CN113609504A - Data processing method, device and system, electronic equipment and storage medium - Google Patents
Data processing method, device and system, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN113609504A CN113609504A CN202110921150.6A CN202110921150A CN113609504A CN 113609504 A CN113609504 A CN 113609504A CN 202110921150 A CN202110921150 A CN 202110921150A CN 113609504 A CN113609504 A CN 113609504A
- Authority
- CN
- China
- Prior art keywords
- target data
- encryption
- decryption algorithm
- token
- cpu
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 40
- 238000012545 processing Methods 0.000 claims abstract description 139
- 230000004044 response Effects 0.000 claims abstract description 68
- 230000006870 function Effects 0.000 claims description 99
- 230000006854 communication Effects 0.000 claims description 29
- 238000004891 communication Methods 0.000 claims description 25
- 238000000034 method Methods 0.000 claims description 18
- 238000004590 computer program Methods 0.000 claims description 10
- 238000009795 derivation Methods 0.000 claims description 7
- 239000011159 matrix material Substances 0.000 claims description 7
- 238000012795 verification Methods 0.000 claims description 4
- 238000004458 analytical method Methods 0.000 claims description 3
- 238000005538 encapsulation Methods 0.000 claims description 3
- 238000004806 packaging method and process Methods 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 5
- 230000009471 action Effects 0.000 description 3
- 238000013500 data storage Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 231100000279 safety data Toxicity 0.000 description 2
- 238000011161 development Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a data processing method, a device, a system, electronic equipment and a storage medium, and belongs to the technical field of data processing. The data processing method is applied to a secure CPU (central processing unit), the secure CPU and a general CPU are integrated on a chip, and the data processing method comprises the following steps: obtaining a token request sent by a general CPU, wherein the token request comprises security processing information of target data; analyzing the token request, and acquiring an encryption and decryption algorithm corresponding to the identification information, the key information and a processing function executed by the request on target data; accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function to obtain an execution result and generate a token response; and returning the token response to the general CPU. Because the general CPU and the safe CPU are integrated in one chip, the general CPU and the safe CPU can not be cracked by violence, the firmware and the private data of the microprocessor are prevented from being stolen, and the data safety is improved.
Description
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a data processing method, apparatus, system, electronic device, and storage medium.
Background
With the development of the internet and the improvement of technology, the application of the terminal device is more and more extensive, and with the arrival of the world of everything interconnection, the sensitive data related to the security aspect is more and more important for the terminal device, and the protection of the sensitive data of the terminal device is urgent. In order to prevent illegal access and steal of sensitive data and further improve the safety of the data, a data processing method is provided.
Disclosure of Invention
In order to solve the technical problem that sensitive data are stolen by external illegal access, the application provides a data processing method, a device, a system, electronic equipment and a storage medium.
In a first aspect, the present application provides a data processing method, which is applied to a secure CPU, where the secure CPU and a general-purpose CPU are integrated on a chip, and the data processing method includes:
obtaining a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
returning the token response to the general-purpose CPU;
further, the above scheme further includes that before the accessing the target data according to the encryption and decryption algorithm and the key information and performing the processing function on the target data, the method further includes:
determining whether the encryption and decryption algorithm is an encryption and decryption algorithm in a security policy array, wherein the security policy array comprises at least one encryption and decryption algorithm;
if yes, continuing to execute the data processing method;
if not, generating a token response and returning the token response to the general CPU, wherein the token response carries prompt information that the encryption and decryption algorithm is not included in the security policy array;
further, the above scheme further includes that the security policy array includes a matrix with a row and a column, and any element in the matrix corresponds to an encryption/decryption algorithm; a and B are integers greater than or equal to 1;
further, the above scheme further includes that the accessing the target data according to the encryption and decryption algorithm and the key information includes:
inputting the encryption and decryption algorithm, the key information and the indication information of the target data into an encryption and decryption engine;
acquiring a result obtained after the encryption and decryption engine encrypts or decrypts the target data by adopting the encryption and decryption algorithm and the key information, and taking the result as an access result, wherein the target data is obtained by the encryption and decryption engine through the indication information of the target data;
further, the above scheme further includes that the processing function requested to be performed on the target data is key derivation, and the key information includes an address to be stored of a derived key;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
generating a derivative key according to the encryption and decryption algorithm, the target data and a root key in the secure CPU;
storing the derived key to the address to be stored;
further, the above scheme further includes that the request requests a processing function to be performed on target data to be stored securely, where the request includes a target address to be stored securely, and the accessing the target data and performing the processing function on the target data according to the encryption and decryption algorithm and the key information includes:
carrying out encryption operation on the target data according to the encryption and decryption algorithm and the key information;
storing the target data at the target address;
further, the above scheme further includes that the processing function requested to be executed on the target data is a designated function, where the designated function includes at least one of secure startup, network security, network authentication, and factory configuration;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
acquiring an authentication key for executing a specified function;
judging whether the key information is matched with the verification key according to the encryption and decryption algorithm;
and if so, executing the specified function.
In a second aspect, the present application provides a data processing method, which is applied to a general-purpose CPU, where the general-purpose CPU and a secure CPU are integrated on one chip, and the data processing method includes:
acquiring an encryption and decryption algorithm, and encapsulating indication information and safety processing information of target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
sending the token request to a token server;
obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed;
and acquiring the execution result.
In a third aspect, the present application provides a data processing apparatus, which is applied to a secure CPU, wherein the secure CPU and a general-purpose CPU are integrated on a chip, and the apparatus includes:
the first acquisition module is used for acquiring a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the analysis module is used for analyzing the token request and acquiring the processing function of the encryption and decryption algorithm, the key information and the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
the generating module is used for accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
and the return module is used for returning the token response to the general CPU.
In a fourth aspect, the present application provides a data processing apparatus, which is applied to a general-purpose CPU, the general-purpose CPU and a secure CPU are integrated on one chip, and the apparatus includes:
the encapsulation module is used for acquiring an encryption and decryption algorithm and encapsulating the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the sending module is used for sending the token request to a token server;
a second obtaining module, configured to obtain a token response corresponding to the token request, where the token response is returned by the token server according to the token request, and the token response carries an execution result obtained after accessing the target data according to the encryption/decryption algorithm and the key information and executing the processing function;
and the third acquisition module is used for acquiring the execution result.
In a fifth aspect, the present application provides a data processing system comprising at least one secure CPU and at least one general-purpose CPU, the secure CPU and the general-purpose CPU being integrated on one chip, the system comprising:
the safety CPU is used for acquiring a token request sent by the general CPU, and the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information; accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result; returning the token response to the general-purpose CPU;
the general CPU is used for acquiring an encryption and decryption algorithm and packaging the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; sending the token request to a token server; obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed; and acquiring the execution result.
In a sixth aspect, an electronic device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor, configured to implement the steps of the data processing method according to any one of the embodiments of the first aspect when executing the program stored in the memory.
In a seventh aspect, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the data processing method according to any one of the embodiments of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
according to the method provided by the embodiment of the application, the safe CPU and the general CPU are integrated in the chip, the safe CPU and the general CPU are integrated on the same chip, the safety data are stored in the safe CPU, and the general CPU has no right to directly access. In the communication process, a security CPU obtains a token request sent by a general CPU, wherein the token request comprises security processing information of target data, and the security processing information comprises: the method comprises the steps that identification information, key information and a processing function which is requested to be executed on target data of an encryption and decryption algorithm are obtained, a security CPU analyzes a token request, the encryption and decryption algorithm, the key information and the processing function which is requested to be executed on the target data are obtained, the security CPU accesses the target data and executes the processing function according to the encryption and decryption algorithm and the key information, an execution result is obtained and a token response is generated, the execution result is carried in the token response, and finally the token response is returned to a general CPU to finish a communication process. Because the general CPU and the safety CPU are integrated in one chip, the communication connection is established through a built-in physical channel of the chip, and illegal access through the outside cannot be broken, so that the firmware and sensitive data of the microprocessor can be prevented from being stolen, and the data safety is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a system architecture diagram of a data processing method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application;
FIG. 3 is a logic diagram of a data processing method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart diagram illustrating another data processing method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 6 is a schematic block diagram of another data processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
According to an aspect of the embodiments of the present application, a data processing method is provided, which may be applied to a system architecture as shown in fig. 1, where the system architecture includes at least one secure CPU101 and at least one general-purpose CPU102, and the secure CPU101 and the general-purpose CPU102 are integrated on one chip, and a communication connection is established through a built-in physical channel.
The secure CPU101 acquires a token request sent by the general CPU102, wherein the token request comprises secure processing information of target data; wherein the secure processing information includes: the identification information, the key information and the processing function of the encryption and decryption algorithm, which is requested to be executed on the target data;
the secure CPU101 analyzes the token request, and acquires an encryption and decryption algorithm corresponding to the identification information, key information and a processing function of the request to be executed on the target data;
the secure CPU101 accesses the target data and executes a processing function according to the encryption and decryption algorithm and the key information, obtains an execution result and generates a token response; the token response carries an execution result;
the secure CPU101 returns a token response to the general-purpose CPU 102.
In the system architecture, a token server is established at a secure CPU end, a token client is established at a general CPU end, the secure CPU and the general CPU are integrated on a chip, the secure CPU and the general CPU establish communication connection in a token mode through a built-in physical channel of the chip, security data are stored in the secure CPU, the secure CPU accesses after receiving a request of the general CPU, and the general CPU has no right to directly access, so that the data security is improved, and external illegal access and sensitive data stealing are prevented.
In the system architecture, when more than or equal to two safe CPUs and/or more than or equal to two general CPUs exist, the safe CPUs and the general CPUs are integrated on one chip, each safe CPU is at least in communication connection with one general CPU through a built-in physical channel, and each general CPU is also at least in communication connection with one safe CPU through a built-in physical channel.
Next, based on the system architecture, an embodiment of a data processing method is described, and the method can be applied to a secure CPU and also can be applied to a general-purpose CPU.
When applied to a secure CPU, as shown in fig. 2, the data processing method mainly includes:
In this embodiment, the secure CPU obtains a token request sent by the general CPU, where the token request includes requirements of the general CPU, including identification information of using an encryption/decryption algorithm (for example, what encryption/decryption algorithm is used, a type and a length of the encryption/decryption algorithm), key information (if a key is used, the key information includes what key is used, a storage address of the key, and the like, and if a key is derived, the key information includes information such as an address stored after the key is generated), and which processing function is performed on target data.
The processing functions included in the token request include: the system comprises a security CPU, a token request, a key derivation module, a security storage module, a security starting module, a network authentication module, a factory configuration module, a network security module and the like, wherein the security CPU executes related processing functions according to related requests in the token request, and each token request can include processing by using multiple functions. The token request may further include the following processing functions, for example, the processing functions may include setting a function of periodically checking data in the firmware area, setting a preset period time, periodically checking the data in the firmware area, and improving data security, and may also read a register of the secure CPU through token, shield a debug interface of the secure CPU, and further improve a security level. It should be noted that the processing functions described herein are only examples, and the secure CPU may perform processing according to various requirements sent by the general-purpose CPU, and is not limited thereto.
In this embodiment, the secure CPU parses the token request, acquires the requirement information of the general CPU included in the token request, and acquires the encryption/decryption algorithm and the key information required to execute the requirement.
In one embodiment, after the encryption and decryption algorithm is obtained, whether the encryption and decryption algorithm is an encryption and decryption algorithm in a security policy array of a secure CPU is determined, and the security policy array includes at least one encryption and decryption algorithm.
In this embodiment, the secure CPU verifies the encryption/decryption algorithm used by the general CPU, and a legitimate user knows the encryption/decryption algorithm in the security policy array in the secure CPU. Therefore, if the encryption/decryption algorithm corresponding to the token request is the encryption/decryption algorithm in the security policy array, the token request is considered to be sent by a legitimate user according to the requirement, and step 203 is executed continuously. And if the encryption and decryption algorithm is not in the security policy array of the security CPU, the encryption and decryption algorithm is regarded as misoperation or is sent by an illegal user, a token response is generated and returned to the general CPU, and the token response carries prompt information that the encryption and decryption algorithm is not included in the security policy array. Through the verification of the encryption and decryption algorithm, the data security can be further improved.
In one embodiment, the security policy array comprises a matrix with A rows and B columns, and any element in the matrix corresponds to an encryption and decryption algorithm; a and B are each an integer of 1 or more.
In this embodiment, a matrix of a row a and a column B may be established to include multiple security policies, where the row a includes a elements, the column B includes B elements, and a × B different element combinations may be formed by permutation and combination among elements in different rows and columns, where each element combination corresponds to one encryption/decryption algorithm, or each element combination corresponds to one address, and the corresponding encryption/decryption algorithm is extracted through the corresponding address. The user has more selectivity when using, so that the encryption and decryption algorithm is not single any more, the encryption and decryption algorithm is not easy to crack, and the security of sensitive data is improved. In general, A is 2mAnd B is 2nWherein m and n are natural numbers greater than or equal to 0.
In one embodiment, as shown in FIG. 3, accessing the target data based on the encryption/decryption algorithm and the key information comprises: inputting the encryption and decryption algorithm, the key information and the indication information of the target data into an encryption and decryption engine; and acquiring a result obtained after the encryption and decryption engine encrypts or decrypts the target data by adopting an encryption and decryption algorithm and key information, and taking the result as an access result, wherein the target data is acquired by the encryption and decryption engine through the indication information of the target data.
In the embodiment, the encryption or decryption operation in the process of accessing the target data is performed through the encryption and decryption engine which is hardware encryption, so that the efficiency and the speed are high when the encryption or decryption operation is performed. The method for protecting the safety data by the safety algorithm through the internal software of the chip needs to occupy a large amount of operation of a CPU, and has low efficiency and low speed.
In one embodiment, the processing function requested to be performed on the target data is key derivation, and the key information includes an address to be stored for deriving a key; accessing target data and performing processing functions on the target data according to an encryption and decryption algorithm and key information, comprising: generating a derived key according to the encryption and decryption algorithm, the target data and a root key in the secure CPU; and storing the derived key to the address to be stored.
In this embodiment, when the requirement included in the token request is key derivation, the key information included in the token request is a storage address of a key generated by key derivation, and the root key used for the key derivation function in the secure CPU generates a key according to the encryption/decryption algorithm specified in the token request and the target data, and stores the key according to the storage address specified in the key information. Different applications in the general CPU can send token requests according to requirements to derive different keys, the same application can also send token requests according to different functions to derive different keys, and the data security can be improved.
In one embodiment, the processing function requested to be performed on the target data is secure storage, the request includes a target address of the secure storage, the target data is accessed according to an encryption and decryption algorithm and key information, and the processing function is performed on the target data, including: carrying out encryption operation on the target data according to the encryption and decryption algorithm and the key information; the target data is stored at the target address.
In this embodiment, when the requirement included in the token request is secure storage, the target data is accessed according to the encryption and decryption algorithm and the key information, and the target data is stored in the sensitive data storage area specified by the secure CPU according to the storage target data address and the type or function of the target data included in the requirement. The sensitive data storage area includes a Static Random-Access Memory (SRAM), a One Time Programmable (OTP) or a key buffer. The sensitive data are stored in different storage areas according to the security level and the function of the sensitive data, so that the security of the data can be effectively improved.
In one embodiment, the processing function requested to be performed on the target data is a designated function, and the designated function includes at least one of secure boot, network security, network authentication, and factory configuration; accessing target data and performing processing functions on the target data according to an encryption and decryption algorithm and key information, comprising: acquiring an authentication key for executing a specified function; judging whether the key information is matched with the verification key according to an encryption and decryption algorithm; if so, executing the specified function.
In this embodiment, when the requirement included in the token request is the above specified function, in order to ensure the security of the device, it is necessary to verify whether the key included in the token request matches the key required for executing the related function in the secure CPU, if matching, it is considered that the token request sent by a legitimate user is executed, and if not matching, no response is made to the token request.
And after the relevant functions are executed, returning the token response containing the execution result to the general CPU, and finishing one response. When the general CPU needs to relate to sensitive data, the sensitive data are accessed one by one through the token client and the server, so that the illegal access to the sensitive data through the outside is avoided, the safety of the sensitive data is improved, the safe CPU and the general CPU are integrated and packaged in one chip, the brute force of an external device on the chip cannot be cracked, and meanwhile, as the communication process of the safe CPU and the general CPU is carried out in a communication channel arranged in the chip, a data packet in the communication process cannot be stolen, so that the replay attack is avoided.
In another aspect of the embodiments of the present application, the method is applied to a general-purpose CPU, as shown in fig. 4, where a secure CPU and the general-purpose CPU are integrated on a chip, and the method includes:
Before using the encryption and decryption algorithm, the general-purpose CPU may verify whether the encryption and decryption algorithm is included in the security policy array of the secure CPU, and if so, use the encryption and decryption algorithm, and encapsulate the identification information of the encryption and decryption algorithm in the token request.
And 403, obtaining a token response corresponding to the token request, which is returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed.
In step 404, an execution result is obtained.
After the general CPU obtains the execution result of the requirement, the interaction of the token is completed, and whether the requirement is required to be sent through the token request can be judged according to the execution result. Sensitive data about the safety aspect is stored in the safety CPU, each operation about the sensitive data is to send a token request through the general CPU, execute the token request in the safety CPU and return a token response, and the general CPU does not have the right to directly access the sensitive data stored in the safety CPU, so that the safety of the sensitive data is improved.
Based on the same concept, an embodiment of the present application further provides a data processing apparatus, as shown in fig. 5, which is applied to a secure CPU, where the secure CPU and a general-purpose CPU are integrated on a chip, and the data processing apparatus includes:
a first obtaining module 501, configured to obtain a token request sent by a general CPU, where the token request includes indication information and security processing information of target data; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
the analysis module 502 is configured to analyze the token request, obtain an encryption/decryption algorithm, key information, and a processing function that is requested to be performed on the target data; the encryption and decryption algorithm is obtained according to the identification information;
a generating module 503, configured to access target data according to an encryption/decryption algorithm and key information, perform a processing function on the target data, obtain an execution result, and generate a token response; the token response carries an execution result;
a return module 504 for returning the token response to the general purpose CPU.
The data processing device realizes the protection of the security data through the form of the token server and the client, can effectively prevent the sensitive data from being illegally accessed through the outside, and improves the security of the sensitive data.
An embodiment of the present application further provides another data processing apparatus, as shown in fig. 6, which is applied to a general CPU, and the general CPU and a secure CPU are integrated on one chip, including:
the encapsulation module 601 is configured to obtain an encryption and decryption algorithm, and encapsulate indication information and security processing information of target data into a token request; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
a sending module 602, configured to send a token request to a token server;
a second obtaining module 603, configured to obtain a token response corresponding to the token request, where the token response is returned by the token server according to the token request, and the token response carries an execution result obtained after accessing the target data according to the encryption/decryption algorithm and the key information and executing the processing function;
a third obtaining module 604, configured to obtain an execution result.
As shown in fig. 7, an embodiment of the present application provides an electronic device, which includes a processor 111, a communication interface 112, a memory 113, and a communication bus 114, where the processor 111, the communication interface 112, and the memory 113 complete mutual communication through the communication bus 114,
a memory 113 for storing a computer program;
in an embodiment of the present application, when the processor 111 is configured to execute a program stored in the memory 113, the data processing method provided in any one of the foregoing method embodiments is applied to a secure CPU, where the secure CPU and a general-purpose CPU are integrated on a chip, and the data processing method includes:
obtaining a token request sent by a general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
analyzing the token request, and acquiring an encryption and decryption algorithm, key information and a processing function of the request for executing the target data; the encryption and decryption algorithm is obtained according to the identification information;
accessing the target data according to the encryption and decryption algorithm and the key information and executing a processing function on the target data to obtain an execution result and generate a token response; the token response carries an execution result;
returning the token response to the general purpose CPU.
Or, the data processing method is applied to a general-purpose CPU, the general-purpose CPU and a safety CPU are integrated on a chip, and the data processing method comprises the following steps:
acquiring an encryption and decryption algorithm, and encapsulating indication information and safety processing information of target data into a token request; wherein the secure processing information includes: the encryption and decryption algorithm comprises identification information of the encryption and decryption algorithm, key information and a processing function which is requested to be executed on target data, wherein the indication information is used for indicating the target data to be accessed;
sending a token request to a token server;
obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to an encryption and decryption algorithm and key information and a processing function is executed;
and acquiring an execution result.
The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and other equipment.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
The present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the data processing method provided in any one of the foregoing method embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present invention, which enable those skilled in the art to understand or practice the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (13)
1. A data processing method is applied to a secure CPU (Central processing Unit), wherein the secure CPU and a general CPU are integrated on a chip, and the data processing method comprises the following steps:
obtaining a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
and returning the token response to the general CPU.
2. The data processing method of claim 1, wherein prior to said accessing the target data and performing the processing function on the target data according to the encryption/decryption algorithm and the key information, the method further comprises:
determining whether the encryption and decryption algorithm is an encryption and decryption algorithm in a security policy array, wherein the security policy array comprises at least one encryption and decryption algorithm;
if yes, continuing to execute the data processing method;
and if not, generating a token response and returning the token response to the general CPU, wherein the token response carries prompt information that the encryption and decryption algorithm is not included in the security policy array.
3. The data processing method of claim 2, wherein the security policy array comprises a matrix with a row and B columns, and any element in the matrix corresponds to an encryption and decryption algorithm; a and B are each an integer of 1 or more.
4. The data processing method of claim 1, wherein the accessing the target data according to the encryption and decryption algorithm and the key information comprises:
inputting the encryption and decryption algorithm, the key information and the indication information of the target data into an encryption and decryption engine;
and acquiring a result obtained after the encryption and decryption engine encrypts or decrypts the target data by adopting the encryption and decryption algorithm and the key information, and taking the result as an access result, wherein the target data is obtained by the encryption and decryption engine through the indication information of the target data.
5. The data processing method according to claim 1, wherein the processing function requested to be performed on the target data is key derivation, and the key information includes an address to be stored for deriving a key;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
generating a derivative key according to the encryption and decryption algorithm, the target data and a root key in the secure CPU;
and storing the derived key to the address to be stored.
6. The data processing method according to claim 1, wherein the request for performing the processing function on the target data is secure storage, the request includes a target address of the secure storage, and the accessing the target data and performing the processing function on the target data according to the encryption and decryption algorithm and the key information includes:
carrying out encryption operation on the target data according to the encryption and decryption algorithm and the key information;
storing the target data at the target address.
7. The data processing method according to claim 3, wherein the processing function requested to be performed on the target data is a specified function, and the specified function includes at least one of secure boot, network security, network authentication, and factory configuration;
the accessing the target data and executing the processing function on the target data according to the encryption and decryption algorithm and the key information comprises:
acquiring an authentication key for executing a specified function;
judging whether the key information is matched with the verification key according to the encryption and decryption algorithm;
and if so, executing the specified function.
8. A data processing method is applied to a general CPU, the general CPU and a safety CPU are integrated on a chip, and the data processing method comprises the following steps:
acquiring an encryption and decryption algorithm, and encapsulating indication information and safety processing information of target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
sending the token request to a token server;
obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed;
and acquiring the execution result.
9. A data processing apparatus, applied to a secure CPU integrated with a general-purpose CPU on a chip, comprising:
the first acquisition module is used for acquiring a token request sent by the general CPU, wherein the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the analysis module is used for analyzing the token request and acquiring the processing function of the encryption and decryption algorithm, the key information and the request on target data; the encryption and decryption algorithm is obtained according to the identification information;
the generating module is used for accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result;
and the return module is used for returning the token response to the general CPU.
10. A data processing apparatus, applied to a general-purpose CPU integrated with a secure CPU on one chip, the apparatus comprising:
the encapsulation module is used for acquiring an encryption and decryption algorithm and encapsulating the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data;
the sending module is used for sending the token request to a token server;
a second obtaining module, configured to obtain a token response corresponding to the token request, where the token response is returned by the token server according to the token request, and the token response carries an execution result obtained after accessing the target data according to the encryption/decryption algorithm and the key information and executing the processing function;
and the third acquisition module is used for acquiring the execution result.
11. A data processing system comprising at least one secure CPU and at least one general purpose CPU, said secure CPU and said general purpose CPU being integrated on a single chip, said system comprising:
the safety CPU is used for acquiring a token request sent by the general CPU, and the token request comprises indication information and safety processing information of target data; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; analyzing the token request, and acquiring the encryption and decryption algorithm, the key information and a processing function of the request on target data; the encryption and decryption algorithm is obtained according to the identification information; accessing the target data according to the encryption and decryption algorithm and the key information and executing the processing function on the target data to obtain an execution result and generate a token response; the token response carries the execution result; returning the token response to the general-purpose CPU;
the general CPU is used for acquiring an encryption and decryption algorithm and packaging the indication information and the safety processing information of the target data into a token request; wherein the secure processing information includes: identification information of an encryption and decryption algorithm, key information and a processing function requested to be executed on target data, wherein the indication information is used for indicating access to the target data; sending the token request to a token server; obtaining a token response corresponding to the token request returned by the token server according to the token request, wherein the token response carries an execution result obtained after the target data is accessed according to the encryption and decryption algorithm and the key information and the processing function is executed; and acquiring the execution result.
12. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the steps of the data processing method of any one of claims 1 to 7 or claim 8 when executing the program stored in the memory.
13. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the data processing method according to any one of claims 1 to 7 or 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110921150.6A CN113609504B (en) | 2021-08-11 | 2021-08-11 | Data processing method, device and system, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110921150.6A CN113609504B (en) | 2021-08-11 | 2021-08-11 | Data processing method, device and system, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113609504A true CN113609504A (en) | 2021-11-05 |
CN113609504B CN113609504B (en) | 2024-05-07 |
Family
ID=78340343
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110921150.6A Active CN113609504B (en) | 2021-08-11 | 2021-08-11 | Data processing method, device and system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113609504B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060272022A1 (en) * | 2005-05-31 | 2006-11-30 | Dmitrii Loukianov | Securely configuring a system |
US20080155271A1 (en) * | 2006-12-21 | 2008-06-26 | Spansion Llc | Solid-state memory-based generation and handling of security authentication tokens |
US20100217964A1 (en) * | 2009-02-24 | 2010-08-26 | General Instrument Corporation | Method and apparatus for controlling enablement of jtag interface |
CN108322469A (en) * | 2018-02-05 | 2018-07-24 | 北京百度网讯科技有限公司 | Information processing system, method and apparatus |
US20180365069A1 (en) * | 2017-06-14 | 2018-12-20 | Intel Corporation | Method and apparatus for securely binding a first processor to a second processor |
WO2020102974A1 (en) * | 2018-11-20 | 2020-05-28 | 深圳市欢太科技有限公司 | Data access method, data access apparatus, and mobile terminal |
-
2021
- 2021-08-11 CN CN202110921150.6A patent/CN113609504B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060272022A1 (en) * | 2005-05-31 | 2006-11-30 | Dmitrii Loukianov | Securely configuring a system |
US20080155271A1 (en) * | 2006-12-21 | 2008-06-26 | Spansion Llc | Solid-state memory-based generation and handling of security authentication tokens |
US20100217964A1 (en) * | 2009-02-24 | 2010-08-26 | General Instrument Corporation | Method and apparatus for controlling enablement of jtag interface |
US20180365069A1 (en) * | 2017-06-14 | 2018-12-20 | Intel Corporation | Method and apparatus for securely binding a first processor to a second processor |
CN108322469A (en) * | 2018-02-05 | 2018-07-24 | 北京百度网讯科技有限公司 | Information processing system, method and apparatus |
WO2020102974A1 (en) * | 2018-11-20 | 2020-05-28 | 深圳市欢太科技有限公司 | Data access method, data access apparatus, and mobile terminal |
Also Published As
Publication number | Publication date |
---|---|
CN113609504B (en) | 2024-05-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5646631B2 (en) | Device audit | |
CN113841145A (en) | Lexus software in inhibit integration, isolation applications | |
CN110268406B (en) | Password security | |
CN101340281A (en) | Method and system for safe login input on network | |
CN103038745A (en) | Extending an integrity measurement | |
WO2020181809A1 (en) | Data processing method and system based on interface checking, and computer device | |
CN108335105B (en) | Data processing method and related equipment | |
US10846373B2 (en) | Method and system for securing a client's access to a DRM agent's services for a video player | |
CN112131564A (en) | Encrypted data communication method, apparatus, device, and medium | |
JP2019122030A (en) | Secure client authentication based on conditional provision of code signature | |
WO2021137769A1 (en) | Method and apparatus for sending and verifying request, and device thereof | |
CN111783049A (en) | User information processing method and system based on block chain | |
CN110445768B (en) | Login method and device and electronic equipment | |
CN113239853A (en) | Biological identification method, device and equipment based on privacy protection | |
WO2020243245A1 (en) | Protection of online applications and webpages using a blockchain | |
CN113761498A (en) | Third party login information hosting method, system, equipment and storage medium | |
US20150295918A1 (en) | User authentication system in web mash-up circumstance and authenticating method thereof | |
US8261328B2 (en) | Trusted electronic communication through shared vulnerability | |
CN110990853B (en) | Dynamic heterogeneous redundant data access protection method and device | |
CN111600864B (en) | Method and device for verifying access service interface based on token authentication multidimensional | |
KR102102179B1 (en) | Embedded system, authentication system comprising the same, method of authenticating the system | |
CN113609504B (en) | Data processing method, device and system, electronic equipment and storage medium | |
WO2022148149A1 (en) | License file management method and apparatus, and device | |
CN114448722A (en) | Cross-browser login method and device, computer equipment and storage medium | |
CN111090850B (en) | Authentication system, method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |