CN111814212B - Bus data protection method, device, storage medium and chip - Google Patents
Bus data protection method, device, storage medium and chip Download PDFInfo
- Publication number
- CN111814212B CN111814212B CN202010928069.6A CN202010928069A CN111814212B CN 111814212 B CN111814212 B CN 111814212B CN 202010928069 A CN202010928069 A CN 202010928069A CN 111814212 B CN111814212 B CN 111814212B
- Authority
- CN
- China
- Prior art keywords
- random number
- module
- bus
- number generator
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
技术领域technical field
本申请实施例涉及芯片安全领域,特别涉及一种总线数据的保护方法、装置、存储介质及芯片。The embodiments of the present application relate to the field of chip security, and in particular, to a method, device, storage medium, and chip for protecting bus data.
背景技术Background technique
芯片作为系统的核心部件,在计算机、消费电子、网络通信、汽车电子等重大领域具有举足轻重的作用。为了提高芯片中敏感数据的安全性,芯片中的敏感数据从产生(一端)到使用/消费(一端)的整个过程都需要进行加密保护,目前比较通用的加密保护技术是总线加密技术。As the core component of the system, the chip plays a pivotal role in major fields such as computers, consumer electronics, network communications, and automotive electronics. In order to improve the security of sensitive data in the chip, the entire process of sensitive data in the chip from generation (one end) to use/consumption (one end) needs to be encrypted and protected. Currently, the more common encryption protection technology is bus encryption technology.
目前的芯片中大多采用总线连接主模块和从模块,从而实现了主从模块的数据互联。在很多芯片中,总线是遍布在芯片内的拓扑结构,可以在物理上存在于芯片的各个部分,目前可以针对总线的薄弱点,采用物理攻击手段监听内部信号的状态,很可能可以找到监听的点,直接窃取敏感数据。现有技术中可以对敏感数据增加随机数,对随机数与敏感数据进行掩码传输。Most of the current chips use a bus to connect the master module and the slave module, thereby realizing the data interconnection of the master and slave modules. In many chips, the bus is a topology that spreads all over the chip, and can physically exist in various parts of the chip. Currently, we can use physical attack methods to monitor the status of internal signals for the weak points of the bus, and it is possible to find the monitor. point, directly stealing sensitive data. In the prior art, random numbers can be added to sensitive data, and mask transmission of random numbers and sensitive data can be performed.
上述总线加密技术需要同时传输敏感数据和随机数,而黑客可以同时监控掩码后敏感数据和掩码随机数,再通过简单的运算解出敏感数据,从而导致敏感数据的泄露。另外,在总线上传输掩码后敏感数据和掩码随机数会增加总线位宽的开销。The above bus encryption technology needs to transmit sensitive data and random numbers at the same time, and hackers can monitor the masked sensitive data and masked random numbers at the same time, and then solve the sensitive data through simple operations, resulting in the leakage of sensitive data. In addition, transferring sensitive data and masking random numbers on the bus increases the bit-width overhead of the bus.
发明内容SUMMARY OF THE INVENTION
本申请实施例提供了一种总线数据的保护方法、装置、存储介质及芯片,用于解决在总线上同时传输掩码后敏感数据和掩码随机数时,安全性不高且增加总线位宽的开销的问题。所述技术方案如下:The embodiments of the present application provide a bus data protection method, device, storage medium and chip, which are used to solve the problem of low security and increased bus bit width when simultaneously transmitting masked sensitive data and masked random numbers on the bus cost issue. The technical solution is as follows:
一方面,提供了一种总线数据的保护方法,所述方法包括:In one aspect, a method for protecting bus data is provided, the method comprising:
在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,所述第一模块将所述敏感数据发送给总线加密模块;When the first module determines that the sensitive data needs to be sent to the second module according to the read operation or the write operation, the first module sends the sensitive data to the bus encryption module;
所述总线加密模块接收所述敏感数据,并获取所述第一模块对应的第一随机数发生器中的第一随机数,根据所述第一随机数对所述敏感数据进行加密,将得到的加密数据发送给总线;The bus encryption module receives the sensitive data, obtains the first random number in the first random number generator corresponding to the first module, encrypts the sensitive data according to the first random number, and obtains The encrypted data is sent to the bus;
所述总线将所述加密数据发送给总线解密模块;The bus sends the encrypted data to the bus decryption module;
所述总线解密模块接收所述加密数据,获取所述第二模块对应的第二随机数发生器中的第二随机数,根据所述第二随机数对所述加密数据进行解密,将得到的所述敏感数据发送给所述第二模块,所述第二随机数与所述第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数;The bus decryption module receives the encrypted data, obtains the second random number in the second random number generator corresponding to the second module, decrypts the encrypted data according to the second random number, and obtains the obtained data. The sensitive data is sent to the second module, and the second random number and the first random number are the same random number obtained after updating the same true random number for the same number of times;
所述第二模块接收所述敏感数据。The second module receives the sensitive data.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
在每完成一笔数据传输后,主模块向随机数一致性总线发送随机数更新请求,所述主模块是所述第一模块和所述第二模块中发起数据传输的模块;After each data transmission is completed, the main module sends a random number update request to the random number consistency bus, and the main module is the module that initiates data transmission in the first module and the second module;
所述随机数一致性总线控制每个第一随机数发生器对各自的第一随机数进行一次更新,并控制每个第二随机数发生器对各自的第二随机数进行一次更新;The random number consistency bus controls each first random number generator to update the respective first random number once, and controls each second random number generator to update the respective second random number once;
其中,每个第一随机数发生器对应于一个第一模块,每个第二随机数发生器对应于一个第二模块,且更新后的第一随机数与更新后的第二随机数相同。Wherein, each first random number generator corresponds to a first module, each second random number generator corresponds to a second module, and the updated first random number is the same as the updated second random number.
