryption and decryption, digital signing and verification, key management, identity authentication and the other functions.
(3) Design host computer software with a graphical user interface that works with the encryption card and is convenient for the user to operate.
According to the above overall division, the system is composed of hardware and software; the specific design framework is shown in Figure 1.
Hardware circuit design of the encryption card:
In keeping with the low-cost, lightweight design goals, the encryption card uses a security chip as its main control chip, and the same chip performs the encryption and decryption computations. Both data communication and circuit power supply are provided through the USB interface. The hardware circuit of the encryption card consists of the following six parts:
(1) The main control security chip, the CE2343P7 IoT security chip from Foshan Xinzhu Microelectronics Co., Ltd. It integrates a CPU with hardware acceleration cores for the national cryptographic SM2, SM3 and SM4 algorithms, a true random number generator, and communication interfaces such as a serial port and SPI.
(2) The power management module, which converts the externally supplied voltage to power the other modules.
(3) The USB-to-serial module, which carries the communication between the host computer and the security chip; the USB port also serves as the power supply.
(4) The EEPROM module, which stores the user's account and key data.
(5) The Flash module, which stores the embedded firmware program.
(6) The JTAG interface, a debugging interface used to download firmware and debug the program.
The schematic design of the encryption card hardware circuit is shown in Figure 2.
From the above circuit the PCB drawing is generated and layout and routing are designed; the final PCB drawing (front side) is shown in Figure 3. The encryption card PCB measures about 52 mm by 28 mm, a small size that is easy to carry.
Software design:
Overall software design:
The software of the system consists of the embedded firmware program and the host computer software. In actual use, the binary of the embedded firmware program is stored in the encryption card's Flash for execution by the security chip, while the host computer software runs on the host computer and communicates with the encryption card over a USB-to-serial link. The overall software design framework is shown in Figure 4.
The embedded firmware program is divided into a top-level module and a bottom-level module. The top-level module is the Main function, which mainly contains the encryption card work function. The encryption card work function connects and disconnects the device and provides users with registration, login, reset, and encryption/decryption (including digital signing and verification) services. The bottom-level module consists mainly of drivers, including drivers for the SM2, SM3 and SM4 acceleration cores, serial port and GPIO drivers, the random number generator driver, and a driver that reads and writes the EEPROM over IIC. The board support package provides the environment in which the firmware runs. The top-level module implements the complete workflow by repeatedly calling the bottom-level module.
The host computer software is implemented with MATLAB's GUIDE tool and has a concise graphical user interface divided into five panels: the control panel, login panel, encryption panel, decryption panel and file display panel. Figure 5 shows the control panel, encryption panel and file display panel at run time:
The control panel is used to configure the communication port, connect/disconnect the device and enter/exit encryption mode; the login panel provides the user login interface and shows the login status; the encryption panel selects the path of the plaintext file, the path for saving the ciphertext, the path for saving the SM2 public key and the path for saving the SM2 digital signature, and starts encryption; the decryption panel selects the path of the ciphertext file, the path of the SM2 digital signature, the path of the SM2 public key and the path for saving the plaintext file, and starts decryption; the file display panel shows the plaintext before encryption / the ciphertext after encryption, and the ciphertext before decryption / the plaintext after decryption.
When the host software starts, only the control panel is shown; the user must connect the device, register (required on first use, or on first use after a reset) and log in successfully before encryption or decryption can be performed. In addition, the user can use the reset function to clear all account and key data on the encryption card. The file display panel shows the text data before and after encryption and before and after decryption.
Key management and identity authentication scheme:
The system encrypts and decrypts data with the SM4 algorithm and performs digital signature and verification with the SM2 algorithm, so an SM4 symmetric key and an SM2 public/private key pair are necessarily generated. The keys are generated by the true random number generator in the encryption card's security chip, which ensures that they are unpredictable. To protect the security of the system and the keys, an ingenious and simple two-level key management scheme was designed, and two-factor identity authentication is adopted. The specific key management process is shown in Figure 6.
The key management process is described as follows:
Step 1: The user first registers an account on the encryption card and defines an 8-digit personal identification number (PIN), each digit in the range 0 to 9. This PIN serves both as the user's login password and for identity verification and key management.
Step 2: The encryption card performs SM3 twice in succession on the PIN, obtaining the 256-bit message digest of the first operation and the message digest of the second operation. The second message digest is then stored in the EEPROM as the reference against which the PIN is compared at later logins.
Step 3: The encryption card generates a random SM2 public/private key pair. The first 128 bits of the message digest from the first SM3 operation on the PIN are then used as a symmetric key to encrypt the SM2 private key with the SM4 algorithm; the SM2 public key is not encrypted. The SM2 public key in plaintext and the encrypted SM2 private key ciphertext are then stored in the EEPROM.
Step 4: The encryption card randomly generates an SM4 symmetric key. The first 128 bits of the message digest from the first SM3 operation on the PIN are used to encrypt this SM4 symmetric key with the SM4 algorithm. Finally, the ciphertext of the encrypted SM4 symmetric key is stored in the EEPROM.
In general, key management is divided into two levels. The first 128 bits of the message digest from the first SM3 operation on the PIN are the first-level key; the randomly generated SM2 private key and SM4 symmetric key are the second-level keys. The first-level key encrypts the second-level keys, and only the ciphertext of those keys is saved; when a second-level key needs to be used, its ciphertext is first read out and decrypted with the first-level key before it can be used.
This scheme has the following three advantages:
(1) All keys are kept secure under a lightweight design. Because SM3 is one-way, neither the first message digest nor the PIN can be derived backwards from the second message digest of the PIN.
(2) Two-factor identity authentication effectively ensures the security of the system. The user must possess both the encryption card and the PIN to use the system normally.
(3) Good user experience. The user only needs to remember an 8-digit PIN and keep the encryption card hardware safe, which is simple and convenient.
Process of encryption/decryption and digital signature/verification:
This design uses the national cryptographic algorithms SM2, SM3 and SM4 in combination. In the encryption card, the plaintext is first encrypted with SM4 to produce the ciphertext, the SM3 algorithm then produces the message digest of the ciphertext, the message digest is signed with SM2, and finally the digital signature is sent to the host computer together with the ciphertext. The whole process is shown in Figure 7.
When verifying the signature, the SM2 signature verification algorithm is first applied to the digital signature to obtain the message digest of the original ciphertext; the SM3 algorithm is then applied to the received ciphertext to obtain its message digest; the two digests are compared. If they are the same, verification succeeds, the ciphertext is decrypted with SM4 to obtain the plaintext, and the plaintext is sent to the host computer; otherwise verification fails and no subsequent decryption is performed. The whole process is shown in Figure 8.
The above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and all fall within the scope of protection of the present application.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202110747218.3A CN113420309B (en) | 2021-07-01 | 2021-07-01 | Lightweight data protection system based on national secret algorithm
Publications (2)
Publication Number | Publication Date
---|---
CN113420309A CN113420309A (en) | 2021-09-21
CN113420309B true CN113420309B (en) | 2022-05-17
Family ID: 77720043
Country Status (1)
Country | Link
---|---
CN (1) | CN113420309B (en)
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant