CN113420309B - Lightweight data protection system based on state cryptographic algorithm - Google Patents

Publication number: CN113420309B
Authority: CN (China)
Application number: CN202110747218.3A
Other versions: CN113420309A
Other languages: Chinese (zh)
Legal status: Active
Inventors: 钟立钊, 郑欣, 徐迎晖, 熊晓明
Current and original assignees: Chipeye Microelectronics Foshan Ltd; Guangdong University of Technology
Prior art keywords: encryption, key, ciphertext, decryption, encryption card

Classifications

    • G06F21/602: Providing cryptographic facilities or services
    • G06F15/7807: System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F7/588: Random number generators, i.e. based on natural stochastic processes
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses a lightweight data protection system based on national cryptographic (SM) algorithms, comprising an encryption card as the hardware part, and an embedded firmware program and upper computer (host PC) software as the software part, wherein: the encryption card uses a security chip as its main control chip, which also performs the encryption and decryption operations, and the card's data communication and power supply are provided through a USB interface; the binary file of the embedded firmware program is stored in the Flash of the encryption card and executed by the security chip; and the upper computer software runs on the upper computer and communicates with the encryption card through a USB-to-serial port. The two-stage key management scheme designed by the invention ensures the security of the keys, prevents the security threat caused by key theft, and is convenient for the user; at low cost, the system is simple and secure to use, and provides lightweight encryption, decryption, digital signature and verification services for local files on the computer.

Description

Lightweight data protection system based on cryptographic algorithm
Technical Field
The invention relates to the technical field of information security, and in particular to a lightweight data protection system based on national cryptographic (SM) algorithms.
Background
Currently, data protection can be implemented by an encryption system built from software or hardware. A software-implemented encryption system uses a software program to encrypt and decrypt data. Although its development cost is low and maintenance is convenient, it occupies more computer resources, the encryption program is easy to monitor and tamper with, and key management is difficult, so its security is not high. Moreover, cryptographic operations implemented in hardware are several times faster than those implemented in software.
For example, software encryption may be implemented as a personal data security protection system based on a file filter driver in Windows, where the encryption and decryption operations are performed by software. There are also file encryption systems that combine software and hardware, in which a USB Key manages and encrypts the session key, but the file itself is still encrypted and decrypted by software.
A hardware-implemented encryption system protects data with dedicated hardware devices that can execute cryptographic algorithms. The operation of the hardware device is difficult to interfere with from outside, the sensitive information inside it cannot be accessed directly, and its functions can be called only through a predefined interface. Compared with software, a hardware encryption system has greater advantages in resisting external attacks, protecting keys, and increasing encryption and decryption speed. Common examples of hardware-implemented encryption systems are the following.
(1) Hard disk encryption, which encrypts the data on the hard disk and provides integrity verification and identity authentication of the data. (2) USB Key based encryption systems, which perform identity verification, data encryption and decryption, and integrity verification using the security chip built into the USB Key.
The prior art has the following disadvantages:
First, encryption implemented in software. Its disadvantage is that it occupies more of the computer's CPU resources, because encryption algorithms are complex operations that require heavy CPU involvement, especially when encryption demand surges. In addition, the encryption program is easy to monitor and tamper with, because it has no relatively isolated secure environment and is exposed to computer viruses, so its security is not high. Furthermore, software-implemented encryption is relatively slow because it runs on the CPU, which is orders of magnitude slower than encryption algorithms implemented in dedicated hardware circuits.
Second, encryption implemented in hardware. Its security is very high and it takes many application forms; like the methods mentioned in the background, such a system may be provided with an FPGA and a security chip, and the form of the system varies. However, implementations that can encrypt files purely local to a computer are currently less expensive and often have problems with respect to cost, simplicity, and ease.
Disclosure of Invention
The invention aims to provide a lightweight data protection system based on national cryptographic (SM) algorithms that is simple and secure to use at low cost.
To achieve this, the invention adopts the following technical scheme:
a lightweight data protection system based on national cryptographic (SM) algorithms comprises an encryption card as the hardware part, and an embedded firmware program and upper computer software as the software part, wherein:
the encryption card uses a security chip as its main control chip, which also performs the encryption and decryption operations, and the card's data communication and power supply are provided through a USB interface; the encryption card includes:
a security chip, which integrates a CPU and acceleration cores for the SM2, SM3 and SM4 algorithms, and has a true random number generator, a serial port and an SPI communication interface; a power management module, which converts the externally supplied voltage for use by the security chip and the other modules and interfaces; a USB-to-serial port module, which provides communication between the upper computer and the security chip, the USB also serving as the power supply interface; an EEPROM module, which stores the user's account and key data; a Flash module, which stores the embedded firmware program; and a JTAG interface, which is the debug interface used for downloading firmware and debugging programs;
the binary file of the embedded firmware program is stored in the Flash of the encryption card and executed by the security chip; the upper computer software runs on the upper computer and communicates with the encryption card through a USB-to-serial port, wherein:
the embedded firmware program comprises a top-layer module and a bottom-layer module; the top-layer module contains the encryption card work function, which connects and disconnects the protection system and provides registration, login, reset, encryption and decryption services to the user; the bottom-layer module comprises several drivers, including drivers for the SM2, SM3 and SM4 acceleration cores, for the serial port and GPIO (general-purpose input/output), for the random number generator, and for reading and writing the EEPROM (electrically erasable programmable read-only memory) module over IIC (inter-integrated circuit); the top-layer module implements the complete working process by repeatedly calling the bottom-layer module;
the key management method comprises the following steps:
a user first registers an account on the encryption card and chooses an 8-digit PIN code, each digit in the range 0-9; the PIN code serves as the user's login password and is also used for authentication and key management;
