Summary of the invention
The technical problem to be solved in the present invention is that in view of the above drawbacks of the prior art, a kind of digital signature is provided and is testedIt signs and encryption/decryption speed is fast, key is unclonable, complexity, reduction system highly-safe, that can greatly reduce key management provideSource consumption reduces power consumption, is directly inserted into cloud service by PCI-E interface in the case where having no need to change server hardware frameworkDevice, with safe API, user can quick and convenient calling the embedded-type security encryption chip based on Cloud Server.
The technical solution adopted by the present invention to solve the technical problems is: constructing a kind of embedded peace based on Cloud ServerFull encryption chip, it is symmetrical including being integrated in internal CPU, SM2 rivest, shamir, adelman module, SM3 hash algorithm module, SM4It is enciphering algorithm module, RSA rivest, shamir, adelman module, SHA hash algorithm module, AES symmetric encipherment algorithm module, truly randomNumber generator, physics unclonable function module and peripheral interface module, the CPU by on-chip bus respectively with the SM2Rivest, shamir, adelman module, SM3 hash algorithm module, SM4 symmetric encipherment algorithm module, RSA rivest, shamir, adelman module,SHA hash algorithm module, AES symmetric encipherment algorithm module, real random number generator, physics unclonable function module and peripheryInterface module connection;The external harmoniousness of the embedded-type security encryption chip based on Cloud Server has PCI-E interface, describedPCI-E interface connects the on-chip bus by PCI Bridge, and the embedded-type security encryption chip based on Cloud Server passes through instituteIt states in PCI-E interface insertion Cloud Server, the Cloud Server is connect with cloud platform, and the cloud platform is connect with api interface.
It further include program storage and quiet in the embedded-type security encryption chip of the present invention based on Cloud ServerState random access memory, described program memory and Static RAM pass through the on-chip bus and connect with the CPU.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the peripheral interface module is at leastIncluding SPI interface, IIC interface, GPIO interface, UART interface and I/O interface.
It is multiple described based on Cloud Server in the embedded-type security encryption chip of the present invention based on Cloud ServerEmbedded-type security encryption chip connect with the PCI-E interface by PCI-E task distributor.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the CPU is using 32 insertionsFormula processor directly accesses each module by the on-chip bus, carries out scheme control, reading data, random number to each moduleGeneration, key pair generate and realize digital signature sign test and encryption and decryption, and the CPU is by controlling the peripheral interface module and coreThe control and communication of piece external equipment.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the physics unclonable functionModule is for generating private key;The real random number generator for generation system encryption and decryption and sign sign test when it is required truly randomNumber, or for generating private key;The real random number generator is by one high entropy true random source, a post-processing and on-line testingModule composition.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the SM2 asymmetric encryption is calculatedMethod module adds for realizing the mould of finite field, mould subtracts, modular multiplication and modular inversion, and the point in curve domain adds, times point and multi point arithmetic;The RSA rivest, shamir, adelman module is for realizing basic operation library.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the SM3 hash algorithm moduleWith SHA hash algorithm module for realizing SM2 rivest, shamir, adelman module and RSA rivest, shamir, adelman module signature sign testThe generation of Hash Value in the process, the SM3 hash algorithm module and SHA hash algorithm module are using controller and data path pointFrom design method, the executive process of the controller charge control circuit, and associated control signal is provided, the data pathFor realizing the hash function of the SM3 hash algorithm module and SHA hash algorithm module, the Hash Value of generation is for sign test of signingIt uses.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the SM4 symmetric encipherment algorithmModule and AES symmetric encipherment algorithm module are made of wheel code key control generation module and enciphering/deciphering module, and the wheel code key is rawIt is the realization logic of code key expansion algorithm at module, for carrying out logical operation to code key, generates wheel code key, be stored in insideIn register;The enciphering/deciphering module is used to carry out logical process to data, obtains corresponding output data.
In the embedded-type security encryption chip of the present invention based on Cloud Server, the api interface includes encryptionAPI, decryption API, signature API, sign test API and key pair generate API.
Implement the embedded-type security encryption chip of the invention based on Cloud Server, has the advantages that due to packetInclude be integrated in internal CPU, SM2 rivest, shamir, adelman module, SM3 hash algorithm module, SM4 symmetric encipherment algorithm module,RSA rivest, shamir, adelman module, SHA hash algorithm module, AES symmetric encipherment algorithm module, real random number generator, physicsUnclonable function module and peripheral interface module can prevent key from stealing using PUF technology, while become key managementVery simple, the random letter of the real random number generator of use for random number needed for generation system, in traditional computerNumber be generated according to certain algorithm simulation, as a result, determine, be visible, this random number is not random, is pseudorandomNumber, so safety is not high, and real random number generator is to rely on physical random number generator, passes through physical process next lifeAt random number, there is absolute fairness, should the external harmoniousness of embedded-type security encryption chip based on Cloud Server havePCI-E interface, it is very convenient, and cloud does not need to carry out key management, saves quite a few resource, should be taken based on cloudThe embedded-type security encryption chip of business device is inserted into Cloud Server by PCI-E interface, and Cloud Server is connect with cloud platform, Yun PingPlatform is connect with api interface, for the user of client, only the api interface of cloud platform need to be called to can be realized required for userSecurity function, therefore of the invention digital signature sign test and encryption/decryption speed are fast, key is unclonable, it is highly-safe, can poleThe big complexity for reducing key management reduces system resources consumption, reduces power consumption, having no need to change server hardware frameworkIn the case of Cloud Server is directly inserted by PCI-E interface, there is safe API, user quick and convenient can call.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, completeSite preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based onEmbodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every otherEmbodiment shall fall within the protection scope of the present invention.
It, should the insertion based on Cloud Server in the embedded-type security encryption chip embodiment the present invention is based on Cloud ServerThe structural schematic diagram of formula security encryption chip is as shown in Figure 1, Fig. 2 is that the embedded-type security based on Cloud Server adds in the present embodimentThe schematic diagram of the external harmoniousness PCI-E interface of close chip;Fig. 3 is the embedded-type security encryption in the present embodiment based on Cloud ServerChip docks the flow diagram being digitally signed with encryption and decryption with cloud platform.
In Fig. 1, being somebody's turn to do the embedded-type security encryption chip based on Cloud Server, (referred to as safety encrypts core in the present embodimentPiece) it include being integrated in internal CPU1, SM2 rivest, shamir, adelman module 2, SM3 hash algorithm module 3, SM4 symmetric cryptography to calculateMethod module 4, RSA rivest, shamir, adelman module 5, SHA hash algorithm module 6, AES symmetric encipherment algorithm module 7, true random numberGenerator 8 (i.e. TRNG), physics unclonable function module 9 and peripheral interface module 10, CPU1 by on-chip bus respectively withM2 rivest, shamir, adelman module 2, SM3 hash algorithm module 3, SM4 symmetric encipherment algorithm module 4, RSA rivest, shamir, adelmanModule 5, SHA hash algorithm module 6, AES symmetric encipherment algorithm module 7, real random number generator 8, physics unclonable functionModule 9 and peripheral interface module 10 connect.
System is analyzed by carrying out performance and occupation condition to pure software algorithm, will occupy that resource is big, arithmetic speedSlow module hardware realization, speed higher on requirement on flexibility influence little module software realization.SM2 is asymmetric to be addedClose algoritic module 2, SM3 hash algorithm module 3, SM4 symmetric encipherment algorithm module 4, RSA rivest, shamir, adelman module 5, SHAHash algorithm module 6 and AES symmetric encipherment algorithm module 7 are hardware modules, are used to realize bottom cryptographic calculation, system is also wrappedReal random number generator 8 and physics unclonable function module 9 are included, the main generation for realizing random number and key.System softwareMain signature sign test and encryption and decryption functions by calling each hardware resource blocks to complete system, realize system hardware and software scheduling andControl, to control and manage entire security system.
Currently, a series of commercial cipher algorithms have been proposed for ensuring information security in China, the present invention is by the close calculation of stateMethod (corresponding SM2 rivest, shamir, adelman module 2, SM3 hash algorithm module 3, SM4 symmetric encipherment algorithm module 4) and international calculationMethod (corresponding RSA rivest, shamir, adelman module 5, SHA hash algorithm module 6 and AES symmetric encipherment algorithm module 7) is integrated into thisThe inside of embedded-type security encryption chip based on Cloud Server can be realized encrypting and decrypting, the signature sign test, key pair of dataThe security functions such as generation have very strong versatility.
The outside of the embedded-type security encryption chip based on Cloud Server passes through PCI-E interface 11 and Cloud Server pairIt connects, user's api interface packaged by calling system, hardware system can be automatically performed function required for user in cloud platformEnergy demand, and result is fed back into user by suitable communication protocol, complete the data interaction with client.The present invention is notUnder the premise of influencing chip arithmetic speed, maximized optimization system structure keeps the flexibility of system higher, versatility is stronger.
The external harmoniousness of the embedded-type security encryption chip based on Cloud Server has PCI-E interface 11, PCI-E interface 11On-chip bus is connected by PCI Bridge 12, PCI-E interface 11 should be passed through based on the embedded-type security encryption chip of Cloud Server and be inserted intoIn Cloud Server, Cloud Server is connect with cloud platform, and cloud platform is connect with api interface.By this based on the embedded of Cloud ServerSecurity encryption chip is applied on Cloud Server, this can be based on cloud service by the PCI-E interface 11 integrated by chip exteriorThe embedded-type security encryption chip of device is directly inserted on Cloud Server, and provides application programming interface in Cloud Server(API), for client, any place may be implemented in line generation digital signature, signature verification and encryption and decryption function at any timeEnergy.Meanwhile key management does not need storage private key for user, need to only store the ID number of user as excitation, by physics can not gramGrand function (PUF) directly generates unique corresponding private key for user, has non-reproduction, uniqueness, stability, immune intrusive moodThe characteristic of attack.
In the present embodiment, above-mentioned peripheral interface module 10 includes at least SPI interface, IIC interface, GPIO interface, UART and connectsMouth and I/O interface etc..
In the present embodiment, should embedded-type security encryption chip based on Cloud Server further include program storage 13 (i.e.FLASH) and Static RAM 14 (i.e. SRAM), program storage 13 and Static RAM 14 pass through on-chip busIt is connect with CPU1.Program storage 13 is used for storing initial data and program code, and Static RAM 14 is for storingThe ephemeral data being currently running.
In the present embodiment, which uses 32 embeded processors, directly each module is accessed by on-chip bus, to eachModule carries out scheme control, reading data, generating random number, key pair and generates and realize digital signature sign test and encryption and decryption, CPUPass through control peripheral interface module 10 (SPI interface, IIC interface, GPIO interface, UART interface and I/O interface) and chip exteriorThe control and communication of equipment.
Physics unclonable function module 9 is used to generate private key, and fabrication error when realization is based on chip manufacturing is rightUnique output can be generated in an excitation.System is assigned a device id to each client automatically, and by thisInput signal of the device id as physics unclonable function module 9 controls physics unclonable function mould by CPU1The operating mode of block 9 simultaneously reads private key of the unique output key of generation as user, and calls SM2 rivest, shamir, adelman mouldPrivate key is carried out public key generation by dot product module in block 2, and public key is finally sent to client.
In the present embodiment, real random number generator 8 for generation system encryption and decryption and sign sign test when it is required truly randomNumber, the generation of private key also can choose the realization of real random number generator 8.Real random number generator 8 by one high entropy true random source,One post-processing and on-line testing module composition.According to different configurations, this true random number based on RO (ring oscillator)The random number of complete uncertainty can be generated in generator 8, can be used for high safety application field.Real random number generator 8 is not required toInput signal is wanted, direct configuration control register selects corresponding mode starting, can obtain from output register at randomNumber.
In the present embodiment, SM2 rivest, shamir, adelman module 2 adds for realizing the mould of finite field, mould subtracts, modular multiplication and mould are inverseOperation, the point in curve domain adds, times point and multi point arithmetic;And point multiplication operation can call basic point processing and modular arithmetic module,And realize digital signature and encryption and decryption is to call corresponding register to manipulate basic processing unit by on-chip bus interfaceModule and the specific secrecy process of realization.
In the present embodiment, RSA rivest, shamir, adelman module 5 mainly realizes basic operation libraries several greatly, including add, subtract,Multiplication and division, modulo operation etc., wherein realizing data encrypting and deciphering and signature sign test most importantly modular multiplication and Montgomery Algorithm.TogetherSample realizes corresponding function of keeping secret by carrying out data interaction with on-chip bus and CPU1.Then add since its key length the longIt is slower to decrypt speed, therefore RSA rivest, shamir, adelman module 5 applies in general to the less situation of encryption data amount.
In the present embodiment, SM3 hash algorithm module 3 and SHA hash algorithm module 6 are for realizing the calculation of SM2 asymmetric encryptionThe generation of Hash Value, 3 He of SM3 hash algorithm module during method module 2 and the signature sign test of RSA rivest, shamir, adelman module 5The design method that SHA hash algorithm module 6 is separated using controller and data path, wherein controller is mainly responsible for control electricityThe executive process on road, and associated control signal is provided, data path is for realizing SM3 hash algorithm module 3 and SHA hash algorithmThe Hash Value of the hash function of module 6, generation is used for signature sign test.
In the present embodiment, SM4 symmetric encipherment algorithm module 4 and AES symmetric encipherment algorithm module 7 are by wheel code key control lifeIt is formed at module and enciphering/deciphering module, wherein wheel code key generation module is the realization logic of code key expansion algorithm, for secretKey carries out logical operation, generates wheel code key, is stored in internal register;Enciphering/deciphering module is used to carry out logic to dataProcessing, obtains corresponding output data.CPU1 is not decrypted symmetric key and unencryption or by controlling corresponding registerData are input in SM4 symmetric encipherment algorithm module 4 or AES symmetric encipherment algorithm module 7, directly read operation to operation completionAs a result.
In Fig. 2, it is somebody's turn to do the embedded-type security encryption chip (security encryption chip i.e. in figure) based on Cloud Server and passes throughPCI-E task distributor is connect with PCI-E interface, forms the security module for being integrated with PCI-E interface, should be based on cloud serviceThe embedded-type security encryption chip of device is directly inserted into Cloud Server, provides secure cryptographic algorithm and safety for Cloud ServerAuthentication function, wherein PCI-E task distributor can assign a task to any security encryption chip, and support multitask simultaneouslyEncryption and decryption or signature sign test operation are carried out, makes that the operational efficiency of system is higher, flexibility is stronger.
In Fig. 3, security encryption chip may be implemented and docked with Cloud Server, user calls api interface real by cloud platformExisting various encryption and decryption and signature sign test function, api interface include cryptographic API, decryption API, signature API, sign test API and key pairGenerate API.
User generates key pair if necessary, and the ID of user is inputted by logging in cloud platform, this ID is generated as key pairThe input of API, the i.e. excitation as physics unclonable function module 9, starting physics unclonable function module 9 generate the useThe dot product module that the private key is sent to SM2 rivest, shamir, adelman module 2 is carried out public key generation by family unique private, generationKey pair generates API by key pair and returns to user.
Encryption and decryption of the user if necessary to carry out asymmetric arithmetic, data use public key encryption, are then generated by previous stepPublic key directly as the key of SM2 rivest, shamir, adelman module 2 or RSA rivest, shamir, adelman module 5 input.If neededCarry out private key decryption, then equally only need user input User ID, system can Auto-matching generate the unique private key of user again intoRow decryption.According to SM4 symmetric encipherment algorithm module 4 or the symmetric cryptography mode of AES symmetric encipherment algorithm module 7, then systemOnly a symmetric key need to be generated by physics unclonable function module 9.Signature using private key signature, test by public keyLabel are consistent with the implementation of asymmetric encryption and decryption, and user does not need to save key, and ID generation is directly inputted when needsIt calls, does not need to carry out key management.User need to only call corresponding API to realize required function, and output result can be straightIt connects and is shown in cloud platform or client is sent to by communications protocol.
In short, the present invention relates to the embedded information security encryption chips and its guarantor in a kind of integrated circuit and cloud platform fieldDecryption method, based on Cloud Server, the close SM2/SM3/SM4 algorithm of state, world RSA/SHA/AES algorithm, physics unclonable function,Real random number generator, Peripheral Component Interconnect interfacing (PCI-E), digital signature, encryption and decryption technology and low-power consumption 32The embedded information security encryption chip of microprocessor (CPU1), and directly connect with Cloud Server by PCI-E interface 11, it is realEncryption and decryption and signature sign test technology of the existing terminal to cloud.Digital signature sign test of the invention and encryption/decryption speed be fast, key notIt can clone, is highly-safe, complexity that key management can be greatly reduced, reduce system resources consumption, reduce power consumption, do not needingChange in the case where server hardware framework Cloud Server is directly inserted by PCI-E interface, can be with safe API, userQuick and convenient calling.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all in essence of the inventionWithin mind and principle, any modification, equivalent replacement, improvement and so on be should all be included in the protection scope of the present invention.