CN102236754A

Movatterモバイル変換

Info

Publication number: CN102236754A
Application number: CN2010101748257A
Authority: CN
Inventors: 杨睿
Original assignee: Ali Corp
Current assignee: Ali Corp
Priority date: 2010-05-07
Filing date: 2010-05-07
Publication date: 2011-11-09
Anticipated expiration: 2030-05-07
Also published as: CN102236754B

Abstract

The invention discloses a data encryption method which is used on an electronic device. The data security method comprises the following steps: generating a first password and a second password; (b) giving the electronic device an electronic device serial number; (c) generating a first key according to the first password and the serial number of the electronic device; (d) generating a second key according to the second password and the serial number of the electronic device, and encrypting at least a part of data of the electronic device by using the second key to generate encrypted data; and (e) when the electronic device is in operation, decrypting the first key by using the first password to generate recovered data, and decrypting the encrypted data according to the second key when the serial number information of the electronic device, which is contained in the recovered data, corresponds to the existing serial number of the electronic device.

Description

Data encryption method and the electronic installation that uses this data encryption method

Technical field

The present invention is relevant for data encryption method and the electronic installation that uses this data encryption method, and being particularly to not must the Additional Protection device and the electronic installation that has the data encryption method of lower cost and use this data encryption method.

Background technology

Illegally read even steal for fear of important data, many data confidentiality mechanism are developed.Generally speaking, one of them purpose of data confidentiality mechanism is replicated for anti-locking system.That is to say only have specific I C (Integration Circuit) can operate user's software, so,, then can't use the software that is stolen if there is not corresponding IC even user's software pirate is got.In addition, be stolen, can use encipherment protection to come defence program or data for fear of program or data.

Under will summarize the data encryption method that often is used now.Wherein a kind ofly be: give each chip one identifying code, when software operates, can go to confirm whether this identifying code is correct, if identifying code is incorrect, then software can decommission.Yet, this type of the suitable easy crack of secret mode.This identifying code can divide again fixing burned or with the single enciphering/deciphering (One Time Programing, OTP) mode writes.

Another protected mode then is to provide a storer with the usefulness as authentication in IC inside.When IC operated, IC can read the sign indicating number that stores in the storage arrangement and confirm whether outside sign indicating number is correct, if outside sign indicating number is incorrect, then can decommission.In addition, also different golden keys can be offered different clients, and utilize this golden key to encrypt, to ensure the safety in the data at the data in the IC.Yet therefore this kind practice can cause IC to produce and managerial difficulty because must provide different passwords in IC at different clients.

Summary of the invention

Therefore, one of the present invention purpose be to provide a kind of must additional circuit and low cost, the data encryption method of convenient management.

Another embodiment of the present invention has disclosed a kind of electronic installation with data confidentiality mechanism, comprises: a processor; And a storage device, store one first password, one second password and an electronic installation sequence number; Wherein one first gold medal key is produced according to this first password and this electronic installation sequence number, and one second gold medal key produces according to this second password and this electronic installation sequence number, and data based this second gold medal key of at least one part of this electronic installation is encrypted and produce enciphered data; When this electronic installation running, this processor uses this first password to decipher this first gold medal key to produce a restoring data, and when this restoring data corresponded to this first password, this processor was deciphered this enciphered data according to this second gold medal key.

See through previous embodiment, can under the situation that does not increase additional circuit, carry out strong data confidentiality.And owing to not being about to the IC classification earlier, only when shipment, the data input is got final product, therefore can save in the IC manufacturing and managerial cost.

Description of drawings

Fig. 1 to Fig. 3, it has illustrated the process flow diagram according to the data encryption method of preferred embodiment of the present invention;

Fig. 4 has illustrated the IC calcspar of data encryption method according to an embodiment of the invention.

The main element symbol description:

409 enciphering/deciphering elements

Embodiment

In the middle of instructions and follow-up claim, used some vocabulary to censure specific element.The person with usual knowledge in their respective areas should understand, and same element may be called with different nouns by hardware manufacturer.This instructions and follow-up claim are not used as distinguishing the mode of element with the difference of title, but the criterion that is used as distinguishing with the difference of element on function.Be an open term mentioned " comprising " in the middle of instructions and the follow-up request item in the whole text, so should be construed to " comprise but be not limited to ".In addition, " coupling " speech is to comprise any indirect means that are electrically connected that directly reach at this.Therefore, be coupled to one second device, then represent this first device can directly be electrically connected in this second device, or be electrically connected to this second device indirectly through other devices or connection means if describe one first device in the literary composition.

Please refer to Fig. 1 and Fig. 3, it has illustrated the data encryption method according to preferred embodiment of the present invention.Wherein Fig. 1 has illustrated the step before IC (Integration Circuit) starts, and Fig. 3 has illustrated the verification step after IC starts.It is noted that these steps in order to for example, are not in order to limit the present invention only.

Please consult Fig. 1 and Fig. 2 jointly and more understand technical spirit of the present invention.In one embodiment, thestep 101 of the following stated can be undertaken by manufacturer (for example, chip design company) tostep 107, just when making IC,step 101 put into IC to the software ofstep 107 and element in the middle of.A startup storer 205 is placed by manufacturer duringstep 101 in IC 200.Manufacturer puts into IC 200 (at the embodiment of Fig. 2, being to be positioned in the storage device 207) with one first password S_KEY_1 and one second password S_KEY_2 during step 103.Step 105, manufacturer puts into an enciphering/deciphering program (also being placed in the storage device 207 in this embodiment) in IC.Perhaps, enciphering/deciphering element 209 that can be shown in Figure 2 replaces.Instep 107, manufacturer puts into an IC device sequence number (at the embodiment of Fig. 2, being to be positioned in the storage device 207) in IC.

And client is returned to manufacturer's execution instep 111 with IC device sequence number and produces the first gold medal key C_KEY_1 and the second gold medal key C_KEY_2 after receiving IC and obtaining IC device sequence number (step 109).Client can be given with the first gold medal key C_KEY_1 and the second gold medal key C_KEY_2 by manufacturer.And client is being received just execution instep 113 of the first gold medal key C_KEY_1 and the second gold medal key C_KEY_2, and the second gold medal key C_KEY_2 that maintains secrecy.

In addition, the first gold medal key C_KEY_1 in thestep 111 and the second gold medal key C_KEY_2 also can produce with reference to other parameters except producing according to IC device sequence number, please refer to formula () and (two))

C_KEY_1＝AES_128_Encrypt(S_KEY_1，Serial_ID|Mask_Bits|RN|Customer_ID)

Formula (one)

C_KEY_2＝AES_128_Decrypt(S_KEY_2，Serial_ID|Mask_Bits|RN|Customer_ID)

Formula (two)

Formula (one) and (two) the expression first gold medal key C_KEY_1 and the second gold medal key C_KEY_2 can by IC device sequence number Serial_ID, quantity parameter Mask Bits, at random mess code RN and customer number Customer_ID wherein one or more forms.Wherein how many IC quantity parameter Mask Bits representative has use the same group first gold medal key C_KEY_1 and the second gold medal key C_KEY_2, and customer number Customer_ID then is a numbering (predetermined number just) that gives different clients.Formula () and (two) though in used all parameters, do not represent that scope of the present invention is defined in to use all parameters.

It is noted that, for example illustrate with the first password S_KEY_1 and the second password S_KEY_2 difference in this embodiment, but in fact the first password S_KEY_1 and the second password S_KEY_2 can be identical passwords.

Fig. 2 has illustrated the calcspar that uses the IC 200 of aforementioned data time slot scrambling, and it understands structure and the manner of execution of the IC that uses the aforementioned data time slot scrambling in more detail.As shown in Figure 2, IC 200 has comprised a processor 201, a memory cache 203, starts storer 205, a storage device 207 and an enciphering/deciphering element 209.Processor 201 produces the second gold medal key C_KEY_2 in order to the action of control IC 200 and in order to control enciphering/deciphering element 209 according to the second password S_KEY_2, memory cache 203 in order to store the first gold medal key C_KEY_1, by the second gold medal key C_KEY_2 ciphered data and other unencrypted data, storage device 207 is in order to store the first password S_KEY_1, the second password S_KEY_2 and an electronic installation sequence number Serial_ID.Enciphering/deciphering element 209 is in order to carry out the action of encrypting, and enciphering/deciphering element 209 herein can be carried out with the hardware mode, and also the available software mode is carried out.Note that memory cache 203 and storage device 207 are not limited to two storage devices independently, also can be same storage device.

As previously mentioned, after client obtains IC 200, can obtain the first password S_KEY_1, the second password S_KEY_2 and send manufacturer to by self-storing mechanism 207 in one embodiment.Manufacturer can utilize the first password S_KEY_1, the second password S_KEY_2 produce the first gold medal key C_KEY_1, by the second gold medal key C_KEY_2 and give client.Yet the first gold medal key C_KEY_1 can be stored in memory cache 203, and uses the second gold medal key C_KEY_2 to encrypt data in thememory cache 403.

After IC 200 starts, start storer 205 and can go to confirm whether the first gold medal key C_KEY_1 in the memory cache 203 is correct, if correctly then processor 201 just can utilize the second password S_KEY_2 to produce the second gold medal key C_KEY_2, and utilizes the second gold medal key C_KEY_2 to come the enciphered data in the memory cache 203 is decrypted.The step that IC starts can be shown in the process flow diagram of Fig. 3.

Fig. 3 has illustrated the verification step after the IC startup.Fig. 3 has comprised the following step:

Step 301

IC 200 starts.

Step 303

Use the enciphering/deciphering program and the first password S_KEY_1 of IC 200 inside to decipher the first gold medal key C_KEY_1.Various parameters that solve such as IC device sequence number Serial_ID and quantity parameter Mask Bits will be in order to compare the relevant bits of IC device sequence number.If contrast is correct, then the expression checking is passed through, and just can carry outstep 305, then can not arrivestep 304 IC 200 lockings if having.

Step 304

Locking IC 200.

Step 305

The second password S_KEY_2 that use is left among the IC 200 produces the second gold medal key C_KEY_2 (that is producing a recasting second gold medal key C_KEY_2).

Step 307

Use the second gold medal key C_KEY_2 that the enciphered data in the memory cache is decrypted.

Step 309

Carry out the procedure code of having deciphered.If the second gold medal key C_KEY_2 is correct, then procedure code can correctly be deciphered, thus can arrive step 311-IC normal operation, otherwise can arrive the mistake that step 313-generation can not be expected.

Step 311

IC 200 normal operations.

Step 313

The mistake that generation can not be expected.

Except aforesaid IC 200, aforesaid data guard method more can use on other device, and therefore aforesaid data guard method can be simplified to the process flow diagram among Fig. 4.Fig. 4 has comprised following step:

Step 401

Produce one first password S_KEY_1 and one second password S_KEY_2.

Step 403

Give electronic installation one electronic installation sequence number Serial_ID.

Step 405

Produce one first gold medal key C_KEY_1 according to the first password S_KEY_1 and electronic installation sequence number Serial_ID.

Step 407

Produce one second gold medal key C_KEY_2 according to the second password S_KEY_2 and electronic installation sequence number Serial_ID.

Step 409

When electronic installation operates, use the first password S_KEY_1 to decipher the first gold medal key C_KEY_1 to produce a restoring data, when restoring data corresponds to first password when coincideing (that is the parameter that solves), come decrypt encrypted data according to this second gold medal key with the parameter in first password.

Other detailed step can be pushed away easily by the step among earlier figures 1 and Fig. 3, does not repeat them here.

The above only is preferred embodiment of the present invention, and all equalizations of being done according to claim scope of the present invention change and modify, and all should belong to covering scope of the present invention.

Claims

Translated fromChinese

1.一种数据保密方法，使用在一电子装置上，其特征在于，所述的方法包含：1. A data security method, which is used on an electronic device, is characterized in that the method comprises:

(a)产生一第一密码以及一第二密码；(a) generating a first password and a second password;

(b)给予所述的电子装置一电子装置序列号；(b) giving said electronic device an electronic device serial number;

(c)根据所述的第一密码和所述的电子装置序列号产生一第一金钥；(c) generating a first key according to the first password and the serial number of the electronic device;

(d)根据所述的第二密码和所述的电子装置序列号产生一第二金钥，并使用所述的第二金钥加密所述的电子装置至少一部份数据来产生加密数据；以及(d) generating a second key according to the second password and the serial number of the electronic device, and using the second key to encrypt at least a part of the data of the electronic device to generate encrypted data; as well as

(e)当所述的电子装置运作时，使用所述的第一密码来解密所述的第一金钥以产生一还原数据，当所述的还原数据中包含的电子装置序列号信息对应于所述的电子装置已有的序列号时，根据所述的第二金钥来解密所述的加密数据。(e) When the electronic device is in operation, use the first password to decrypt the first key to generate a restore data, when the serial number information of the electronic device included in the restore data corresponds to When the electronic device has a serial number, the encrypted data is decrypted according to the second key.

2.如权利要求1所述的数据保密方法，其特征在于，所述的方法还包含给予所述的电子装置一预定编号，其中所述的预定编号不同于所述的电子装置序列号，且所述的步骤(c)更包含根据所述的预定编号来产生所述的第一金钥。2. The data security method according to claim 1, further comprising giving the electronic device a predetermined number, wherein the predetermined number is different from the serial number of the electronic device, and The step (c) further includes generating the first key according to the predetermined number.

3.如权利要求1所述的数据保密方法，其特征在于，所述的方法更包含给予所述的电子装置一预定编号，其中所述的预定编号不同于所述的电子装置序列号，且所述的步骤(d)更包含根据所述的预定编号来产生所述的第二金钥。3. The data security method according to claim 1, further comprising giving the electronic device a predetermined number, wherein the predetermined number is different from the serial number of the electronic device, and The step (d) further includes generating the second key according to the predetermined number.

4.如权利要求1所述的数据保密方法，其特征在于，所述的步骤(c)更包含根据一随机乱码来产生所述的第一金钥。4. The data security method according to claim 1, wherein said step (c) further comprises generating said first key according to a random garbled code.

5.如权利要求1所述的数据保密方法，其特征在于，所述的步骤(d)更包含根据一随机乱码来产生所述的第二金钥。5. The data security method according to claim 1, wherein said step (d) further comprises generating said second key according to a random garbled code.

6.如权利要求1所述的数据保密方法，其特征在于，所述的方法更包含提供一数量参数给所述的电子装置，其中所述的数量参数代表了使用同一组所述的第一密码和所述的第二密码的电子装置的数目，且所述的步骤(c)更包含根据所述的数量参数来产生所述的第一金钥。6. The data security method according to claim 1, characterized in that, said method further comprises providing a quantity parameter to said electronic device, wherein said quantity parameter represents using the same set of said first The password and the number of electronic devices of the second password, and the step (c) further includes generating the first key according to the quantity parameter.

7.如权利要求1所述的数据保密方法，其特征在于，所述的方法更包含提供一数量参数给所述的电子装置，其中所述的数量参数代表了使用同一组所述的第一密码和所述的第二密码的电子装置的数目，且所述的步骤(d)更包含根据所述的数量参数来产生所述的第二金钥。7. The data security method according to claim 1, characterized in that, said method further comprises providing a quantity parameter to said electronic device, wherein said quantity parameter represents using the same set of said first The password and the number of electronic devices of the second password, and the step (d) further includes generating the second key according to the quantity parameter.

8.如权利要求1所述的数据保密方法，其特征在于，所述的电子装置系为一芯片或一IC。8. The data security method according to claim 1, wherein the electronic device is a chip or an IC.

9.如权利要求1所述的数据保密方法，其特征在于，所述的第一密码以及所述的第二密码系储存于所述的电子装置中。9. The data security method according to claim 1, wherein the first password and the second password are stored in the electronic device.

10.如权利要求1所述的数据保密方法，其特征在于，所述的方法更包含当所述的还原数据相对应于所述的第一密码时，再根据所述的第二密码来产生一重制第二金钥，并使用所述的重制第二金钥来解密所述的加密数据。10. The data security method according to claim 1, characterized in that, said method further comprises when said restored data corresponds to said first password, then generating a password according to said second password -regenerating the second key, and using the reforged second key to decrypt the encrypted data.

11.如权利要求1所述的数据保密方法，其特征在于，所述的方法更包含将一加/解密程序储存于所述的电子装置中，且所述的步骤(e)系使用所述的加/解密程序来进行解密。11. The data security method as claimed in claim 1, wherein said method further comprises storing an encryption/decryption program in said electronic device, and said step (e) uses said encryption/decryption program to decrypt.

12.如权利要求1所述的数据保密方法，其特征在于，所述的第一密码与所述的第二密码相同。12. The data security method according to claim 1, wherein the first password is the same as the second password.

13.一种具有数据保密机制的电子装置，其特征在于，所述的装置包含：13. An electronic device with a data security mechanism, characterized in that the device comprises:

一处理器；以及a processor; and

一储存装置，储存一第一密码、一第二密码、以及一电子装置序列号；A storage device, storing a first password, a second password, and an electronic device serial number;

其中一第一金钥根据所述的第一密码和所述的电子装置序列号被产生，而一第二金钥根据所述的第二密码和所述的电子装置序列号产生，且所述的电子装置至少一部份数据根据所述的第二金钥被加密而产生加密数据；wherein a first key is generated according to the first password and the serial number of the electronic device, and a second key is generated according to the second password and the serial number of the electronic device, and the At least a part of the data of the electronic device is encrypted according to the second key to generate encrypted data;

当所述的电子装置运作时，所述的处理器使用所述的第一密码来解密所述的第一金钥以产生一还原数据，当所述的还原数据相对应于所述的第一密码时，所述的处理器根据所述的第二金钥来解密所述的加密数据。When the electronic device is in operation, the processor uses the first password to decrypt the first key to generate a recovery data, when the recovery data corresponds to the first When encrypting, the processor decrypts the encrypted data according to the second key.

14.如权利要求13所述的具有数据保密机制的电子装置，其特征在于，所述的电子装置更包含一预定编号，其中所述的预定编号不同于所述的电子装置序列号，且所述的第一金钥或所述的第二金钥亦根据所述的预定编号而产生。14. The electronic device with a data security mechanism as claimed in claim 13, wherein the electronic device further comprises a predetermined number, wherein the predetermined number is different from the serial number of the electronic device, and the The first key or the second key is also generated according to the predetermined number.

15.如权利要求13所述的具有数据保密机制的电子装置，其特征在于，所述的第一金钥或所述的第二金钥亦根据一随机乱码来产生。15. The electronic device with a data security mechanism as claimed in claim 13, wherein the first key or the second key is also generated according to a random garbled code.

16.如权利要求13所述的具有数据保密机制的电子装置，其特征在于，所述的电子装置系为一芯片或一IC。16. The electronic device with data security mechanism as claimed in claim 13, wherein the electronic device is a chip or an IC.

17.如权利要求13所述的具有数据保密机制的电子装置，其特征在于，当所述的还原数据相对应于所述的第一密码时，所述的处理器根据所述的第二密码来产生一重制第二金钥，并使用所述的重制第二金钥来解密所述的加密数据。17. The electronic device with a data security mechanism as claimed in claim 13, wherein when the restored data corresponds to the first password, the processor according to the second password to generate a remade second key, and use the remade second key to decrypt the encrypted data.

18.如权利要求13所述的具有数据保密机制的电子装置，其特征在于，所述的储存装置更储存一加/解密程序，且所述的处理器使用所述的加/解密程序来进行解密。18. The electronic device with a data security mechanism as claimed in claim 13, wherein the storage device further stores an encryption/decryption program, and the processor uses the encryption/decryption program to perform decrypt.

19.如权利要求13所述的具有数据保密机制的电子装置，其特征在于，所述的第一密码与所述的第二密码相同。19. The electronic device with a data security mechanism as claimed in claim 13, wherein the first password is the same as the second password.