CN113609504A - Data processing method, device and system, electronic equipment and storage medium - Google Patents

Data processing method, device and system, electronic equipment and storage medium Download PDF

Info

Publication number
CN113609504A
CN113609504A CN202110921150.6A CN202110921150A CN113609504A CN 113609504 A CN113609504 A CN 113609504A CN 202110921150 A CN202110921150 A CN 202110921150A CN 113609504 A CN113609504 A CN 113609504A
Authority
CN
China
Prior art keywords
target data
encryption
decryption algorithm
token
cpu
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110921150.6A
Other languages
Chinese (zh)
Other versions
CN113609504B (en
Inventor
昌明涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gree Electric Appliances Inc of Zhuhai
Original Assignee
Gree Electric Appliances Inc of Zhuhai
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gree Electric Appliances Inc of Zhuhai filed Critical Gree Electric Appliances Inc of Zhuhai
Priority to CN202110921150.6A priority Critical patent/CN113609504B/en
Publication of CN113609504A publication Critical patent/CN113609504A/en
Application granted granted Critical
Publication of CN113609504B publication Critical patent/CN113609504B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data processing method, a device, a system, electronic equipment and a storage medium, and belongs to the technical field of data processing. The data processing method is applied to a secure CPU (central processing unit), the secure CPU and a general CPU are integrated on a chip, and the data processing method comprises the following steps: obtaining a token request sent by a general CPU, wherein the token request comprises security processing information of target data; analyzing the token request, and acquiring an encryption and decryption algorithm corresponding to the identification information, the key information and a processing function executed by the request on target data; accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function to obtain an execution result and generate a token response; and returning the token response to the general CPU. Because the general CPU and the safe CPU are integrated in one chip, the general CPU and the safe CPU can not be cracked by violence, the firmware and the private data of the microprocessor are prevented from being stolen, and the data safety is improved.

Description

Data processing method, device and system, electronic equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a data processing method, apparatus, system, electronic device, and storage medium.
Background
With the development of the internet and the improvement of technology, the application of the terminal device is more and more extensive, and with the arrival of the world of everything interconnection, the sensitive data related to the security aspect is more and more important for the terminal device, and the protection of the sensitive data of the terminal device is urgent. In order to prevent illegal access and steal of sensitive data and further improve the safety of the data, a data processing method is provided.
Disclosure of Invention
In order to solve the technical problem that sensitive data are stolen by external illegal access, the application provides a data processing method, a device, a system, electronic equipment and a storage medium.
In a first aspect, the present application provides a data processing method, which is applied to a secure CPU, where the secure CPU and a general-purpose CPU are integrated on a chip, and the data processing method includes:
obtaining a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
returning the token response to the general-purpose CPU;
further, the above scheme further includes that before the accessing the target data according to the encryption and decryption algorithm and the key information and performing the processing function on the target data, the method further includes:
determining whether the encryption and decryption algorithm is an encryption and decryption algorithm in a security policy array, wherein the security policy array comprises at least one encryption and decryption algorithm;
if yes, continuing to execute the data processing method;
if not, generating a token response and returning the token response to the general CPU, wherein the token response carries prompt information that the encryption and decryption algorithm is not included in the security policy array;
further, the above scheme further includes that the security policy array includes a matrix with a row and a column, and any element in the matrix corresponds to an encryption/decryption algorithm; a and B are integers greater than or equal to 1;
further, the above scheme further includes that the accessing the target data according to the encryption and decryption algorithm and the key information includes:
inputting the encryption and decryption algorithm, the key information and the indication information of the target data into an encryption and decryption engine;
acquiring a result obtained after the encryption and decryption engine encrypts or decrypts the target data by adopting the encryption and decryption algorithm and the key information, and taking the result as an access result, wherein the target data is obtained by the encryption and decryption engine through the indication information of the target data;
further, the above scheme further includes that the processing function requested to be performed on the target data is key derivation, and the key information includes an address to be stored of a derived key;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
generating a derivative key according to the encryption and decryption algorithm, the target data and a root key in the secure CPU;
storing the derived key to the address to be stored;
further, the above scheme further includes that the request requests a processing function to be performed on target data to be stored securely, where the request includes a target address to be stored securely, and the accessing the target data and performing the processing function on the target data according to the encryption and decryption algorithm and the key information includes:
carrying out encryption operation on the target data according to the encryption and decryption algorithm and the key information;
storing the target data at the target address;
further, the above scheme further includes that the processing function requested to be executed on the target data is a designated function, where the designated function includes at least one of secure startup, network security, network authentication, and factory configuration;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
acquiring an authentication key for executing a specified function;
judging whether the key information is matched with the verification key according to the encryption and decryption algorithm;
and if so, executing the specified function.
In a second aspect, the present application provides a data processing method, which is applied to a general-purpose CPU, where the general-purpose CPU and a secure CPU are integrated on one chip, and the data processing method includes:
acquiring an encryption and decryption algorithm, and encapsulating indication information and safety processing information of target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
sending the token request to a token server;
obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed;
and acquiring the execution result.
In a third aspect, the present application provides a data processing apparatus, which is applied to a secure CPU, wherein the secure CPU and a general-purpose CPU are integrated on a chip, and the apparatus includes:
the first acquisition module is used for acquiring a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the analysis module is used for analyzing the token request and acquiring the processing function of the encryption and decryption algorithm, the key information and the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
the generating module is used for accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
and the return module is used for returning the token response to the general CPU.
In a fourth aspect, the present application provides a data processing apparatus, which is applied to a general-purpose CPU, the general-purpose CPU and a secure CPU are integrated on one chip, and the apparatus includes:
the encapsulation module is used for acquiring an encryption and decryption algorithm and encapsulating the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the sending module is used for sending the token request to a token server;
a second obtaining module, configured to obtain a token response corresponding to the token request, where the token response is returned by the token server according to the token request, and the token response carries an execution result obtained after accessing the target data according to the encryption/decryption algorithm and the key information and executing the processing function;
and the third acquisition module is used for acquiring the execution result.
In a fifth aspect, the present application provides a data processing system comprising at least one secure CPU and at least one general-purpose CPU, the secure CPU and the general-purpose CPU being integrated on one chip, the system comprising:
the safety CPU is used for acquiring a token request sent by the general CPU, and the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information; accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result; returning the token response to the general-purpose CPU;
the general CPU is used for acquiring an encryption and decryption algorithm and packaging the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; sending the token request to a token server; obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed; and acquiring the execution result.
In a sixth aspect, an electronic device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor, configured to implement the steps of the data processing method according to any one of the embodiments of the first aspect when executing the program stored in the memory.
In a seventh aspect, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the data processing method according to any one of the embodiments of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
according to the method provided by the embodiment of the application, the safe CPU and the general CPU are integrated in the chip, the safe CPU and the general CPU are integrated on the same chip, the safety data are stored in the safe CPU, and the general CPU has no right to directly access. In the communication process, a security CPU obtains a token request sent by a general CPU, wherein the token request comprises security processing information of target data, and the security processing information comprises: the method comprises the steps that identification information, key information and a processing function which is requested to be executed on target data of an encryption and decryption algorithm are obtained, a security CPU analyzes a token request, the encryption and decryption algorithm, the key information and the processing function which is requested to be executed on the target data are obtained, the security CPU accesses the target data and executes the processing function according to the encryption and decryption algorithm and the key information, an execution result is obtained and a token response is generated, the execution result is carried in the token response, and finally the token response is returned to a general CPU to finish a communication process. Because the general CPU and the safety CPU are integrated in one chip, the communication connection is established through a built-in physical channel of the chip, and illegal access through the outside cannot be broken, so that the firmware and sensitive data of the microprocessor can be prevented from being stolen, and the data safety is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a system architecture diagram of a data processing method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 3 is a logic diagram of a data processing method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart diagram illustrating another data processing method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 6 is a schematic block diagram of another data processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
According to an aspect of the embodiments of the present application, a data processing method is provided, which may be applied to a system architecture as shown in fig. 1, where the system architecture includes at least one secure CPU101 and at least one general-purpose CPU102, and the secure CPU101 and the general-purpose CPU102 are integrated on one chip, and a communication connection is established through a built-in physical channel.
The secure CPU101 acquires a token request sent by the general CPU102, wherein the token request comprises secure processing information of target data; wherein the secure processing information includes: the identification information, the key information and the processing function of the encryption and decryption algorithm, which is requested to be executed on the target data;
the secure CPU101 analyzes the token request, and acquires an encryption and decryption algorithm corresponding to the identification information, key information and a processing function of the request to be executed on the target data;
the secure CPU101 accesses the target data and executes a processing function according to the encryption and decryption algorithm and the key information, obtains an execution result and generates a token response; the token response carries an execution result;
the secure CPU101 returns a token response to the general-purpose CPU 102.
In the system architecture, a token server is established at a secure CPU end, a token client is established at a general CPU end, the secure CPU and the general CPU are integrated on a chip, the secure CPU and the general CPU establish communication connection in a token mode through a built-in physical channel of the chip, security data are stored in the secure CPU, the secure CPU accesses after receiving a request of the general CPU, and the general CPU has no right to directly access, so that the data security is improved, and external illegal access and sensitive data stealing are prevented.
In the system architecture, when more than or equal to two safe CPUs and/or more than or equal to two general CPUs exist, the safe CPUs and the general CPUs are integrated on one chip, each safe CPU is at least in communication connection with one general CPU through a built-in physical channel, and each general CPU is also at least in communication connection with one safe CPU through a built-in physical channel.
Next, based on the system architecture, an embodiment of a data processing method is described, and the method can be applied to a secure CPU and also can be applied to a general-purpose CPU.
When applied to a secure CPU, as shown in fig. 2, the data processing method mainly includes:
step 201, obtaining a token request sent by a general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of the encryption and decryption algorithm, key information, and a processing function requested to be performed on the target data, and indication information indicating access to the target data.
In this embodiment, the secure CPU obtains a token request sent by the general CPU, where the token request includes requirements of the general CPU, including identification information of using an encryption/decryption algorithm (for example, what encryption/decryption algorithm is used, a type and a length of the encryption/decryption algorithm), key information (if a key is used, the key information includes what key is used, a storage address of the key, and the like, and if a key is derived, the key information includes information such as an address stored after the key is generated), and which processing function is performed on target data.
The processing functions included in the token request include: the system comprises a security CPU, a token request, a key derivation module, a security storage module, a security starting module, a network authentication module, a factory configuration module, a network security module and the like, wherein the security CPU executes related processing functions according to related requests in the token request, and each token request can include processing by using multiple functions. The token request may further include the following processing functions, for example, the processing functions may include setting a function of periodically checking data in the firmware area, setting a preset period time, periodically checking the data in the firmware area, and improving data security, and may also read a register of the secure CPU through token, shield a debug interface of the secure CPU, and further improve a security level. It should be noted that the processing functions described herein are only examples, and the secure CPU may perform processing according to various requirements sent by the general-purpose CPU, and is not limited thereto.
Step 202, analyzing the token request, and acquiring an encryption and decryption algorithm, key information and a processing function of the request on target data; and the encryption and decryption algorithm is obtained according to the identification information.
