CN116611096A - Fault detection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN116611096A
Authority
CN
China
Prior art keywords
encryption
calculation
decryption
result
round
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310735355.4A
Other languages
Chinese (zh)
Inventor
师晓云
袁涛
蒋小云
陈子荷
赵昕烨
朱晓伟
郭知样
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Goke Microelectronics Co Ltd
Original Assignee
Hunan Goke Microelectronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan Goke Microelectronics Co Ltd filed Critical Hunan Goke Microelectronics Co Ltd
Priority to CN202310735355.4A priority Critical patent/CN116611096A/en
Publication of CN116611096A publication Critical patent/CN116611096A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides a fault detection method, a fault detection device, electronic equipment and a storage medium. The method comprises: inputting initial data into an encryption and decryption module for an encryption and/or decryption operation; during the encryption and/or decryption operation, if the current calculation round of the encryption and decryption module is a redundant calculation round, operating the encryption and decryption module to perform redundant calculation according to transition data to obtain a calculation result and a redundant result, the transition data being related to the initial data and the current calculation round; and determining a first fault injection result according to the calculation result and the redundant result. In this way, whether fault injection exists can be detected at any time and the fault injection result fed back in time, whether fault injection exists can be judged without waiting for the end of the cryptographic operation, and hardware resource consumption is saved.

Description

Fault detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a fault detection method, a fault detection device, an electronic device, and a storage medium.
Background
With the rapid expansion of information technology, information is exchanged more and more frequently, and the correctness, integrity and security of information transmission urgently need to be guaranteed by cryptographic algorithms. At present, attackers use side channels and fault injection to attack cryptographic algorithms: when the cryptographic operation is disturbed, a unit module may suffer a register fault, which leads to an abnormal operation and a relatively poor operation effect. Therefore, how to detect fault injection during the cryptographic operation is a problem to be solved.
Disclosure of Invention
In order to solve the technical problems, the embodiment of the application provides a fault detection method, a fault detection device, electronic equipment and a storage medium.
In a first aspect, an embodiment of the present application provides a fault detection method, where the method includes:
inputting the initial data into an encryption and decryption module for encryption and/or decryption operation;
in the encryption and/or decryption operation process, if the current calculation round of the encryption and decryption module is a redundant calculation round, the encryption and decryption module is operated to perform redundant calculation according to the transition data, so as to obtain a calculation result and a redundant result; the transition data is related to the initial data and the current calculation round;
and determining a first fault injection result according to the calculation result and the redundancy result.
In an embodiment, the determining the first fault injection result according to the calculation result and the redundancy result includes:
if the calculated result is different from the redundant result, the first fault injection result indicates that fault injection exists;
and if the calculated result is the same as the redundant result, the first fault injection result indicates that no fault injection exists.
In an embodiment, before the initial data is input into the encryption and decryption module for encryption and/or decryption operation, the method further includes:
acquiring the security priority of the initial data;
setting at least one calculation round in the encryption and/or decryption operation process as the redundant calculation round according to the security priority;
optionally, the security priority includes a high security priority and a low security priority, and setting at least one calculation round in the encryption and/or decryption operation process to the redundant calculation round according to the security priority includes:
setting N redundant calculation rounds in the calculation rounds according to the high security priority;
and setting M redundant calculation rounds in the calculation rounds according to the low security priority, wherein N > M.
In an embodiment, if the current calculation round of the encryption and decryption module is a redundant calculation round, the operation of the encryption and decryption module to perform redundant calculation according to the transition data to obtain a calculation result and a redundant result includes:
if the current calculation round is a redundant encryption calculation round, operating a target encryption sub-module corresponding to the current calculation round to perform redundant encryption calculation according to transition data to obtain an encryption calculation result and a redundant encryption result, wherein the redundant calculation round comprises the redundant encryption calculation round, the encryption and decryption module comprises a plurality of encryption sub-modules, and the plurality of encryption sub-modules comprise the target encryption sub-module;
and/or,
and if the current calculation round is a redundant decryption calculation round, operating a target decryption sub-module corresponding to the current calculation round to perform redundant decryption calculation according to the transition data to obtain a decryption calculation result and a redundant decryption result, wherein the redundant calculation round comprises the redundant decryption calculation round, the encryption and decryption module comprises a plurality of decryption sub-modules, and the plurality of decryption sub-modules comprise the target decryption sub-module.
In an embodiment, in a case that the redundancy calculation round is a first calculation round, the transition data is the initial data;
and under the condition that the redundant calculation round is not the first calculation round, the transition data is the calculation result of the previous calculation round of the current calculation round.
In one embodiment, the method further comprises:
under the condition that the initial data is input into the encryption and decryption module to carry out encryption and decryption operation, a first information check value is obtained according to the initial data;
obtaining a final result of the encryption and decryption operation, and obtaining a second information check value according to the final result;
and determining a second fault injection result according to the first information check value and the second information check value.
In an embodiment, after the initial data is input to the encryption and decryption module to perform encryption and/or decryption operation, the method further includes:
in the encryption and/or decryption operation process, determining the operation type of the current calculation round;
when the operation type is a random delay type, not storing the calculation result of the current calculation round;
and when the operation type is a normal operation type, storing the calculation result of the current calculation round.
In a second aspect, an embodiment of the present application provides a fault detection device, including:
the input module is used for inputting the initial data into the encryption and decryption module to carry out encryption and/or decryption operation;
the redundancy calculation module is used for operating the encryption and decryption module to perform redundancy calculation according to the transition data to obtain a calculation result and a redundancy result if the current calculation round of the encryption and decryption module is the redundancy calculation round in the encryption and/or decryption operation process; the transition data is related to the initial data and the current calculation round;
and the determining module is used for determining a first fault injection result according to the calculation result and the redundancy result.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is configured to store a computer program, and the computer program executes the fault detection method provided in the first aspect when the processor runs.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program which, when run on a processor, performs the fault detection method provided in the first aspect.
In the fault detection method, the fault detection device, the electronic equipment and the storage medium provided by the application, initial data are input into an encryption and decryption module for an encryption and/or decryption operation; during the encryption and/or decryption operation, if the current calculation round of the encryption and decryption module is a redundant calculation round, the encryption and decryption module is operated to perform redundant calculation according to the transition data, so as to obtain a calculation result and a redundant result; the transition data is determined according to the initial data and the current calculation round; and a first fault injection result is determined according to the calculation result and the redundant result. Therefore, whether fault injection exists in the encryption and decryption operation can be detected at any time and the fault injection result fed back in time; whether fault injection exists can be judged without waiting for the end of the cryptographic operation, which solves the technical problem of how to detect fault injection during the cryptographic operation. Compared with hardware fault injection detection, the scheme realizes fault injection detection by means of data redundancy, which saves hardware resource consumption.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are required for the embodiments will be briefly described, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope of the present application. Like elements are numbered alike in the various figures.
Fig. 1 is a schematic flow chart of a fault detection method according to an embodiment of the present application;
fig. 2 is a schematic diagram of another flow chart before S101 in the fault detection method according to the embodiment of the present application;
fig. 3 is a schematic diagram illustrating an execution of encryption and decryption operations by an encryption and decryption module in the fault detection method according to the embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 5 shows another schematic structural diagram of the fault detection device according to the embodiment of the present application.
Main reference numerals: 500-fault detection device, 501-input module, 502-redundancy calculation module, 503-determination module.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments.
The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present application.
The terms "comprises," "comprising," "including," or any other variation thereof, as used in various embodiments of the present application, are intended to indicate a specific feature, number, step, operation, element, component, or combination of the foregoing, and are not intended to exclude the presence of, or the possibility of adding, one or more other features, numbers, steps, operations, elements, components, or combinations of the foregoing.
Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which various embodiments of the application belong. The terms (such as those defined in commonly used dictionaries) will be interpreted as having a meaning that is the same as the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein in connection with the various embodiments of the application.
Example 1
The embodiment of the application provides a fault detection method.
Referring to fig. 1, the fault detection method includes steps S101 to S103, and the fault detection method may be applied to an electronic device, where the electronic device may be an electronic device in a broad sense, for example, a smart terminal such as a mobile phone or a tablet computer, or a Chip, for example, a System On Chip (SOC), or any device that needs to implement encryption and decryption of information or data.
The steps are described below.
Step S101, inputting the initial data into an encryption and decryption module for encryption and/or decryption operation.
In this embodiment, the initial data is data to be encrypted or data to be decrypted, where the data to be encrypted may include plaintext and a key, and the data to be decrypted may include ciphertext and may also include a key.
The encryption and decryption modules comprise an encryption sub-module and a decryption sub-module, and the number of the encryption sub-module and the decryption sub-module can be multiple, for example, the number of the encryption sub-module and the decryption sub-module can be consistent. The encryption operation can be performed by the encryption sub-module, and the decryption operation can be performed by the decryption sub-module.
The electronic device may perform encryption operations on the initial data alone, decryption operations alone, or both based on different application scenarios.
The algorithm involved in the encryption and decryption operation may be at least one of the SM4 block cipher algorithm, the AES (Advanced Encryption Standard) algorithm, the TDES (Triple DES) algorithm, and the DES (Data Encryption Standard) algorithm, and may also be another cipher algorithm.
Step S102, in the encryption and/or decryption operation process, if the current calculation round of the encryption and decryption module is a redundant calculation round, the encryption and decryption module is operated to perform redundant calculation according to the transition data, so as to obtain a calculation result and a redundant result.
In this embodiment, the encryption and decryption module may perform the encryption and/or decryption operation as a pipelined multi-round operation. For example, referring to fig. 3, a plurality of encryption sub-modules and/or a plurality of decryption sub-modules may be connected in series to form a pipelined encryption and decryption structure; each encryption sub-module may perform at least one encryption calculation, and each decryption sub-module may perform at least one decryption calculation, thereby forming a plurality of calculation rounds in the encryption and/or decryption calculation process.
In the calculation process, when a redundancy calculation round is encountered, namely, fault injection detection is triggered, transition data can be determined according to the calculation round in which the current redundancy calculation is located and initial data, and then the transition data is input into an encryption sub-module or a decryption sub-module corresponding to the redundancy calculation round, so that encryption or decryption operation is correspondingly executed, and a redundancy (calculation) result and a normal encryption or decryption calculation result are obtained.
For example, when one redundancy calculation is set in the redundancy calculation round, the corresponding encryption sub-module or decryption sub-module may perform two calculations, where the first calculation may be a normal calculation and the second calculation may be a redundancy calculation; alternatively, the first calculation may be a redundant calculation and the second calculation may be a normal calculation.
For another example, when two redundant computations are provided in a redundant computation round, the corresponding encryption sub-module or decryption sub-module may perform three computations, one of which is a normal computation and the other two of which are redundant computations.
The transition data is related to the initial data and the current calculation round, and may be determined according to the initial data and the current calculation round, for example.
In an embodiment, in a case where the redundant calculation round is a first calculation round, the transition data is the initial data.
And under the condition that the redundant calculation round is not the first calculation round, the transition data is the calculation result of the previous calculation round of the current calculation round.
For example, in the case where the initial data is encrypted and then decrypted, assuming that the first round of decryption operation is a redundant calculation round, the corresponding transition data at this time is the calculation result output by the last round of encryption operation.
Therefore, the transition data can be clearly and accurately determined according to whether the redundant calculation round is the first calculation round, and the accuracy of the calculation result is ensured.
In one embodiment, step S102 includes:
and if the current calculation round is the redundant encryption calculation round, operating a target encryption sub-module corresponding to the current calculation round to perform redundant encryption calculation according to the transition data to obtain an encryption calculation result and a redundant encryption result.
The target encryption submodule is included in a plurality of encryption submodules, and corresponds to a current calculation round.
Under the condition that the current calculation round is the first round encryption calculation round, the transition data is the initial data; and under the condition that the current calculation round is not the first round of encryption calculation round, the transition data is the encryption result of the previous encryption calculation round of the current encryption calculation round.
In this embodiment, for a redundant encryption calculation round, a corresponding target encryption sub-module is operated to perform redundant encryption calculation according to the transition data to obtain an encryption calculation result and a redundant encryption result, so that whether the encryption calculation process of the redundant encryption calculation round has a fault or not is conveniently judged according to the encryption calculation result and the redundant encryption result.
and/or,
and if the current calculation round is the redundant decryption calculation round, operating a target decryption sub-module corresponding to the current calculation round to perform redundant decryption calculation according to the transition data, so as to obtain a decryption calculation result and a redundant decryption result.
The target decryption submodule is included in a plurality of decryption submodules, and corresponds to a current calculation round.
Under the condition that the current calculation round is the first round decryption calculation round, the transition data is the initial data; and under the condition that the current calculation round is not the first calculation round, the transition data is the decryption result of the previous calculation round of the current calculation round.
In this embodiment, for a redundant decryption calculation round, the corresponding target decryption sub-module is operated to perform redundant decryption calculation according to the transition data to obtain a decryption calculation result and a redundant decryption result, so that whether the decryption calculation process of the redundant decryption calculation round has a fault can be conveniently determined according to the decryption calculation result and the redundant decryption result.
And step S103, determining a first fault injection result according to the calculation result and the redundancy result.
It should be noted that, the first fault injection result may be a fault injection result of the current calculation round, or may be a fault injection result corresponding to the whole encryption and decryption operation process of the encryption and decryption module. For example, when the current calculation round is a non-last calculation round, the fault injection result corresponding to the current calculation round is obtained. When the current calculation round is the last round, the fault injection result is correspondingly the fault injection result of the whole encryption and decryption operation process.
Referring to fig. 3, an encryption algorithm is exemplified as SM4 algorithm. As shown in fig. 3, the initial data is plaintext and a secret key, and the plaintext and the secret key are input to an encryption and decryption module, the encryption and decryption module performs encryption operation by adopting an SM4 algorithm, the encryption and decryption module comprises 32 encryption sub-modules, and each encryption sub-module is responsible for one round of encryption operation.
With conventional hardware structural redundancy, fault injection is detected after all 32 calculation rounds have been completed. In contrast, in the embodiment of the application shown in fig. 3, the first 3 rounds are set as redundant encryption calculation rounds. If the calculation result and the redundant result differ when the 1st round is calculated, the first fault injection result indicating fault injection in the current calculation round can be determined in the 1st round; if the calculation result and the redundant result differ in the 3rd round, the first fault injection result indicating fault injection can be determined in the 3rd round.
This embodiment uses data redundancy rather than hardware structural redundancy. With data redundancy, whether a fault has been injected can be determined during the encryption and decryption calculation rounds, which improves efficiency, and resource consumption can be further reduced by configuring the number of data-redundant rounds. In addition, a smaller fault injection range can be determined through the different rounds, which improves troubleshooting efficiency.
In one embodiment, step S103 includes:
if the calculated result is different from the redundant result, the first fault injection result indicates that fault injection exists;
and if the calculated result is the same as the redundant result, the first fault injection result indicates that no fault injection exists.
A redundant calculation round comprises two encryption and decryption calculations that have the same input data, namely the transition data. The result of the first encryption and decryption calculation of the redundant calculation round is used as the calculation result, and the result of the second encryption and decryption calculation is used as the redundant result. If the calculation result is the same as the redundant result, no fault injection exists in the redundant calculation round; if the calculation result is different from the redundant result, fault injection exists in the redundant calculation round.
Referring to fig. 2, before step S101 in fig. 1, the method further includes:
step S104, acquiring the security priority of the initial data;
step S105, setting at least one encryption/decryption computation round in the encryption and/or decryption computation process as the redundancy computation round according to the security priority.
Corresponding application scenes can be determined through different initial data, and different security requirements can exist for different application scenes, so that security priorities corresponding to different initial data can be obtained.
For example, the security priority may be represented in the form of numerals or characters, or may be differentiated according to high, medium, and low. Different security priorities may correspond to different redundancy calculation runs.
Illustratively, an attacker typically attacks the first and last three rounds of the SM4 algorithm, and can crack the key by analyzing a relatively small amount of data. Therefore, to counter this common attack pattern, a selectable data redundancy mode is adopted, in which it can be controlled which of the 32 rounds of the encryption operation are made redundant. Taking the 1st round of encryption operation in fig. 3 as an example, the dotted line of the first round indicates that the first round of encryption operation is changed from completing in 1 cycle, as in the prior art, to completing in 2 cycles.
The cryptographic operation of this embodiment is implemented in a pipelined manner. The same initial data, which may refer to the same plaintext and key, is given to the first cycle and the second cycle of the 1st round of encryption operation; the output results of the two cycles are stored in registers, and a common comparator (which may be implemented by an exclusive-OR operation) checks whether the outputs of the two cycles are the same.
If the two outputs are the same, no fault injection exists in this round of encryption operation; if they are different, fault injection exists in this round of encryption operation, and this can be fed back immediately to end the encryption operation in this round. The operation uses pipelined calculation and meets the application requirements of high speed and high throughput. The data to be encrypted in the 1st round of operation is the plaintext, and the data to be encrypted in the i-th round of operation is the encryption result of the (i-1)-th round of encryption operation, where 2 ≤ i ≤ 32.
In an embodiment, the security priority includes a high security priority and a low security priority, and step S105 includes:
setting N redundant calculation rounds in the calculation rounds according to the high security priority;
and setting M redundant calculation rounds in the calculation rounds according to the low security priority, wherein N > M.
For example, if the security requirement of the user's application scenario is ordinary, the data redundancy of the 32 rounds of the SM4 algorithm can be configured as 0, meaning that the cryptographic operation performs normal encryption and decryption and needs 32 cycles to complete one operation. For an application scenario with higher security requirements, the encryption and decryption operations are performed with redundant calculation rounds configured, for example six redundant calculation rounds. Fault injection is then detected while the encryption and decryption operation is in progress and fault information is fed back promptly: there is no need to wait until the cryptographic operation has finished, because the current round of the encryption and decryption operation can already determine whether fault injection exists, which saves hardware resource consumption.
In one embodiment, the method further comprises:
under the condition that the initial data is input into the encryption and decryption module to carry out encryption and decryption operation, a first information check value is obtained according to the initial data;
obtaining a final result of the encryption and decryption operation, and obtaining a second information check value according to the final result;
and determining a second fault injection result according to the first information check value and the second information check value.
If the first information check value and the second information check value are the same, the second fault injection result indicates that fault injection does not exist in the calculation process of the encryption and decryption module.
If the first information check value and the second information check value are different, a second fault injection result indicates that fault injection exists in the calculation process of the encryption and decryption module.
In this embodiment, the first information check value and the second information check value may be hash-based message authentication codes (HMACs). Comparing the first information check value with the second information check value determines whether the final result was subjected to fault injection or tampering during its transmission, so as to ensure that the final result is not tampered with in transit.
For example, if the first information check value and the second information check value are HMAC values, they can be used not only to determine whether the information was maliciously tampered with during transmission of the cryptographic information, but also to verify whether a fault was injected during the operation of the cryptographic algorithm.
If the HMAC values of the first information check value and the second information check value are the same, the transmission of the cryptographic information in the encryption and decryption module was not maliciously tampered with and the encryption and decryption operation is correct. If the HMAC values are different, either the transmission of the cryptographic information in the encryption and decryption module was maliciously tampered with, or the encryption and decryption operation itself went wrong.
Where the HMAC values are different, the encryption and decryption operation may be performed again to obtain the second information check value anew, which is then compared with the first information check value. If they still differ, the cause may be an error in the operation itself; if they are the same, the previous transmission may have been maliciously tampered with.
In one embodiment, the method further comprises:
in the encryption and/or decryption operation process, determining the operation type of the current calculation round;
when the operation type is a random delay type, not storing the calculation result of the current calculation round;
And when the operation type is a normal operation type, storing the calculation result of the current calculation round.
For example, the random delay may be predetermined. If the random delay is 3 clock cycles and the normal encryption and decryption calculation needs 33 clock cycles, the overall calculation period for the encryption and decryption calculation is 35 clock cycles. The calculation rounds corresponding to the random delay are of the random delay type, and the calculation rounds corresponding to the normal encryption and decryption cycles are of the normal operation type. Encryption and decryption calculation is still performed in the calculation rounds corresponding to the 3 clock cycles of the random delay type, but the results are not retained. Normal encryption and decryption calculation is performed in the calculation rounds corresponding to the 33 clock cycles of the normal operation type and the results are retained, so the encryption and decryption operation takes only 35 clock cycles to complete.
Thus an attacker cannot locate the point in the operation that they originally intended to attack, which strengthens the security of the cryptographic operation. Computing the plaintext mask and the key mask from the random mask hides the actual encryption process and effectively mitigates power and electromagnetic attacks during the encryption operation.
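The selectable per-round redundancy described earlier (a redundant round takes 2 cycles and its two outputs are compared) and the random-delay cycles described above can be modelled together. The following Python model is an added example, not code from the patent: the round function and key schedule are simplified stand-ins rather than real SM4, and the choice of the first three and last three rounds for the high priority, the placement of the delay cycles before round 1, and the single-bit glitch model are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
ROUNDS = 32

# Constructed sample input (not taken from the patent).
PT = bytes.fromhex("0123456789abcdeffedcba9876543210")
KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def stand_in_t(x: int) -> int:
    # Stand-in for SM4's T transform: NOT the real S-box, only round-shaped.
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return x ^ rotl(x, 2) ^ rotl(x, 10) ^ rotl(x, 18) ^ rotl(x, 24)


def round_keys(key: bytes) -> list:
    # Stand-in key schedule (assumption): 32 round keys derived with SHA-256.
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]


def round_fn(state: tuple, rk: int) -> tuple:
    # SM4-shaped round on four 32-bit words: (X0, X1, X2, X3) -> (X1, X2, X3, X4).
    x0, x1, x2, x3 = state
    return (x1, x2, x3, x0 ^ stand_in_t(x1 ^ x2 ^ x3 ^ rk))


def redundant_rounds_for(priority: str) -> frozenset:
    # Assumed policy: high = first three and last three rounds (N = 6),
    # low = no redundant rounds (M = 0), so N > M.
    policy = {"high": frozenset({1, 2, 3, 30, 31, 32}), "low": frozenset()}
    return policy[priority]


@dataclass
class Result:
    ciphertext: Optional[bytes]   # None when the result was discarded
    cycles: int                   # clock cycles consumed
    fault_round: Optional[int]    # round whose two passes disagreed


def encrypt(block: bytes, key: bytes, redundant=frozenset(), delay: int = 0,
            glitch_cycle: Optional[int] = None) -> Result:
    rks = round_keys(key)
    state = tuple(int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4))
    cycle = 0

    def one_pass(st, rk):
        # One clock cycle of the round logic; the test bench may flip one
        # output bit in a chosen cycle to model a glitch.
        nonlocal cycle
        cycle += 1
        out = round_fn(st, rk)
        if cycle == glitch_cycle:
            out = out[:3] + (out[3] ^ 0x100,)
        return out

    # Random delay type: the round logic runs, the result is not stored.
    for _ in range(delay):
        one_pass(state, rks[0])

    # Normal operation type: the result is stored as the next transition data.
    for rnd in range(1, ROUNDS + 1):
        out = one_pass(state, rks[rnd - 1])
        if rnd in redundant:
            again = one_pass(state, rks[rnd - 1])   # same transition data
            diff = 0
            for a, b in zip(out, again):            # XOR comparator
                diff |= a ^ b
            if diff:
                # Fault feedback: stop in this round and discard the result.
                return Result(None, cycle, rnd)
        state = out

    ct = b"".join(w.to_bytes(4, "big") for w in reversed(state))
    return Result(ct, cycle, None)


if __name__ == "__main__":
    print(encrypt(PT, KEY, redundant_rounds_for("high")))
    print(encrypt(PT, KEY, redundant_rounds_for("high"), glitch_cycle=1))
    print(encrypt(PT, KEY, delay=3, glitch_cycle=1))
```

A glitch on a round that is not configured as redundant passes the per-round comparison, so the round selection determines what this check can catch.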
In order to clearly illustrate how the fault injection method in the embodiment of the present application applies to the implementation of each function of the electronic device, the linkage of the modules of the electronic device during the overall fault injection is described below by way of example with reference to fig. 4.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device, where the electronic device includes a parsing module, a generation module, a control module, an operation module, a verification module, a fault injection module, and a feedback module. The parsing module is configured to receive an externally input random number generation instruction and to control the generation module to generate a random number according to that instruction. The random number may include a first random number and a second random number. The first random number is a smaller random number, for example with the value 3; the second random number is a larger random number whose number of bits equals the width of the plaintext or the key, for example 128 bits when the plaintext is 128 bits.
The control module is used for determining the random delay according to the first random number and determining the random mask according to the second random number. For example, if the first random number is 3, the random delay is 3, and if the second random number is a 128-bit number, the random mask is a 128-bit number. The random mask hides the actual encryption process and effectively mitigates power and electromagnetic attacks during the encryption operation.
In this embodiment, the operation module includes an encryption and decryption module, which is configured to obtain an operation start signal, a data/key valid signal, an address signal, and the like. The operation start signal is the start signal of the cryptographic operation: when it is high, the cryptographic algorithm starts to operate. The data/key valid signal indicates that, when the operation start signal is high and the data/key meets a specified data/key size (e.g., 128 bits), the data/key to be operated on is ready. The address signal carries the location information of the data/key, for example: the first two bits of the address register indicate whether the operation start signal is high; the middle two bits indicate whether the data is in place; the last two bits indicate whether the key is in place, ready for the encryption operation.
In this embodiment, the encryption and decryption module performs encryption and decryption operations according to the random delay, the random mask and the initial data, so as to obtain a first result.
The encryption and decryption module performs exclusive-or operation on the plaintext and the random mask after the random time delay to obtain a plaintext mask, performs exclusive-or operation on the key and the random mask to obtain a key mask, and performs encryption operation on the plaintext mask according to the key mask to obtain a second encryption result.
The second random number is used as both a preset plaintext and a preset key, and the preset plaintext is encrypted according to the preset key to obtain a third encryption result; an exclusive-OR operation is then performed on the second encryption result and the third encryption result to obtain the first encryption result.
For example, if a normal cryptographic algorithm needs 32 clock cycles to complete the encryption operation and a random delay is added (for example, a random delay of 3 clock cycles, during which the encryption operation is still performed but none of the results from those 3 clock cycles is retained), the cryptographic operation needs 35 clock cycles to complete.
Thus an attacker cannot locate the point in the operation that they originally intended to attack, which strengthens the security of the cryptographic operation. Computing the plaintext mask and the key mask from the random mask hides the actual encryption process and effectively mitigates power and electromagnetic attacks during the encryption operation.
In this embodiment, the final first encryption result is obtained by the exclusive-or operation of the second encryption result and the third encryption result, so that the influence of the random mask on the encryption result is avoided, and the random mask can play a role in improving the data security.
In this embodiment, in order to verify the correctness of the encryption and decryption operation process, the fault detection method further includes:
the verification module performs encryption and decryption operation according to the initial data through the testing tool to obtain a second result;
comparing the first result with the second result, and judging whether the correctness of the encryption and decryption module passes verification or not according to the comparison result;
if the verification is passed, a first information check value is obtained according to the initial data, and the first information check value and the first result are stored;
and if the verification is not passed, modifying the configuration information of the encryption and decryption module until the encryption and decryption module passes the correctness verification.
In this embodiment, the test tool is a standard encryption tool that can simulate the operation of the encryption and decryption module; its encryption and decryption result can be taken as the correct result and used as reference data for the first result output by the encryption and decryption module.
It should be noted that modifying the configuration information of the encryption and decryption module may include: identifying an output error caused by incorrect code or operation design in part of the encryption operation design, locating, according to the encryption algorithm standard, the erroneous configuration information corresponding to the error in the encryption and decryption operation, and modifying that erroneous configuration information.
Referring to fig. 4 again, when fault injection exists, the feedback module generates a fault feedback signal and deletes the corresponding encryption and decryption result according to the fault feedback signal. Illustratively, the fault feedback signal being pulled high indicates that fault injection exists in the encryption and decryption algorithm of the encryption and decryption module; the fault feedback signal being pulled low indicates that no fault injection exists in the encryption and decryption algorithm of the encryption and decryption module.
The fault feedback signal indicates that the encryption and decryption module has an error: the encryption and decryption result is not retained, the operation result is deleted according to the fault feedback signal, and the next cryptographic operation is carried out.
Referring to fig. 4 again, the fault injection module inputs a glitch signal to the encryption and decryption module, and completes the fault injection to the encryption and decryption module. In this embodiment, the electronic device may generate a fault injection control instruction, generate a glitch signal according to the fault injection control instruction, and input the glitch signal to the encryption and decryption module, where the glitch signal includes a clock glitch or a voltage glitch.
For example, in the case of determining that a fault injection exists, in order to ensure data security, a glitch signal may be input to the subsequent encryption/decryption subunit. Alternatively, during fault injection simulation testing, a glitch signal may be generated and output by the fault injection module.
This ensures that the fault is injected into the encryption and decryption module, that is, that the fault injection is completed, so that fault detection and fault feedback can be realized.
According to the fault detection method provided by this embodiment, initial data is input into an encryption and decryption module for an encryption and/or decryption operation; during the encryption and/or decryption operation, if the current calculation round of the encryption and decryption module is a redundant calculation round, the encryption and decryption module is operated to perform redundant calculation according to the transition data, so as to obtain a calculation result and a redundant result, the transition data being determined according to the initial data and the current calculation round; and a first fault injection result is determined according to the calculation result and the redundant result. Fault injection in the encryption and decryption operation is thus detected as the operation proceeds and fault information is fed back promptly: the fault injection result can be determined in the current round of the encryption and decryption operation, without waiting for the cryptographic operation to finish, which saves hardware resource consumption.
Example 2
In addition, the embodiment of the application provides a fault detection device.
Specifically, as shown in fig. 5, the fault detection apparatus 500 includes:
the input module 501 is used for inputting the initial data into the encryption and decryption module to perform encryption and/or decryption operation;
the redundancy calculation module 502 is configured to, during the encryption and/or decryption operation, if the current calculation round of the encryption and decryption module is a redundant calculation round, operate the encryption and decryption module to perform redundant calculation according to the transition data to obtain a calculation result and a redundant result; the transition data is related to the initial data and the current calculation round;
a determining module 503, configured to determine a first fault injection result according to the calculation result and the redundancy result.
In an embodiment, the determining module 503 is further configured so that, if the calculation result is different from the redundant result, the first fault injection result indicates that fault injection exists;
and if the calculated result is the same as the redundant result, the first fault injection result indicates that no fault injection exists.
In one embodiment, the fault detection apparatus 500 further includes:
the acquisition module is used for acquiring the security priority of the initial data; setting at least one calculation round in the encryption and/or decryption operation process as the redundant calculation round according to the security priority;
Optionally, the acquiring module is further configured to set N redundant computation rounds in the computation rounds according to the high security priority; and setting M redundant calculation rounds in the calculation rounds according to the low security priority, wherein N > M.
In an embodiment, the encryption and decryption module comprises an encryption sub-module and/or a decryption sub-module, the redundancy calculation round comprises a redundancy encryption calculation round and/or a redundancy decryption calculation round, and the transition data comprises first transition data and/or second transition data; the calculation result comprises a target encryption result and/or a target decryption result, and the redundant result comprises a redundant encryption result and/or a redundant decryption result;
the redundancy calculation module 502 is further configured to operate a target encryption sub-module corresponding to the current calculation round if the current calculation round is a redundancy encryption calculation round, so as to perform redundancy encryption calculation according to the transition data to obtain an encryption calculation result and a redundancy encryption result, where the redundancy calculation round includes the redundancy encryption calculation round, the encryption/decryption module includes a plurality of encryption sub-modules, and the plurality of encryption sub-modules includes the target encryption sub-module;
and/or,
and if the current calculation round is a redundant decryption calculation round, operating a target decryption sub-module corresponding to the current calculation round to perform redundant decryption calculation according to the transition data to obtain a decryption calculation result and a redundant decryption result, wherein the redundant calculation round comprises the redundant decryption calculation round, the encryption and decryption module comprises a plurality of decryption sub-modules, and the plurality of decryption sub-modules comprise the target decryption sub-module.
In an embodiment, in a case that the redundancy calculation round is a first calculation round, the transition data is the initial data;
and under the condition that the redundant calculation round is not the first calculation round, the transition data is the calculation result of the previous calculation round of the current calculation round.
In one embodiment, the fault detection apparatus 500 further includes:
the first processing module is used for acquiring a first information check value according to the initial data under the condition that the initial data is input into the encryption and decryption module to carry out encryption and decryption operation;
obtaining a final result of the encryption and decryption operation, and obtaining a second information check value according to the final result;
and determining a second fault injection result according to the first information check value and the second information check value.
In one embodiment, the fault detection apparatus 500 further includes:
the second processing module is used for determining the operation type of the current calculation round in the encryption and/or decryption operation process;
when the operation type is a random delay type, not storing the calculation result of the current calculation round;
and when the operation type is a normal operation type, storing the calculation result of the current calculation round.
The fault detection device 500 provided in this embodiment can implement the fault detection method provided in embodiment 1, and in order to avoid repetition, a description thereof will be omitted.
The fault detection device provided by this embodiment inputs initial data into the encryption and decryption module for an encryption and/or decryption operation; during the encryption and/or decryption operation, if the current calculation round of the encryption and decryption module is a redundant calculation round, the encryption and decryption module is operated to perform redundant calculation according to the transition data, so as to obtain a calculation result and a redundant result, the transition data being determined according to the initial data and the current calculation round; and a first fault injection result is determined according to the calculation result and the redundant result. Fault injection in the encryption and decryption operation is thus detected as the operation proceeds and fault information is fed back promptly: the fault injection result can be determined in the current round of the encryption and decryption operation, without waiting for the cryptographic operation to finish, which saves hardware resource consumption.
Example 3
Furthermore, an embodiment of the present application provides an electronic device including a memory and a processor, the memory storing a computer program that, when run on the processor, performs the fault detection method provided in embodiment 1.
The electronic device provided in this embodiment may implement the fault detection method provided in embodiment 1, and in order to avoid repetition, details are not repeated here.
Example 4
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the fault detection method provided by embodiment 1.
In the present embodiment, the computer readable storage medium may be a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or the like.
The computer readable storage medium provided in this embodiment can implement the fault detection method provided in embodiment 1, and in order to avoid repetition, a detailed description is omitted here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or terminal comprising the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are to be protected by the present application.

Claims (10)

1. A method of fault detection, the method comprising:
inputting the initial data into an encryption and decryption module for encryption and/or decryption operation;
in the encryption and/or decryption operation process, if the current calculation round of the encryption and decryption module is a redundant calculation round, the encryption and decryption module is operated to perform redundant calculation according to the transition data, so as to obtain a calculation result and a redundant result; the transition data is related to the initial data and the current calculation round;
and determining a first fault injection result according to the calculation result and the redundancy result.
2. The method of claim 1, wherein the determining a first fault injection result from the calculation result and the redundancy result comprises:
if the calculated result is different from the redundant result, the first fault injection result indicates that fault injection exists;
and if the calculated result is the same as the redundant result, the first fault injection result indicates that no fault injection exists.
3. The method of claim 1, wherein before the initial data is input to the encryption and/or decryption module for encryption and/or decryption operations, further comprising:
Acquiring the security priority of the initial data;
setting at least one calculation round in the encryption and/or decryption operation process as the redundant calculation round according to the security priority;
optionally, the security priority includes a high security priority and a low security priority, and setting at least one calculation round in the encryption and/or decryption operation process to the redundant calculation round according to the security priority includes:
setting N redundant calculation rounds in the calculation rounds according to the high security priority;
and setting M redundant calculation rounds in the calculation rounds according to the low security priority, wherein N > M.
4. The method of claim 1, wherein if the current calculation round of the encryption and decryption module is a redundant calculation round, operating the encryption and decryption module to perform redundant calculation according to the transition data to obtain a calculation result and a redundant result, includes:
if the current calculation round is a redundant encryption calculation round, operating a target encryption sub-module corresponding to the current calculation round to perform redundant encryption calculation according to transition data to obtain an encryption calculation result and a redundant encryption result, wherein the redundant calculation round comprises the redundant encryption calculation round, the encryption and decryption module comprises a plurality of encryption sub-modules, and the plurality of encryption sub-modules comprise the target encryption sub-module;
and/or,
and if the current calculation round is a redundant decryption calculation round, operating a target decryption sub-module corresponding to the current calculation round to perform redundant decryption calculation according to the transition data to obtain a decryption calculation result and a redundant decryption result, wherein the redundant calculation round comprises the redundant decryption calculation round, the encryption and decryption module comprises a plurality of decryption sub-modules, and the plurality of decryption sub-modules comprise the target decryption sub-module.
5. The method according to claim 1, wherein the transition data is the initial data in the case where the redundant calculation round is a first calculation round;
and under the condition that the redundant calculation round is not the first calculation round, the transition data is the calculation result of the previous calculation round of the current calculation round.
6. The method according to claim 1, wherein the method further comprises:
under the condition that the initial data is input into the encryption and decryption module to carry out encryption and decryption operation, a first information check value is obtained according to the initial data;
obtaining a final result of the encryption and decryption operation, and obtaining a second information check value according to the final result;
And determining a second fault injection result according to the first information check value and the second information check value.
7. The method of claim 1, wherein after the initial data is input to the encryption and/or decryption module for encryption and/or decryption operations, further comprising:
in the encryption and/or decryption operation process, determining the operation type of the current calculation round;
when the operation type is a random delay type, not storing the calculation result of the current calculation round;
and when the operation type is a normal operation type, storing the calculation result of the current calculation round.
8. A fault detection device, the device comprising:
the input module is used for inputting the initial data into the encryption and decryption module to carry out encryption and/or decryption operation;
the redundancy calculation module is used for operating the encryption and decryption module to perform redundancy calculation according to the transition data to obtain a calculation result and a redundancy result if the current calculation round of the encryption and decryption module is the redundancy calculation round in the encryption and/or decryption operation process; the transition data is related to the initial data and the current calculation round;
and the determining module is used for determining a first fault injection result according to the calculation result and the redundancy result.
9. An electronic device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, performs the fault detection method of any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that it stores a computer program which, when run on a processor, performs the fault detection method of any one of claims 1 to 7.
CN202310735355.4A 2023-06-20 2023-06-20 Fault detection method and device, electronic equipment and storage medium Pending CN116611096A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310735355.4A CN116611096A (en) 2023-06-20 2023-06-20 Fault detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116611096A true CN116611096A (en) 2023-08-18

PB01 Publication
SE01 Entry into force of request for substantive examination