Data communication encryption method for embedded system
Technical Field
The invention belongs to the technical field of communication encryption, and particularly relates to a data communication encryption method for an embedded system.
Background
An embedded system is a "special-purpose computer system designed for a specific application and completely embedded inside the device it controls". Embedded systems are widely used in the Internet of Things, industrial control, fast-moving products and medical equipment.
To prevent an embedded system from being easily copied and cracked, various encryption measures are used, for example encryption performed by a CPU or CPLD chip, or a dedicated encryption chip. These methods have high encryption strength, but the communication between chips in the system is generally not encrypted, or is only subjected to a simple ciphertext transformation, so the following three problems exist and the system is easy to crack.
1. The communication protocol cannot guarantee the uniqueness of each communication and has no time uniqueness, so the traffic is easy to record and then crack by simulating the response communication.
2. The encryption system does not strictly authenticate the client and provides no way to prevent cracking by inserting a communication sharer as shown in Fig. 1, so the spatial uniqueness of the encryption device cannot be guaranteed.
As shown in Fig. 1, encryption systems often achieve spatial uniqueness by restricting a master device to communicating with only one slave device. With the arrangement of Fig. 1, two master devices can communicate with the same slave device through the communication sharer, so a single purchased slave device can serve an unlimited number of master devices, and the restriction on the spatial uniqueness of device communication is circumvented.
3. The encryption algorithm is not complex enough and can be directly cracked.
Disclosure of Invention
The invention makes the encoding and decoding of every communication unique in time and space by introducing random numbers seeded from non-deterministic device events, device unique IDs, connection handles and similar means. The symmetric block cipher AES256 is widely recognized and currently unbreakable, executes quickly and is easy to implement in hardware, but its key must be made known to both parties through a reliable channel before transmission. The invention therefore uses the RSA asymmetric encryption algorithm to transmit the key and an advanced encryption standard such as AES256 to encrypt data; the communication protocol is highly complex to decrypt and effectively prevents the interception-and-playback cracking method.
To achieve this purpose, the technical solution provided by the invention is a data communication encryption method for an embedded system, comprising the following steps:
step 1, establishing communication between the master device and the slave device, including a flow in which the master device sends the establish-connection frame and a flow in which the slave device sends the establish-connection reply frame; the flow for the master device to send the establish-connection frame comprises: generating a random number, calculating the master device time, filling in the frame plaintext according to the establish-connection frame format, encrypting the frame with the RSA algorithm, and completing the sending of the establish-connection frame, wherein the establish-connection frame format comprises the random number, the current time of the master device, the unique ID of the slave device, an RSA2048 symmetric encryption password, an establish-connection command, a command parameter and a frame CRC;
the flow for the slave device to send the establish-connection reply frame comprises: decrypting with the RSA algorithm, obtaining the data frame decryption key from the decrypted frame, generating a connection handle, generating a random number, calculating the slave device time, filling in the frame plaintext according to the establish-connection reply frame format, encrypting the frame with the RSA algorithm, and completing the sending of the establish-connection reply frame, wherein the establish-connection reply frame format comprises the random number, the current time of the slave device, the unique ID of the master device, the unique ID of the slave device, the connection handle and the frame CRC;
step 2, the master device data sending flow comprises: generating a random number, calculating the master device time, filling in the frame plaintext according to the command frame format, encrypting the frame plaintext with the AES256 algorithm, and completing the sending of the command frame, wherein the command frame format comprises the random number, the current time of the master device, the unique ID of the slave device, a command parameter, the connection handle and the frame CRC;
step 3, the slave device data receiving and processing flow comprises:
step 1, waiting for receiving a data frame;
step 2, reading a random number field in the frame;
step 3, decrypting the non-random number field by XOR of the random number field;
step 4, reading the password data area, and decrypting through an RSA algorithm to obtain a communication password;
step 5, decrypting the rest fields through a communication password and an AES algorithm;
step 6, checking whether the protocol CRC check is correct, and returning to the step 1 if the protocol CRC check is incorrect;
step 7, if the frame is a connection frame, executing the step 15;
step 8, checking whether the ID section of the protocol slave equipment is correct, and returning to the step 1 if the ID section of the protocol slave equipment is incorrect;
step 9, checking whether the ID section of the protocol master equipment is correct, and returning to the step 1 if the ID section of the protocol master equipment is incorrect;
step 10, checking whether the command is correct, and returning to the step 1 if the command is incorrect;
step 11, executing the command;
step 12, filling in a command reply frame, wherein the command reply frame format comprises: random number, current time of the slave device, unique ID of the master device, unique ID of the slave device, command execution result, result parameter and frame CRC;
step 13, sending a command reply frame;
step 14, returning to the step 1;
step 15, recording the ID of the master device;
step 16, establishing a connection reply frame to fill in the ID of the slave device;
step 17, establishing a connection reply frame to fill in a connection handle;
step 18, sending a connection establishment reply frame;
step 19, returning to the step 1.
Further, the connection handle is a random number generated by the slave device when establishing the connection.
Further, the RSA2048 symmetric encryption password is a random number generated by the master device.
Further, the frame CRC is the CRC computed over all data from the beginning of the frame up to, but not including, the frame CRC field.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. Through the connection handle, the encoding and decoding of every communication is spatially unique.
2. By introducing random numbers seeded from non-deterministic device events, the encoding and decoding of the communication changes randomly over time, so the communication data is unique in time.
3. By using the RSA asymmetric encryption algorithm to transmit the key, the complexity of decrypting the password carried in the establish-connection frame is increased.
4. By using the AES256 advanced encryption standard to encrypt data, the complexity of decrypting data frames is increased.
Beneficial effects: the method effectively prevents the three main communication cracking methods:
1. The method uses the RSA and AES256 encryption algorithms, which are widely adopted by systems such as banks and are not easily cracked over the long term, which solves the problem of the encryption strength of the encryption system.
2. The method has spatial uniqueness, which prevents one valid encryption terminal from being used to simulate multiple encryption terminals.
3. The method has time uniqueness, which effectively prevents the cracking method of using a fake terminal to simulate responses from recorded frames.
Drawings
Fig. 1 is a structural diagram for decoding a communication password by using a communication sharer.
Fig. 2 is a block diagram of data communication.
Fig. 3 is a flow of sending frames for establishing communication.
Fig. 4 shows a flow of establishing a communication reply frame.
Fig. 5 is a flow chart of the master station data sending process.
Fig. 6 is a flow chart of the slave station data receiving process.
Detailed Description
The technical solution of the present invention is further explained with reference to the drawings and the embodiments.
The embodiment of the invention provides a data communication encryption method for an embedded system that implements communication and data exchange between a master device and a slave device; communication between the master device and the slave device must be established first, after which data is exchanged. The method specifically comprises the following steps:
step 1, establishing communication between the master device and the slave device, including a flow in which the master device sends the establish-connection frame and a flow in which the slave device sends the establish-connection reply frame; the flow for the master device to send the establish-connection frame comprises: generating a random number, calculating the master device time, filling in the frame plaintext according to the establish-connection frame format, encrypting the frame with the RSA algorithm, and completing the sending of the establish-connection frame, wherein the establish-connection frame format comprises the random number, the current time of the master device, the unique ID of the slave device, an RSA2048 symmetric encryption password, an establish-connection command, a command parameter and a frame CRC;
the flow for the slave device to send the establish-connection reply frame comprises: decrypting with the RSA algorithm, obtaining the data frame decryption key from the decrypted frame, generating a connection handle, generating a random number, calculating the slave device time, filling in the frame plaintext according to the establish-connection reply frame format, encrypting the frame with the RSA algorithm, and completing the sending of the establish-connection reply frame, wherein the establish-connection reply frame format comprises: random number, current time of the slave device, unique ID of the master device, unique ID of the slave device, connection handle and frame CRC;
step 2, the master device data sending flow comprises: generating a random number, calculating the master device time, filling in the frame plaintext according to the command frame format, encrypting the frame plaintext with the AES256 algorithm, and completing the sending of the command frame, wherein the command frame format comprises the random number, the current time of the master device, the unique ID of the slave device, a command parameter, the connection handle and the frame CRC;
step 3, the slave device data receiving and processing flow comprises:
step 1, waiting for receiving a data frame;
step 2, reading a random number field in the frame;
step 3, decrypting the non-random number field by XOR of the random number field;
step 4, reading the password data area, and decrypting through an RSA algorithm to obtain a communication password;
step 5, decrypting the rest fields through a communication password and an AES algorithm;
step 6, checking whether the protocol CRC check is correct, and returning to the step 1 if the protocol CRC check is incorrect;
step 7, if the frame is a connection frame, executing the step 15;
step 8, checking whether the ID section of the protocol slave equipment is correct, and returning to the step 1 if the ID section of the protocol slave equipment is incorrect;
step 9, checking whether the ID section of the protocol master equipment is correct, and returning to the step 1 if the ID section of the protocol master equipment is incorrect;
step 10, checking whether the command is correct, and returning to the step 1 if the command is incorrect;
step 11, executing the command;
step 12, filling in a command reply frame, wherein the command reply frame format comprises: random number, current time of the slave device, unique ID of the master device, unique ID of the slave device, command execution result, result parameter and frame CRC;
step 13, sending a command reply frame;
step 14, returning to the step 1;
step 15, recording the ID of the master device;
step 16, establishing a connection reply frame to fill in the ID of the slave device;
step 17, establishing a connection reply frame to fill in a connection handle;
step 18, sending the establish-connection reply frame;
step 19, returning to the step 1.
For a clearer understanding, some basic principles of the invention are explained below.
1. Generation of random numbers: to increase the randomness of the communication system and make cracking harder, random numbers derived from hardware noise are used in many places. Specifically, a system event pool is maintained; information such as the system time, system interrupt counts, internal function call counts and IO call response times is collected continuously and used as new seeds for random number generation.
2. Frame plaintext format: the frame formats fall into four categories, namely establish connection, establish connection reply, command frame and command reply frame; the specific formats are shown in Tables 1 to 4.
Table 1 Establish connection frame format
Table 2 Establish connection reply frame format
Table 3 Command frame format
Table 4 Command reply frame format
The connection handle is a random number generated by the slave device when the connection is established, and the RSA2048 symmetric encryption password is a random number generated by the master device. The master device and the slave device each generate a random number in real time during communication; all subsequent data is encrypted and decrypted with the random password, and the device is verified with the random connection handle. The number of combinations of the two random numbers is astronomical, so cracking by recording traffic is not feasible.
The frame CRC is the CRC computed over all data from the beginning of the frame up to, but not including, the frame CRC field.
The establish-connection frame contains the master device unique ID and the slave device unique ID. The two IDs come from the unique ID in an encryption chip of the device's CPU; if a device has no such unique ID, the IDs can be assigned by manual sequential numbering during production. These IDs ensure the spatial uniqueness of the device.
The device unique ID and the connection handle ensure spatial uniqueness of the communication frame.
The frame format contains the current time, so that the time uniqueness of the frame is ensured.
3. Frame encryption: after the plaintext frame has been built, it must be encrypted before being sent. The encryption method is as follows:
First, every field in the frame except the random number itself is XOR-encrypted with the random number at the beginning of the frame.
Second, if the frame is an establish-connection frame, it is encrypted with the 2048-bit RSA algorithm and the public key. Any other frame is encrypted with the symmetric encryption password carried in the connection frame and the 256-bit AES algorithm.
4. Frame decryption: after a ciphertext frame is received, it is decrypted in the following steps:
First, if the frame is an establish-connection frame, the full frame is decrypted with the 2048-bit RSA algorithm and the private key. Any other frame is decrypted in full with the symmetric encryption password carried in the connection frame and the 256-bit AES algorithm.
Second, every field of the frame except the random number is XOR-decrypted with the random number at the beginning of the frame.
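The frame CRC, the random-number XOR step and the slave's ID and connection-handle checks described above, as an added example in C (not code from the patent). The field widths, the choice of CRC-32, the master ID and command fields in the command frame and the strictly-increasing-time replay rule are assumptions, because Tables 1 to 4 are not reproduced on this page; the RSA and AES-256 layer is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
/* Assumed layout: field order follows the text; the widths, CRC-32 and the
 * master_id/command fields of a command frame are illustrative choices. */
typedef struct {
    uint32_t rnd, time, master_id, slave_id;
    uint16_t command, param;
    uint32_t handle, crc;              /* crc covers every byte before it */
} frame_t;
typedef struct { uint32_t slave_id, master_id, handle, last_time; } slave_t;
enum { FRAME_OK, ERR_CRC, ERR_SLAVE_ID, ERR_MASTER_ID, ERR_HANDLE, ERR_STALE };

static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* XOR every byte after the random-number field with that field's bytes. */
static void xor_mask(frame_t *f) {
    uint8_t *b = (uint8_t *)f, key[sizeof f->rnd];
    memcpy(key, &f->rnd, sizeof key);
    for (size_t i = sizeof key; i < sizeof *f; i++) b[i] ^= key[i % sizeof key];
}

/* Sender: fill in the CRC, then mask (the AES-256 layer is omitted here). */
void frame_seal(frame_t *f) {
    f->crc = crc32_calc((const uint8_t *)f, offsetof(frame_t, crc));
    xor_mask(f);
}

/* Receiver: unmask a copy, then check CRC, IDs, handle and freshness. */
int frame_check(slave_t *s, frame_t f) {
    xor_mask(&f);
    if (f.crc != crc32_calc((const uint8_t *)&f, offsetof(frame_t, crc))) return ERR_CRC;
    if (f.slave_id != s->slave_id) return ERR_SLAVE_ID;
    if (f.master_id != s->master_id) return ERR_MASTER_ID;
    if (f.handle != s->handle) return ERR_HANDLE;
    if (f.time <= s->last_time) return ERR_STALE;   /* assumed replay rule */
    s->last_time = f.time;
    return FRAME_OK;
}

int main(void) {                       /* constructed sample values */
    slave_t s = { 0x51A7E001u, 0x3A57E001u, 0xC0FFEE42u, 0 };
    frame_t f = { 0x9D2C5680u, 1000, 0x3A57E001u, 0x51A7E001u, 7, 1, 0xC0FFEE42u, 0 };
    frame_seal(&f);
    int first = frame_check(&s, f), replay = frame_check(&s, f);
    printf("fresh frame: %d, same frame replayed: %d\n", first, replay);
    return 0;
}
```

The XOR step and the CRC are unkeyed (the random number travels in the frame itself), so in this layering confidentiality and resistance to forged frames rest entirely on the RSA and AES-256 step.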
The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments or alternatives may be employed by those skilled in the art without departing from the spirit or ambit of the invention as defined in the appended claims.