the encryption card applies the SM3 operation to the PIN code twice in succession, obtaining the 256-bit message digests of the first and second operations; the second message digest is then stored in the EEPROM module as the PIN comparison value for later logins;
the encryption card generates a random SM2 public/private key pair; the first 128 bits of the message digest from the first SM3 operation on the PIN code are then used as a symmetric key to encrypt the SM2 private key with the SM4 algorithm, while the SM2 public key is not encrypted; the SM2 public key in plaintext and the SM2 private key ciphertext are stored in the EEPROM module;
the encryption card randomly generates an SM4 symmetric key, encrypts it with the SM4 algorithm under the first 128 bits of the message digest from the first SM3 operation on the PIN code, and stores the resulting ciphertext of the SM4 symmetric key in the EEPROM module.
Further, the upper computer software is divided into five panels: a control panel, a login panel, an encryption panel, a decryption panel and a file display panel, wherein:
the control panel is used for configuring a communication port, selecting a connection/disconnection device and entering/exiting an encryption mode; the login panel is used for providing a user login interface and displaying a login state; the encryption panel is used for selecting a path of a plaintext file, a path for storing a ciphertext, a path for storing an SM2 public key and a path for storing an SM2 digital signature, and controlling the start of encryption; the decryption panel is used for selecting a path of a ciphertext file, a path of an SM2 digital signature, a path of an SM2 public key and a path for storing a plaintext file, and controlling the start of decryption; the file display panel is used for displaying the plaintext before encryption/the ciphertext after encryption and the ciphertext before decryption/the plaintext after decryption.
Further, key management is divided into two levels: the first 128 bits of the message digest from the first SM3 operation on the PIN code are the first-level key, and the randomly generated SM2 private key and SM4 symmetric key are the second-level keys; the first-level key encrypts the second-level keys, and the resulting key ciphertexts are stored; when a second-level key is needed, its ciphertext is read out and decrypted with the first-level key before use.
Further, the processes of encryption, decryption, digital signature and verification are as follows:
in the encryption card, a plaintext is encrypted through SM4 to generate a ciphertext, then an SM3 algorithm generates a message digest of the ciphertext, then SM2 digital signature is carried out on the message digest, and finally the digital signature and the ciphertext are sent to an upper computer;
when the signature is verified, firstly, the digital signature is subjected to SM2 signature verification algorithm to obtain a message digest of an original ciphertext, then the received ciphertext is subjected to SM3 algorithm to obtain a message digest, then the two message digests are compared, if the two message digests are the same, the verification is successful, the ciphertext is subjected to SM4 decryption to obtain a plaintext, and the plaintext is sent to an upper computer; otherwise, the verification fails and the subsequent decryption is not carried out.
Furthermore, only the control panel is displayed when the upper computer software starts; the user can encrypt and decrypt only after connecting the device, registering (required on first use or on first use after a reset) and logging in successfully; the user can use the reset function to clear all account and key data on the encryption card.
Further, the security chip is the Internet of Things security chip CE2343P7 from Chipeye Microelectronics Foshan Ltd.
Further, the embedded firmware program also comprises a board-level support package which is used for providing an environment for running the firmware.
Compared with the prior art, the invention has the following technical characteristics:
1. The system of the invention is a hardware encryption scheme covering both software and hardware design, so it has the advantages of hardware encryption. Its main purpose is to be simple and secure to use at low cost, and it focuses on lightweight encryption, decryption, digital signature and verification services for local files on a computer only. The invention is designed on China's commercial cryptographic algorithms SM2, SM3 and SM4 and uses no foreign cryptographic algorithm, which is significant for national security, since the algorithms are China's own, and for promoting China's domestic cryptographic algorithms; current similar products are rarely designed on the national cryptographic algorithms.
2. Based on the Chinese commercial cryptographic algorithms SM2, SM3 and SM4, the invention provides a simple and effective two-stage key management scheme, which ensures the security of the keys, prevents the security threat caused by key theft, and is convenient for the user. A practical and secure flow for file encryption and decryption, digital signature and verification is designed. The complete hardware circuit of the encryption card and the software that works with it are designed with light weight as the goal, and a simple and effective two-factor identity authentication scheme (the encryption card and the PIN code together form the two factors) is implemented, which ensures the uniqueness of the user identity and is convenient to use and manage.
Drawings
FIG. 1 is an overall design framework of the present invention;
FIG. 2 is a schematic diagram of the cryptographic card hardware circuit;
FIG. 3 is a PCB diagram of an encryption card;
FIG. 4 is an overall design framework for software;
FIG. 5 is an interface diagram of the upper computer software;
FIG. 6 is a key management flow diagram;
FIG. 7 is a flow diagram of encryption and digital signature generation;
FIG. 8 is a flow chart of digital signature verification and decryption.
Detailed Description
The lightweight data protection system based on national cryptographic (SM) algorithms has the following functional requirements:
(1) Encryption and decryption. File data on the computer is encrypted and decrypted by dedicated hardware based on the national cryptographic algorithms, ensuring the security of the data.
(2) Digital signature and verification. After the user encrypts file data, a corresponding digital signature is generated. Before the user decrypts the data, the corresponding digital signature must be verified to confirm the source and integrity of the data, ensuring that the data was encrypted by the user and has not been tampered with or damaged.
(3) User identity authentication. The user operating the system must be authenticated, and only an authenticated user can use the system to encrypt, decrypt and digitally sign data.
(4) Key management. The file encryption and decryption system must store and manage keys; the user's SM2 private key and SM4 symmetric key can only be stored in the encryption hardware device and cannot be exported, which ensures the security of the keys. The user's account information must also be managed and stored in the encryption hardware device.
The system must also meet the following two non-functional requirements:
(1) Ease of operation. The system needs a simple, easy-to-operate user interface and stable operation to improve the user experience.
(2) Low cost and light weight. The cost and complexity of the design are reduced while ensuring the security and practicality of the system.
Overall design division:
To meet the design requirements, the system consists of encryption hardware (hereinafter the encryption card), an embedded firmware program and upper computer software. The system uses the SM4 algorithm to encrypt and decrypt file data; the SM2 algorithm together with the SM3 algorithm provides digital signature and verification, meeting the requirement to verify the source and integrity of data; user identity authentication is provided by a user-set personal identification number (PIN); key management is provided by a two-stage key management mechanism that encrypts the keys and stores the encrypted keys in the EEPROM of the encryption card; ease of operation is provided by a well-designed graphical user interface.
The specific design is divided as follows:
(1) Design the hardware circuit of the encryption card.
(2) Design the embedded firmware program of the encryption card: write the encryption card program according to the hardware resources of the selected main control security chip and the board-level development kit, implementing data encryption and decryption, digital signature and verification, key management, identity authentication and other functions.
(3) Design upper computer software with a graphical user interface to work with the encryption card and make operation convenient for the user.
According to the overall design division, the system consists of hardware and software; the specific design framework is shown in FIG. 1.
Hardware circuit design of the encryption card:
In keeping with the design goals of low cost and light weight, the encryption card uses the security chip as its main control chip, and the same chip performs the encryption and decryption operations. Data communication and power supply are provided through a USB interface. The hardware circuit of the encryption card comprises the following six parts:
(1) The main control security chip is the Internet of Things security chip CE2343P7 from Chipeye Microelectronics Foshan Ltd. The chip integrates a CPU and acceleration cores for the SM2, SM3 and SM4 algorithms, and has a true random number generator and communication interfaces including a serial port and SPI.
(2) The power management module converts the externally supplied voltage for use by the other modules.
(3) The USB-to-serial port module provides communication between the upper computer and the security chip; the USB also serves as the power supply interface.
(4) The EEPROM module stores the user's account and key data.
(5) The Flash module stores the embedded firmware program.
(6) The JTAG interface is a debugging interface and is used for downloading firmware and debugging programs.
The schematic design of the hardware circuit of the encryption card is shown in FIG. 2.
From this circuit, a PCB diagram was generated and layout, routing and other design work carried out; the final PCB diagram (front side) is shown in FIG. 3. The encryption card PCB is about 52mm long and 28mm wide, small and convenient to carry.
Software design:
Overall design of software:
The software of the system consists of an embedded firmware program and upper computer software. In actual use, the binary file of the embedded firmware program is stored in the Flash of the encryption card and executed by the security chip, while the upper computer software runs on the upper computer and communicates with the encryption card through a USB-to-serial port. The overall design framework of the software is shown in FIG. 4.
The embedded firmware program is divided into a top-layer module and a bottom-layer module. The top-layer module is the Main function, which mainly consists of the encryption card work function. The encryption card work function connects and disconnects the device and provides registration, login, reset, encryption and decryption (including digital signature and verification) services to the user. The bottom-layer module mainly consists of drivers, including drivers for the SM2, SM3 and SM4 acceleration cores, for the serial port and GPIO (general-purpose input/output), for the random number generator, and for reading and writing the EEPROM (electrically erasable programmable read-only memory) over IIC (inter-integrated circuit). The board-level support package provides the environment in which the firmware runs. The top-layer module implements the complete workflow by repeatedly calling the bottom-layer module.
The upper computer software is built with MATLAB's GUIDE tool, has a simple graphical user interface, and is divided into five panels: a control panel, a login panel, an encryption panel, a decryption panel and a file display panel. FIG. 5 shows the control panel, encryption panel and file display panel in operation:
The control panel is used for configuring a communication port, selecting a connection/disconnection device and entering/exiting an encryption mode; the login panel is used for providing a user login interface and displaying a login state; the encryption panel is used for selecting a path of a plaintext file, a path for storing a ciphertext, a path for storing an SM2 public key and a path for storing an SM2 digital signature, and controlling the start of encryption; the decryption panel is used for selecting a path of the ciphertext file, a path of the SM2 digital signature, a path of the SM2 public key and a path for storing the plaintext file, and controlling the start of decryption; the file display panel is used for displaying the plaintext before encryption/the ciphertext after encryption and the ciphertext before decryption/the plaintext after decryption.
Only the control panel is displayed when the upper computer software starts; the user can encrypt and decrypt only after connecting the device, registering (required on first use or on first use after a reset) and logging in successfully. In addition, the user can use the reset function to clear all account and key data on the encryption card. The file display panel shows the text data before and after encryption and before and after decryption.
Key management and identity authentication scheme:
The system encrypts and decrypts data with the SM4 algorithm and digitally signs and verifies data with the SM2 algorithm, so one SM4 symmetric key and one SM2 public/private key pair must be generated. The keys are generated by the true random number generator in the security chip of the encryption card, which ensures that they are unpredictable. To protect the system and the keys, a simple two-stage key management scheme is designed and a two-factor identity authentication method is adopted. The specific key management flow is shown in FIG. 6.
The key management flow is described as follows:
Step 1: the user first registers an account on the encryption card and chooses an 8-digit personal identification number (PIN code), each digit in the range 0-9. The PIN code serves as the user's login password and is also used for identity authentication and key management.
Step 2: the encryption card applies the SM3 operation to the PIN code twice in succession, obtaining the 256-bit message digests of the first and second operations. The second message digest is then stored in the EEPROM as the PIN comparison value for later logins.
Step 3: the encryption card generates a random SM2 public/private key pair. The first 128 bits of the message digest from the first SM3 operation on the PIN code are then used as a symmetric key to encrypt the SM2 private key with the SM4 algorithm; the SM2 public key is not encrypted. The SM2 public key in plaintext and the SM2 private key ciphertext are stored in the EEPROM.
Step 4: the encryption card randomly generates an SM4 symmetric key. This key is encrypted with the SM4 algorithm under the first 128 bits of the message digest from the first SM3 operation on the PIN code, and the resulting ciphertext is stored in the EEPROM.
In summary, key management is divided into two levels: the first 128 bits of the message digest from the first SM3 operation on the PIN code are the first-level key, while the randomly generated SM2 private key and SM4 symmetric key are the second-level keys. The first-level key encrypts the second-level keys, and the resulting key ciphertexts are stored; when a second-level key is needed, its ciphertext is read out and decrypted with the first-level key before use.
This solution has the following three advantages:
(1) The security of all keys is ensured while keeping the design lightweight. Because the SM3 algorithm is one-way, neither the first message digest nor the PIN code can be derived from the second message digest of the PIN code.
(2) Two-factor identity authentication effectively protects the system. The user must hold both the encryption card and the PIN code to use the system normally.
(3) A good user experience is provided. The user only needs to remember an 8-digit PIN code and keep the encryption card hardware safe, which is simple and convenient.
Encryption and decryption and digital signature and verification processes:
The design uses the national cryptographic algorithms SM2, SM3 and SM4 together. In the encryption card, the plaintext is encrypted with SM4 to produce the ciphertext, the SM3 algorithm then generates a message digest of the ciphertext, an SM2 digital signature is computed over the message digest, and finally the digital signature and the ciphertext are sent to the upper computer. The whole flow is shown in FIG. 7.
When the signature is verified, the digital signature is first processed by the SM2 signature verification algorithm to obtain the message digest of the original ciphertext; the received ciphertext is then hashed with SM3 to obtain a message digest, and the two message digests are compared. If they are the same, verification succeeds, the ciphertext is decrypted with SM4 to obtain the plaintext, and the plaintext is sent to the upper computer; otherwise, verification fails and the subsequent decryption is not carried out. The whole flow is shown in FIG. 8.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (7)

1. The lightweight data protection system based on the national cryptographic algorithm is characterized by comprising an encryption card of a hardware part, an embedded firmware program of a software part and upper computer software, wherein:
the encryption card adopts a security chip as a main control chip and simultaneously undertakes the operation tasks of encryption and decryption, and the data communication and the circuit power supply of the encryption card are realized by a USB interface; the encryption card includes:
the security chip integrates a CPU and operation acceleration cores for the SM2, SM3 and SM4 algorithms, and is provided with a true random number generator, a serial port and an SPI communication interface; the power management module converts the externally input voltage to supply the security chip and the other modules and interfaces; the USB-to-serial port module implements communication between the upper computer and the security chip, and the USB also serves as the power supply interface; the EEPROM module is the memory for the user's account and key data; the Flash module is the memory for the embedded firmware program; the JTAG interface is the debug interface, used for downloading firmware and debugging the program;
the binary file of the embedded firmware program is stored in Flash of the encryption card for being executed by the security chip; and the upper computer software runs in the upper computer, and realizes the communication with the encryption card in a USB-to-serial port mode, wherein:
the embedded firmware program comprises a top-layer module and a bottom-layer module, wherein the top-layer module comprises an encryption card work function; the encryption card work function is used for connecting and disconnecting the protection system and for providing registration, login, reset, encryption and decryption services to the user; the bottom-layer module comprises a plurality of drivers, including drivers for the SM2, SM3 and SM4 operation acceleration cores, drivers for the serial port and GPIO (general-purpose input/output), a driver for the random number generator, and a driver for reading and writing the EEPROM (electrically erasable programmable read-only memory) module over IIC (inter-integrated circuit); the top-layer module implements a complete working process by repeatedly calling the bottom-layer module;
the key management method comprises the following steps:
a user first registers an account on the encryption card and defines an 8-digit PIN code, each digit in the range 0-9, wherein the PIN code serves as the user's login password and is also used for authentication and key management;
the encryption card first executes the SM3 operation on the PIN code, and then executes the SM3 operation on that result, obtaining the 256-bit message digests of the first and second operations respectively; the second message digest is then stored in the EEPROM module as the PIN comparison standard for later user logins;
the encryption card generates a random SM2 public/private key pair; the first 128 bits of the message digest obtained by the first SM3 operation on the PIN code are then used as the symmetric key to encrypt the SM2 private key with the SM4 algorithm, while the SM2 public key is not encrypted; the SM2 public key plaintext and the encrypted SM2 private key ciphertext are stored in the EEPROM module;
the encryption card randomly generates an SM4 symmetric key, the first 128 bits of the message digest obtained by the first SM3 operation on the PIN code are used to encrypt the SM4 symmetric key with the SM4 algorithm, and finally the ciphertext of the SM4 symmetric key is stored in the EEPROM module.
2. The lightweight data protection system based on the cryptographic algorithm of claim 1, wherein the upper computer software is divided into five panels: a control panel, a login panel, an encryption panel, a decryption panel and a file display panel, wherein:
the control panel is used for configuring a communication port, selecting a connection/disconnection device and entering/exiting an encryption mode; the login panel is used for providing a user login interface and displaying a login state; the encryption panel is used for selecting a path of a plaintext file, a path for storing a ciphertext, a path for storing an SM2 public key and a path for storing an SM2 digital signature, and controlling the start of encryption; the decryption panel is used for selecting a path of a ciphertext file, a path of an SM2 digital signature, a path of an SM2 public key and a path for storing a plaintext file, and controlling the start of decryption; the file display panel is used for displaying the plaintext before encryption/the ciphertext after encryption and the ciphertext before decryption/the plaintext after decryption.
3. The lightweight data protection system based on the cryptographic algorithm of claim 1, wherein key management is divided into two levels: the first 128 bits of the message digest obtained by the first SM3 operation on the PIN code form the first-level key, and the randomly generated SM2 private key and SM4 symmetric key are the second-level keys; the first-level key encrypts the second-level keys, and the resulting key ciphertext is stored; when a second-level key is needed, its ciphertext is read out and decrypted with the first-level key before use.
4. The lightweight data protection system based on the cryptographic algorithm of claim 1, wherein the processes of encryption and decryption and digital signature and verification are as follows:
in the encryption card, the plaintext is encrypted with SM4 to generate a ciphertext, the SM3 algorithm then generates a message digest of the ciphertext, an SM2 digital signature is computed over the message digest, and finally the digital signature and the ciphertext are sent to the upper computer;
during verification, the digital signature is first processed by the SM2 signature verification algorithm to obtain the message digest of the original ciphertext, the received ciphertext is processed by the SM3 algorithm to obtain its message digest, and the two message digests are compared; if they are the same, verification succeeds, the ciphertext is decrypted with SM4 to obtain the plaintext, and the plaintext is sent to the upper computer; otherwise, verification fails and no decryption is carried out.
5. The lightweight data protection system based on the cryptographic algorithm of claim 1, wherein the upper computer displays only the control panel when it starts running, and a user can perform encryption and decryption only after connecting the device, registering and successfully logging in; the user can clear all account and key data on the encryption card by using the reset function; wherein registration is required on first use or after a reset.
6. The lightweight data protection system based on the cryptographic algorithm of claim 1, wherein the security chip is the Internet of Things security chip CE2343P7 from Chipeye Microelectronics Foshan Ltd.
7. The lightweight data protection system based on the cryptographic algorithm of claim 1, wherein the embedded firmware program further comprises a board-level support package for providing an environment for firmware to run.
CN202110747218.3A 2021-07-01 2021-07-01 Lightweight data protection system based on state cryptographic algorithm Active CN113420309B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110747218.3A CN113420309B (en) 2021-07-01 2021-07-01 Lightweight data protection system based on state cryptographic algorithm

Publications (2)

Publication Number Publication Date
CN113420309A CN113420309A (en) 2021-09-21
CN113420309B CN113420309B (en) 2022-05-17

Family

ID=77720043

Country Status (1)

Country Link
CN (1) CN113420309B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant