CN115801328A - Encryption method based on TPM chip and embedded device - Google Patents

Encryption method based on TPM chip and embedded device Download PDF

Info

Publication number
CN115801328A
CN115801328A CN202211312583.2A CN202211312583A CN115801328A CN 115801328 A CN115801328 A CN 115801328A CN 202211312583 A CN202211312583 A CN 202211312583A CN 115801328 A CN115801328 A CN 115801328A
Authority
CN
China
Prior art keywords
key
file
tpm chip
encrypted
key file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211312583.2A
Other languages
Chinese (zh)
Inventor
程鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Hengwan Technology Co Ltd
Original Assignee
Sichuan Hengwan Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Hengwan Technology Co Ltd filed Critical Sichuan Hengwan Technology Co Ltd
Priority to CN202211312583.2A priority Critical patent/CN115801328A/en
Publication of CN115801328A publication Critical patent/CN115801328A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides an encryption method based on a TPM chip and an embedded device. In this embodiment, an original file is encrypted based on a predetermined encryption algorithm and a key file to obtain an encrypted original file, and the key file is encrypted based on the TPM chip to obtain an encrypted key file, so that encryption of a larger original file is achieved through a software encryption algorithm and a corresponding key file, and the key file is encrypted through an encryption algorithm built in the TPM chip to obtain security protection based on hardware, thereby improving the security level of the device and ensuring confidentiality of device information.

Description

Encryption method based on TPM chip and embedded device
Technical Field
The invention relates to the technical field of information security, in particular to an encryption method based on a TPM chip and an embedded device.
Background
The safety protection of the external environment of the equipment (such as outdoor communication equipment and outdoor monitoring equipment, for example) installed in an open public space and unattended is almost zero. In order to facilitate network access and intercommunication, near-end debugging and equipment production, the devices themselves usually provide direct connection modes such as network ports and serial ports. In theory, a potential attacker could attempt a direct connection using these open ports to crack or attack, even through device emulation and device impersonation, connection to an upstream device or even more damage into the entire network. Therefore, how to improve the safety protection level of the equipment is an urgent problem to be solved.
Disclosure of Invention
In view of this, embodiments of the present invention provide an encryption method and an embedded device based on a TPM chip, so as to implement encryption of a larger original file through a software encryption algorithm and a corresponding key file, and encrypt the key file through an encryption algorithm built in the TPM chip, thereby obtaining security protection based on hardware, thereby improving the security level of the device and ensuring confidentiality of device information.
In a first aspect, an embodiment of the present invention provides an encryption method based on a TPM chip, where the method includes:
encrypting the original file based on a preset encryption algorithm and the key file to obtain the encrypted original file;
and encrypting the key file based on the TPM chip to obtain the encrypted key file.
Optionally, the method further includes:
and storing the encrypted original file and the encrypted key file into a nonvolatile memory of the equipment.
Optionally, the key file is generated by the TPM chip.
Optionally, the method further includes:
randomly generating an initial key based on the TPM chip;
and encoding the initial key to obtain the key file.
Optionally, encrypting the key file based on the TPM chip, wherein obtaining the encrypted key file includes:
creating a master key object based on the TPM chip;
creating a sub-key object based on the main key object, and acquiring a sub-key object context;
and calling the corresponding sub-key object through the sub-key object context based on the TPM chip to encrypt the key file, and acquiring the encrypted key file.
Optionally, encrypting the key file based on the TPM chip, wherein obtaining the encrypted key file includes:
creating a key object based on the TPM chip;
and calling a corresponding key object through the key object context based on the TPM chip to encrypt the key file, and acquiring the encrypted key file.
Optionally, the method further includes:
and storing the sub-key object into a nonvolatile memory of the TPM chip.
Optionally, the TPM chip employs an asymmetric encryption algorithm.
Optionally, the predetermined encryption algorithm is an OpenSSL symmetric encryption algorithm.
In a second aspect, an embodiment of the present invention provides an encryption apparatus based on a TPM chip, where the apparatus includes:
a software encryption unit configured to encrypt an original file based on a predetermined encryption algorithm and a key file, and obtain an encrypted original file;
and the hardware encryption unit is configured to encrypt the key file based on the TPM chip to obtain the encrypted key file.
In a third aspect, an embodiment of the present invention provides an embedded device, where the embedded device includes a memory, a processor, and a TPM chip, and the memory is configured to store one or more computer program instructions, where the one or more computer program instructions are executed by the processor and the TPM chip to implement the method described above.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor and a TPM chip, the computer program implements the method described above.
In this embodiment, an original file is encrypted based on a predetermined encryption algorithm and a key file to obtain an encrypted original file, and the key file is encrypted based on the TPM chip to obtain an encrypted key file, so that encryption of a larger original file is achieved through a software encryption algorithm and a corresponding key file, and the key file is encrypted through an encryption algorithm built in the TPM chip to obtain security protection based on hardware, thereby improving the security level of the device and ensuring the confidentiality of device information.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following description of embodiments of the present invention with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart of an encryption method based on a TPM chip according to an embodiment of the present invention;
FIG. 2 is a flow chart of a key file encryption method of an embodiment of the present invention;
FIG. 3 is a flow chart of another TPM chip based encryption method according to an embodiment of the present invention;
FIG. 4 is a process diagram of an encryption method based on a TPM chip according to an embodiment of the present invention;
FIG. 5 is a flowchart of a TPM chip based decryption method according to an embodiment of the present invention;
FIG. 6 is a diagram of an encryption apparatus based on a TPM chip according to an embodiment of the present invention;
fig. 7 is a schematic diagram of an embedded device of an embodiment of the present invention.
Detailed Description
The present invention will be described below based on examples, but the present invention is not limited to only these examples. In the following detailed description of the present invention, certain specific details are set forth. It will be apparent to one skilled in the art that the present invention may be practiced without these specific details. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention.
Furthermore, those of ordinary skill in the art will appreciate that the drawings provided herein are for illustrative purposes and are not necessarily drawn to scale.
Unless the context clearly requires otherwise, throughout the description, the words "comprise", "comprising", and the like are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is, what is meant is "including, but not limited to".
In the description of the present invention, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified.
The present embodiment is mainly described by taking an embedded device deployed outdoors as an example, and it should be understood that the encryption method of the present embodiment may also be applied to the encryption mode of other devices, and the present embodiment does not limit this.
An outdoor-deployed embedded device generally employs a digital certificate system to implement authentication of the device, for example, a digital certificate of a Network Access device specified by an Open Radio Access Network (O-RAN) protocol. That is, each network access device may pre-store a digital certificate for proving its identity, and when the device starts to access the network, the security server of the network may authenticate its certificate. According to the principle of public key encryption, in this authentication process, the device needs to use the private key corresponding to its digital certificate to interact, so as to prove that the device is the owner (Subject) of the digital certificate. This requires the device to maintain a private key on its non-volatile memory (usually Flash memory for embedded devices), and the security of this private key is a difficult problem.
If a software encryption algorithm built in the device is adopted to encrypt the private key of the digital certificate, a secret key is needed by the software encryption algorithm, and how to protect a new secret key becomes a new difficult problem. In the nature of cryptography, the whole system lacks a secure Root of Trust (Root of Trust), and a TPM (Trusted Platform Module) chip is introduced to provide a hardware-based Root of Trust.
The security of the TPM chip itself includes: the password is not exposed, the physical disassembly is prevented, and the firmware circuit is not tampered. The embedded device is matched with a safety enhancement scheme on the basis of additionally installing the TPM chip, so that the confidentiality of sensitive information of the common embedded device can be ensured, the information is prevented from being tampered, and the safety effects of device authentication and the like are realized.
The TPM provides cryptographic functions such as asymmetric key pair generation, asymmetric encryption/decryption, symmetric encryption/decryption, hashing, signing, signature verification, random number generation, and the like. However, compared with the capabilities provided by the OpenSSL cryptography software library of the PC computing system, the TPM chip is limited by hardware resources due to cost considerations, and most capabilities are weak. For example, the O-RAN protocol requires that the private key of the application certificate is RSA4096 in length, but the TPM 2.0 specification only requires that RSA2048 is supported, so that it is not feasible to apply for the certificate by directly using the RSA key inside the TPM. For example, the length of a general RSA4096 private key file is about 3KB, while the size of an input buffer area of a TPM chip is usually 1-2KB under a PC system, and is smaller under an embedded system, so that the TPM is not feasible for directly encrypting an externally generated private key file. Therefore, in the embedded system, the TPM is introduced, and needs to be modified for implementation in the conventional PC system. Therefore, in order to adapt to an embedded limited computing environment, the embodiment of the invention combines the OpenSSL cryptography software library and the TPM chip, so that the capability limit of the TPM can be broken through, the trust root can be protected by TPM hardware, the security level of equipment is improved, and the confidentiality of equipment information is ensured. It should be understood that the present embodiment is not limited to the OpenSSL cryptography software library, and other cryptography software libraries capable of providing software encryption algorithms may also be applied to the present embodiment.
Fig. 1 is a flowchart of an encryption method based on a TPM chip according to an embodiment of the present invention. As shown in fig. 1, the encryption method based on TPM chip of this embodiment includes the following steps:
step S110, encrypting the original file based on a predetermined encryption algorithm and the key file, and obtaining the encrypted original file. Optionally, in this embodiment, the original file may be used as an encrypted original public and private key, such as the private key of the digital certificate, or may be another file, which is not limited in this embodiment.
In an alternative implementation manner, the predetermined encryption algorithm may be an encryption algorithm in any cryptographic software library, for example, an encryption algorithm in an OpenSSL cryptographic software library, which is not limited in this embodiment.
In an optional implementation manner, the present embodiment may employ a symmetric encryption algorithm (e.g., AES 256) in OpenSSL to encrypt the original file that needs to be encrypted. Further optionally, the key file used by the predetermined encryption algorithm of this embodiment may be a key preset by a user, and may also be randomly generated or generated according to a predetermined requirement, which is not limited in this embodiment. It should be understood that the symmetric encryption algorithm of the present embodiment is not limited to the AES256 encryption algorithm, and may be determined according to factors such as the encryption strength required in an actual application scenario.
In an alternative implementation, the key file is randomly generated by the TPM chip. Further, in this embodiment, an initial key is randomly generated based on the TPM chip, and the initial key is encoded to obtain a key file. Since the random number generated by the TPM chip is binary, the random number may include special symbols such as a line break, which are interpreted by the encryption algorithm as an end-of-key marker, which may result in a reduction in the length of the random key and a weakening of the encryption strength. Therefore, when the encryption algorithm in OpenSSL is used, in order to conform to the key format of the OpenSSL command, a key file randomly generated by the TPM chip needs to be encoded once to remove a special symbol. Optionally, the coding mode may adopt a coding mode such as base64 coding. It should be understood that any encoding method capable of removing special symbols such as line breaks can be applied to the present embodiment, and the present embodiment does not limit this.
In this embodiment, based on a key file randomly generated by a TPM chip, a predetermined encryption algorithm (for example, a symmetric encryption algorithm AES256 in OpenSSL) is used to encrypt an original file, so that the encryption strength is improved, and the file security is further improved.
In an optional implementation manner, the embodiment may persistently store the encrypted original file into a non-volatile memory of the device (for example, a flash memory of the device), so as to decrypt the encrypted original file when needed. Further, the original file is deleted after encryption is completed, so that security is improved.
And step S120, encrypting the key file based on the TPM chip to obtain the encrypted key file.
In an alternative implementation manner, the TPM chip of this embodiment encrypts the key file by using an asymmetric encryption algorithm (e.g., RSA). Moreover, if the AES256 encryption algorithm is adopted, the key length of the corresponding key file is 256bits (that is, 32 bytes), the key file has sufficient encryption strength, and the buffer area of the TPM can completely accommodate the key file. It should be understood that, in case of meeting the specification, the TPM chip may also use a symmetric encryption algorithm, and this embodiment does not limit this.
Further, the key file encryption method of the present embodiment includes the following steps:
step S121, a master key object is created based on the TPM chip. Taking the TPM v2.0 chip as an example, a TPM2_ createprrimary command is used to create a master key object. Wherein the context file of the created master key object is saved to interact with the master key object through the context file of the master key object.
Step S122, creating a sub-key object based on the master key object, and acquiring a sub-key object context. Taking the TPM v2.0 chip as an example, a TPM2_ create command therein is used to create a child key object, the parent of which is the master key created in step S121.
Step S123, based on the TPM chip, the corresponding sub-key object is called through the sub-key object context to encrypt the key file, and the encrypted key file is obtained.
In the embodiment, the main key object and the sub key object taking the main key object as the parent are created, and the key file is encrypted based on the sub key object, so that the encryption strength is improved, and the equipment security is further improved.
In another optional implementation manner, the present embodiment may also directly use the master key object to encrypt the key file, so as to improve the encryption efficiency. Specifically, in this embodiment, a key object is created based on the TPM chip, and the corresponding key object is called through the key object context based on the TPM chip to encrypt the key file, so as to obtain the encrypted key file. Therefore, the encryption efficiency can be improved under the condition of ensuring certain encryption strength.
In an optional implementation manner, the embodiment may persistently store the encrypted key file to a non-volatile memory of the device (for example, a flash memory of the device) so as to decrypt the encrypted key file when needed. Further, the unencrypted initial key and key file are deleted after the encryption of the key file is completed, so that the security is improved.
Further optionally, in this embodiment, a persistent command (e.g., TPM2_ epictcontrol) provided by the TPM chip for a key object used by the encrypted key file is stored in the nonvolatile storage memory of the TPM chip, so as to call a key in the memory to decrypt the encrypted key file when needed, and delete the corresponding main key object context and sub key object context, so as to improve security.
In this embodiment, the original file is encrypted based on a predetermined encryption algorithm and the key file to obtain an encrypted original file, and the key file is encrypted based on the TPM chip to obtain an encrypted key file. Therefore, the embodiment can realize the encryption of a larger original file through a software encryption algorithm and a corresponding key file, and encrypt the key file through an encryption algorithm built in a TPM chip to obtain the security protection based on hardware, so that the security level of the equipment is improved, and the confidentiality of the equipment information is ensured.
FIG. 3 is a flowchart of another TPM chip based encryption method according to an embodiment of the present invention. As shown in fig. 3, the encryption method based on TPM chip of this embodiment includes the following steps:
in step S210, an initial key is generated by the TPM chip.
Step S220, encode the initial key to obtain a key file. Optionally, in this embodiment, a base64 encoding manner may be adopted to encode the binary initial key randomly generated by the TPM chip to obtain the key file. This makes it possible to avoid the case where a special symbol such as a line break in the binary initial key is recognized as the key end flag, and to ensure the encryption strength.
Step S230, encrypting the original file by using the key file based on a predetermined encryption algorithm, and obtaining the encrypted original file. Optionally, the encryption algorithm in this embodiment may adopt a symmetric encryption algorithm in OpenSSL (for example, AES 256), and it should be understood that the software encryption algorithm adopted in this embodiment may be selected according to the actual application requirement, and this embodiment does not limit this.
Step S240, persisting the encrypted original file in the non-volatile memory of the device, and deleting the unencrypted original file.
In step S250, the TPM chip creates a master key object and generates a context file of the master key object.
Step S260, the TPM chip creates a master key object as a parent child key object, and generates a context file of the child key object.
Step S270, the TPM chip calls the corresponding sub-key object to encrypt the key file through the context file of the sub-key object, and the encrypted key file is obtained. Therefore, the embodiment can encrypt the key file through the sub key object, and the encryption strength is improved.
Step S280, persisting the encrypted key file to the non-volatile memory of the device, and deleting the initial key and the unencrypted key file.
Step S290, persisting the master key object and the sub key object to the non-volatile memory of the TPM chip, and deleting the corresponding context file.
It should be understood that the present embodiment does not limit the execution sequence of the key file obtaining process (steps S210-S220) and the creation process of the master key object and the sub key object, and may be executed sequentially or simultaneously.
In this embodiment, an original file is encrypted based on a predetermined encryption algorithm and a key file to obtain an encrypted original file, and the key file is encrypted based on a TPM chip to obtain an encrypted key file. Therefore, the embodiment can realize the encryption of a larger original file through a software encryption algorithm and a corresponding key file, and encrypt the key file through an encryption algorithm built in a TPM chip to obtain the security protection based on hardware, so that the security level of the equipment is improved, and the confidentiality of the equipment information is ensured.
Fig. 4 is a process diagram of an encryption method based on a TPM chip according to an embodiment of the present invention. In this embodiment, an original key file of a digital certificate is encrypted by using a symmetric encryption algorithm AES256 in an OpenSSL cryptography software library and an asymmetric encryption algorithm RSA provided by a TPM chip as an example, so as to describe an apparatus encryption process. As shown in fig. 4, when applying for a digital certificate, an original key file (i.e., the original file) privkey.
In the present embodiment, the TPM chip randomly generates an initial key aeskey by executing the command TPM2_ getrandom based on the AES encryption algorithm. In this embodiment, in order to avoid a situation that a special symbol such as a wrapping character in the binary initial key aeskey.rand is identified as the key end marker, an openssl base64 command is executed on the initial key aeskey.rand to perform base64 encoding on the initial key aeskey.rand, so as to generate the key file aeskey.priv.
Further, in this embodiment, a symmetric encryption algorithm AES256 in OpenSSL is adopted, and an OpenSSL enc command is executed on the original file privkey.pem based on the key file aeskey.priv, so as to encrypt the original file privkey.pem, and obtain the encrypted original file privkey.enc.
In this embodiment, the TPM chip encrypts the key file aeskey.priv used to encrypt the original file privkey.pem, so that the original file and the key file obtain hardware-based protection, and the security level of the device is further improved.
Specifically, in the present embodiment, the TPM chip creates a master key object by executing the master key creation command TPM2_ createprrimary, and generates a context file primary. Further, the TPM chip creates a child key object with the master key object as a parent by executing a child key creation command TPM2_ create, and generates a context file rsalet. And the TPM chip persists the main key object and the sub key object to a nonvolatile memory of the TPM chip by executing a persistence command TPM2_ epictcontrol, so as to avoid key loss.
In this embodiment, the TPM chip employs an asymmetric encryption algorithm RSA, and calls a corresponding sub-key object through a context file rsalet.ctx of the sub-key object to encrypt the key file aeskey.priv, and generates an encrypted key file aeskey.enc. Specifically, the TPM chip executes the command TPM2_ rsaincypt based on the subkey object to encrypt the key file aeskey.priv, and generates an encrypted key file aeskey.enc.
The command OpenSSL enc is a command corresponding to an encryption algorithm in OpenSSL. Commands such as TPM2_ get, TPM2_ createprrimary, TPM2_ create, TPM2_ epicontrol, and TPM2_ rsaincypt are related commands in TPM v2.0, and specific calling and executing processes thereof are not described herein again.
In an alternative implementation manner, after the encryption is completed, the encrypted file is subjected to persistent storage, and the original file and the intermediate file are deleted, where a specific storage layout is shown in table (1).
Watch (1)
Document Content providing method and apparatus Storing
privkey.pem Original key file of digital certificate Deleting
privkey.enc Encrypted original key file Device flash memory
aeskey.rand AES initial key (binary format) Deleting
aeskey.priv AES key file (base 64 format) Deleting
aeskey.enc Encrypted AES key file Device flash memory
primary.ctx TPM master key object context Deleting
rsaket.ctx TPM slave key object context Deletion of
- Master/subkey object TPM nonvolatile memory
In this embodiment, the original file is encrypted based on a predetermined encryption algorithm and the key file to obtain an encrypted original file, and the key file is encrypted based on the TPM chip to obtain an encrypted key file. Therefore, the embodiment can realize the encryption of a larger original file through a software encryption algorithm and a corresponding key file, and encrypt the key file through an encryption algorithm built in a TPM chip to obtain the security protection based on hardware, so that the security level of the equipment is improved, and the confidentiality of the equipment information is ensured.
FIG. 5 is a flowchart of a TPM chip based decryption method according to an embodiment of the present invention. As shown in fig. 5, in this embodiment, the TPM chip-based device decryption method includes the following steps:
step S310, the sub-key object stored in the TPM chip is called to decrypt the key file.
In step S320, the original file is decrypted based on the key file by a predetermined encryption algorithm.
Taking the encryption process shown in fig. 5 as an example, based on an original file to be decrypted, the sub-key object stored in the TPM chip is called, and the AES key file is decrypted based on the RSA encryption and decryption algorithm, and further based on the AES key file, the original file, that is, the original key file of the digital certificate is decrypted by the symmetric encryption algorithm AES256 in OpenSSL, so as to verify the digital certificate.
In this embodiment, the sub-key object stored in the TPM chip is called to decrypt the key file, and the original file is decrypted based on the key file through a predetermined encryption algorithm. Therefore, the embodiment can realize the encryption and decryption of a larger original file through a software encryption and decryption algorithm and a corresponding key file, and encrypt and decrypt the key file through an encryption and decryption algorithm built in a TPM chip to obtain the security protection based on hardware, thereby improving the security level of the equipment and ensuring the confidentiality of the equipment information.
FIG. 6 is a schematic diagram of an encryption apparatus based on TPM chip according to an embodiment of the present invention. As shown in fig. 6, the device encryption apparatus 6 of the embodiment of the present invention includes a software encryption unit 61 and a hardware encryption unit 62.
The software encrypting unit 61 is configured to encrypt an original file based on a predetermined encryption algorithm and a key file, and acquire an encrypted original file. Optionally, the predetermined encryption algorithm is an OpenSSL symmetric encryption algorithm.
The hardware encryption unit 62 is configured to encrypt the key file based on the TPM chip, and obtain an encrypted key file. Optionally, the TPM chip employs an asymmetric encryption algorithm.
In an optional implementation manner, the device encryption apparatus 6 further includes a first storage unit, configured to store the encrypted original file and the encrypted key file in a nonvolatile memory of the device.
In an alternative implementation, the key file is generated by the TPM chip. Optionally, the device encryption apparatus 6 further includes a key generation unit and an encoding unit.
The key generation unit is configured to randomly generate an initial key based on the TPM chip. The encoding unit is configured to encode the initial key and acquire the key file.
In an alternative implementation, the hardware encryption unit 62 includes a master key creation subunit, a subkey creation subunit, and a key file generation subunit.
The master key creation subunit is configured to create a master key object based on the TPM chip. The subkey creating subunit is configured to create a subkey object based on the master key object, and obtain a subkey object context. The key file generation subunit is configured to call, based on the TPM chip, a corresponding sub-key object through a sub-key object context to encrypt the key file, and obtain the encrypted key file.
In an alternative implementation, the hardware encryption unit 62 includes an object creation subunit and a key generation subunit.
An object creation subunit is configured to create a key object based on the TPM chip. The key generation subunit is configured to call a corresponding key object to encrypt the key file through a key object context based on the TPM chip, and obtain the encrypted key file.
In an optional implementation manner, the device encryption apparatus 6 further includes a second storage unit, configured to store the sub-key object in a nonvolatile memory of the TPM chip.
In this embodiment, an original file is encrypted based on a predetermined encryption algorithm and a key file to obtain an encrypted original file, and the key file is encrypted based on the TPM chip to obtain an encrypted key file, so that encryption of a larger original file is achieved through a software encryption algorithm and a corresponding key file, and the key file is encrypted through an encryption algorithm built in the TPM chip to obtain security protection based on hardware, thereby improving the security level of the device and ensuring the confidentiality of device information.
Fig. 7 is a schematic diagram of an embedded device of an embodiment of the present invention. As shown in fig. 7, the embedded device 7 of the present embodiment includes a processor 71, a TPM chip 72, and a memory flash73. In this embodiment, the memory flash73 is used to persist the encrypted original file and the encrypted key file for easy recall upon decryption. In an alternative implementation, the memory flash73 may also be used to store instructions or programs executable by the processor 71 (and/or the TPM chip). In alternative implementations, the embedded device 7 may also include other memory to store instructions or programs executable by the processor 71 (and/or the TPM chip).
In this embodiment, the TPM chip 72 includes a non-volatile memory 721 for storing master key objects and/or sub-key objects created by the TPM chip. Further optionally, the non-volatile memory 721 may also be used to store executable execution or programs for the TPM chip. It should be understood that executions or programs executable by the TPM chip may also be stored in other processors.
Further, the processor 71 may be a stand-alone microprocessor or a collection of one or more microprocessors. Thus, the processor 71 and the TPM chip 72 implement the processing of data and the control of other devices by executing instructions stored in the memory flash73 (or other memory) to perform the method flows of the embodiments of the present invention as described above. In an alternative implementation manner, the embedded device of this embodiment connects the above components together through a bus, and simultaneously connects the above components to a display controller and a display device and an input/output (I/O) device. Input/output (I/O) devices may be a mouse, keyboard, modem, network interface, touch input device, motion-sensing input device, printer, and other devices known in the art. Typically, the input/output devices are connected to the system through input/output (I/O) controllers.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus (device) or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may employ a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Another embodiment of the invention is directed to a non-volatile storage medium storing a computer-readable program for causing a computer to perform some or all of the above-described method embodiments.
That is, as can be understood by those skilled in the art, all or part of the steps in the method for implementing the embodiments described above may be accomplished by specifying, by a program, relevant hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made to the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. An encryption method based on a TPM chip, the method comprising:
encrypting the original file based on a preset encryption algorithm and the key file to obtain the encrypted original file;
and encrypting the key file based on the TPM chip to obtain the encrypted key file.
2. The method of claim 1, further comprising:
and storing the encrypted original file and the encrypted key file into a nonvolatile memory of the equipment.
3. The method of claim 1, wherein the key file is generated by the TPM chip.
4. The method of claim 3, further comprising:
randomly generating an initial key based on the TPM chip;
and encoding the initial key to obtain the key file.
5. The method of claim 1, wherein encrypting the key file based on the TPM chip, and obtaining the encrypted key file comprises:
creating a master key object based on the TPM chip;
creating a sub-key object based on the main key object, and acquiring a sub-key object context;
and calling the corresponding sub-key object through the sub-key object context based on the TPM chip to encrypt the key file, and acquiring the encrypted key file.
6. The method of claim 1, wherein encrypting the key file based on the TPM chip, and obtaining the encrypted key file comprises:
creating a key object based on the TPM chip;
and calling a corresponding key object through the key object context based on the TPM chip to encrypt the key file, and acquiring the encrypted key file.
7. The method of claim 6, further comprising:
and storing the sub-key object into a nonvolatile memory of the TPM chip.
8. The method of any of claims 1-7, wherein the TPM chip employs an asymmetric encryption algorithm.
9. The method according to any of claims 1-7, wherein the predetermined encryption algorithm is an OpenSSL symmetric encryption algorithm.
10. An encryption apparatus based on a TPM chip, the apparatus comprising:
a software encryption unit configured to encrypt an original file based on a predetermined encryption algorithm and a key file, and obtain an encrypted original file;
and the hardware encryption unit is configured to encrypt the key file based on the TPM chip and acquire the encrypted key file.
11. An embedded device, comprising a memory, a processor, and a TPM chip, the memory to store one or more computer program instructions, wherein the one or more computer program instructions are executed by the processor and the TPM chip to implement the method of any of claims 1-9.
12. A computer-readable storage medium, in which a computer program is stored which, when executed by a processor and a TPM chip, implements the method of any one of claims 1 to 9.
CN202211312583.2A 2022-10-25 2022-10-25 Encryption method based on TPM chip and embedded device Pending CN115801328A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211312583.2A CN115801328A (en) 2022-10-25 2022-10-25 Encryption method based on TPM chip and embedded device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211312583.2A CN115801328A (en) 2022-10-25 2022-10-25 Encryption method based on TPM chip and embedded device

Publications (1)

Publication Number Publication Date
CN115801328A true CN115801328A (en) 2023-03-14

Family

ID=85433747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211312583.2A Pending CN115801328A (en) 2022-10-25 2022-10-25 Encryption method based on TPM chip and embedded device

Country Status (1)

Country Link
CN (1) CN115801328A (en)

Similar Documents

Publication Publication Date Title
CN110378139B (en) Data key protection method, system, electronic equipment and storage medium
CN109933995B (en) User sensitive data protection and system based on cloud service and block chain
CN107667374B (en) Techniques for memory privacy, integrity and replay protection
CN106529308B (en) data encryption method and device and mobile terminal
CN110650010B (en) Method, device and equipment for generating and using private key in asymmetric key
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN110008745B (en) Encryption method, computer equipment and computer storage medium
CN110062014B (en) Encryption and decryption method and system of network model
JP5736994B2 (en) Information processing apparatus, validity verification method, and program
KR20140099126A (en) Method of securing software using a hash function, Computer readable storage medium of recording the method and a software processing apparatus
JP2013545182A (en) Method and apparatus including architecture for protecting sensitive code and data
CN108199847B (en) Digital security processing method, computer device, and storage medium
KR102397579B1 (en) Method and apparatus for white-box cryptography for protecting against side channel analysis
US20230325516A1 (en) Method for file encryption, terminal, electronic device and computer-readable storage medium
CN111124453B (en) Method for upgrading firmware program of terminal equipment
EP2901350A1 (en) Securely generating and storing passwords in a computer system
CN105468940A (en) Software protection method and apparatus
CN104866784A (en) BIOS encryption-based safety hard disk, and data encryption and decryption method
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN115065472A (en) Multi-key encryption and decryption-based security chip encryption and decryption method and device
CN115442032A (en) Data processing method, system on chip and readable storage medium
CN107257282B (en) Code full-package encryption method based on RC4 algorithm
CN114124364A (en) Key security processing method, device, equipment and computer readable storage medium
CN109784072B (en) Security file management method and system
CN112115430A (en) Apk reinforcement method, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination