CN110324138A - Data encryption, decryption method and device - Google Patents

Abstract

The embodiment of the present application provides a kind of data encryption, decryption method and device.The data ciphering method includes: using the unique corresponding first key of software root of trust Program Generating and hardware device, according to the first key encryption data.The application can reduce the possibility that hacker etc. directly acquires first key from code, it also ensures that and is cracked even if the key of some hardware device simultaneously, with the hardware device same class or the key that belongs in the hardware device of same hardware vendor is still safe, effectively improve the safety of data and hardware device, also can ensure that no matter whether hardware device has hardware security ability, first key can be generated, the reliability for generating first key is improved.

Description

Data encryption, decryption method and device

Technical field

This application involves field of computer technology, more particularly to a kind of data encryption, decryption method and device.

Background technique

With the development of Internet of Things and computer technology, the poor and resource-constrained hardware device of a large amount of hardware security abilities Start to come into operation, for example as the various hardware devices of internet-of-things terminal node, these hardware devices are usually cheap, do not have Have or be difficult to that safeguard protection is arranged, there is no hardware security ability, therefore the data in the hardware device are easy to by hacker etc. It acquires, safety is poor.

In the prior art, key can be written in the code of hardware device, so as to be set by the key pair hardware Data in standby are encrypted.But by the mode in the code of key write-in hardware device, it is difficult to accomplish a machine (hardware device) One is close, i.e., the key in same class or the hardware device of same hardware vendor is identical, therefore, when in a hardware device When key is cracked, the key of other hardware devices of same class or same hardware vendor just can all be revealed, to be difficult to ensure Data safety causes the safety of data and hardware device lower.

Summary of the invention

In view of the above problems, it proposes on the application overcomes the above problem or at least be partially solved in order to provide one kind State data encryption, decryption method and the device of problem.

This application provides a kind of data ciphering methods characterized by comprising

Using the unique corresponding first key of software root of trust Program Generating and hardware device；

According to the first key encryption data.

Optionally, described to include according to the first key encryption data:

It is random to generate the second key；

Be-encrypted data is encrypted using second key, the first key is for encrypting second key.

Optionally, the method also includes:

Second key is encrypted using the first key.

Optionally, after second key using first key encryption, the method also includes:

By the second key encrypted preservation corresponding with the be-encrypted data encrypted.

Optionally, the method also includes:

Generate the verification data for verifying the integrality of be-encrypted data, the verification data with encrypted it is to be encrypted Data are corresponding to be saved.

Optionally, the verification data of integrality of the generation for verifying be-encrypted data include:

Determine the cryptographic Hash of the be-encrypted data.

Optionally, before according to the first key encryption data, the method also includes:

The second interface for receiving be-encrypted data is provided, and the be-encrypted data is received by the second interface；

It is described according to the first key encryption data after, the method also includes:

Encrypted result is exported to the data source of the be-encrypted data by the second interface.

Present invention also provides a kind of data decryption methods, comprising:

Using the unique corresponding first key of software root of trust Program Generating and hardware device；

According to the first key decrypting encrypted data.

Optionally, described to include: according to the first key decrypting encrypted data

Generate the first key, and, obtain the second key for having encrypted, second key encrypted with it is described Encrypted data is corresponding to be saved；

Using first key decryption second key encrypted, the second key is obtained；

The encrypted data is decrypted using second key.

Optionally, the method also includes:

Verification data are obtained, the verification data are corresponding with the encrypted data to be saved；

Using the integrality of the verification data check decrypted result.

Optionally, the verification data include the first cryptographic Hash of the decrypted result, described to use the verification data Verification decrypted result integrality include:

Generate the second cryptographic Hash of the decrypted result；

It is consistent with first cryptographic Hash to compare second cryptographic Hash, then confirms that the decrypted result has integrality.

Optionally, the method also includes:

Decrypted result is exported by second interface.

Present invention also provides a kind of data ciphering methods characterized by comprising

Using the unique corresponding first key of root of trust Program Generating and hardware device；

According to the first key encryption data.

It is optionally, described that using root of trust Program Generating, uniquely corresponding first key includes: with hardware device

It accesses the hardware built in the hardware device and trusts rooter, generate the first key.

Optionally, there is the hardware device dedicated hardware to trust rooter, described to access built in the hardware device Hardware root of trust program include:

The hardware is accessed by first interface and trusts rooter, and the interface type of the first interface and the hardware are believed Appoint the Program Type adaptation of rooter.

Present invention also provides a kind of data decryption methods, comprising:

Using the unique corresponding first key of root of trust Program Generating and hardware device；

According to the first key decrypting encrypted data.

It is optionally, described that using root of trust Program Generating, uniquely corresponding first key includes: with hardware device

It accesses the hardware built in the hardware device and trusts rooter, generate the first key.

Optionally, there is the hardware device dedicated hardware to trust rooter, described to access built in the hardware device Hardware root of trust program include:

The hardware is accessed by first interface and trusts rooter, and the interface type of the first interface and the hardware are believed Appoint the Program Type adaptation of rooter.

Present invention also provides a kind of data encryption devices, comprising:

First key generation module, for close using software root of trust Program Generating and hardware device unique corresponding first Key；

Data encryption module, for according to the first key encryption data.

Optionally, the data encryption module includes:

Key generates submodule at random, for generating the second key at random；

Data encryption submodule, for encrypting be-encrypted data using second key, the first key is for adding Close second key.

Optionally, described device further include:

Second cipher key encryption block, for encrypting second key using the first key.

Optionally, described device further include:

Data generation module is verified, for generating the verification data of the integrality for verifying be-encrypted data, the school To test data corresponding with the be-encrypted data encrypted to save.

Optionally, described device further include:

Be-encrypted data receiving module connects for providing the second interface for receiving be-encrypted data, and by described second Mouth receives the be-encrypted data；

Encrypted result output module is encrypted for being exported by the second interface to the data source of the be-encrypted data As a result.

Present invention also provides a kind of data decryption apparatus, comprising:

First key generation module, for close using software root of trust Program Generating and hardware device unique corresponding first Key；

Data decryption module, for according to the first key decrypting encrypted data.

Optionally, the data decryption module includes:

Key acquisition submodule, for generating the first key, and, obtain the second key encrypted, it is described Second key of encryption is corresponding with the encrypted data to be saved；

Second key decrypts submodule, for obtaining using first key decryption second key encrypted Second key；

Data deciphering submodule, for decrypting the encrypted data using second key.

Optionally, described device further include:

Data acquisition module is verified, for obtaining verification data, the verification data are corresponding with the encrypted data to be protected It deposits；

Integrity verification module, for the integrality using the verification data check decrypted result.

Optionally, described device further include:

Decrypted result output module, for exporting decrypted result by second interface.

Present invention also provides a kind of data encryption devices, comprising:

First key generation module, for using the unique corresponding first key of root of trust Program Generating and hardware device；

Data encryption module, for according to the first key encryption data.

Optionally, the first key generation module includes:

First key generates submodule, rooter is trusted for accessing hardware built in the hardware device, described in generation First key.

Present invention also provides a kind of data decryption apparatus, comprising:

First key generation module, for using the unique corresponding first key of root of trust Program Generating and hardware device；

Data decryption module, for according to the first key decrypting encrypted data.

Optionally, the first key generation module includes:

First key generates submodule, rooter is trusted for accessing hardware built in the hardware device, described in generation First key.

Present invention also provides a kind of computer equipment, including memory, processor and storage are on a memory and can be The computer program run on processor, the processor are realized one or more as the aforementioned when executing the computer program Method.

Present invention also provides a kind of computer readable storage mediums, are stored thereon with computer program, the computer Methods one or more as the aforementioned is realized when program is executed by processor.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are encrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

Above description is only the general introduction of technical scheme, in order to better understand the technological means of the application, And it can be implemented in accordance with the contents of the specification, and in order to allow above and other objects, features and advantages of the application can It is clearer and more comprehensible, below the special specific embodiment for lifting the application.

