CN102693385A - Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof - Google Patents
Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof Download PDFInfo
- Publication number
- CN102693385A CN102693385A CN2012101683181A CN201210168318A CN102693385A CN 102693385 A CN102693385 A CN 102693385A CN 2012101683181 A CN2012101683181 A CN 2012101683181A CN 201210168318 A CN201210168318 A CN 201210168318A CN 102693385 A CN102693385 A CN 102693385A
- Authority
- CN
- China
- Prior art keywords
- calculation modules
- creditable calculation
- embedded
- embedded system
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses an embedded terminal based on an SD (secure digital) trusted computing module and an implementation method thereof. The trusted module, serving as a card, is internally installed in the embedded terminal and is more suitable for a terminal of an embedded system than an external USB (universal serial bus) interface device. According to the scheme, under the conditions that a hardware structure of the system is not changed and extra hardware is not added, the implementation method is achieved only by upgrading a storage component of the system, namely an SD card, and upgrading of trusted computing of the embedded system can be achieved by upgrading software, operation environment and data of the embedded system are protected, and personal identification of an embedded device is provided. The SD card is widely applicable, so that the embedded terminal based on the SD trusted computing module can be widely applied to various handheld information safety devices, handheld financial terminals and the like, is easy to implement and has promising application prospect.
Description
Technical field
The present invention relates to trusted terminal and its implementation, be applied in the embedded system.
Background technology
The develop rapidly that with the mobile phone is the embedded system technology of typical case's representative is that popular life has brought huge facility; Business such as mobile office, Mobile banking flourish will be original in the application extension of moving on the desktop computer to mobile device, become one of the swiftest and the most violent direction of development in the built-in field.Simultaneously, the security of system problem of portable terminal such as mobile phone also becomes more and more important.Assault, virus overflowing make the safety problem of embedded system seem particularly severe.
Wherein the former finger desk-top computer of desktop computer is afterwards made a general reference personal computer.
Trusted Computing (Trusted Computing) is meant and in calculating and communication system, is widely used based on the credible calculating platform under the hardware security module support; To improve the security of entire system; Defer to TCG (Trusted Computing Group, Trusted Computing tissue) standard.Trusted Computing is considered to solve an important technology of computer environment safety problem, can be from the safety of many aspects such as the clean boot of system, identity discriminating, data encryption protection computer system.
In table top computer system; To Trusted Computing, Chinese current employing be on computer motherboard, to add TCM (Trusted Cryptography Module, credible password module) module with the autonomous property right of China; Pass through LPC (Low Pin Count between TCM module and the processor bus; Low pin count) interface connects with swap data, realizes functions such as clean boot, identity discriminating, data encryption, can solve the security of system problem of desktop computer.
List of references: " Trusted Computing ", English name " Apractical Guide to Trusted Computing ", the author:: DavidChallener (U.S.) RyanCatherman (U.S.) etc., China Machine Press, on January 1st, 2009.
The TCM standard is released by some IT enterprises in the United Nations of national Password Management office (full name country commercial cipher management office), is a kind of safety chip, can effectively protect PC, prevents that the disabled user from visiting computer.
On Dec 20th, 2007; Association, with the side, in 12 tame PC, software, chip cartels such as emerging integrated circuit, Founder held " make Chinese information security DNA---the autonomous Trusted Computing product associating news conference of China ", first chip that meets the TCM standard of the whole world is born.
Differentiation along with the fast development and the user's request of infotech has also proposed new requirement to present computer security technology, and single technological means can not satisfy the demand of present protecting information safety.Present security computer technology is implemented in hardware aspect and mainly comprises Smart card intelligent safety system, the chip embedded security system of TPM (Trusted Platform Module, reliable platform module), the two net of hard disk isolation technology etc.; Aspect software, comprise a security system and a key restore funcitons etc.These technology all have relative merits separately at present, and many technical application combine, and complement each other and could realize real effectively protection.
Industry experts representes, as a system independently, the TPM chip is positioned at the bottom of PC system on framework, be independent of operating system, and the program in the chip of being solidificated in also can guarantee the inherently safe of TPM chip.The TPM chip is safety why, and maximum advantage is to store and to encrypt data, key file through hardware algorithm.
TPM is actually a little system on a chip that contains crypto-operation parts and memory unit, is made up of parts such as CPU, storer, I/O, crypto-operation device, tandom number generator and embedded OSs.
The LPC interface is a kind of new interface standard that replaces conventional I SA BUS that Intel announced on September 29th, 1997, and the mode to open for free and to authorize, and supplies industry to adopt.
Fast development along with embedded system; On embedded system, realize the Trusted Computing ever more important that also becomes; But the Trusted Computing of desktop can not directly be indiscriminately imitated embedded system, and the Trusted Computing of embedded system does not also have unified standard to follow at present.
The subject matter that exists at present comprises:
1. power problems: the TCM module realizes that towards the desktop design real-time encryption and decryption of data will have a strong impact on the stand-by time of system in embedded system, and this is unacceptable in embedded system.
2. interface problem: TCM is connected with processor bus through the LPC interface, but in embedded device, does not have the LPC interface, connects TCM module and processor if desired, need add an interconnecting device therebetween, carries out the conversion of host-host protocol.Also there is manufacturer that I2C (Inter-Integrated Circuit) is provided in the TCM module interface; Enable to be suitable for Embedded Application; But I2C is a kind of serial data transport protocol of low speed, and speed can only reach 400Kbps, can not reach the requirement of high-performance embedded system.
3. data storage problem: in desktop system, general data such as operating system and application program are to be stored in hard disk or the solid state hard disc, and the TCM module is just used as the engine of important information such as storage key and encryption and decryption; But in embedded system; General data much is to be stored in the SD card; Consider the requirement of embedded system volume compact; If be integrated into the storage of the storage of important informations such as key storage, encryption and decryption engine and general data in the equipment, reduce volume and cost, promote integrated level and reliability, will be very important to embedded system.The creditable calculation modules of employing USB interface solves the problem of Trusted Computing in the Embedded Application that has; But this module can only have been stored important informations such as key; And under the more and more littler situation of built-in terminal volume, through the very inconvenience of the external module of USB interface.
Summary of the invention
Based on the situation of embedded system Trusted Computing, the present invention proposes a kind of built-in terminal and implementation method based on the SD creditable calculation modules, improves the applicability of Trusted Computing on built-in terminal, and is convenient to the upgrading of the Trusted Computing at terminal.
In order to realize goal of the invention of the present invention; A kind of built-in terminal according to one aspect of the present invention based on the SD creditable calculation modules; Comprise the embedded system that contains embedded microprocessor and peripherals, and based on the SD card encapsulation and the SD creditable calculation modules of communicating by letter with said embedded system through the SD control interface;
Wherein, the SD creditable calculation modules contains embedded stone, communicates by letter with said embedded system with the interface command that control operation Chip Operating System is reserved through the SD agreement of expansion.
Implementation method according to a kind of built-in terminal based on the SD creditable calculation modules of another aspect of the present invention; It is characterized in that; Creditable calculation modules based on the SD card by individual packages; The embedded stone that contains through the SD creditable calculation modules, control operate in Chip Operating System on the SD card according to the reservation order and the embedded system interface of the SD agreement of expansion.
Based on such scheme of the present invention, a kind of built-in terminal framework based on the SD creditable calculation modules has been proposed, trusted module is built in the built-in terminal as card, is connected on outside USB interface equipment than needs and is more suitable in embedded system terminal.Scheme based on the SD creditable calculation modules can not change system hardware structure; Do not increase under the situation of additional hardware; Only through the memory unit of upgrade-system, just the SD card is realized, and can realize the Trusted Computing upgrading of embedded system through the mode of software upgrading; Running environment, data to built-in terminal are protected, and provide the identity of embedded device to differentiate.Because the broad applicability of SD card can be widely used in various hand-held information safety devices, hand-held financial terminal etc. based on such scheme of the present invention, and easy to implement, has a good application prospect.
Description of drawings
Fig. 1 is a kind of structural drawing based on the built-in terminal of SD creditable calculation modules
Fig. 2 is a kind of SD creditable calculation modules structural drawing.
Fig. 3 is a kind of SD creditable calculation modules partition holding structure.
Embodiment
Below with a specific embodiment implementation process of the present invention is described, but the present invention is not limited only to this embodiment.Content of the present invention contain anyly on core content of the present invention, make an amendment, the various schemes of equivalence, replacement.
Shown in accompanying drawing 1, critical piece comprises based on the built-in terminal of trusted module:
1. CPU: central processing unit, the operating system and the application software of operation embedded system are carried out task scheduling, realize the control function of embedded system;
2. storer: comprise ROM, RAM, FLASH, wherein ROM is used to store the start-up code that can not revise, and RAM is used for the variable of storage running, and FLASH is used for stored programme or data;
3. IO interface: be used to realize peripheral access and control;
4. SD creditable calculation modules: realize each item function of Trusted Computing, and can carry out data encrypting and deciphering storage and read operation in real time.
In the SD creditable calculation modules, comprise the various functional modules of supporting Trusted Computing so, through the interface of following content completion, in detail shown in accompanying drawing 2 with embedded system.
The SD creditable calculation modules is the set of hardware and firmware, provides cryptographic algorithm to support and Large Volume Data safety storing function.Trusted module adopts independently packing forms, and like the SD card, the form of mini SD card and TF card (T-Flash claims microSD again) adapts to the demand of different embedded system terminal.
The SD creditable calculation modules adopts the cryptographic algorithm of national Password Management office, and the basic composition structure is shown in accompanying drawing 2.
1. SD control interface: the input and output hardware interface of trusted module provides the resource access to creditable calculation modules; IO interface and embedded system interface through embedded system.
2. tandom number generator: be the unit that generates random number, the random number that is generated is necessary for true random number, and satisfies national commercial cipher random number and detect requirement, for follow-up authentication provides the basis;
3. execution engine: the computing performance element of SD creditable calculation modules, be generally embedded type CPU nuclear, the last operation of CPU Chip Operating System (COS, Chip Operating System) provides interface through COS for the external reference trusted module.
COS in the creditable calculation modules is responsible for the various resources in the dispatching management module, and embedded system provides cryptographic service, realizes each item function of Trusted Computing.APDU between built-in terminal and the trusted module (Application Protocol Data Unit Application Protocol Data Unit) transmits through the data field of SD protocol extension order.
4. nonvolatile memory: the storage unit of storage permanent data, said permanent data comprises important informations such as key, identity; Can also deposit general data such as program, service data.Flash memory space in two types of data sharing SD cards, store with the mode of partition management in the space in the card, need not to increase new storage medium for password.
5. volatile memory: the storage unit of ephemeral data during the creditable calculation modules operation.
6. SM2 elliptic curve cryptography engine: produce the SM2 key to the unit of carrying out SM2 enciphering/deciphering, signature computing; Its key bit length is m (m=256).The SM2 algorithm that this programme adopts, its key bit length is m (m=256).The SM2 algorithm is forgiven: systematic parameter, key are to generation, Digital Signature Algorithm (SM2-1), IKE (SM2-2) and AES (SM2-3) totally five parts.
7. SM3 engine: the unit of carrying out the hash computing; For given length is the message of k (k < 264), SM3 cryptographic hash algorithm through filling, iteration compression and choosing cut out, and generates Hash Value.Through pretreated message block length is 512 bits, and the Hash Value length that this standard is selected for use is 256 bits.
SM3 cryptographic hash algorithm also is the commercial algorithm of national Password Management office establishment, is used for digital signature and checking, the generation of message authentication code and the generation of checking and random number that password is used, can satisfy the demand for security of multiple password application.
8. SMS4 engine: the unit of carrying out the symmetric cryptography computing; This programme symmetric cryptographic algorithm is SMS4.This algorithm is a grouping algorithm, and the block length of this algorithm is 128 bits, and key length is 128 bits.AES and key schedule all adopt 32 to take turns the nonlinear iteration structure.Decipherment algorithm is identical with the structure of AES, is the use reversed in order of round key, and the decryption round key is the backward of encryption round key.
The SMS4 algorithm is a grouping algorithm, in such as " mapping and cryptographic applications thereof fully ", introduction is arranged all.
9. HMAC (keyed-Hash Message Authentication Code; The Hash operation message authentication code that key is relevant) engine: based on the calculating message authentication code element of SM3 engine; Utilize cryptographic hash algorithm SM3; Producing length for the secret information of given message and checking shared by both parties is that (t is the length of Message Authentication Code for the Message Authentication Code of t byte; Be not less than 16 bytes, be not more than 32 bytes), the Message Authentication Code production process adopts the Message Authentication Code production process among the FIPS PUB 198.
HMAC utilizes hash algorithm, is input with a key and a message, generates an eap-message digest as output.The HMAC engine provides HMAC computing effect:
(1) authorization data and the verify data of checking TPM acceptance;
(2) confirm that the command request that TPM receives is the request of having authorized, and order was not changed in the process that transmits.
Definition HMAC needs an encryption with hash function (being expressed as H, can be MD5 or SHA-1) and a key K.We represent the byte number of data block with B.(the partition data piece word length B=64 of the above hash function of mentioning) representes the output data byte number (L=16 among the MD5, L=20 among the SHA-1) of hash function with L.The length of authentication key can be any positive integer value smaller or equal to the data block word length.If the key length that uses in the application program is bigger than B, then at first with using hash function H to act on it, L length character string conduct actual key that uses in HMAC of exporting with H then.Generally speaking, the minimum key K length of recommendation is L byte.
The core content of above-mentioned built-in terminal based on the SD creditable calculation modules is to propose a kind of creditable calculation modules of realizing based on the SD card; In this terminal, adopt creditable calculation modules based on the SD interface, realize the function of embedded Trusted Computing; Simultaneously with the high capacity storage space subregion of SD card; On the same card, realize that important information such as key stores with the general data subregion and need not extra memory device, this SD card is a creditable calculation modules; Realize the storage and the encryption and decryption engine function of important informations such as key, realize the encryption memory function of general data simultaneously.
Communicate by letter between built-in terminal and the trusted module and realize through the reservation order of expansion SD agreement.According to the standard of SD agreement, the user can be self-defined explosion command realize new function, these new orders are that the memory command common with SD can not conflict to the replenishing of stereotyped command in the SD standard.Therefore this programme is deferred to the standard design of SD agreement, and the memory function of common SD card can not be affected.
The storage space of SD creditable calculation modules is the flash memory device in the module, need not extra non-volatile storage space, and its flash memory space distributes like accompanying drawing 3, is divided into service area, key district and file system area.Service area is that SD Ka Nei system reserves; Be used to store the configuration information of SD card flash memory and the reserved block of bad piece; Configuration information writes the instrument burning by special-purpose flash memory in the trusted module production run; By drive software management in the trusted module, this content was conventional SD card production run after burning was accomplished, and was not that this programme is set forth emphasis.The key district is used to deposit key, identity information etc.File system area is used for the store data file.
In three subregions; Having only file system area is visible to the operating system of embedded system, and to not supporting the embedded system of Trusted Computing, trusted module shows as common SD card; To supporting the embedded system of Trusted Computing, can pass through SD explosion command access key district and file system area.
The SD creditable calculation modules is that built-in terminal provides generation random number, signature, integrity measurement, data encryption feature.
Random number produces based on the true random number generating module in the SD creditable calculation modules; Random number is the basis of authentication between embedded device and the trusted module, and embedded device and trusted module carry out the encryption and decryption computing in order to confirm the other side's identity legitimacy to same random number.Guarantee that based on the ID authentication mechanism of true random number key under any circumstance can only conduct interviews through the mode that encryption and decryption is unified random number and can not guaranteed the security of key by the direct read access of external entity.
The SD creditable calculation modules adopts crypto module key (EK) to identify its identity; Authorize down SD creditable calculation modules owner; Right at SM2 key of the inner generation of trusted module, as trusted module identity key (MIK), be used for the information of inside modules is carried out digital signature; Realize trusted module authentication and trusted module integrity report, thereby confirm the credibility of trusted module internal data to the outside.The crypto module key by a trusted party signature, is guaranteed its credibility before trusted module uses, be used to set up the one-to-one relationship of crypto module key and credible password module.Suppose that M is a message, KPRI-S and KPUB-S are respectively the private key and the PKIs of a pair of identity key (MIK) of trusted module.Trusted module is encrypted message M with KPRI-S; Obtain KPRI-S{M}; And KPRI-S{M} sent to the embedded device of appointment; This embedded device is deciphered the KPRI-S{M} that obtains with KPUB-S, obtain message M, and promptly provable message M is that trusted module authentication secret key and private key is the embedded device transmission of KPRI-S.
Integrity measurement is meant that the process of the metric computing metric of calculating unit is to carry out the process of hash computing.The data of hash computing input should be can characterizing by the data of tolerance person's characteristic of tolerance person's appointment, are defined as parts.
The Hash Value of hash computing output is by tolerance person's integrity measurement value.Tolerance person should charge to metric among the PCR (platform configuration register) of appointment in the trusted module.The way of charging to is: new PCR value=cryptographic hash algorithm (former PCR value || metric), || symbolic representation two segment datas are stitched together and form the operation of one piece of data.Hash algorithm in trusted module is SM3, and input message block length is 512 bits, and the Hash Value length of gained is 256 bits.Trusted module is charged to metric in the credible password module in the corresponding platform configuration register (PCR).If each the parts integrity measurement value in parts sequence is stored among the same PCR, then adopt the compression memory mode, promptly begin from first parts; Existing storing value splicing with this parts integrity measurement value and target P CR; Carry out the hash computing, then the gained result is stored among this PCR again, and the like; After the integrity measurement value storage operation of last parts was accomplished, income value was this parts sequence and stores the integrity measurement value among the PCR into.
Can confirm the integrality of each parts of embedded system through the operation of integrity measurement.If value and expected results that parts integrity measurement is stored among the PCR are not inconsistent, then represent the destroy integrity of these parts, security of system is encroached on, and embedded system will get into exception handler, attempt recovering these parts or logging off.
Data encrypting and deciphering adopts symmetric cryptographic algorithm SMS4 to realize.When carrying out the encryption and decryption operation in credible password module inside, need to specify key through order, data packet length is 128 bits, and key length is 128 bits.
The command interaction of SD creditable calculation modules and embedded system carries out based on the explosion command of SD agreement; Mutual basic command interface between definition embedded system and the trusted module, major function comprises: get random number, authentication, identity signature, integrity measurement, more new key, safe read-write.The standard commands of SD agreement is as shown in table 1.
Table 1 SD protocol command form
| Bit | 47 | 46 | 45:40 | 39:8 | 7:1 | 0 |
| Describe | Start bit | Traffic bit | Command index | Parameter | Cyclic check | Stop bit |
The command index of in the SD agreement, reserving for the manufacturer can be as the command index of explosion command, and the explosion command of this programme is CMD63, command format such as table 2.Order is divided into two parts, and first is the standard commands of CMD63, and totally 48, the functional definition of parameter field definition explosion command wherein; A back part is the APDU data field that sends to trusted module of built-in terminal.
Table 2 custom command form
| The CMD63 order | Data field (APDU) |
The definition of CMD63 explosion command is as shown in table 3, and is by parameter field [11:8] decision, irrelevant with all the other positions.
Table 3 explosion command parameter-definition
| Command definition | Parameter [11:8] | Remarks |
| Get random number | 0001 | The byte number of random number is got in [15:12] expression |
| The tolerance request | 0010 | The operation of execution hash function |
| The identity signature | 0011 | Trusted module identity signature, [15:12] expression message M length |
| Authentication secret | 0100 | Authentication secret |
| Safety is read | 0101 | The reading encrypted data fixedly read 512 bytes, the address of [39:12] expression reading of data. |
| Safety is write | 0,100 0000 | Write enciphered data, fixedly write 512 bytes, [39:12] expression writes the destination address of data |
(1) get random number:
Embedded system is obtained the true random number of given length through this operation from trusted module, as the basis of follow-up Password Operations.
Its operation steps:
1) embedded system is sent to trusted module and is got the random number request command, and parameter field [15:12] provides the byte number of getting random number;
2) trusted module calls the true random number generating module, produces the random number sequence of given byte, returns through the response of CMD63.
(2) tolerance request:
Embedded system is for the integrality of parts in the verification system; The tolerance request of integrality is proposed to trusted module; The input data of tolerance are can characterizing by the data of tolerance person's characteristic of tolerance person's appointment; The Hash Value of hash computing output is by tolerance person's integrity measurement value, and metric is charged among the PCR (platform configuration register) of appointment.Input message block length is 512 bits, and the Hash Value length of gained is 256 bits.
Its operation steps:
1) embedded system is sent the tolerance request command to trusted module, and data field length is 512 bits;
2) trusted module enables the SM3 engine, carries out the hash computing, and the result is stored among the PCR;
3) whether successful the response of trusted module through CMD63 to embedded system return result.
(3) identity signature:
Trusted module identity key (MIK) at trusted module; Information to inside modules is carried out digital signature; Realize trusted module authentication and trusted module integrity report, thereby to the credibility of outside confirmation trusted module internal data, external entity is verified through the PKI of MIK.
Its operation steps:
1) embedded system obtains the message M that length is Length through getting the random number order from trusted module;
2) embedded system is sent the identity signature request to trusted module, and message M sends in the data field of order.
3) trusted module to message M is encrypted, obtains KPRI-S{M} with the private key of MIK, and returns to embedded system through the response of CMD63;
4) embedded system is deciphered KPUB-S{M} with the PKI of MIK, if obtain message M, then expression can be confirmed the identity of trusted module, and confirms the integrality of trusted module; Otherwise the identity of expression trusted module is wrong or be destroyed.
(4) authentication secret:
Based on random number, the key of checking embedded system is confirmed the legitimacy of embedded system to the trusted module operation.
Its operation steps:
1) embedded system obtains the message M that length is Length through getting the random number order from trusted module;
2) embedded system is encrypted M with the SMS4 algorithm with the symmetric key of oneself storing, and generates SMS4 (M), and sends to trusted module through the authentication secret order;
3) trusted module uses the symmetric key of oneself storing with the SMS4 algorithm SMS4 (M) to be deciphered, if solve M, then checking is passed through, otherwise fails, and the result is returned through the response of CMD63.
(5) safety is read:
On the basis of authentication secret, the data that are stored in the trusted module are read in deciphering.
Its operation steps:
1) confirms the legitimacy of embedded system through authentication secret, obtain data access authority the trusted module operation;
2) embedded system is sent safe read command to trusted module, fixedly reads 512 bytes;
3) trusted module reads target data, uses the key through checking, carries out data decryption with the SMS4 algorithm and obtains expressly, and return to embedded system.
(6) safety is write:
On the basis of authentication secret, the plaintext of embedded system input is encrypted and is stored in the trusted module.
Its operation steps:
1) confirms the legitimacy of embedded system through authentication secret, obtain data access authority the trusted module operation;
2) embedded system is sent safe write order to trusted module, fixedly writes 512 bytes, writes data and provides at the data field of CMD63;
3) trusted module receiving target data are used the key through checking, carry out data encryption with the SMS4 algorithm and obtain ciphertext, and enciphered data is stored in destination address;
4) whether successful trusted module return to embedded system and write result.
Claims (6)
1. built-in terminal based on the SD creditable calculation modules; It is characterized in that; Comprise the embedded system that contains embedded microprocessor and peripherals, and based on the SD card encapsulation and the SD creditable calculation modules of communicating by letter with said embedded system through the SD control interface;
Wherein, the SD creditable calculation modules contains embedded stone, communicates by letter with said embedded system with the interface command that control operation Chip Operating System is reserved through the SD agreement of expansion.
2. implementation method based on the built-in terminal of SD creditable calculation modules; It is characterized in that; Creditable calculation modules based on the SD card by individual packages; The embedded stone that contains through the SD creditable calculation modules, control operate in Chip Operating System on the SD card according to the reservation order and the embedded system interface of the SD agreement of expansion.
3. implementation method according to claim 2; It is characterized in that; SD card in the said creditable calculation modules is except that the service area of reserving; Distribute a storage space to be used to deposit Trusted Computing key and identity information, be designated as the key district, all the other storage spaces are the file system area that is used to deposit user data.
4. implementation method according to claim 2; It is characterized in that; The interface method of SD creditable calculation modules and embedded system is the command index definition reserved according to the SD agreement order based on credible computing, and representes the order be scheduled to through the definition of parameter field; Embedded system is sent instruction word and is given creditable calculation modules, and creditable calculation modules is resolved instruction word, and according to the parameter that obtains, the corresponding command is carried out in the order that coupling is predetermined.
5. implementation method according to claim 2; It is characterized in that; Adopt ID authentication mechanism between SD creditable calculation modules and embedded system based on true random number; Under the situation that SD creditable calculation modules owner authorizes, it is right to generate a SM2 key in SD creditable calculation modules inside modules, as identity key the inner information of SD creditable calculation modules is carried out digital signature.
6. implementation method according to claim 2 is characterized in that, the integrity measurement of embedded system is handled by the SD creditable calculation modules.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101683181A CN102693385A (en) | 2012-05-28 | 2012-05-28 | Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101683181A CN102693385A (en) | 2012-05-28 | 2012-05-28 | Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102693385A true CN102693385A (en) | 2012-09-26 |
Family
ID=46858810
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2012101683181A Pending CN102693385A (en) | 2012-05-28 | 2012-05-28 | Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102693385A (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102819706A (en) * | 2012-07-26 | 2012-12-12 | 重庆大学 | Device and method for implementing credible embedded system on existing embedded equipment |
| CN103530553A (en) * | 2013-10-22 | 2014-01-22 | 山东神思电子技术股份有限公司 | Mobile terminal with authorization card and authorization method |
| CN103942074A (en) * | 2014-04-09 | 2014-07-23 | 华为技术有限公司 | Algorithm loading method and device |
| CN104184586A (en) * | 2013-05-20 | 2014-12-03 | 硅工厂股份有限公司 | Method of generating message authentication code and authentication device and authentication request device using the method |
| CN105515764A (en) * | 2015-12-08 | 2016-04-20 | 北京元心科技有限公司 | Method and device for protecting security of secret key in mobile terminal |
| CN106557700A (en) * | 2016-11-24 | 2017-04-05 | 苏州国芯科技有限公司 | A kind of gauging system and method for trusted computer |
| CN107425976A (en) * | 2017-04-26 | 2017-12-01 | 美的智慧家居科技有限公司 | Key chip system and internet of things equipment |
| CN107704756A (en) * | 2017-09-26 | 2018-02-16 | 晶晨半导体(上海)股份有限公司 | Safe checking method and system before a kind of system upgrade |
| CN110740041A (en) * | 2019-10-16 | 2020-01-31 | 北京仁信证科技有限公司 | Embedded system safe starting and credibility measuring method based on credible computing module |
| US11520596B2 (en) | 2020-02-26 | 2022-12-06 | Microsoft Technology Licensing, Llc | Selective boot sequence controller for resilient storage memory |
| CN115509587A (en) * | 2022-11-22 | 2022-12-23 | 成都卫士通信息产业股份有限公司 | Firmware upgrading method and device, electronic equipment and computer readable storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101430747A (en) * | 2008-09-26 | 2009-05-13 | 武汉大学 | Movable equipment based on credible embedded platform and its security storage method |
| CN201440662U (en) * | 2009-04-14 | 2010-04-21 | 公安部第一研究所 | Information security equipment based on SD Memory/SDIO interface |
| CN202102447U (en) * | 2011-05-25 | 2012-01-04 | 国民技术股份有限公司 | Trusted computing chip and device |
| CN202495041U (en) * | 2011-11-17 | 2012-10-17 | 国民技术股份有限公司 | A trusted computing chip |
| CN202600714U (en) * | 2012-05-28 | 2012-12-12 | 山东神思电子技术股份有限公司 | Embedded terminal based on SD (Secure Digital) trusted computing module |
-
2012
- 2012-05-28 CN CN2012101683181A patent/CN102693385A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101430747A (en) * | 2008-09-26 | 2009-05-13 | 武汉大学 | Movable equipment based on credible embedded platform and its security storage method |
| CN201440662U (en) * | 2009-04-14 | 2010-04-21 | 公安部第一研究所 | Information security equipment based on SD Memory/SDIO interface |
| CN202102447U (en) * | 2011-05-25 | 2012-01-04 | 国民技术股份有限公司 | Trusted computing chip and device |
| CN202495041U (en) * | 2011-11-17 | 2012-10-17 | 国民技术股份有限公司 | A trusted computing chip |
| CN202600714U (en) * | 2012-05-28 | 2012-12-12 | 山东神思电子技术股份有限公司 | Embedded terminal based on SD (Secure Digital) trusted computing module |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102819706B (en) * | 2012-07-26 | 2014-12-10 | 重庆大学 | Device and method for implementing credible embedded system on existing embedded equipment |
| CN102819706A (en) * | 2012-07-26 | 2012-12-12 | 重庆大学 | Device and method for implementing credible embedded system on existing embedded equipment |
| CN104184586A (en) * | 2013-05-20 | 2014-12-03 | 硅工厂股份有限公司 | Method of generating message authentication code and authentication device and authentication request device using the method |
| CN104184586B (en) * | 2013-05-20 | 2019-01-11 | 硅工厂股份有限公司 | Message authentication code generating method realizes the authentication device and certification request device of this method |
| CN103530553A (en) * | 2013-10-22 | 2014-01-22 | 山东神思电子技术股份有限公司 | Mobile terminal with authorization card and authorization method |
| CN103942074A (en) * | 2014-04-09 | 2014-07-23 | 华为技术有限公司 | Algorithm loading method and device |
| CN105515764B (en) * | 2015-12-08 | 2019-06-07 | 北京元心科技有限公司 | A kind of method and apparatus for protecting key safety in the terminal |
| CN105515764A (en) * | 2015-12-08 | 2016-04-20 | 北京元心科技有限公司 | Method and device for protecting security of secret key in mobile terminal |
| CN106557700A (en) * | 2016-11-24 | 2017-04-05 | 苏州国芯科技有限公司 | A kind of gauging system and method for trusted computer |
| CN107425976A (en) * | 2017-04-26 | 2017-12-01 | 美的智慧家居科技有限公司 | Key chip system and internet of things equipment |
| CN107704756A (en) * | 2017-09-26 | 2018-02-16 | 晶晨半导体(上海)股份有限公司 | Safe checking method and system before a kind of system upgrade |
| CN110740041A (en) * | 2019-10-16 | 2020-01-31 | 北京仁信证科技有限公司 | Embedded system safe starting and credibility measuring method based on credible computing module |
| CN110740041B (en) * | 2019-10-16 | 2022-04-15 | 北京仁信证科技有限公司 | Embedded system safe starting and credibility measuring method based on credible computing module |
| US11520596B2 (en) | 2020-02-26 | 2022-12-06 | Microsoft Technology Licensing, Llc | Selective boot sequence controller for resilient storage memory |
| CN115509587A (en) * | 2022-11-22 | 2022-12-23 | 成都卫士通信息产业股份有限公司 | Firmware upgrading method and device, electronic equipment and computer readable storage medium |
| CN115509587B (en) * | 2022-11-22 | 2023-04-07 | 成都卫士通信息产业股份有限公司 | Firmware upgrading method and device, electronic equipment and computer readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102693385A (en) | Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof | |
| CN109716375B (en) | Block chain account processing method, device and storage medium | |
| AU2021203184B2 (en) | Transaction messaging | |
| CN100487715C (en) | Date safety storing system, device and method | |
| CN108345806B (en) | Hardware encryption card and encryption method | |
| CN102138300B (en) | Message authentication code pre-computation with applications to secure memory | |
| US9256210B2 (en) | Safe method for card issuing, card issuing device and system | |
| CN101196855B (en) | Mobile encrypted memory device and cipher text storage area data encrypting and deciphering processing method | |
| CN100454321C (en) | USB device with data memory and intelligent secret key and control method thereof | |
| CN105306194B (en) | For encrypted file and/or the multiple encryption method and system of communications protocol | |
| CN101582109A (en) | Data encryption method and device, data decryption method and device and solid state disk | |
| CN103067170A (en) | Encrypting file system, encrypting method and deciphering method based on EXT2 file system | |
| CN102163267A (en) | Solid state disk as well as method and device for secure access control thereof | |
| CN104484628B (en) | It is a kind of that there is the multi-application smart card of encrypting and decrypting | |
| CN107911221B (en) | Key management method for secure storage of solid-state disk data | |
| CN104574652A (en) | Method for increasing and deducting pollution discharge data of IC card and IC card | |
| CN110191136A (en) | A kind of convenient and fast file secure transmission method and equipment | |
| CN201716734U (en) | Usb safe storage encryption device | |
| CN202600714U (en) | Embedded terminal based on SD (Secure Digital) trusted computing module | |
| CN101127062A (en) | Binding function implement method for electronic key and computer | |
| CN101127013A (en) | Enciphered mobile storage apparatus and its data access method | |
| CN1808457B (en) | Portable trusted device for remote dynamic management | |
| CN103138925A (en) | Card issuing operation method, integrated circuit (IC) card and card issuing device | |
| CN102761559A (en) | Private data-based network security sharing method and communication terminal | |
| CN102270182A (en) | Encrypted mobile storage equipment based on synchronous user and host machine authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20120926 |