In this embodiment, the secure CPU parses the token request, acquires the requirement information of the general CPU included in the token request, and acquires the encryption/decryption algorithm and the key information required to execute the requirement.
In one embodiment, after the encryption and decryption algorithm is obtained, whether the encryption and decryption algorithm is an encryption and decryption algorithm in a security policy array of a secure CPU is determined, and the security policy array includes at least one encryption and decryption algorithm.
In this embodiment, the secure CPU verifies the encryption/decryption algorithm used by the general CPU, and a legitimate user knows the encryption/decryption algorithm in the security policy array in the secure CPU. Therefore, if the encryption/decryption algorithm corresponding to the token request is the encryption/decryption algorithm in the security policy array, the token request is considered to be sent by a legitimate user according to the requirement, and step 203 is executed continuously. And if the encryption and decryption algorithm is not in the security policy array of the security CPU, the encryption and decryption algorithm is regarded as misoperation or is sent by an illegal user, a token response is generated and returned to the general CPU, and the token response carries prompt information that the encryption and decryption algorithm is not included in the security policy array. Through the verification of the encryption and decryption algorithm, the data security can be further improved.
In one embodiment, the security policy array comprises a matrix with A rows and B columns, and any element in the matrix corresponds to an encryption and decryption algorithm; a and B are each an integer of 1 or more.
In this embodiment, a matrix of a row a and a column B may be established to include multiple security policies, where the row a includes a elements, the column B includes B elements, and a × B different element combinations may be formed by permutation and combination among elements in different rows and columns, where each element combination corresponds to one encryption/decryption algorithm, or each element combination corresponds to one address, and the corresponding encryption/decryption algorithm is extracted through the corresponding address. The user has more selectivity when using, so that the encryption and decryption algorithm is not single any more, the encryption and decryption algorithm is not easy to crack, and the security of sensitive data is improved. In general, A is 2mAnd B is 2nWherein m and n are natural numbers greater than or equal to 0.
Step 203, accessing the target data according to the encryption and decryption algorithm and the key information and executing a processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result.
In one embodiment, as shown in FIG. 3, accessing the target data based on the encryption/decryption algorithm and the key information comprises: inputting the encryption and decryption algorithm, the key information and the indication information of the target data into an encryption and decryption engine; and acquiring a result obtained after the encryption and decryption engine encrypts or decrypts the target data by adopting an encryption and decryption algorithm and key information, and taking the result as an access result, wherein the target data is acquired by the encryption and decryption engine through the indication information of the target data.
In the embodiment, the encryption or decryption operation in the process of accessing the target data is performed through the encryption and decryption engine which is hardware encryption, so that the efficiency and the speed are high when the encryption or decryption operation is performed. The method for protecting the safety data by the safety algorithm through the internal software of the chip needs to occupy a large amount of operation of a CPU, and has low efficiency and low speed.
In one embodiment, the processing function requested to be performed on the target data is key derivation, and the key information includes an address to be stored for deriving a key; accessing target data and performing processing functions on the target data according to an encryption and decryption algorithm and key information, comprising: generating a derived key according to the encryption and decryption algorithm, the target data and a root key in the secure CPU; and storing the derived key to the address to be stored.
In this embodiment, when the requirement included in the token request is key derivation, the key information included in the token request is a storage address of a key generated by key derivation, and the root key used for the key derivation function in the secure CPU generates a key according to the encryption/decryption algorithm specified in the token request and the target data, and stores the key according to the storage address specified in the key information. Different applications in the general CPU can send token requests according to requirements to derive different keys, the same application can also send token requests according to different functions to derive different keys, and the data security can be improved.
In one embodiment, the processing function requested to be performed on the target data is secure storage, the request includes a target address of the secure storage, the target data is accessed according to an encryption and decryption algorithm and key information, and the processing function is performed on the target data, including: carrying out encryption operation on the target data according to the encryption and decryption algorithm and the key information; the target data is stored at the target address.
In this embodiment, when the requirement included in the token request is secure storage, the target data is accessed according to the encryption and decryption algorithm and the key information, and the target data is stored in the sensitive data storage area specified by the secure CPU according to the storage target data address and the type or function of the target data included in the requirement. The sensitive data storage area includes a Static Random-Access Memory (SRAM), a One Time Programmable (OTP) or a key buffer. The sensitive data are stored in different storage areas according to the security level and the function of the sensitive data, so that the security of the data can be effectively improved.
In one embodiment, the processing function requested to be performed on the target data is a designated function, and the designated function includes at least one of secure boot, network security, network authentication, and factory configuration; accessing target data and performing processing functions on the target data according to an encryption and decryption algorithm and key information, comprising: acquiring an authentication key for executing a specified function; judging whether the key information is matched with the verification key according to an encryption and decryption algorithm; if so, executing the specified function.
In this embodiment, when the requirement included in the token request is the above specified function, in order to ensure the security of the device, it is necessary to verify whether the key included in the token request matches the key required for executing the related function in the secure CPU, if matching, it is considered that the token request sent by a legitimate user is executed, and if not matching, no response is made to the token request.
Step 204, return token response to general purpose CPU.
And after the relevant functions are executed, returning the token response containing the execution result to the general CPU, and finishing one response. When the general CPU needs to relate to sensitive data, the sensitive data are accessed one by one through the token client and the server, so that the illegal access to the sensitive data through the outside is avoided, the safety of the sensitive data is improved, the safe CPU and the general CPU are integrated and packaged in one chip, the brute force of an external device on the chip cannot be cracked, and meanwhile, as the communication process of the safe CPU and the general CPU is carried out in a communication channel arranged in the chip, a data packet in the communication process cannot be stolen, so that the replay attack is avoided.
In another aspect of the embodiments of the present application, the method is applied to a general-purpose CPU, as shown in fig. 4, where a secure CPU and the general-purpose CPU are integrated on a chip, and the method includes:
step 401, acquiring an encryption and decryption algorithm, and encapsulating indication information and security processing information of target data into a token request; wherein the secure processing information includes: identification information of the encryption and decryption algorithm, key information, and a processing function requested to be performed on the target data, and indication information indicating access to the target data.
Before using the encryption and decryption algorithm, the general-purpose CPU may verify whether the encryption and decryption algorithm is included in the security policy array of the secure CPU, and if so, use the encryption and decryption algorithm, and encapsulate the identification information of the encryption and decryption algorithm in the token request.
Step 402, sending a token request to a token server.
And 403, obtaining a token response corresponding to the token request, which is returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed.
In step 404, an execution result is obtained.
After the general CPU obtains the execution result of the requirement, the interaction of the token is completed, and whether the requirement is required to be sent through the token request can be judged according to the execution result. Sensitive data about the safety aspect is stored in the safety CPU, each operation about the sensitive data is to send a token request through the general CPU, execute the token request in the safety CPU and return a token response, and the general CPU does not have the right to directly access the sensitive data stored in the safety CPU, so that the safety of the sensitive data is improved.
Based on the same concept, an embodiment of the present application further provides a data processing apparatus, as shown in fig. 5, which is applied to a secure CPU, where the secure CPU and a general-purpose CPU are integrated on a chip, and the data processing apparatus includes:
a first obtaining module 501, configured to obtain a token request sent by a general CPU, where the token request includes indication information and security processing information of target data; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
the analysis module 502 is configured to analyze the token request, obtain an encryption/decryption algorithm, key information, and a processing function that is requested to be performed on the target data; the encryption and decryption algorithm is obtained according to the identification information;
a generating module 503, configured to access target data according to an encryption/decryption algorithm and key information, perform a processing function on the target data, obtain an execution result, and generate a token response; the token response carries an execution result;
a return module 504 for returning the token response to the general purpose CPU.
The data processing device realizes the protection of the security data through the form of the token server and the client, can effectively prevent the sensitive data from being illegally accessed through the outside, and improves the security of the sensitive data.
An embodiment of the present application further provides another data processing apparatus, as shown in fig. 6, which is applied to a general CPU, and the general CPU and a secure CPU are integrated on one chip, including:
the encapsulation module 601 is configured to obtain an encryption and decryption algorithm, and encapsulate indication information and security processing information of target data into a token request; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
a sending module 602, configured to send a token request to a token server;
a second obtaining module 603, configured to obtain a token response corresponding to the token request, where the token response is returned by the token server according to the token request, and the token response carries an execution result obtained after accessing the target data according to the encryption/decryption algorithm and the key information and executing the processing function;
a third obtaining module 604, configured to obtain an execution result.
As shown in fig. 7, an embodiment of the present application provides an electronic device, which includes a processor 111, a communication interface 112, a memory 113, and a communication bus 114, where the processor 111, the communication interface 112, and the memory 113 complete mutual communication through the communication bus 114,
a memory 113 for storing a computer program;
in an embodiment of the present application, when the processor 111 is configured to execute a program stored in the memory 113, the data processing method provided in any one of the foregoing method embodiments is applied to a secure CPU, where the secure CPU and a general-purpose CPU are integrated on a chip, and the data processing method includes:
obtaining a token request sent by a general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
analyzing the token request, and acquiring an encryption and decryption algorithm, key information and a processing function of the request for executing the target data; the encryption and decryption algorithm is obtained according to the identification information;
accessing the target data according to the encryption and decryption algorithm and the key information and executing a processing function on the target data to obtain an execution result and generate a token response; the token response carries an execution result;
returning the token response to the general purpose CPU.
Or, the data processing method is applied to a general-purpose CPU, the general-purpose CPU and a safety CPU are integrated on a chip, and the data processing method comprises the following steps:
acquiring an encryption and decryption algorithm, and encapsulating indication information and safety processing information of target data into a token request; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
sending a token request to a token server;
obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to an encryption and decryption algorithm and key information and a processing function is executed;
and acquiring an execution result.
The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and other equipment.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
The present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the data processing method provided in any one of the foregoing method embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (13)

1. A data processing method is applied to a secure CPU (Central processing Unit), wherein the secure CPU and a general CPU are integrated on a chip, and the data processing method comprises the following steps:
obtaining a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
and returning the token response to the general CPU.
2. The data processing method of claim 1, wherein prior to said accessing the target data and performing the processing function on the target data according to the encryption/decryption algorithm and the key information, the method further comprises:
determining whether the encryption and decryption algorithm is an encryption and decryption algorithm in a security policy array, wherein the security policy array comprises at least one encryption and decryption algorithm;
if yes, continuing to execute the data processing method;
and if not, generating a token response and returning the token response to the general CPU, wherein the token response carries prompt information that the encryption and decryption algorithm is not included in the security policy array.
3. The data processing method of claim 2, wherein the security policy array comprises a matrix with a row and B columns, and any element in the matrix corresponds to an encryption and decryption algorithm; a and B are each an integer of 1 or more.
4. The data processing method of claim 1, wherein the accessing the target data according to the encryption and decryption algorithm and the key information comprises:
inputting the encryption and decryption algorithm, the key information and the indication information of the target data into an encryption and decryption engine;
and acquiring a result obtained after the encryption and decryption engine encrypts or decrypts the target data by adopting the encryption and decryption algorithm and the key information, and taking the result as an access result, wherein the target data is obtained by the encryption and decryption engine through the indication information of the target data.
5. The data processing method according to claim 1, wherein the processing function requested to be performed on the target data is key derivation, and the key information includes an address to be stored for deriving a key;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
generating a derivative key according to the encryption and decryption algorithm, the target data and a root key in the secure CPU;
and storing the derived key to the address to be stored.
6. The data processing method according to claim 1, wherein the request for performing the processing function on the target data is secure storage, the request includes a target address of the secure storage, and the accessing the target data and performing the processing function on the target data according to the encryption and decryption algorithm and the key information includes:
carrying out encryption operation on the target data according to the encryption and decryption algorithm and the key information;
storing the target data at the target address.
7. The data processing method according to claim 3, wherein the processing function requested to be performed on the target data is a specified function, and the specified function includes at least one of secure boot, network security, network authentication, and factory configuration;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
acquiring an authentication key for executing a specified function;
judging whether the key information is matched with the verification key according to the encryption and decryption algorithm;
and if so, executing the specified function.
8. A data processing method is applied to a general CPU, the general CPU and a safety CPU are integrated on a chip, and the data processing method comprises the following steps:
acquiring an encryption and decryption algorithm, and encapsulating indication information and safety processing information of target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
sending the token request to a token server;
obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed;
and acquiring the execution result.
9. A data processing apparatus, applied to a secure CPU integrated with a general-purpose CPU on a chip, comprising:
the first acquisition module is used for acquiring a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the analysis module is used for analyzing the token request and acquiring the processing function of the encryption and decryption algorithm, the key information and the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
the generating module is used for accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
and the return module is used for returning the token response to the general CPU.
10. A data processing apparatus, applied to a general-purpose CPU integrated with a secure CPU on one chip, the apparatus comprising:
the encapsulation module is used for acquiring an encryption and decryption algorithm and encapsulating the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the sending module is used for sending the token request to a token server;
a second obtaining module, configured to obtain a token response corresponding to the token request, where the token response is returned by the token server according to the token request, and the token response carries an execution result obtained after accessing the target data according to the encryption/decryption algorithm and the key information and executing the processing function;
and the third acquisition module is used for acquiring the execution result.
11. A data processing system comprising at least one secure CPU and at least one general purpose CPU, said secure CPU and said general purpose CPU being integrated on a single chip, said system comprising:
the safety CPU is used for acquiring a token request sent by the general CPU, and the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information; accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result; returning the token response to the general-purpose CPU;
the general CPU is used for acquiring an encryption and decryption algorithm and packaging the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; sending the token request to a token server; obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed; and acquiring the execution result.
12. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the steps of the data processing method of any one of claims 1 to 7 or claim 8 when executing the program stored in the memory.
13. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the data processing method according to any one of claims 1 to 7 or 8.
CN202110921150.6A 2021-08-11 2021-08-11 Data processing method, device and system, electronic equipment and storage medium Active CN113609504B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110921150.6A CN113609504B (en) 2021-08-11 2021-08-11 Data processing method, device and system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110921150.6A CN113609504B (en) 2021-08-11 2021-08-11 Data processing method, device and system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113609504A true CN113609504A (en) 2021-11-05
CN113609504B CN113609504B (en) 2024-05-07

Family

ID=78340343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110921150.6A Active CN113609504B (en) 2021-08-11 2021-08-11 Data processing method, device and system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113609504B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060272022A1 (en) * 2005-05-31 2006-11-30 Dmitrii Loukianov Securely configuring a system
US20080155271A1 (en) * 2006-12-21 2008-06-26 Spansion Llc Solid-state memory-based generation and handling of security authentication tokens
US20100217964A1 (en) * 2009-02-24 2010-08-26 General Instrument Corporation Method and apparatus for controlling enablement of jtag interface
CN108322469A (en) * 2018-02-05 2018-07-24 北京百度网讯科技有限公司 Information processing system, method and apparatus
US20180365069A1 (en) * 2017-06-14 2018-12-20 Intel Corporation Method and apparatus for securely binding a first processor to a second processor
WO2020102974A1 (en) * 2018-11-20 2020-05-28 深圳市欢太科技有限公司 Data access method, data access apparatus, and mobile terminal

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060272022A1 (en) * 2005-05-31 2006-11-30 Dmitrii Loukianov Securely configuring a system
US20080155271A1 (en) * 2006-12-21 2008-06-26 Spansion Llc Solid-state memory-based generation and handling of security authentication tokens
US20100217964A1 (en) * 2009-02-24 2010-08-26 General Instrument Corporation Method and apparatus for controlling enablement of jtag interface
US20180365069A1 (en) * 2017-06-14 2018-12-20 Intel Corporation Method and apparatus for securely binding a first processor to a second processor
CN108322469A (en) * 2018-02-05 2018-07-24 北京百度网讯科技有限公司 Information processing system, method and apparatus
WO2020102974A1 (en) * 2018-11-20 2020-05-28 深圳市欢太科技有限公司 Data access method, data access apparatus, and mobile terminal

Also Published As

Publication number Publication date
CN113609504B (en) 2024-05-07

Similar Documents

Publication Publication Date Title
JP5646631B2 (en) Device audit
CN113841145A (en) Lexus software in inhibit integration, isolation applications
CN110268406B (en) Password security
CN101340281A (en) Method and system for safe login input on network
CN103038745A (en) Extending an integrity measurement
WO2020181809A1 (en) Data processing method and system based on interface checking, and computer device
CN108335105B (en) Data processing method and related equipment
US10846373B2 (en) Method and system for securing a client's access to a DRM agent's services for a video player
CN112131564A (en) Encrypted data communication method, apparatus, device, and medium
JP2019122030A (en) Secure client authentication based on conditional provision of code signature
WO2021137769A1 (en) Method and apparatus for sending and verifying request, and device thereof
CN111783049A (en) User information processing method and system based on block chain
CN110445768B (en) Login method and device and electronic equipment
CN113239853A (en) Biological identification method, device and equipment based on privacy protection
WO2020243245A1 (en) Protection of online applications and webpages using a blockchain
CN113761498A (en) Third party login information hosting method, system, equipment and storage medium
US20150295918A1 (en) User authentication system in web mash-up circumstance and authenticating method thereof
US8261328B2 (en) Trusted electronic communication through shared vulnerability
CN110990853B (en) Dynamic heterogeneous redundant data access protection method and device
CN111600864B (en) Method and device for verifying access service interface based on token authentication multidimensional
KR102102179B1 (en) Embedded system, authentication system comprising the same, method of authenticating the system
CN113609504B (en) Data processing method, device and system, electronic equipment and storage medium
WO2022148149A1 (en) License file management method and apparatus, and device
CN114448722A (en) Cross-browser login method and device, computer equipment and storage medium
CN111090850B (en) Authentication system, method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant