CN106301774B - Security chip, encryption key generation method and encryption method thereof - Google Patents

Publication number: CN106301774B
Authority: CN (China)
Prior art keywords: key, module, encryption, safety chip, root
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510288423.2A
Other languages: Chinese (zh)
Other versions: CN106301774A (en)
Inventors: 张晓楠, 涂志强
Current Assignee: Chenxin Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Chen Core Technology Co Ltd; Datang Semiconductor Design Co Ltd

Application filed by Chen Core Technology Co Ltd, Datang Semiconductor Design Co Ltd
Priority to CN201510288423.2A
Publication of CN106301774A
Application granted
Publication of CN106301774B

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention provides a security chip comprising a main processor, an external storage module and an encryption/decryption module; the encryption/decryption module comprises an algorithm module, an internal storage module and a control module. The invention places a dedicated encryption/decryption module inside the chip to manage keys and the encryption and decryption algorithms. The encryption/decryption module has a hardware random number source: a random number generated during production serves as the chip's unique root key and is stored in a separate storage area. The root key can be used only by the encryption/decryption module, and the main processor cannot read it. With the encryption key generation method and encryption method of the security chip provided by the invention, subsequent applications must use the encryption/decryption module to generate keys, and the root key automatically encrypts each generated key for storage, ensuring that the data of each terminal can be read only by that terminal and greatly improving the security of the terminal.

Description

Security chip, encryption key generation method and encryption method thereof

Technical field

The invention relates to the field of secure communication, in particular to a security chip, an encryption key generation method and an encryption method thereof.

Background art

The privacy and security shortcomings currently exposed by Apple and Samsung have opened up a potential market for domestic encrypted mobile phones. Security has quickly become the focus of domestic mobile phone manufacturers' plans and a distinguishing feature of domestic phones. Two aspects are mainly involved: first, the information security problems exposed by the Android system are receiving more and more attention; second, for reasons of national security and network security, some cities require all officials to switch to domestic-brand smartphones, which means that more organizations will join the ranks of mobile phone security in the future. Since foreign manufacturers announced their secure mobile phone strategies one after another, domestic manufacturers have moved to raise their security level and turned to the security encryption market. This is mainly because smartphone information security is attracting more and more attention from users and the industry.

The key to current secure mobile phone strategies is encryption technology, which is implemented in two main forms: software encryption and hardware encryption. Software encryption mainly targets the application layer: the password is stored in application space and the encryption algorithm is implemented in software. It is relatively easy to deploy and does not depend on specific hardware. Hardware encryption mainly relies on a hardware algorithm accelerator: the key can be stored in external storage or in the chip's eFuse. Its encryption efficiency is relatively high, and it depends on the hardware platform.

The root of encryption lies in protecting the password; if the password is leaked, the loss is immeasurable. In current commercial encrypted terminals, the key can be defined by the user or generated from a hardware random number, and it is stored in plaintext in on-chip or off-chip memory. If the terminal is rooted, malicious software can easily obtain the key. The key security of existing encryption technology is therefore still not high enough, and theft of user keys by malicious software occurs from time to time.

Summary of the invention

To solve the problems of the prior art, the present invention provides a security chip comprising a main processor, an external storage module and an encryption/decryption module; the encryption/decryption module comprises:

an algorithm module, used to generate, according to an encryption algorithm, an initial key for encrypting data;

an internal storage module containing a root key, the internal storage module being accessible only by the control module;

a control module, used to pass the root key to the algorithm module to encrypt the initial key, generating an encryption key that is stored in the external storage module; the control module is also used to pass the root key to the algorithm module to decrypt the encryption key in the external storage module and restore it to the initial key.

Optionally, the initial key comprises a public key and a private key; in the step of encrypting the initial key only the private key is encrypted, and in the step of decrypting the encryption key only the private key is decrypted.

Optionally, the algorithm module includes an RSA module, and the initial key is generated by the RSA module.

Optionally, the algorithm module includes an AES module, used to encrypt the initial key according to the root key.

Optionally, the security chip further includes a random number generation module, used to generate a random number as the root key.

Optionally, the control module includes a status register, which uses an initialization status flag to indicate that the root key has been generated.

The present invention also provides an encryption key generation method for a security chip, comprising the following steps:

the main processor sends an encryption key generation request to the encryption/decryption module;

the control module calls the algorithm module, and the algorithm module generates an initial key;

the control module passes the root key to the algorithm module, and the algorithm module encrypts the initial key, generating an encryption key that is stored in the external storage module.

Optionally, the encryption key is stored in the external storage module by the control module.

The present invention also provides an encryption method for a security chip, comprising:

performing the encryption key generation steps described above;

the main processor sends an encryption request and the data to be encrypted to the encryption/decryption module;

the control module calls the algorithm module;

the algorithm module reads the root key and the encryption key in the external storage module, decrypts the encryption key, and restores the initial key; and

the algorithm module encrypts the data with the initial key.

Optionally, the algorithm module includes a HASH module, used to compute a message digest of the encrypted data and add it to the information header of the encrypted data.

The invention provides a security chip comprising a main processor, an external storage module and an encryption/decryption module; a dedicated encryption/decryption module inside the chip manages keys and the encryption and decryption algorithms. The encryption/decryption module has a hardware random number source: a random number generated during production serves as the chip's unique root key and is stored in a separate storage area. The root key can be used only by the encryption/decryption module, and the main processor cannot read it. Subsequent applications must use the encryption/decryption module to generate keys, and the root key automatically encrypts each generated key (or, for an asymmetric algorithm, the private key) for storage, ensuring that the data of each terminal can be read only by that terminal and greatly improving the security of the terminal.

Brief description of the drawings

FIG. 1 is a schematic structural diagram of the security chip according to an embodiment of the present invention.

FIG. 2 is a schematic diagram of the encryption key generation method, shown on the security chip structure, according to an embodiment of the present invention.

FIG. 3 is a schematic diagram of the encryption method, shown on the security chip structure, according to an embodiment of the present invention.

Detailed description

The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments. Its advantages and features will become clearer from the following description and the claims. Note that the drawings are in a very simplified form and not to precise scale; they serve only to illustrate the embodiments of the invention conveniently and clearly.

As shown in FIG. 1, the security chip of the present invention comprises a main processor 100, an external storage module 200 and an encryption/decryption module 300; the encryption/decryption module 300 comprises:

an algorithm module 320, used to generate, according to an encryption algorithm, an initial key for encrypting data;

an internal storage module 330 containing a root key, the internal storage module 330 being accessible only by the control module 310;

a control module 310, used to pass the root key to the algorithm module 320 to encrypt the initial key, generating an encryption key that is stored in the external storage module 200; the control module 310 is also used to pass the root key to the algorithm module 320 to decrypt the encryption key in the external storage module 200 and restore it to the initial key.

The algorithm module 320 may contain several specific encryption algorithms, for example an RSA module 322 that generates the initial key. In this case the initial key generated by the RSA module 322 is a key pair consisting of a public key and a private key; in the step of encrypting the initial key only the private key is encrypted, and in the step of decrypting the encryption key only the private key is decrypted.

The algorithm module 320 also contains, for example, an AES module 325, used to encrypt the initial key according to the root key to generate the encryption key. As stated above, in this embodiment only the private key is encrypted in the step of encrypting the initial key.

When the security chip of the present invention is produced, the initialization process of the encryption/decryption module 300 is carried out to generate the above root key and store it in the internal storage module 330. The control module 310 includes a status register, which uses an initialization status flag to indicate that the root key has been generated and stored in the internal storage module 330; the control module 310 further includes a random number generation module (RNG module 321), used to generate a random number as the root key.

The specific initialization steps of the encryption/decryption module 300 are as follows:

(1) The main processor 100 sends an instruction to the encryption/decryption module 300 to read the status register (state_register) of the control module 310 and query whether the encryption/decryption module 300 has been initialized; if initialization is complete, go to (4), otherwise go to (2);

(2) The encryption/decryption control module triggers the RNG module 321 to produce a random number of the specified number of bits as the chip's unique root key (RootKey), which is saved in the internal storage module 330; the internal storage module 330 can be accessed only by the control module 310;

(3) The initialization status flag is written to the status register (state_register); this flag can be written only once;

(4) An initialization-complete indication is returned to the main processor 310, and the process ends.
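
The four initialization steps, modelled as an added example (not code from the patent): the write-once flag is set only after the root key is stored, so an RNG fault leaves the module uninitialized and a repeated init command never replaces the key. The class and method names, the 32-byte key width and the injected fault are assumptions.

```python
import secrets


class EncDecModule:
    """Hypothetical model of the initialization path of the encryption/decryption module."""

    ROOT_KEY_BYTES = 32  # assumed width; the text only says "the specified number of bits"

    def __init__(self, rng=secrets.token_bytes):
        self._rng = rng              # stands in for the RNG module
        self._root_key = None        # internal storage module; no method returns it
        self._state_register = 0     # 0 = not initialized, 1 = initialized

    def read_state_register(self) -> int:
        # Step (1): the only initialization state visible to the main processor.
        return self._state_register

    def _write_state_flag(self) -> None:
        # Step (3): the flag is write-once, so a second write is refused.
        if self._state_register:
            raise PermissionError("state_register already written")
        self._state_register = 1

    def handle_init_command(self) -> str:
        if not self._state_register:
            key = self._rng(self.ROOT_KEY_BYTES)      # step (2): trigger the RNG
            if len(key) != self.ROOT_KEY_BYTES:
                raise RuntimeError("RNG returned a short key")
            self._root_key = key                      # store before flagging
            self._write_state_flag()                  # step (3)
        return "INIT_DONE"                            # step (4)


def provisioning_trace() -> dict:
    """Run a constructed production sequence: one RNG fault, then repeated init commands."""
    calls = []

    def flaky_rng(n: int) -> bytes:
        calls.append(n)
        if len(calls) == 1:
            raise OSError("entropy source not ready")  # constructed fault
        return secrets.token_bytes(n)

    chip = EncDecModule(rng=flaky_rng)
    try:
        chip.handle_init_command()
    except OSError:
        pass
    after_fault = (chip.read_state_register(), chip._root_key)

    chip.handle_init_command()       # retry succeeds and sets the flag
    first_key = chip._root_key
    chip.handle_init_command()       # repeated command must not re-key the chip
    return {
        "after_fault": after_fault,
        "state": chip.read_state_register(),
        "rng_calls": len(calls),
        "key_stable": chip._root_key is first_key,
    }


if __name__ == "__main__":
    print(provisioning_trace())
```

Replacing the root key after initialization would make every key already wrapped under it unrecoverable, which is why the repeated command is checked.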

The present invention also provides an encryption key generation method for the above security chip, comprising:

the main processor 100 sends an encryption key generation request to the encryption/decryption module 300;

the control module 310 calls the algorithm module 320, so that the algorithm module 320 generates an initial key;

the control module 310 passes the root key to the algorithm module 320, and the algorithm module 320 encrypts the initial key, generating an encryption key that is stored in the external storage module 200.

The encryption key is stored in the external storage module 200 by the control module 310.

When the security chip is used in a specific electronic device such as a mobile phone, it is controlled by an application on the phone. The encryption key generation method of the security chip is described in detail below using one embodiment. Following the arrows in FIG. 2, the steps of the method are:

(1) The application sends a command requesting key generation, setting the type of key to generate and the parameter for storing it on-chip or off-chip;

(2) The driver encapsulates the data according to the application's encryption key generation request and sends it through the main processor 100 to the encryption/decryption control module 200;

(3) The control module 310 receives the request instruction, parses it, determines the format of the requested key and calls the corresponding algorithm module; for an RSA key pair, for example, it calls the RSA module 322;

(4) The RSA module 322 generates a key pair, a public key (public_key) and a private key (private_key), and returns the key pair to the control module 310;

(5) The control module 310 receives the key pair, calls the AES module 325, reads the root key (root_key) from the internal storage module 330 and passes it to the AES module 325; the AES module 325 encrypts the private key (private_key) with the root key (root_key) and returns the encrypted key to the control module 310;

(6) The control module 310 stores the generated public key and the encrypted private key in the external storage module 200, returns the request result to the main processor 100, and notifies the main processor 100 to read the public key and the encrypted private key.

The present invention also provides an encryption method for the above security chip, comprising:

first performing the encryption key generation steps described above;

then, the main processor 100 sends an encryption request and the data to be encrypted to the encryption/decryption module 300;

the control module 310 calls the algorithm module 320;

the algorithm module 320 reads the root key and the encryption key in the external storage module 200, decrypts the encryption key, and restores the initial key;

the algorithm module 320 encrypts the data with the initial key.

Here the algorithm module 320 includes a HASH module 323, used to compute a message digest of the encrypted data and add it to the information header of the encrypted data.

The encryption method of the security chip is described in detail below using one embodiment. Following the arrows in FIG. 3, the specific steps of the method are:

(1) The application sends an encryption request for data (a file);

(2) The driver receives the request, encapsulates the data, and sends the encryption request through the main processor 100 to the control module 310;

(3) The control module 310 parses the encryption request and receives the previously generated encryption key and the data (file) information;

(4) The AES module 325 is called, the root key (root_key) is read from the internal storage module 330, and the received key is decrypted to restore the generated private key (private_key);

(5) The RSA module 322 is called, and the restored private key (private_key) is used to encrypt the data (file), generating the encrypted data information and ensuring the confidentiality of the data;

(6) The HASH module 323 is called to compute a message digest of the data (file) according to the request information and add it to the header of the encrypted data information, ensuring the integrity of the data;

(7) The data encryption result is returned to the main processor 100.
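
The key generation and encryption flows above share one mechanism: the initial key exists in plaintext only inside the module and reaches external storage wrapped under the root key. The sketch below is an added example, not code from the patent; its class and function names are hypothetical, a 32-byte symmetric initial key replaces the RSA key pair, an HMAC-SHA256 keystream stands in for the AES module, and the integrity tag on the wrapped key and the decrypt path are assumptions the patent does not describe.

```python
import hashlib
import hmac
import secrets


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the AES module: XOR with an HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class CryptoModule:
    """Hypothetical model of the encryption/decryption module (300)."""

    def __init__(self):
        # Internal storage module: the root key has no getter and never leaves the object.
        self.__root_key = secrets.token_bytes(32)

    def _wrap(self, initial_key: bytes) -> bytes:
        enc_key, mac_key = _tag(self.__root_key, b"enc"), _tag(self.__root_key, b"mac")
        nonce = secrets.token_bytes(16)
        body = nonce + _stream_xor(enc_key, nonce, initial_key)
        return body + _tag(mac_key, body)        # assumed integrity tag, not in the patent

    def _unwrap(self, blob: bytes) -> bytes:
        enc_key, mac_key = _tag(self.__root_key, b"enc"), _tag(self.__root_key, b"mac")
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, _tag(mac_key, body)):
            raise ValueError("wrapped key does not belong to this chip")
        return _stream_xor(enc_key, body[:16], body[16:])

    def generate_key(self, external_storage: dict, slot: str) -> None:
        """Key generation flow: only the wrapped form reaches external storage."""
        external_storage[slot] = self._wrap(secrets.token_bytes(32))

    def encrypt(self, external_storage: dict, slot: str, data: bytes) -> bytes:
        """Encryption flow: unwrap, encrypt, then prepend the digest of the ciphertext."""
        initial_key = self._unwrap(external_storage[slot])
        nonce = secrets.token_bytes(16)
        ciphertext = nonce + _stream_xor(initial_key, nonce, data)
        # HASH module: an unkeyed digest detects corruption, not deliberate modification.
        return hashlib.sha256(ciphertext).digest() + ciphertext

    def decrypt(self, external_storage: dict, slot: str, message: bytes) -> bytes:
        """Assumed counterpart of encrypt(): check the header digest, unwrap, decrypt."""
        digest, ciphertext = message[:32], message[32:]
        if not hmac.compare_digest(digest, hashlib.sha256(ciphertext).digest()):
            raise ValueError("message digest mismatch")
        initial_key = self._unwrap(external_storage[slot])
        return _stream_xor(initial_key, ciphertext[:16], ciphertext[16:])


def demo() -> dict:
    chip_a, chip_b = CryptoModule(), CryptoModule()
    flash = {}                       # external storage module, readable by any software
    chip_a.generate_key(flash, "app_key")
    message = chip_a.encrypt(flash, "app_key", b"constructed sample record")
    results = {
        "blob_len": len(flash["app_key"]),   # 16-byte nonce + 32-byte key + 32-byte tag
        "same_chip": chip_a.decrypt(flash, "app_key", message),
    }
    try:
        chip_b.decrypt(flash, "app_key", message)   # blob and message copied to another chip
        results["other_chip"] = "decrypted"
    except ValueError as err:
        results["other_chip"] = str(err)
    corrupted = message[:-1] + bytes([message[-1] ^ 1])
    try:
        chip_a.decrypt(flash, "app_key", corrupted)
        results["corrupted"] = "decrypted"
    except ValueError as err:
        results["corrupted"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Without the assumed tag, a second chip would unwrap the copied blob to a wrong key and return unreadable output instead of an error; the data stays protected either way because that chip holds a different root key.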

This invention designs a security mechanism by improving on existing chips: the chip contains a dedicated encryption/decryption module that manages keys and the encryption and decryption algorithms. The encryption/decryption module has a hardware random number source: a random number generated during production serves as the chip's unique root key and is stored in a separate storage area. The root key can be used only by the encryption/decryption module, and the main processor cannot read it. Subsequent applications must use the encryption/decryption module to generate keys, and the root key automatically encrypts each generated key (or, for an asymmetric algorithm, the private key) for storage, ensuring that the data of each terminal can be read only by that terminal and greatly improving the security of the terminal.

The core of the present invention is that a dedicated encryption/decryption module manages keys and encryption algorithms in one place. Each chip has a unique root key, and every generated key is encrypted by that root key for storage, which keeps the key confidential. Automatic encryption is also used to protect the key against malicious software attacks. In addition, both data encryption and message digest computation are completed inside the dedicated encryption/decryption module, which strengthens the security of the data.

The encryption strategy of the security chip of the present invention compares with existing encryption strategies as follows:

In summary, with the encryption method of the security chip of the present invention, keys and encryption algorithms are managed by a dedicated encryption/decryption module, which greatly improves the security of the key and prevents malicious software from stealing the user's key.

Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (10)

1. A security chip, characterized by comprising a main processor, an external storage module and an encryption/decryption module; the encryption/decryption module comprises:
an algorithm module, used to generate, according to an encryption algorithm, an initial key for encrypting data;
an internal storage module containing a root key, the internal storage module being accessible only by the control module;
a control module, used to pass the root key to the algorithm module to encrypt the initial key, generating an encryption key that is stored in the external storage module; the control module is also used to pass the root key to the algorithm module to decrypt the encryption key in the external storage module and restore it to the initial key.
2. The security chip according to claim 1, characterized in that the initial key comprises a public key and a private key; in the step of encrypting the initial key only the private key is encrypted, and in the step of decrypting the encryption key only the private key is decrypted.
3. The security chip according to claim 1, characterized in that the algorithm module includes an RSA module, and the initial key is generated by the RSA module.
4. The security chip according to claim 1, characterized in that the algorithm module includes an AES module, used to encrypt the initial key according to the root key.
5. The security chip according to claim 1, characterized by further comprising a random number generation module, used to generate a random number as the root key.
6. The security chip according to claim 1, characterized in that the control module includes a status register, which uses an initialization status flag to indicate that the root key has been generated.
7. An encryption key generation method for the security chip according to any one of claims 1 to 6, characterized by comprising:
the main processor sends an encryption key generation request to the encryption/decryption module;
the control module calls the algorithm module, and the algorithm module generates an initial key;
the control module passes the root key to the algorithm module, and the algorithm module encrypts the initial key, generating an encryption key that is stored in the external storage module.
8. The encryption key generation method for a security chip according to claim 7, characterized in that the encryption key is stored in the external storage module by the control module.
9. An encryption method for a security chip, characterized by comprising:
performing the encryption key generation steps according to any one of claims 7 to 8;
the main processor sends an encryption request and the data to be encrypted to the encryption/decryption module;
the control module calls the algorithm module;
the algorithm module reads the root key and the encryption key in the external storage module, decrypts the encryption key, and restores the initial key; and
the algorithm module encrypts the data with the initial key.
10. The encryption method for a security chip according to claim 9, characterized in that the algorithm module includes a HASH module, used to compute a message digest of the encrypted data and add it to the information header of the encrypted data.
CN201510288423.2A 2015-05-29 2015-05-29 Security chip, encryption key generation method and encryption method thereof Active CN106301774B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510288423.2A CN106301774B (en) 2015-05-29 2015-05-29 Security chip, encryption key generation method and encryption method thereof


Publications (2)

Publication Number Publication Date
CN106301774A CN106301774A (en) 2017-01-04
CN106301774B true CN106301774B (en) 2019-08-06

Family

ID=57655467


Country Status (1)

Country Link
CN (1) CN106301774B (en)

US20150281189A1 (en) Method and apparatus for cloud-assisted cryptography
US11783091B2 (en) Executing entity-specific cryptographic code in a cryptographic coprocessor
WO2016070382A1 (en) Secure information configuration method, secure authentication method and related chip
CN110110548A (en) The correlation technique that file encryption stores under credible performing environment based on encryption chip
CN104090853A (en) Solid-state disc encryption method and system
TW201010370A (en) Integrated cryptographic security module for a network node
CN103067160A (en) Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD)
CN107078904A (en) Hybrid Cipher Key Derivation
CN112653553B (en) Internet of things equipment identity management system
US20200004696A1 (en) Techniques for multi-domain memory encryption
CN116886356A (en) A chip-level transparent file encryption storage system, method and device
CN112422279B (en) An intelligent terminal key management method and layered management system
CN108574567A (en) Privacy file protection and encryption key management system and method, information processing terminal
US20210111901A1 (en) Executing entity-specific cryptographic code in a trusted execution environment
CN115714973A (en) Trusted computing based data security reinforcement method and device for 5G mobile terminal
CN111542050A (en) A TEE-based method for ensuring the security of remote initialization of virtual SIM cards
CN105871866A (en) System and method for password management based on computer hardware information
CN118898081B (en) File encryption method and system based on CP-ABE and USBKEY
CN103312500B (en) A kind of method protecting intelligent code key information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170104

Assignee: Shanghai Li Ke Semiconductor Technology Co.,Ltd.

Assignor: LEADCORE TECHNOLOGY Co.,Ltd.

Contract record no.: 2018990000159

Denomination of invention: Security chip, encryption secret key generation method thereof and encryption method

License type: Common License

Record date: 20180615

TA01 Transfer of patent application right

Effective date of registration: 20180827

Address after: 201206 Pudong New Area, Shanghai, China (Shanghai) free trade pilot area, 1258 A406 3 fourth story room.

Applicant after: Chen core technology Co.,Ltd.

Applicant after: DATANG SEMICONDUCTOR DESIGN Co.,Ltd.

Address before: 200233 4 building, No. 333, No. 41, Qinjiang Road, Shanghai, Xuhui District

Applicant before: LEADCORE TECHNOLOGY Co.,Ltd.

Applicant before: DATANG SEMICONDUCTOR DESIGN Co.,Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221123

Address after: 201206 Shanghai Pudong New Area free trade pilot area 1258 moon 3 building fourth floor A406 room

Patentee after: Chen core technology Co.,Ltd.

Patentee after: Chenxin Technology Co.,Ltd.

Address before: 201206 Pudong New Area, Shanghai, China (Shanghai) free trade pilot area, 1258 A406 3 fourth story room.

Patentee before: Chen core technology Co.,Ltd.

Patentee before: DATANG SEMICONDUCTOR DESIGN Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 201206 Shanghai Pudong New Area free trade pilot area 1258 moon 3 building fourth floor A406 room

Patentee after: Chen core technology Co.,Ltd.

Patentee after: Chenxin Technology Co.,Ltd.

Address before: 201206 Shanghai Pudong New Area free trade pilot area 1258 moon 3 building fourth floor A406 room

Patentee before: Chen core technology Co.,Ltd.

Patentee before: Chenxin Technology Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20241021

Address after: Room 102, Building 16, No. 1699, the Pearl River Road, Huangdao District, Qingdao, Shandong 266499

Patentee after: Chenxin Technology Co.,Ltd.

Country or region after: China

Address before: 201206 Shanghai Pudong New Area free trade pilot area 1258 moon 3 building fourth floor A406 room

Patentee before: Chen core technology Co.,Ltd.

Country or region before: China

Patentee before: Chenxin Technology Co.,Ltd.