Detailed description of the invention

By reading the following detailed description of the preferred embodiment, various other advantages and benefit are common for this field Technical staff will become clear.The drawings are only for the purpose of illustrating a preferred embodiment, and is not considered as to the application Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:

Fig. 1 shows a kind of data ciphering method flow chart according to the application one embodiment one；

Fig. 2 shows another data ciphering method flow charts according to the application one embodiment two；

Fig. 3 shows another data ciphering method flow chart according to the application one embodiment three；

Fig. 4 shows a kind of data decryption method flow chart according to the application one embodiment four；

Fig. 5 shows another data decryption method flow chart according to the application one embodiment five；

Fig. 6 shows another data decryption method flow chart according to the application one embodiment six；

Fig. 7 shows a kind of data processing method flow chart according to the application one embodiment

Fig. 8 shows a kind of data ciphering method flow chart according to the application one embodiment；

Fig. 9 shows a kind of data decryption method flow chart according to the application one embodiment；

Figure 10 shows a kind of structural block diagram of data encryption device according to the application one embodiment seven；

Figure 11 shows the structural block diagram of another data encryption device according to the application one embodiment eight；

Figure 12 shows a kind of structural block diagram of data decryption apparatus according to the application one embodiment nine；

Figure 13 shows the structural block diagram of another data decryption apparatus according to the application one embodiment ten；

Figure 14 shows a kind of structural block diagram of exemplary system according to the application one embodiment.

Specific embodiment

The application exemplary embodiment is more fully described below with reference to accompanying drawings.Although showing that the application shows in attached drawing Example property embodiment, it being understood, however, that may be realized in various forms the application without that should be limited by embodiments set forth here System.It is to be able to thoroughly understand the application on the contrary, providing these embodiments, and can be complete by scope of the present application Be communicated to those skilled in the art.

The embodiment of the present application is deeply understood for the ease of those skilled in the art, will introduce the embodiment of the present application first below Involved in technical term definition.

Trust rooter, also known as root of trust, refer to that believable function set always is thought in the operation run on hardware device, Root of trust individually provides encryption and decryption service trusty for hardware device.The trust rooter may include hardware root of trust journey Sequence and software trust at least one of rooter.Wherein, hardware trust rooter needs to rely on corresponding hardware, may include Based on intel SGX (intel Software Guard Extensions, Intel's software protecting extended instruction) or it is based on The hardware of TEE (Trusted Execution Environment, credible performing environment) trusts rooter, software root of trust journey Sequence may include KM (key manager, key management module).Certainly, in practical applications, trusting rooter can also include Other hardware trust rooter or software trusts rooter, no longer repeat one by one herein.

First key is derived from by trust rooter according to the equipment unique identification of hardware device, to set with the hardware Standby unique corresponding, first key can be used for encrypting the data in the hardware device.

Wherein, equipment unique identification is used for one electronic equipment of unique identification, for example, the equipment unique identification may include IMEI (International Mobile Equipment Identity, international mobile equipment identification number) or MAC (Media Access Control, media access control) address.

Hardware device can be with various internet-of-things terminals or equipment, for example is applied to meteorological or environmental monitoring various detections The smart home devices such as the intelligent sound box in device or family, it is of course also possible to include mobile phone, smartwatch, VR (Virtual Reality, virtual reality) equipment, tablet computer, E-book reader, MP3 (Moving Picture Experts Group Audio Layer III, dynamic image expert's compression standard audio level 3) player, MP4 (Moving Picture Experts Group Audio Layer IV, dynamic image expert's compression standard audio level 4) it is player, on knee portable Computer, vehicle-mounted computer, desktop computer, set-top box, wearable device etc..The hardware device can with remote server into Row interaction obtains client, plug-in unit, data encryption or decryption service, and may include any device of following figure 10-14, implements Either Fig. 1-9 method, to be encrypted or be decrypted to data.

Client may include at least one application program.The client can operate in positioning device, to realize Data encryption provided by the embodiments of the present application or decryption method.

Plug-in unit may include in the application program for running on positioning device, to realize number provided by the embodiments of the present application According to encryption or decryption method.

The embodiment of the present application can be applied to the scene of data encryption or decryption in the hardware devices such as internet of things equipment, than Such as Border Gateway.Due to directly writing on key in the code of hardware device, the key quilt in a hardware device will lead to When cracking, the key of other hardware devices of same class or same hardware vendor just can all be revealed, to be difficult to ensure that data are pacified Entirely, cause the safety of data and hardware device lower, therefore, to ensure that a machine one is close, and then improve data and hardware device Safety, the embodiment of the present application provides a kind of data ciphering method.In the embodiment of the present application, root of trust journey can be used Sequence generate with the unique corresponding first key of hardware device, and data are encrypted according to first key, due to do not need by Key is directly written in the code of hardware device, is on the one hand reduced hacker etc. and is acquired key possibility, even if on the other hand The key of some hardware device is cracked, and with the hardware device same class or belongs to close in the hardware device of same hardware vendor Key is still safe, so can by the key of safety realize data secure storage, can effectively improve data and The safety of hardware device.In addition, by certain hardware devices may and do not have hardware trust rooter relied on it is hard Part does not have hardware security ability, therefore, in order to ensure no matter whether there is or not the hardware devices of hardware security ability can generate First key, improves the reliability of first key, and then ensures the safety of data and hardware device, while reducing cost, can To call software to trust rooter, first key is generated.It that is to say, it is preferably close to trust rooter offer safety by software Key management function.

The embodiment of the present application can be implemented as client or plug-in unit, and hardware device can be obtained and be installed from remote server The client or plug-in unit, to implement data encryption or decryption provided by the embodiment of the present application by the client or plug-in unit Method.Certainly, the embodiment of the present application can also dispose in the form of software on the remote server, and positioning device can pass through visit The remote server is asked to obtain data encryption or decryption service.

Embodiment one

Referring to Fig.1, a kind of data ciphering method flow chart according to the application one embodiment, specific steps packet are shown It includes:

Step 101, using the unique corresponding first key of software root of trust Program Generating and hardware device.

In order to avoid directly by key be written the code in hardware device and the close problem of the machine one that is difficult to realize and Key, can not be written hardware identification code, but adopted by the lower problem of the safety of the data and hardware device that further result in With root of trust Program Generating first key, and the key generated can be uniquely corresponding with hardware device, on the one hand reduces hacker Deng the possibility for directly acquiring first key from code, on the other hand ensures and broken even if the key of some hardware device Solution, with the hardware device same class or the key that belongs in the hardware device of same hardware vendor is still safe, so as to Enough effectively improve the safety of data and hardware device.In addition, believing due to may and not have hardware in certain hardware devices The hardware for appointing rooter to be relied on, i.e., do not have hardware security ability, therefore, in order to ensure no matter whether there is or not hardware security abilities Hardware device can generate first key, improve the reliability of first key, and then ensure the safety of data and hardware device Property, while cost is reduced, software can be called to trust rooter, generate first key.It that is to say, rooter is trusted by software The preferable key management functions of safety are provided.

Wherein, it may include KM that software, which trusts rooter,.

The equipment unique identification of available hardware device is based on the equipment unique identification using rooter is trusted, and derives from Obtain first key.Due to different hardware equipment to equipment unique identification be different, obtained by different hardware equipment First key be also different.

Step 102, according to the first key encryption data.

From the foregoing it will be appreciated that first key is using root of trust Program Generating and, Neng Gouyou uniquely corresponding with hardware device Effect improves the safety of data and hardware device, therefore can be encrypted according to first key to data.

Be-encrypted data in available hardware device encrypts the be-encrypted data using first key, when So, in practical applications, be-encrypted data can be encrypted according to first key, use more complicated cipher mode, For example, increasing the complexity cracked to encrypted data to further increase cipher round results, data and hardware are improved More keys can be generated in the safety of equipment, using multiple key pair be-encrypted datas including first key into Row encryption etc..

Be-encrypted data may include in hardware device to the higher data of security requirement, such as user password, user Fingerprint characteristic, user's face feature, client iris feature, in hardware device in application keys of application program etc. at least A kind of data may include certainly other data in hardware device, such as user's specified data in practical applications.

Encrypted data is after being encrypted according to first key to be-encrypted data as a result, the encrypted data energy It is enough to be decrypted according to first key, to obtain be-encrypted data again.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are encrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

Embodiment two

Referring to Fig. 2, a kind of data ciphering method flow chart according to the application one embodiment, specific steps packet are shown It includes:

Step 201, using the unique corresponding first key of software root of trust Program Generating and hardware device.

Wherein, using root of trust Program Generating and hardware device uniquely accordingly by the way of first key, before may refer to Associated description in stating is not repeating one by one herein.

It certainly, in practical applications, may include that hardware is trusted in rooter and software trust rooter in hardware device At least one.

Furthermore it is possible to which the first key storage of generation is the corresponding storage location of root of trust program, for example it is stored in In the storage region of KM protection.

Step 202, the second interface for receiving be-encrypted data is provided, and described to be encrypted by second interface reception Data.

From the foregoing it will be appreciated that may include in hardware device, hardware trusts rooter and/or software trusts rooter, or even can It can include that more than one hardware trusts rooter, this may cause connects with multiple first for hardware trust rooter Mouthful, and then cause the system architecture in hardware device chaotic, the application program in application layer needs to carry out complicated heavy adaptation, Not only improve the development cost of application program, it is also possible to the problems such as will appear adaptation mistake, and then cause to be difficult to data encryption Or other problems, reduce the safety and reliability of data and hardware device.It therefore, can be the application program in application layer Unified interface, i.e. second interface are provided, number to be encrypted is received, to be encapsulated in bottom for rooter is trusted by second interface Layer enables various functions of each application program by unified interface using trust rooter, and then makes in hardware device System architecture is more succinct, reduces the development cost of application program, improves application program and hardware device safety and reliable Property.

The second interface of application-oriented layer can be provided by way of hardware or software, by second interface reception come The data of self-application layer, and rooter is trusted according to first interface or software, the data received are converted, after making conversion Data fit first interface or software trust rooter data type or standard.

Be-encrypted data is the data for needing to be encrypted by key, the be-encrypted data may include source with it is any The arbitrary data of application program.

Step 203, the second key is generated at random, and be-encrypted data, the first key are encrypted using second key For encrypting second key.

In order to effectively improve the complexity that data are cracked, it is further reduced the possibility that data are cracked, Ke Yi On the basis of first key, the second key is regenerated, is encrypted by the second key pair be-encrypted data, and is close by first Key encrypts the second key, that is to say, passes through hierarchical encryption management, the safety of Lai Tigao data and hardware device.Due to multiple A possibility that key is cracked, as soon as it is smaller than the possibility that key is cracked, data and hardware device are also improved certainly Safety.In addition, be randomly generated due to the second key, thereby it can be assured that key used by each be-encrypted data Different, even if the data that some in hardware device encrypts are cracked, the data of other encryptions are still safe, thus into one Step improves the safety of data and hardware device.

Wherein it is possible to generate the second key by key schedule by the trust rooter in aforementioned.

Hierarchical encryption management refers to and generates multiple keys by different modes, and each key carries out storage and management respectively, leads to Multiple data keys are crossed to be encrypted, alternatively, encrypted by a portion data key, and by it is therein its The key of its key pair encryption data is encrypted, and the complexity of encryption is effectively improved, make hacker etc. be difficult to get it is all Key, and then be also just difficult to cracking encrypted information, and then improve the safety of encrypted information.

Certainly, in practical applications, acceptable more keys, adopt in a similar manner, are waited for by multiple key pair Encryption data is encrypted, to further increase the safety of data and hardware device.

Step 204, second key is encrypted using the first key.

In order to reduce the possibility that the second key is cracked, and then the possibility that the data for reducing encryption are encrypted, improve data With hardware device safety, the second key can be encrypted with first key.

Wherein, it for the second key using first key encryption, can be saved.

In the embodiment of the present application, optionally, ensure that the legitimate user of the subsequent data can normally obtain to settle Two keys improve the reliability of data encryption so that the be-encrypted data of encryption to be decrypted, can be close by encrypted second Key is corresponding with the be-encrypted data encrypted to be saved.

The be-encrypted data of second key of encryption and encryption can be stored in same storage location, alternatively, will encryption The second key and the be-encrypted data of encryption stored respectively to different storage locations, and where storing the second key of encryption Storage location and encryption be-encrypted data where storage location between corresponding relationship.Certainly, in practical applications, may be used Otherwise, the second key of encryption is carried out corresponding preservation with the be-encrypted data of encryption.

In addition, in another alternative embodiment of the embodiment of the present application, in order to improve the efficiency encrypted to data, The second key can not be regenerated, but directlys adopt first key and be-encrypted data is encrypted, i.e., first key is Key for being encrypted to be-encrypted data.Alternatively, in another alternative embodiment of the application, the can also passed through One key encrypt be-encrypted data on the basis of, encrypted by the second key pair first key, and will have been encrypted first Key is corresponding with the be-encrypted data encrypted to be saved.

It wherein, can be to be added with the second key pair of use in such a way that first key encrypts be-encrypted data The mode that ciphertext data is encrypted is identical, is not repeating one by one herein.

Step 205, generate the verification data for verifying the integrality of be-encrypted data, the verification data with encrypted Be-encrypted data corresponding save.

After being decrypted for the ease of the subsequent be-encrypted data to encryption, whether complete obtained be-encrypted data is verified It is whole, to further increase the safety of data and hardware device, it can be generated the verification data of be-encrypted data, and by check number Corresponding preservation is carried out according to the be-encrypted data encrypted.

Inspection data is including the integrity verification for verifying to be-encrypted data.

It wherein, may include cryptographic Hash for the verification data of integrity verification.

Cryptographic Hash is to carry out the binary value that operation obtains according to file data (such as be-encrypted data), for this article Number of packages is according to progress integrity verification.

In the embodiment of the present application, optionally, in order to ensure it is subsequent can be by the cryptographic Hash of be-encrypted data, to be added Ciphertext data, which carries out integrity verification, can determine the be-encrypted data to improve the safety of data and hardware device Cryptographic Hash.

Certainly, in actually to apply, be-encrypted data can be verified in order to ensure subsequent, check information can also Check information to include other information, such as integrity verification can also include the attribute information of be-encrypted data, phase It answers, can determine the attribute information of be-encrypted data, using determining attribute information as the verification data.

Wherein, attribute information is the information for illustrating the had attribute of be-encrypted data, for example, the attribute information may include At least one of size and data type of be-encrypted data.

The size of be-encrypted data, for the number of data volume included by be-encrypted data to be illustrated.

The type of be-encrypted data is used to illustrate the format or classification of be-encrypted data.

In addition, the mode of data preservation corresponding with the be-encrypted data encrypted will be verified, can with will encrypt the Two keys are identical as the mode of the corresponding preservation of the be-encrypted data encrypted, no longer repeat one by one herein.

In addition, in practical applications, in order to improve encryption efficiency, the verification data of be-encrypted data can not also be generated, I.e. step 205 is optional step.

Step 206, encrypted result is exported to the data source of the be-encrypted data by the second interface.

Storage or other operations are carried out for the ease of be-encrypted data of the application program to encryption, it can be to as data The application program in source exports encrypted result, and the system architecture in hardware device is more succinct, reduces application program in order to make Development cost, improve application program and hardware device safety and reliability, can by unified interface, i.e. second interface, Encrypted result is exported to data source.

Data source is the source of be-encrypted data, may include the application program in aforementioned.

Encrypted result be be-encrypted data is encrypted and export as a result, may include encryption be-encrypted data, Certainly, in practical applications, if the be-encrypted data of encryption is encrypted using the second key, and the second key is close using first Key is encrypted, and encrypted result can also include the second key encrypted through first key；If also being generated in aforementioned to be encrypted The verification data of data then can also include the verification data in the encrypted result.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are encrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

In addition, being capable of providing unified second interface, and encryption data or output encrypted result are received by second interface, It ensures the various functions for enabling each application program by unified interface using trust rooter, and then makes in hardware device System architecture it is more succinct, also reduce the development cost of application program, decrease application program to hardware root of trust journey The problem of being difficult to data encryption caused by the first interface adaptation mistake of sequence, improve data are encrypted it is reliable Property, and then also improve the safety and reliability of data and hardware device.

In addition, the second key can be generated at random, encrypted using the second key pair be-encrypted data, and uses first A possibility that the second key of key pair is encrypted, is cracked due to multiple keys is smaller, and the second key generated at random Can also ensure that can be encrypted using different keys for each be-encrypted data, therefore effectively improve data quilt The complexity cracked, to further improve the safety of data and hardware device.

Embodiment three

Referring to Fig. 3, a kind of data ciphering method flow chart according to the application one embodiment, specific steps packet are shown It includes:

Step 301, using the unique corresponding first key of root of trust Program Generating and hardware device.

In order to reduce the possibility for obtaining key directly from code, the key for reducing by a hardware device is not cracked, other The problem of being cracked with the key of the hardware device same class or the hardware device for belonging to same hardware vendor realizes a machine one It is close, the safety of data and hardware device is effectively improved, can be generated uniquely corresponding with hardware device using rooter is trusted Key.

Wherein, using root of trust Program Generating and hardware device uniquely accordingly by the way of first key, before may refer to Associated description in stating is not repeating one by one herein.

In the embodiment of the present application, optionally, there is hardware device dedicated hardware to trust rooter, generate to improve The reliability of first key, it is ensured that it can be realized that a machine one is close, and then improve the safety of data and hardware device, it is accessible Hardware built in the hardware device trusts rooter, generates the first key.

Wherein, it may include TEE that hardware, which trusts rooter,.

In the embodiment of the present application, optionally, ensure that access hardware trust rooter, improve generate key with And the subsequent reliability that be-encrypted data is encrypted, the hardware can be accessed by first interface trusts rooter, institute The interface type for stating first interface is adapted to the Program Type that the hardware trusts rooter.

For example, first interface may include linux SGX driver if it is intel SGX that hardware, which trusts rooter, In interface；If it is TEE that hardware, which newly trusts rooter, first interface may include GP Client API, wherein GP Client API is the interface name being adapted to TEE.

Certainly, in practical applications, hardware device may include that hardware is trusted in rooter and software trust rooter At least one can generate first key so that it is guaranteed that no matter whether hardware device has hardware security ability, it is ensured that generate The reliability of first key.

Step 302, according to the first key encryption data.

Wherein, according to the mode of first key encryption data, it may refer to the associated description in aforementioned, herein no longer one by one It repeats.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are encrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.

Secondly, being able to access that the hardware built in the hardware device is trusted for the hardware device with hardware security ability Rooter generates first key, improves the reliability for generating first key.

Example IV

Referring to Fig. 4, a kind of data decryption method flow chart according to the application one embodiment, specific steps packet are shown It includes:

Step 401, using the unique corresponding first key of software root of trust Program Generating and hardware device.

In order to avoid directly by key be written the code in hardware device and the close problem of the machine one that is difficult to realize and Key, can not be written hardware identification code, but adopted by the lower problem of the safety of the data and hardware device that further result in With root of trust Program Generating first key, and the key generated can be uniquely corresponding with hardware device, on the one hand reduces hacker Deng the possibility for directly acquiring first key from code, on the other hand ensures and broken even if the key of some hardware device Solution, with the hardware device same class or the key that belongs in the hardware device of same hardware vendor is still safe, so as to Enough effectively improve the safety of data and hardware device.In addition, believing due to may and not have hardware in certain hardware devices Appoint the hardware that is relied on of rooter, therefore, in order to ensure no matter whether there is or not the hardware devices of hardware security ability can generate the One key, improves the reliability of first key, and then ensures the safety of data and hardware device, while reducing cost, can be with It calls software to trust rooter, generates first key.

Wherein, using root of trust Program Generating with by the way of hardware device uniquely corresponding first key, before may refer to Associated description in stating, no longer repeats one by one herein.

Step 402, according to the first key decrypting encrypted data.

It, can be according to first key in order to ensure the legitimate user of encrypted data can normally obtain encrypted data Encrypted data is decrypted.

Wherein, encrypted data can be with the be-encrypted data for aforementioned middle encryption.

It can be according to the aforementioned middle mode encrypted according to first key to data, according to first key to having encrypted number It, then can be using first key to having added for example, encrypted according to first key to the be-encrypted data according to being decrypted Ciphertext data is decrypted；It is encrypted, then can be given birth to according to multiple key pair be-encrypted datas including first key At other keys in multiple key in addition to first key, using multiple key including first key, to Encryption data is decrypted.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are decrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

Embodiment five

Referring to Fig. 5, a kind of data decryption method flow chart according to the application one embodiment, specific steps packet are shown It includes:

Step 501, using the unique corresponding first key of software root of trust Program Generating and hardware device.

Wherein, using root of trust Program Generating with by the way of hardware device uniquely corresponding first key, before may refer to Associated description in stating, no longer repeats one by one herein.

Step 502, encrypted data is obtained by second interface.

In order to which the system architecture in hardware device is more succinct, reduce the development cost of application program, improves application program With the safety and reliability of hardware device, the encryption of each data source can be obtained by unified interface, i.e. second interface Data.

Certainly, in practical applications, the encryption of preservation corresponding with encrypted data can also be obtained by second interface Second key and/or verification data.

Wherein, the second encryption key can be the key generated at random for encrypted data.

If the second key and/or verification data then can be from the storage locations with encrypted data in same storage location Obtain the second key and/or verification data；If the second key and/or the storage location for verifying data, with depositing for encrypted data Storage space set between there are corresponding relationships, then the second key and/or check number can be determined according to the storage location of encrypted data According to storage location, and then acquire the second key and/or verification data.

In addition, in another alternative embodiment of the embodiment of the present application, can not also be obtained in step the second key and/ Or verification data, but in subsequent need using the second key and/or verification data, then obtain the second key and/or verification Data.

Step 503, according to the first key decrypting encrypted data.

Wherein, according to the mode of first key decrypting encrypted data, it may refer to the associated description in aforementioned, herein not It repeats one by one again.

In the embodiment of the present application, optionally, from the foregoing it will be appreciated that a possibility that being cracked due to multiple keys, than one The possibility that a key is cracked is small, so the first key can be generated in order to improve the safety of data and hardware device, And the second key encrypted is obtained, second key encrypted is corresponding with the encrypted data to be saved, using institute First key decryption second key encrypted is stated, the second key is obtained, has been added using second key decryption is described Ciphertext data.It that is to say, pass through hierarchical encryption management, the safety of Lai Tigao data and hardware device.

Wherein, it generates the mode of first key and obtains the mode of the second key, the correlation that may refer in aforementioned is retouched It states, no longer repeats one by one herein.

Step 504, verification data are obtained, the verification data are corresponding with the encrypted data to be saved, using the school Test the integrality of data check decrypted result.

After being decrypted for the ease of encrypted data, whether complete, further to mention if verifying obtained decrypted result The safety of high data and hardware device, available verification data, to be verified to the decrypted result.

Decrypted result is encrypted data to be decrypted as a result, the decrypted result can be to be to be encrypted in aforementioned Data.

Verification data can be generated according to decrypted result, and the verification data of generation are compared with the verification data got Compared with if unanimously, it is determined that decrypted result has integrality, otherwise determines that decrypted result does not have integrality.

In the embodiment of the present application, optionally, in order to ensure decrypted result is consistent with be-encrypted data before encrypting, i.e., really Guarantor verifies the integrality of decrypted result, further increases the safety of data and hardware device, the verification data packet The first cryptographic Hash of the decrypted result is included, correspondingly, the second cryptographic Hash of the decrypted result can be generated, compares described the Two cryptographic Hash are consistent with first cryptographic Hash, then confirm that the decrypted result has integrality.If the second cryptographic Hash and first Cryptographic Hash is inconsistent, then confirms that decrypted result does not have integrality.

Wherein, the first cryptographic Hash be during being encrypted in aforementioned to be-encrypted data determined by this is to be encrypted The cryptographic Hash of data；Second cryptographic Hash is the cryptographic Hash generated according to ciphertext data.If be-encrypted data and decrypted result one It causes, i.e., decrypted result has integrality, then the first cryptographic Hash and the second cryptographic Hash should also be as unanimously.

Available includes the verification data of the first cryptographic Hash, the second cryptographic Hash of decrypted result is generated, by the first Hash Value is compared with the second cryptographic Hash, to determine whether the first cryptographic Hash and the second cryptographic Hash are consistent.

Wherein, the mode for obtaining verification data may refer to the associated description in aforementioned, no longer repeat one by one herein.

In addition, the application implement another alternative embodiment in, in order to ensure decrypted result with it is before encrypting to be encrypted Data are consistent, that is, ensure to verify the integrality of decrypted result, further increase the safety of data and hardware device, school The first attribute information in data including be-encrypted data is tested, correspondingly, the second attribute information of decrypted result can also be obtained, First attribute information is compared with the second attribute information, if unanimously, it is determined that decrypted result has integrality, otherwise determines Decrypted result does not have integrality.

Wherein, the first attribute information is the attribute information generated according to be-encrypted data, and the second attribute information is according to solution The attribute information that close result generates, if be-encrypted data is consistent with decrypted result, i.e., decrypted result has integrality, then first belongs to Property information and the second attribute information should also be as unanimously.

In addition, in practical applications, in order to improve decryption efficiency, integrity verification can not also be carried out to decrypted result, I.e. step 504 is optional step.

Step 505, decrypted result is exported by second interface.

Storage or other operations are carried out for the ease of be-encrypted data of the application program to encryption, it can be to as data The application program in source exports encrypted result, and the system architecture in hardware device is more succinct, reduces application program in order to make Development cost, improve application program and hardware device safety and reliability, can by unified interface, i.e. second interface, Export decrypted result.

Wherein it is possible to export decrypted result to the data source of encrypted data by second interface.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are decrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

Secondly, rooter or software root of trust Program Generating first key can be trusted by hardware, it is ensured that no matter hard Whether part equipment has hardware security ability, can generate first key, improves the reliability for generating first key.

In addition, being capable of providing unified second interface, and encrypted data or output decryption knot are obtained by second interface Fruit, it is ensured that enable various functions of each application program by unified interface using trust rooter, and then set hardware System architecture in standby is more succinct, also reduces the development cost of application program, decreases application program and trusts hardware The problem of being difficult to data deciphering caused by the first interface adaptation mistake of rooter, improve to data be decrypted can By property, and then also improve the safety and reliability of data and hardware device.

In addition, the second key encrypted can be decrypted using first key, and added using the second key pair A possibility that ciphertext data is decrypted, and is cracked due to multiple keys is smaller, effectively improves what data were cracked Complexity, to further improve the safety of data and hardware device.

Embodiment six

Referring to Fig. 6, a kind of data decryption method flow chart according to the application one embodiment, specific steps packet are shown It includes:

Step 601, using the unique corresponding first key of root of trust Program Generating and hardware device.

In order to reduce the possibility for obtaining key directly from code, the key for reducing by a hardware device is not cracked, other The problem of being cracked with the key of the hardware device same class or the hardware device for belonging to same hardware vendor realizes a machine one It is close, the safety of data and hardware device is effectively improved, can be generated uniquely corresponding with hardware device using rooter is trusted Key.

Wherein, using root of trust Program Generating with by the way of hardware device uniquely corresponding first key, before may refer to Associated description in stating, no longer repeats one by one herein.

In the embodiment of the present application, optionally, there is hardware device dedicated hardware to trust rooter, generate to improve The reliability of first key, it is ensured that can be realized that a machine one is close, and then improve the safety of data and hardware device, described in access Hardware built in hardware device trusts rooter, generates the first key.

In the embodiment of the present application, optionally, ensure that access hardware trust rooter, improve generate key with And the reliability that the subsequent be-encrypted data to encryption is decrypted, the hardware root of trust journey can be accessed by first interface Sequence, the interface type of the first interface are adapted to the Program Type that the hardware trusts rooter.

Step 602, according to the first key decrypting encrypted data.

Wherein, according to the mode of first key decrypting encrypted data, it may refer to the associated description in aforementioned, herein not It repeats one by one again.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are decrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.

Secondly, being able to access that the hardware built in the hardware device is trusted for the hardware device with hardware security ability Rooter generates first key, improves the reliability for generating first key.

It should be understood that the method and step in above-described embodiment is not each essential, Under specific situation, it is convenient to omit one or more of steps encrypt data or decrypt as long as can be realized Technical purpose.The quantity and its sequence of step in the embodiment that the present invention does not limit, protection scope of the present invention is when with right Subject to the restriction of claim.

The application is more fully understood for the ease of those skilled in the art, below by way of a specific example to the application A kind of data processing of embodiment, encryption and decryption approaches are illustrated, and are specifically comprised the following steps:

Referring to Fig. 7, a kind of data processing method flow chart of the embodiment of the present application is shown.Specific steps include:

Step 701, hardware trusts rooter or software root of trust Program Generating root key.

Wherein, root key may include aforementioned middle first key.

It, can if be provided with hardware (there is hardware security ability) that hardware trust rooter is relied in hardware device To generate root key by hardware root of trust；If be not provided with the hardware that hardware trust rooter is relied in hardware device, Root key can be generated by software root of trust.

Step 702, rooter is trusted by hardware or software trusts root key of the rooter preservation for secure storage.

Step 703, rooter is trusted by hardware or software trusts rooter, file key is added using root key It is close.

Wherein, file key is the key encrypted to the be-encrypted data in aforementioned, for example, may include in aforementioned The second key.

Step 704, be-encrypted data is encrypted by file key, and stored through the file key after root key encryption.

It can be seen from the above, root key is not directly used for encrypting be-encrypted data, but for be-encrypted data The file key encrypted is encrypted, correspondingly, root key is also not directly used for that encrypted data is decrypted, but For the file key that encrypted data is decrypted to be decrypted, it can be ensured that for different hardware device and difference Data, be capable of providing different keys and encrypted or decrypted, reduce the possibility that data are cracked, improve data and The safety of hardware device.

Step 705, by unified interface, secure storage function is provided to application layer.

It can be by be-encrypted data (such as the sensitive number of application program that unified interface application program is submitted According to), and encrypted result is exported to the level of application；Alternatively, receiving the encrypted data that application program is submitted, and apply journey to this Sequence exports decrypted result.

Wherein, unified interface may include the second interface in aforementioned.

Referring to Fig. 8, a kind of flow chart of data ciphering method of the application one embodiment is shown.Specific steps packet It includes:

Step 801, root of trust Program Generating first key, and first key is stored in and trusts the corresponding storage of rooter Position；

Step 802, trust rooter and the second key is encrypted by first key；

Step 803, it is encrypted by the second key pair be-encrypted data；

Step 804, the cryptographic Hash of be-encrypted data is generated；

Step 805, by encrypted be-encrypted data, the cryptographic Hash of be-encrypted data and through first key encryption second Cipher key combinations are stored at a file.

Referring to Fig. 9, a kind of flow chart of data decryption method of the application one embodiment is shown.Specific steps packet It includes:

Step 901, trust rooter and read encrypted data；

Step 902, trust rooter and the second key is decrypted by first key；

Step 903, pass through the second key decrypting encrypted data；

Step 904, the cryptographic Hash of decrypted result is generated；

Step 905, determine that cryptographic Hash generated is consistent with the cryptographic Hash of the be-encrypted data originally saved；

Step 906, decrypted result is exported.

Embodiment seven

Referring to Fig.1 0, show a kind of structural block diagram of data encryption device according to the application one embodiment, the dress It sets and includes:

First key generation module 1001, for using software root of trust Program Generating and hardware device uniquely corresponding the One key；

Data encryption module 1002, for according to the first key encryption data.

Optionally, the data encryption module includes:

Key generates submodule at random, for generating the second key at random；

Data encryption submodule, for encrypting be-encrypted data using second key, the first key is for adding Close second key.

Optionally, described device further include:

Second cipher key encryption block, for encrypting second key using the first key.

Optionally, described device further include:

Second cipher key storage block, the second key preservation corresponding with the be-encrypted data encrypted for will encrypt.

Optionally, described device further include:

Data generation module is verified, for generating the verification data of the integrality for verifying be-encrypted data, the school To test data corresponding with the be-encrypted data encrypted to save.

Optionally, the verification data generation module includes:

Cryptographic Hash determines submodule, for determining the cryptographic Hash of the be-encrypted data.

Optionally, described device further include:

Be-encrypted data receiving module connects for providing the second interface for receiving be-encrypted data, and by described second Mouth receives the be-encrypted data；

Encrypted result output module is encrypted for being exported by the second interface to the data source of the be-encrypted data As a result.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are encrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

Embodiment eight

Referring to Fig.1 1, show a kind of structural block diagram of data encryption device according to the application one embodiment, the dress It sets and includes:

First key generation module 1101, for close using root of trust Program Generating and hardware device unique corresponding first Key；

Data encryption module 1102, for according to the first key encryption data.

Optionally, the first key generation module includes:

First key generates submodule, rooter is trusted for accessing hardware built in the hardware device, described in generation First key.

Optionally, there is the hardware device dedicated hardware to trust rooter, and the first key generates submodule also For:

The hardware is accessed by first interface and trusts rooter, and the interface type of the first interface and the hardware are believed Appoint the Program Type adaptation of rooter.

In the embodiment of the present application, can using the unique corresponding first key of root of trust Program Generating and hardware device, And then data are encrypted according to first key, reduce that hacker etc. directly acquires first key from code can Can, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belongs to same hardware Key in the hardware device of manufacturer is still safe, effectively improves the safety of data and hardware device.

Embodiment nine

Referring to Fig.1 2, show a kind of structural block diagram of data decryption apparatus according to the application one embodiment, the dress It sets and includes:

First key generation module 1201, for using software root of trust Program Generating and hardware device uniquely corresponding the One key；

Data decryption module 1202, for according to the first key decrypting encrypted data.

Optionally, the data decryption module includes:

Key acquisition submodule, for generating the first key, and, obtain the second key encrypted, it is described Second key of encryption is corresponding with the encrypted data to be saved；

Second key decrypts submodule, for obtaining using first key decryption second key encrypted Second key；

Data deciphering submodule, for decrypting the encrypted data using second key.

Optionally, described device further include:

Data acquisition module is verified, for obtaining verification data, the verification data are corresponding with the encrypted data to be protected It deposits；

Integrity verification module, for the integrality using the verification data check decrypted result.

Optionally, the verification data include the first cryptographic Hash of the decrypted result, the integrity verification module packet It includes:

Second cryptographic Hash generates submodule, for generating the second cryptographic Hash of the decrypted result；

Integrity verification confirms submodule, consistent with first cryptographic Hash for comparing second cryptographic Hash, then really The decrypted result is recognized with integrality.

Optionally, described device further include:

Decrypted result output module, for exporting decrypted result by second interface.

It in the embodiment of the present application, firstly, can be using root of trust Program Generating and hardware device unique corresponding first Key, and then data are decrypted according to first key, reduce hacker etc. and directly acquires first key from code Possibility, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belong to same Key in the hardware device of hardware vendor is still safe, effectively improves the safety of data and hardware device.Its It is secondary, software root of trust Program Generating first key can be passed through, it is ensured that and no matter whether hardware device has hardware security ability, First key can be generated, the reliability for generating first key is improved.

Embodiment ten

Referring to Fig.1 3, show a kind of structural block diagram of data decryption apparatus according to the application one embodiment, the dress It sets and includes:

First key generation module 1301, for close using root of trust Program Generating and hardware device unique corresponding first Key；

Data decryption module 1302, for according to the first key decrypting encrypted data.

Optionally, the first key generation module includes:

First key generates submodule, rooter is trusted for accessing hardware built in the hardware device, described in generation First key.

Optionally, there is the hardware device dedicated hardware to trust rooter, and the first key generates submodule also For:

The hardware is accessed by first interface and trusts rooter, and the interface type of the first interface and the hardware are believed Appoint the Program Type adaptation of rooter.

In the embodiment of the present application, can using the unique corresponding first key of root of trust Program Generating and hardware device, And then data are decrypted according to first key, reduce that hacker etc. directly acquires first key from code can Can, while also ensuring and being cracked even if the key of some hardware device, and the hardware device same class or belongs to same hardware Key in the hardware device of manufacturer is still safe, effectively improves the safety of data and hardware device.

For device embodiment, since it is basically similar to the method embodiment, related so being described relatively simple Place illustrates referring to the part of embodiment of the method.

The embodiment of the present application can be implemented as using any suitable hardware, firmware, software, or and any combination thereof progress The system of desired configuration.Figure 14 schematically shows the example that can be used for realizing each embodiment described herein Property system (or device) 1400.

For one embodiment, Figure 14 shows exemplary system 1400, which has one or more processors 1402, the system control module (chipset) 1404, quilt of at least one of (one or more) processor 1402 are coupled to It is coupled to the system storage 1406 of system control module 1404, is coupled to the non-volatile memories of system control module 1404 Device (NVM)/storage equipment 1408, the one or more input-output apparatus 1410 for being coupled to system control module 1404, with And it is coupled to the network interface 1412 of system control module 1406.

Processor 1402 may include one or more single or multiple core processors, and processor 1402 may include general processor Or any combination of application specific processor (such as graphics processor, application processor, Baseband processor etc.).In some embodiments In, system 1400 can be as the hardware device described in the embodiment of the present application.

In some embodiments, system 1400 may include with instruction one or more computer-readable mediums (for example, System storage 1406 or NVM/ store equipment 1408) and mutually merge with the one or more computer-readable medium and be configured To execute instruction the one or more processors 1402 to realize module thereby executing movement described herein.

For one embodiment, system control module 1404 may include any suitable interface controller, with to (one or It is multiple) at least one of processor 1402 and/or any suitable equipment or component that are communicated with system control module 1404 Any suitable interface is provided.

System control module 1404 may include Memory Controller module, to provide interface to system storage 1406.It deposits Memory controller module can be hardware module, software module and/or firmware module.

System storage 1406 can be used for for example, load of system 1400 and storing data and/or instruction.For one Embodiment, system storage 1406 may include any suitable volatile memory, for example, DRAM appropriate.In some implementations In example, system storage 1406 may include four Synchronous Dynamic Random Access Memory of Double Data Rate type (DDR4SDRAM).

For one embodiment, system control module 1404 may include one or more i/o controllers, with to NVM/ stores equipment 1408 and (one or more) input-output apparatus 1410 provides interface.

For example, NVM/ storage equipment 1408 can be used for storing data and/or instruction.NVM/ stores equipment 1408 Any suitable nonvolatile memory (for example, flash memory) and/or may include that any suitable (one or more) is non-volatile Equipment is stored (for example, one or more hard disk drives (HDD), one or more CD (CD) drivers and/or one or more A digital versatile disc (DVD) driver).

NVM/ storage equipment 1408 may include a part for the equipment being physically mounted on as system 1400 Storage resource or its can by the equipment access without a part as the equipment.For example, NVM/ stores equipment 1408 It can be accessed by network via (one or more) input-output apparatus 1410.

(one or more) input-output apparatus 1410 can provide interface for system 1400 appropriate to set with any other Standby communication, input-output apparatus 1410 may include communication component, audio component, sensor module etc..Network interface 1412 can Interface is provided for system 1400 with by one or more network communications, system 1400 can be according to one or more wireless network marks The quasi- and/or arbitrary standards in agreement and/or agreement are carried out wireless communication with the one or more components of wireless network, such as The wireless network based on communication standard is accessed, such as WiFi, 2G or 3G or their combination are carried out wireless communication.

For one embodiment, at least one of (one or more) processor 1402 can be with system control module 1404 The logics of one or more controllers (for example, Memory Controller module) be packaged together.For one embodiment, (one It is a or multiple) at least one of processor 1402 can seal with the logic of one or more controllers of system control module 1404 It is fitted together to form system in package (SiP).For one embodiment, in (one or more) processor 1402 at least one It is a to be integrated on same mold with the logic of one or more controllers of system control module 1404.One is implemented Example, at least one of (one or more) processor 1402 can be with one or more controllers of system control module 1404 Logic is integrated on same mold to form system on chip (SoC).

In various embodiments, system 1400 can be, but not limited to be: work station, desk-top calculating equipment or mobile computing are set Standby (for example, lap-top computing devices, handheld computing device, tablet computer, net book etc.).In various embodiments, system 1400 can have more or fewer components and/or different frameworks.For example, in some embodiments, system 1400 includes one It is a or multiple video cameras, keyboard, liquid crystal display (LCD) screen (including touch screen displays), nonvolatile memory port, more A antenna, graphic chips, specific integrated circuit (ASIC) and loudspeaker.

Wherein, if display includes touch panel, display screen may be implemented as touch screen displays, be used by oneself with receiving The input signal at family.Touch panel includes one or more touch sensors to sense the hand on touch, slide, and touch panel Gesture.The touch sensor can not only sense the boundary of a touch or slide action, but also detect and the touch or sliding Operate relevant duration and pressure.

The embodiment of the present application also provides a kind of non-volatile readable storage medium, be stored in the storage medium one or Multiple modules (programs) when the one or more module is used in terminal device, can make the terminal device execute The instruction (instructions) of various method steps in the embodiment of the present application.

A kind of device is provided in one example, comprising: one or more processors；With what is stored thereon has instruction One or more machine readable medias, when by one or more of processors execute when so that described device execute as this Apply for the method that hardware device executes in embodiment.

Additionally provide one or more machine readable medias in one example, be stored thereon with instruction, when by one or When multiple processors execute, so that device executes the method such as hardware device execution in the embodiment of the present application.

The embodiment of the present application discloses a kind of data encryption, decryption method and device.

Example 1, a kind of data ciphering method, comprising:

Using the unique corresponding first key of software root of trust Program Generating and hardware device；

According to the first key encryption data.

Example 2 may include method described in example 1, described to include according to the first key encryption data:

It is random to generate the second key；

Be-encrypted data is encrypted using second key, the first key is for encrypting second key.

Example 3 may include method described in example 2, the method also includes:

Second key is encrypted using the first key.

Example 4 may include method described in example 3, it is described using the first key encrypt second key it Afterwards, the method also includes:

By the second key encrypted preservation corresponding with the be-encrypted data encrypted.

Example 5 may include method described in example 1, the method also includes:

Generate the verification data for verifying the integrality of be-encrypted data, the verification data with encrypted it is to be encrypted Data are corresponding to be saved.

Example 6 may include method described in example 5, the check number generated for verifying the integrality of be-encrypted data According to including:

Determine the cryptographic Hash of the be-encrypted data.

Example 7 may include method described in example 1, and before according to the first key encryption data, the method is also Include:

The second interface for receiving be-encrypted data is provided, and the be-encrypted data is received by the second interface；

It is described according to the first key encryption data after, the method also includes:

Encrypted result is exported to the data source of the be-encrypted data by the second interface.

Example 8, a kind of data decryption method, comprising:

Using the unique corresponding first key of software root of trust Program Generating and hardware device；

According to the first key decrypting encrypted data.

Example 9 may include method described in example 8, described to include: according to the first key decrypting encrypted data

Generate the first key, and, obtain the second key for having encrypted, second key encrypted with it is described Encrypted data is corresponding to be saved；

Using first key decryption second key encrypted, the second key is obtained；

The encrypted data is decrypted using second key.

Example 10 may include method described in example 8, the method also includes:

Verification data are obtained, the verification data are corresponding with the encrypted data to be saved；

Using the integrality of the verification data check decrypted result.

Example 11 may include method described in example 10, and the verification data include the first Hash of the decrypted result Value, the integrality using the verification data check decrypted result include:

Generate the second cryptographic Hash of the decrypted result；

It is consistent with first cryptographic Hash to compare second cryptographic Hash, then confirms that the decrypted result has integrality.

Example 12 may include method described in example 8, the method also includes:

Decrypted result is exported by second interface.

Example 13, a kind of data ciphering method, comprising:

Using the unique corresponding first key of root of trust Program Generating and hardware device；

According to the first key encryption data.

Example 14 may include method described in example 13, described uniquely corresponding with hardware device using root of trust Program Generating First key include:

It accesses the hardware built in the hardware device and trusts rooter, generate the first key.

Example 15 may include method described in example 14, and there is the hardware device dedicated hardware to trust rooter, institute Stating the hardware root of trust program accessed built in the hardware device includes:

The hardware is accessed by first interface and trusts rooter, and the interface type of the first interface and the hardware are believed Appoint the Program Type adaptation of rooter.

Example 16, a kind of data decryption method, comprising:

Using the unique corresponding first key of root of trust Program Generating and hardware device；

According to the first key decrypting encrypted data.

Example 17 may include method described in example 16, described uniquely corresponding with hardware device using root of trust Program Generating First key include:

It accesses the hardware built in the hardware device and trusts rooter, generate the first key.

Example 18 may include method described in example 17, and there is the hardware device dedicated hardware to trust rooter, institute Stating the hardware root of trust program accessed built in the hardware device includes:

The hardware is accessed by first interface and trusts rooter, and the interface type of the first interface and the hardware are believed Appoint the Program Type adaptation of rooter.

Example 19, a kind of data encryption device, comprising:

First key generation module, for close using software root of trust Program Generating and hardware device unique corresponding first Key；

Data encryption module, for according to the first key encryption data.

Example 20 may include device described in example 19, and the data encryption module includes:

Key generates submodule at random, for generating the second key at random；

Data encryption submodule, for encrypting be-encrypted data using second key, the first key is for adding Close second key.

Example 21 may include device described in example 20, described device further include:

Second cipher key encryption block, for encrypting second key using the first key.

Example 22 may include device described in example 19, described device further include:

Data generation module is verified, for generating the verification data of the integrality for verifying be-encrypted data, the school To test data corresponding with the be-encrypted data encrypted to save.

Example 23 may include device described in example 19, described device further include:

Be-encrypted data receiving module connects for providing the second interface for receiving be-encrypted data, and by described second Mouth receives the be-encrypted data；

Encrypted result output module is encrypted for being exported by the second interface to the data source of the be-encrypted data As a result.

Example 24, a kind of data decryption apparatus, comprising:

First key generation module, for close using software root of trust Program Generating and hardware device unique corresponding first Key；

Data decryption module, for according to the first key decrypting encrypted data.

Example 25 may include device described in example 24, and the data decryption module includes:

Key acquisition submodule, for generating the first key, and, obtain the second key encrypted, it is described Second key of encryption is corresponding with the encrypted data to be saved；

Second key decrypts submodule, for obtaining using first key decryption second key encrypted Second key；

Data deciphering submodule, for decrypting the encrypted data using second key.

Example 26 may include device described in example 24, described device further include:

Data acquisition module is verified, for obtaining verification data, the verification data are corresponding with the encrypted data to be protected It deposits；

Integrity verification module, for the integrality using the verification data check decrypted result.

Example 27 may include device described in example 24, described device further include:

Decrypted result output module, for exporting decrypted result by second interface.

Example 28, a kind of data encryption device, comprising:

First key generation module, for using the unique corresponding first key of root of trust Program Generating and hardware device；

Data encryption module, for according to the first key encryption data.

Example 29 may include device described in example 28, and the first key generation module includes:

First key generates submodule, rooter is trusted for accessing hardware built in the hardware device, described in generation First key.

Example 30, a kind of data decryption apparatus, comprising:

First key generation module, for using the unique corresponding first key of root of trust Program Generating and hardware device；

Data decryption module, for according to the first key decrypting encrypted data.

Example 31 may include device described in example 30, and the first key generation module includes:

First key generates submodule, rooter is trusted for accessing hardware built in the hardware device, described in generation First key.

Example 32, a kind of device, comprising: one or more processors；What is stored thereon has the one or more of instruction Machine readable media, when being executed by one or more of processors, so that described device executes such as example 1- example 18 1 A or multiple method.

Example 33, one or more machine readable media, are stored thereon with instruction, when being performed by one or more processors When, so that device executes as one or more methods such as example 1- example 18.

Although some embodiments are various substitutions, and/or equivalent implementation for the purpose of illustrating and describing Scheme calculates to reach same purpose and implement the realization for exemplifying and describing, and does not depart from the practical range of the application.This Shen It please be intended to cover any modification or variation of the embodiment being discussed herein.It is, therefore, apparent that embodiment described herein only by right It is required that being limited with their equivalent.

Claims (33)

1. a kind of data ciphering method characterized by comprising

Using the unique corresponding first key of software root of trust Program Generating and hardware device；

According to the first key encryption data.

2. the method according to claim 1, wherein described include according to the first key encryption data:

It is random to generate the second key；

Be-encrypted data is encrypted using second key, the first key is for encrypting second key.

3. according to the method described in claim 2, it is characterized in that, the method also includes:

Second key is encrypted using the first key.

4. according to the method described in claim 3, it is characterized in that, described close using first key encryption described second After key, the method also includes:

By the second key encrypted preservation corresponding with the be-encrypted data encrypted.

5. the method according to claim 1, wherein the method also includes:

Generate the verification data for verifying the integrality of be-encrypted data, the verification data and the be-encrypted data encrypted It is corresponding to save.

6. according to the method described in claim 5, it is characterized in that, the integrality generated for verifying be-encrypted data Verifying data includes:

Determine the cryptographic Hash of the be-encrypted data.

7. described the method according to claim 1, wherein before according to the first key encryption data Method further include:

The second interface for receiving be-encrypted data is provided, and the be-encrypted data is received by the second interface；

It is described according to the first key encryption data after, the method also includes:

Encrypted result is exported to the data source of the be-encrypted data by the second interface.

8. a kind of data decryption method characterized by comprising

Using the unique corresponding first key of software root of trust Program Generating and hardware device；

According to the first key decrypting encrypted data.

9. according to the method described in claim 8, it is characterized in that, described according to the first key decrypting encrypted data packet It includes:

The first key is generated, and, the second key encrypted is obtained, second key encrypted has added with described Ciphertext data is corresponding to be saved；

Using first key decryption second key encrypted, the second key is obtained；

The encrypted data is decrypted using second key.

10. according to the method described in claim 8, it is characterized in that, the method also includes:

Verification data are obtained, the verification data are corresponding with the encrypted data to be saved；

Using the integrality of the verification data check decrypted result.

11. according to the method described in claim 10, it is characterized in that, the verification data include the first of the decrypted result Cryptographic Hash, the integrality using the verification data check decrypted result include:

Generate the second cryptographic Hash of the decrypted result；

It is consistent with first cryptographic Hash to compare second cryptographic Hash, then confirms that the decrypted result has integrality.

12. according to the method described in claim 8, it is characterized in that, the method also includes:

Decrypted result is exported by second interface.

13. a kind of data ciphering method characterized by comprising

Using the unique corresponding first key of root of trust Program Generating and hardware device；

According to the first key encryption data.

14. according to the method for claim 13, which is characterized in that described to use root of trust Program Generating and hardware device only One corresponding first key includes:

It accesses the hardware built in the hardware device and trusts rooter, generate the first key.

15. according to the method for claim 14, which is characterized in that the hardware device has dedicated hardware root of trust journey Sequence, the hardware root of trust program built in the access hardware device include:

The hardware, which is accessed, by first interface trusts rooter, the interface type of the first interface and the hardware root of trust The Program Type of program is adapted to.

16. a kind of data decryption method characterized by comprising

Using the unique corresponding first key of root of trust Program Generating and hardware device；

According to the first key decrypting encrypted data.

17. according to the method for claim 16, which is characterized in that described to use root of trust Program Generating and hardware device only One corresponding first key includes:

It accesses the hardware built in the hardware device and trusts rooter, generate the first key.

18. according to the method for claim 17, which is characterized in that the hardware device has dedicated hardware root of trust journey Sequence, the hardware root of trust program built in the access hardware device include:

The hardware, which is accessed, by first interface trusts rooter, the interface type of the first interface and the hardware root of trust The Program Type of program is adapted to.

19. a kind of data encryption device characterized by comprising

First key generation module, for using the unique corresponding first key of software root of trust Program Generating and hardware device；

Data encryption module, for according to the first key encryption data.

20. device according to claim 19, which is characterized in that the data encryption module includes:

Key generates submodule at random, for generating the second key at random；

Data encryption submodule, for encrypting be-encrypted data using second key, the first key is for encrypting institute State the second key.

21. device according to claim 20, which is characterized in that described device further include:

Second cipher key encryption block, for encrypting second key using the first key.

22. device according to claim 19, which is characterized in that described device further include:

Data generation module is verified, for generating the verification data of the integrality for verifying be-encrypted data, the check number It is saved according to corresponding with the be-encrypted data encrypted.

23. device according to claim 19, which is characterized in that described device further include:

Be-encrypted data receiving module for providing the second interface for receiving be-encrypted data, and is connect by the second interface Receive the be-encrypted data；

Encrypted result output module, for exporting encryption knot to the data source of the be-encrypted data by the second interface Fruit.

24. a kind of data decryption apparatus characterized by comprising

First key generation module, for using the unique corresponding first key of software root of trust Program Generating and hardware device；

Data decryption module, for according to the first key decrypting encrypted data.

25. device according to claim 24, which is characterized in that the data decryption module includes:

Key acquisition submodule, for generating the first key, and, the second key encrypted is obtained, it is described to have encrypted The second key it is corresponding with the encrypted data save；

Second key decrypts submodule, for obtaining second using first key decryption second key encrypted Key；

Data deciphering submodule, for decrypting the encrypted data using second key.

26. device according to claim 24, which is characterized in that described device further include:

Data acquisition module is verified, for obtaining verification data, the verification data are corresponding with the encrypted data to be saved；

Integrity verification module, for the integrality using the verification data check decrypted result.

27. device according to claim 24, which is characterized in that described device further include:

Decrypted result output module, for exporting decrypted result by second interface.

28. a kind of data encryption device characterized by comprising

First key generation module, for using the unique corresponding first key of root of trust Program Generating and hardware device；

Data encryption module, for according to the first key encryption data.

29. device according to claim 28, which is characterized in that the first key generation module includes:

First key generates submodule, trusts rooter for accessing the hardware built in the hardware device, generates described first Key.

30. a kind of data decryption apparatus characterized by comprising

First key generation module, for using the unique corresponding first key of root of trust Program Generating and hardware device；

Data decryption module, for according to the first key decrypting encrypted data.

31. device according to claim 30, which is characterized in that the first key generation module includes:

First key generates submodule, trusts rooter for accessing the hardware built in the hardware device, generates described first Key.

32. a kind of computer equipment including memory, processor and stores the meter that can be run on a memory and on a processor Calculation machine program, which is characterized in that the processor realizes one as described in claim 1-18 when executing the computer program A or multiple method.

33. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the computer program One or more methods as described in claim 1-18 are realized when being executed by processor.