在一种可能的实现方式中,In one possible implementation,
所述控制每个第一随机数发生器对各自的第一随机数进行一次更新,包括:对于处于第一状态的每个第一随机数发生器,所述第一随机数发生器对自身的第一随机数进行一次更新;对于处于第二状态的每个第一随机数发生器,所述第一随机数发生器记录自身的第一随机数的待更新次数k,在所述第一随机数发生器对应的第一模块完成数据传输后,对自身的第一随机数进行k次更新,并将自身的状态设置为所述第一状态,所述第二状态是所述第一随机数发生器对应的第一模块正在进行数据传输,且其他第一模块和第二模块完成数据传输时设置的,所述k为正整数;The controlling each first random number generator to update the respective first random number once includes: for each first random number generator in the first state, the first random number generator updates its own random number generator. The first random number is updated once; for each first random number generator in the second state, the first random number generator records the number of times k to be updated of its own first random number, and in the first random number After the first module corresponding to the number generator completes data transmission, it updates its first random number k times, and sets its own state to the first state, and the second state is the first random number The first module corresponding to the generator is performing data transmission, and other first modules and second modules are set when data transmission is completed, and the k is a positive integer;
所述控制每个第二随机数发生器对各自的第二随机数进行一次更新,包括:对于处于第一状态的每个第二随机数发生器,所述第二随机数发生器对自身的第二随机数进行一次更新;对于处于第二状态的每个第二随机数发生器,所述第二随机数发生器记录自身的第二随机数的待更新次数n,在所述第二随机数发生器对应的第二模块完成数据传输后,对自身的第二随机数进行n次更新,并将自身的状态设置为所述第一状态,所述第二状态是所述第二 随机数发生器对应的第二模块正在进行数据传输,且其他第一模块和第二模块完成数据传输时设置的,所述n为正整数。The controlling each second random number generator to update the respective second random number once, including: for each second random number generator in the first state, the second random number generator updates its own The second random number is updated once; for each second random number generator in the second state, the second random number generator records the number of times n to be updated of its own second random number, and in the second random number After the second module corresponding to the number generator completes data transmission, it updates its second random number n times, and sets its own state to the first state, and the second state is the second random number The n is a positive integer set when the second module corresponding to the generator is performing data transmission, and other first modules and second modules complete data transmission.
在一种可能的实现方式中,所述方法还包括:In a possible implementation, the method further includes:
当所述总线处于空闲状态时,真随机源向所有的第一随机数发生器和所有的第二随机数发生器广播真随机数;When the bus is in an idle state, the true random number source broadcasts true random numbers to all first random number generators and all second random number generators;
每个第一随机数发生器根据所述真随机数生成初始的第一随机数;Each first random number generator generates an initial first random number according to the true random number;
每个第二随机数发生器根据所述真随机数生成初始的第二随机数;Each second random number generator generates an initial second random number according to the true random number;
其中,初始的第一随机数和初始的第二随机数相同。Wherein, the initial first random number and the initial second random number are the same.
在一种可能的实现方式中,其特征在于,In a possible implementation, it is characterized in that,
所述根据所述第一随机数对所述敏感数据进行加密,包括:所述总线加密模块获取所述敏感数据对应的加密算法,根据所述第一随机数和所述加密算法对所述敏感数据进行加密;The encrypting the sensitive data according to the first random number includes: acquiring, by the bus encryption module, an encryption algorithm corresponding to the sensitive data, and encrypting the sensitive data according to the first random number and the encryption algorithm. data is encrypted;
所述根据所述第二随机数对所述加密数据进行解密,包括:所述总线解密模块获取所述加密数据对应的解密算法,根据所述第二随机数和所述解密算法对所述加密数据进行解密,所述解密算法与所述加密算法对应。The decrypting the encrypted data according to the second random number includes: obtaining, by the bus decryption module, a decryption algorithm corresponding to the encrypted data, and decrypting the encrypted data according to the second random number and the decryption algorithm. The data is decrypted, and the decryption algorithm corresponds to the encryption algorithm.
在一种可能的实现方式中,In one possible implementation,
所述总线加密模块获取所述敏感数据对应的加密算法,包括:所述总线加密模块获取从模块的地址信息,在第一对应关系中查找与所述地址信息对应的加密算法,所述第一对应关系中存储有不同的地址信息与不同的加密算法之间的映射;The bus encryption module obtains the encryption algorithm corresponding to the sensitive data, including: the bus encryption module obtains the address information of the slave module, and searches for the encryption algorithm corresponding to the address information in the first correspondence, the first The mapping between different address information and different encryption algorithms is stored in the corresponding relationship;
所述总线解密模块获取所述加密数据对应的解密算法,包括:所述总线解密模块获取所述从模块的地址信息,在第二对应关系中查找与所述地址信息对应的解密算法,所述第二对应关系中存储有不同的地址信息与不同的解密算法之间的映射;The bus decryption module obtaining the decryption algorithm corresponding to the encrypted data includes: the bus decryption module obtains the address information of the slave module, and searches for the decryption algorithm corresponding to the address information in the second correspondence relationship, the The second correspondence stores mappings between different address information and different decryption algorithms;
其中,所述从模块是所述第一模块和所述第二模块中用于进行数据存储或数据运算的模块。Wherein, the slave module is a module used for data storage or data operation in the first module and the second module.
在一种可能的实现方式中,In one possible implementation,
所述总线加密模块获取所述敏感数据对应的加密算法,包括:所述总线加密模块获取总线发送的控制信号,在第三对应关系中查找与所述控制信号对应的加密算法,所述第三对应关系中存储有不同的控制信号与不同的加密算法之间的映射;The bus encryption module obtains the encryption algorithm corresponding to the sensitive data, including: the bus encryption module obtains the control signal sent by the bus, and searches for the encryption algorithm corresponding to the control signal in the third correspondence, the third The mapping between different control signals and different encryption algorithms is stored in the corresponding relationship;
所述总线解密模块获取所述加密数据对应的解密算法,包括:所述总线解密模块获取总线发送的所述控制信号,在第四对应关系中查找与所述控制信号对应的解密算法,所述第四对应关系中存储有不同的控制信号与不同的解密算法之间的映射。Obtaining, by the bus decryption module, a decryption algorithm corresponding to the encrypted data includes: the bus decryption module obtains the control signal sent by the bus, and searches for a decryption algorithm corresponding to the control signal in a fourth correspondence relationship, the The fourth correspondence relationship stores mappings between different control signals and different decryption algorithms.
一方面,提供了一种总线数据的保护装置,所述装置包括:In one aspect, a device for protecting bus data is provided, the device comprising:
发送模块,用于在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,通过所述第一模块将所述敏感数据发送给总线加密模块;a sending module, configured to send the sensitive data to the bus encryption module through the first module when the first module determines that the sensitive data needs to be sent to the second module according to the read operation or the write operation;
加密模块,用于通过所述总线加密模块接收所述敏感数据,并获取所述第一模块对应的第一随机数发生器中的第一随机数,根据所述第一随机数对所述敏感数据进行加密,将得到的加密数据发送给总线;an encryption module, configured to receive the sensitive data through the bus encryption module, and obtain a first random number in a first random number generator corresponding to the first module, and perform the sensitive data according to the first random number The data is encrypted, and the obtained encrypted data is sent to the bus;
传输模块,用于通过所述总线将所述加密数据发送给总线解密模块;a transmission module, configured to send the encrypted data to the bus decryption module through the bus;
解密模块,用于通过所述总线解密模块接收所述加密数据,获取所述第二模块对应的第二随机数发生器中的第二随机数,根据所述第二随机数对所述加密数据进行解密,将得到的所述敏感数据发送给所述第二模块,所述第二随机数与所述第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数;A decryption module, configured to receive the encrypted data through the bus decryption module, obtain a second random number in the second random number generator corresponding to the second module, and perform the encryption on the encrypted data according to the second random number Decrypt, and send the obtained sensitive data to the second module, where the second random number and the first random number are the same random number obtained after updating the same true random number for the same number of times;
接收模块,用于通过所述第二模块接收所述敏感数据。A receiving module, configured to receive the sensitive data through the second module.
一方面,提供了一种计算机可读存储介质,所述存储介质中存储有至少一条指令、至少一段程序、代码集或指令集,所述至少一条指令、所述至少一段程序、所述代码集或指令集由处理器加载并执行以实现如上所述的总线数据的保护方法。In one aspect, a computer-readable storage medium is provided, wherein the storage medium stores at least one instruction, at least one piece of program, code set or instruction set, the at least one instruction, the at least one piece of program, the code set Or the instruction set is loaded and executed by the processor to implement the bus data protection method as described above.
一方面,提供了一种芯片,所述芯片包括处理器和存储器,所述存储器中存储有至少一条指令,所述指令由所述处理器加载并执行以实现如上所述的总线数据的保护方法。In one aspect, a chip is provided, the chip includes a processor and a memory, the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the above-mentioned method for protecting bus data .
本申请实施例提供的技术方案的有益效果至少包括:The beneficial effects of the technical solutions provided by the embodiments of the present application include at least:
在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,先通过第一模块将敏感数据发送给总线加密模块,再通过总线加密模块接收敏感数据,并获取第一模块对应的第一随机数发生器中的第一随机数,根据第一随机数对敏感数据进行加密,将得到的加密数据发送给总线,由总线将加密数据发送给总线解密模块,最后通过总线解密模块接收加密数据,获取第二模块对应的第二随机数发生器中的第二随机数,由于第二随机数与第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数,所以,总线解密模块能够根据第二随机数对加密数据进行解密,将得到的敏感数据发送给第二模块,从而完成一笔数据传输。本实施例中只需要在总线中传输加密数据,而无需传输第一随机数,这样,即使黑客能够监控到加密数据,也会因为无法获取到第二随机数而无法对该加密数据进行解密,从而提高了数据传输的安全性。另外,无需在总线上传输第一随机数还会减少总线位宽的开销。When the first module determines that it needs to send sensitive data to the second module according to the read operation or the write operation, it first sends the sensitive data to the bus encryption module through the first module, then receives the sensitive data through the bus encryption module, and obtains the corresponding data of the first module. The first random number in the first random number generator, encrypts the sensitive data according to the first random number, sends the obtained encrypted data to the bus, sends the encrypted data to the bus decryption module by the bus, and finally sends the encrypted data to the bus decryption module through the bus decryption module. Receive the encrypted data, and obtain the second random number in the second random number generator corresponding to the second module, because the second random number and the first random number are the same random number obtained by updating the same true random number for the same number of times. Therefore, the bus decryption module can decrypt the encrypted data according to the second random number, and send the obtained sensitive data to the second module, thereby completing a data transmission. In this embodiment, only the encrypted data needs to be transmitted in the bus, and the first random number does not need to be transmitted. In this way, even if the hacker can monitor the encrypted data, the encrypted data cannot be decrypted because the second random number cannot be obtained. Thus, the security of data transmission is improved. In addition, not needing to transmit the first random number on the bus also reduces the overhead of the bus bit width.
由于第一随机数发生器和第二随机数发生器的结构相同,且第一随机数发生器和第二随机数发生器接收到的随机种子相同,第一随机数发生器和第二随机数发生器同步根据随机种子进行更新,所以,第一随机数发生器每次自运算更新后得到的第一随机数和第二随机数发生器每次自运算更新后得到的第二随机数是相同的,从而可以保证敏感数据能够被正确加解密。另外,在每完成一笔数据传输后,都需要更新所有第一随机数发生器中的第一随机数和所有第二随机数发生器中的第二随机数,并保持所有第一随机数和第二随机数相同。即,不同次数据传输所采用的第一随机数和第二随机数不同,而同一次数据传输所采用的第一随机数和第二随机数相同。Since the structures of the first random number generator and the second random number generator are the same, and the random seeds received by the first random number generator and the second random number generator are the same, the first random number generator and the second random number generator The generator is updated synchronously according to the random seed, so the first random number obtained by the first random number generator after each self-operation update and the second random number obtained by the second random number generator after each self-operation update are the same , so that sensitive data can be correctly encrypted and decrypted. In addition, after each data transmission is completed, the first random numbers in all the first random number generators and the second random numbers in all the second random number generators need to be updated, and all the first random numbers and The second random number is the same. That is, the first random number and the second random number used in different data transmissions are different, while the first random number and the second random number used in the same data transmission are the same.
随机数发生器采用真随机源提供真随机熵源与伪随机发生单元混合随机数发生形式,真随机源随机的不断广播发送真随机数给伪随机数发生器作为随机种子,随机数发生器接收到真随机源种子加入到伪随机数发生单元,生成一笔新的随机数。每次发生一笔数据传输后,随机数发生器进行一次伪随机发生单元更新。由于主模块和从模块对应的随机数发生器的输入和更新都是一致的,随机数的数值能够保证一致性,从而保证了随机数的不可预测性,提高了数据传输的安全性。The random number generator adopts the true random source to provide the true random entropy source and the pseudo-random generating unit in the form of mixed random number generation. The true random source continuously broadcasts and sends the true random number to the pseudo-random number generator as a random seed, and the random number generator receives it. When the true random source seed is added to the pseudo-random number generating unit, a new random number is generated. After each data transmission, the random number generator performs a pseudo-random unit update. Since the input and update of the random number generators corresponding to the master module and the slave module are consistent, the value of the random number can ensure the consistency, thereby ensuring the unpredictability of the random number and improving the security of data transmission.
当同一时刻允许多个第一模块向多个第二模块发送敏感数据时,仍然可以采用上述随机数的更新方式来更新随机数,使得每笔数据加解密采用的随机数都不相同,从而保证了数据传输的安全性;且同一笔数据加解密所采用的第一随机数和第二随机数相同,从而保证了能够被正确加解密。When multiple first modules are allowed to send sensitive data to multiple second modules at the same time, the above random number update method can still be used to update the random number, so that the random numbers used for each data encryption and decryption are different, so as to ensure The security of data transmission is ensured; and the first random number and the second random number used in the encryption and decryption of the same data are the same, thus ensuring that they can be correctly encrypted and decrypted.
附图说明Description of drawings
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the embodiments of the present application more clearly, the following briefly introduces the drawings that are used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present application. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without creative effort.
图1是本申请一个实施例提供的总线数据的保护方法的方法流程图;Fig. 1 is a method flowchart of a method for protecting bus data provided by an embodiment of the present application;
图2是根据部分示例性实施例示出的一种在同一时刻允许一个模块传输数据的芯片的结构示意图;2 is a schematic structural diagram of a chip that allows one module to transmit data at the same time according to some exemplary embodiments;
图3是根据部分示例性实施例示出的一种在同一时刻允许多个模块传输数据的芯片的结构示意图;3 is a schematic structural diagram of a chip that allows multiple modules to transmit data at the same time, according to some exemplary embodiments;
图4是根据部分示例性实施例示出的一种芯片实例的结构示意图;FIG. 4 is a schematic structural diagram of an example of a chip according to some exemplary embodiments;
图5是本申请一个实施例提供的原始数据、随机数状态和总线加密结果的示意图;5 is a schematic diagram of original data, random number state and bus encryption result provided by an embodiment of the present application;
图6是本申请再一实施例提供的总线数据的保护装置的结构框图。FIG. 6 is a structural block diagram of an apparatus for protecting bus data provided by another embodiment of the present application.
具体实施方式Detailed ways
为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the objectives, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail below with reference to the accompanying drawings.
请参考图1,其示出了本申请一个实施例提供的总线数据的保护方法的方法流程图,该总线数据的保护方法可以应用于芯片中。该总线数据的保护方法,可以包括:Please refer to FIG. 1 , which shows a method flowchart of a method for protecting bus data provided by an embodiment of the present application, and the method for protecting bus data can be applied to a chip. The protection method of the bus data may include:
步骤101,在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,第一模块将敏感数据发送给总线加密模块。
本实施例中用于进行数据传输的模块包括主模块和从模块。其中,主模块是用于发起数据传输的模块,例如,主模块可以是CPU(Central Processing Unit,中央处理单元)、DMA(Direct Memory Access,直接存储器访问)等等。从模块是用于进行数据存储或数据运算的模块,或者,从模块可以是外设。例如,用于进行数据存储的从模块可以是ROM(Read-Only Memory,只读存储器)、SRAM(Static Random-Access Memory,静态随机存取存储器)等等;用于进行数据运算的从模块可以是运算Engine,外设可以是Peripheral等等。The modules used for data transmission in this embodiment include a master module and a slave module. The main module is a module for initiating data transmission. For example, the main module may be a CPU (Central Processing Unit, central processing unit), a DMA (Direct Memory Access, direct memory access), and so on. A slave module is a module for data storage or data operation, or a slave module can be a peripheral. For example, the slave module used for data storage may be ROM (Read-Only Memory), SRAM (Static Random-Access Memory, static random access memory), etc.; the slave module used for data operation may be It is the operation Engine, and the peripherals can be Peripheral and so on.
若从模块用于进行数据存储,则一种应用场景是主模块向从模块写入敏感数据,此时第一模块是主模块,第二模块是从模块;另一种应用场景是主模块从从模块中读取敏感数据,此时第一模块是从模块,第二模块是主模块。If the slave module is used for data storage, one application scenario is that the master module writes sensitive data to the slave module. At this time, the first module is the master module, and the second module is the slave module; another application scenario is that the master module is slave Sensitive data is read from the module. At this time, the first module is the slave module and the second module is the master module.
若从模块用于进行数据运算,则主模块需要向从模块写入敏感数据,此时第一模块是主模块,第二模块是从模块;在从模块得到运算结果后,主模块还需要从从模块中读取运算结果,此时第一模块是从模块,第二模块是主模块。If the slave module is used for data operation, the master module needs to write sensitive data to the slave module. At this time, the first module is the master module, and the second module is the slave module; after obtaining the operation result from the slave module, the master module also needs to obtain the operation result from the slave module. The operation result is read from the module. At this time, the first module is the slave module, and the second module is the master module.
若从模块是外设,则一种应用场景是主模块向从模块发送数据,另一种应用场景是从模块向主模块发送数据。通常,主模块和从模块之间传输的数据不是敏感数据,所以,可以在总线上以明文传输数据,而无需传输加密数据。If the slave module is a peripheral device, one application scenario is that the master module sends data to the slave module, and another application scenario is that the slave module sends data to the master module. Usually, the data transmitted between the master module and the slave module is not sensitive data, so the data can be transmitted in clear text on the bus without transmitting encrypted data.
无论第一模块是主模块还是从模块,只要第一模块需要向第二模块发送敏感数据,就会将敏感数据发送给总线加密模块。Regardless of whether the first module is a master module or a slave module, as long as the first module needs to send sensitive data to the second module, the sensitive data will be sent to the bus encryption module.
步骤102,总线加密模块接收敏感数据,并获取第一模块对应的第一随机数发生器中的第一随机数,根据第一随机数对敏感数据进行加密,将得到的加密数据发送给总线。
本实施例中的芯片中可以包括多个第一模块和多个第二模块。当同一时刻只允许一个第一模块向一个第二模块发送敏感数据时,若第一模块为主模块,第二模块为从模块,则第一模块与总线之间设置有一个总线加密模块,第二模块与总线之间设置有一个总线解密模块;若第一模块为从模块,第二模块为主模块,则第一模块与总线之间设置有一个总线解密模块,第二模块与总线之间设置有一个总线加密模块。为了便于说明,本实施例中将第一模块与总线之间的一个总线加密模块和一个总线解密模块统称为一个总线加解密模块,将第二模块与总线之间的一个总线加密模块和一个总线解密模块统称为一个总线加解密模块,且每个总线加解密模块中都设置有一个随机数发生器,每个随机数发生器与一个真随机源连接,该真随机源中包括随机熵源,用于向随机数发生器广播真随机数作为随机种子。The chip in this embodiment may include multiple first modules and multiple second modules. When only one first module is allowed to send sensitive data to one second module at the same time, if the first module is the master module and the second module is the slave module, a bus encryption module is set between the first module and the bus, and the second module is a slave module. A bus decryption module is set between the second module and the bus; if the first module is a slave module and the second module is a master module, a bus decryption module is set between the first module and the bus, and a bus decryption module is set between the second module and the bus. A bus encryption module is provided. For convenience of description, in this embodiment, a bus encryption module and a bus decryption module between the first module and the bus are collectively referred to as a bus encryption and decryption module, and a bus encryption module and a bus between the second module and the bus are referred to as The decryption module is collectively referred to as a bus encryption and decryption module, and each bus encryption and decryption module is provided with a random number generator, each random number generator is connected to a true random source, and the true random source includes a random entropy source, Used to broadcast a true random number to the random number generator as a random seed.
请参考图2,图2中以芯片中包括两个主模块和四个从模块为例进行说明,两个主模块通过一个总线加解密模块与总线相连,三个从模块也通过一个总线加解密模块与总线相连,这样,这三个从模块与两个主模块可以在总线上传输加密数据。剩余一个从模块直接与总线连接,该从模块与两个主模块可以在总线上传输明文数据。需要说明的是,从模块中还可以设置加解密模块,本实施例不作限定。Please refer to FIG. 2. In FIG. 2, the chip includes two main modules and four slave modules as an example. The two main modules are connected to the bus through a bus encryption and decryption module, and the three slave modules are also encrypted and decrypted through a bus. The modules are connected to the bus so that the three slave modules and the two master modules can transmit encrypted data on the bus. The remaining one slave module is directly connected to the bus, and the slave module and the two master modules can transmit plaintext data on the bus. It should be noted that, an encryption/decryption module may also be set in the slave module, which is not limited in this embodiment.
当同一时刻允许多个第一模块向多个第二模块发送敏感数据时,即当一个第一模块向一个第二模块发送敏感数据时,另一个第一模块可以向另一个第二模块发送敏感数据,此时可以对每个第一模块分配一个总线加解密模块和一个随机数发生器,对每个第二模块分配一个总线加解密模块和一个随机数发生器,这样,每个第一模块通过对应的一个总线加解密模块与总线连接,通过对应的一个随机数发生器与随机数一致性总线连接;每个第二模块通过对应的一个总线加解密模块与总线连接,通过对应的一个随机数发生器与随机数一致性总线连接,随机数一致性总线与真随机源连接,该真随机源中包括随机熵源,用于通过随机数一致性总线向随机数发生器广播真随机数作为随机种子。When multiple first modules are allowed to send sensitive data to multiple second modules at the same time, that is, when one first module sends sensitive data to one second module, another first module can send sensitive data to another second module At this time, a bus encryption and decryption module and a random number generator can be allocated to each first module, and a bus encryption and decryption module and a random number generator can be allocated to each second module. In this way, each first module It is connected to the bus through a corresponding bus encryption and decryption module, and is connected to the random number consistency bus through a corresponding random number generator; each second module is connected to the bus through a corresponding bus encryption and decryption module, and through a corresponding one The random number generator is connected to the random number consistency bus, and the random number consistency bus is connected to a true random source, which includes a random entropy source for broadcasting to the random number generator through the random number consistency bus True random numbers as random seeds.
请参考图3,图3中以芯片中包括两个主模块和四个从模块为例进行说明,每个主模块对应于一个总线加解密模块和一个随机数发生器,且每个主模块通过对应的一个总线加解密模块与总线相连,通过对应的一个随机数发生器与随机数一致性总线相连。三个从模块中的每个从模块均对应一个总线加解密模块和一个随机数发生器,且每个从模块通过对应的一个总线加解密模块与总线相连,通过对应的一个随机数发生器与随机数一致性总线相连。这样,这三个从模块与两个主模块可以在总线上传输加密数据。剩余一个从模块直接与总线连接,该从模块与两个主模块可以在总线上传输明文数据。需要说明的是,从模块中还可以设置加解密模块,本实施例不作限定。Please refer to FIG. 3. In FIG. 3, the chip includes two main modules and four slave modules as an example. Each main module corresponds to a bus encryption and decryption module and a random number generator, and each main module passes through A corresponding bus encryption and decryption module is connected to the bus, and is connected to the random number consistency bus through a corresponding random number generator. Each of the three slave modules corresponds to a bus encryption and decryption module and a random number generator, and each slave module is connected to the bus through a corresponding bus encryption and decryption module, and is connected to the bus through a corresponding random number generator. The random number consistency bus is connected. In this way, the three slave modules and the two master modules can transmit encrypted data on the bus. The remaining one slave module is directly connected to the bus, and the slave module and the two master modules can transmit plaintext data on the bus. It should be noted that, an encryption/decryption module may also be set in the slave module, which is not limited in this embodiment.
请参考图4,图4中的一个主模块为CPU,一个主模块为DMA,一个从模块为ROM、一个从模块为SRAM,一个从模块为运算Engine,一个从模块为外设(Peripheral),总线为AHB32bit总线。Please refer to Figure 4. In Figure 4, a main module is a CPU, a main module is a DMA, a slave module is a ROM, a slave module is a SRAM, a slave module is an operation engine, and a slave module is a peripheral (Peripheral). The bus is AHB32bit bus.
本实施例中,总线加密模块在接收到敏感数据后,可以从第一随机数发生器中读取第一随机数,再根据第一随机数对该敏感数据进行加密,得到加密数据,最后将该加密数据发送给总线。这里所说的总线加密模块为第一模块对应的总线加解密模块中涉及加密功能的模块。其中,第一随机数可以是第一随机数发生器将接收到的真随机数作为随机种子进行更新得到的随机数。In this embodiment, after receiving the sensitive data, the bus encryption module can read the first random number from the first random number generator, and then encrypt the sensitive data according to the first random number to obtain encrypted data, and finally This encrypted data is sent to the bus. The bus encryption module mentioned here is the module involved in the encryption function in the bus encryption and decryption module corresponding to the first module. The first random number may be a random number obtained by the first random number generator updating the received true random number as a random seed.
其中,可以根据安全需求采取高安全加密,标准安全加密和不加密方式传输数据,即可以采用不同的加密算法对敏感数据进行加密,此时,根据第一随机数对敏感数据进行加密,包括:总线加密模块获取敏感数据对应的加密算法,根据第一随机数和加密算法对敏感数据进行加密。Among them, high-security encryption, standard security encryption and non-encryption methods can be used to transmit data according to security requirements, that is, different encryption algorithms can be used to encrypt sensitive data. At this time, the sensitive data is encrypted according to the first random number, including: The bus encryption module obtains an encryption algorithm corresponding to the sensitive data, and encrypts the sensitive data according to the first random number and the encryption algorithm.
在第一种加密方式中,总线加密模块获取敏感数据对应的加密算法,包括:总线加密模块获取从模块的地址信息,在第一对应关系中查找与地址信息对应的加密算法,第一对应关系中存储有不同的地址信息与不同的加密算法之间的映射。In the first encryption method, the bus encryption module obtains the encryption algorithm corresponding to the sensitive data, including: the bus encryption module obtains the address information of the slave module, searches for the encryption algorithm corresponding to the address information in the first correspondence, the first correspondence There are mappings between different address information and different encryption algorithms stored in .
在第二种加密方式中,总线加密模块获取敏感数据对应的加密算法,包括:总线加密模块获取总线发送的控制信号,在第三对应关系中查找与控制信号对应的加密算法,第三对应关系中存储有不同的控制信号与不同的加密算法之间的映射。In the second encryption method, the bus encryption module obtains the encryption algorithm corresponding to the sensitive data, including: the bus encryption module obtains the control signal sent by the bus, searches for the encryption algorithm corresponding to the control signal in the third correspondence, and the third correspondence The mappings between different control signals and different encryption algorithms are stored in .
比如,AHB总线采用HUSER信号作为控制信号,AXI总线采用AxUSER信号作为控制信号。For example, the AHB bus uses the HUSER signal as the control signal, and the AXI bus uses the AxUSER signal as the control signal.
可选的,主模块还可以将从模块的地址信息、主模块的ID等其他数据发送给总线加密模块,总线加密模块可以只对敏感数据加密,而不对其他数据加密,将加密数据和其他数据发送给总线。Optionally, the main module can also send other data such as the address information of the module and the ID of the main module to the bus encryption module. The bus encryption module can only encrypt sensitive data, but not other data, and encrypt the encrypted data and other data. sent to the bus.
步骤103,总线将加密数据发送给总线解密模块。
本实施例中,总线除了获取加密数据,还可以获取从模块的地址信息、主模块的ID等其他数据。上述其他数据可以是总线加密模块发送给总线的,也可以是主模块发送给总线的,本实施例不作限定。In this embodiment, in addition to obtaining encrypted data, the bus may also obtain other data such as address information of the slave module, ID of the master module, and the like. The above other data may be sent to the bus by the bus encryption module, or may be sent to the bus by the main module, which is not limited in this embodiment.
总线根据该地址信息确定与该第二模块对应的总线解密模块,将该加密数据发送给该总线解密模块。这里所说的总线解密模块为第二模块对应的总线加解密模块中涉及解密功能的模块。The bus determines a bus decryption module corresponding to the second module according to the address information, and sends the encrypted data to the bus decryption module. The bus decryption module mentioned here is the module involved in the decryption function in the bus encryption and decryption module corresponding to the second module.
步骤104,总线解密模块接收加密数据,获取第二模块对应的第二随机数发生器中的第二随机数,根据第二随机数对加密数据进行解密,将得到的敏感数据发送给第二模块,第二随机数与第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数。
本实施例中,总线解密模块在接收到加密数据后,可以从第二随机数发生器中读取第二随机数,再根据第二随机数对该加密数据进行解密,得到敏感数据,最后将该敏感数据发送给第二模块。其中,第二随机数可以是第二随机数发生器将接收到的真随机数作为随机种子进行更新得到的随机数。其中,第二随机数与第一随机数基于同一真随机数进行更新,且第二随机数与第一随机数的更新次数相同,这样,就可以保证第二随机数与第一随机数相同。In this embodiment, after receiving the encrypted data, the bus decryption module can read the second random number from the second random number generator, and then decrypt the encrypted data according to the second random number to obtain sensitive data, and finally This sensitive data is sent to the second module. The second random number may be a random number obtained by the second random number generator updating the received true random number as a random seed. The second random number and the first random number are updated based on the same true random number, and the number of times of updating the second random number and the first random number is the same, so that the second random number can be guaranteed to be the same as the first random number.
其中,根据第二随机数对加密数据进行解密,可以包括:总线解密模块获取加密数据对应的解密算法,根据第二随机数和解密算法对加密数据进行解密,解密算法与加密算法对应。Wherein, decrypting the encrypted data according to the second random number may include: the bus decryption module obtains a decryption algorithm corresponding to the encrypted data, decrypts the encrypted data according to the second random number and the decryption algorithm, and the decryption algorithm corresponds to the encryption algorithm.
对应于第一种加密方式,总线解密模块获取加密数据对应的解密算法,可以包括:总线解密模块获取从模块的地址信息,在第二对应关系中查找与地址信息对应的解密算法,第二对应关系中存储有不同的地址信息与不同的解密算法之间的映射。Corresponding to the first encryption method, the bus decryption module obtains the decryption algorithm corresponding to the encrypted data, which may include: the bus decryption module obtains the address information of the slave module, and searches for the decryption algorithm corresponding to the address information in the second correspondence relationship. A mapping between different address information and different decryption algorithms is stored in the relationship.
对应于第二种解密方式,总线解密模块获取加密数据对应的解密算法,可以包括:总线解密模块获取总线发送的控制信号,在第四对应关系中查找与控制信号对应的解密算法,第四对应关系中存储有不同的控制信号与不同的解密算法之间的映射。Corresponding to the second decryption method, the bus decryption module obtains the decryption algorithm corresponding to the encrypted data, which may include: the bus decryption module obtains the control signal sent by the bus, searches for the decryption algorithm corresponding to the control signal in the fourth correspondence, and the fourth correspondence The relationship stores mappings between different control signals and different decryption algorithms.
以图3为例,当主模块1或2向从模块1或2发送敏感数据时,敏感数据通过总线加解密模块中的算法A进行加密,加密数据在总线(Bus Matrix)传输,采用总线加解密模块中的算法 A对加密数据进行解密。当主模块1或2向从模块3发送敏感数据时,敏感数据通过总线加解密模块中的算法B进行加密,加密数据在总线传输,采用总线加解密模块中的算法 B对加密数据进行解密。当主模块1或2向从模块4发送数据时,不对数据进行加解密操作。Taking Figure 3 as an example, when the master module 1 or 2 sends sensitive data to the slave module 1 or 2, the sensitive data is encrypted by the algorithm A in the bus encryption and decryption module, and the encrypted data is transmitted on the bus (Bus Matrix), using bus encryption and decryption. The algorithm A in the module decrypts the encrypted data. When the master module 1 or 2 sends sensitive data to the slave module 3, the sensitive data is encrypted by the algorithm B in the bus encryption and decryption module, the encrypted data is transmitted on the bus, and the encrypted data is decrypted by the algorithm B in the bus encryption and decryption module. When the master module 1 or 2 sends data to the slave module 4, no encryption and decryption operations are performed on the data.
需要说明的是,第一随机数发生器和第二随机数发生器的结构相同,且第一随机数发生器和第二随机数发生器接收到的随机种子相同,第一随机数发生器和第二随机数发生器同步根据随机种子进行更新,所以,第一随机数发生器每次自运算更新后得到的第一随机数和第二随机数发生器每次自运算更新后得到的第二随机数是相同的,从而可以保证敏感数据能够被正确加解密。这样,只需要在总线上传输加密数据,而参与加密的第一随机数和参与解密的第二随机数不在总线上传递,降低了总线的传输开销和逻辑规模,也增加了总线的安全性。It should be noted that the structures of the first random number generator and the second random number generator are the same, and the random seeds received by the first random number generator and the second random number generator are the same. The second random number generator is updated synchronously according to the random seed. Therefore, the first random number obtained by the first random number generator after each self-operation update and the second random number generator obtained after each self-operation update by the second random number generator The random numbers are the same, which ensures that sensitive data can be encrypted and decrypted correctly. In this way, only the encrypted data needs to be transmitted on the bus, and the first random number involved in encryption and the second random number involved in decryption are not transmitted on the bus, which reduces the transmission overhead and logic scale of the bus, and also increases the security of the bus.
步骤105,第二模块接收敏感数据。
本实施例中,在每完成一笔数据传输后,都需要更新所有第一随机数发生器中的第一随机数和所有第二随机数发生器中的第二随机数,并保持所有第一随机数和第二随机数相同。即,不同次数据传输所采用的第一随机数和第二随机数不同,而同一次数据传输所采用的第一随机数和第二随机数相同。In this embodiment, after each data transmission is completed, the first random numbers in all the first random number generators and the second random numbers in all the second random number generators need to be updated, and all the first random number generators need to be updated. The random number and the second random number are the same. That is, the first random number and the second random number used in different data transmissions are different, while the first random number and the second random number used in the same data transmission are the same.
若同一时刻只允许一个第一模块向一个第二模块发送敏感数据,则在每完成一笔数据传输后,需要控制第一随机数发生器和第二随机数发生器进行随机数更新。若同一时刻允许多个第一模块向多个第二模块发送敏感数据,则可以通过随机数一致性总线来协调随机数更新,具体可以通过步骤106-107来进行随机数更新。If only one first module is allowed to send sensitive data to one second module at the same time, after each data transmission is completed, the first random number generator and the second random number generator need to be controlled to update random numbers. If multiple first modules are allowed to send sensitive data to multiple second modules at the same time, the random number update can be coordinated through the random number consistency bus, and specifically, the random number update can be performed through steps 106-107.
步骤106,在每完成一笔数据传输后,主模块向随机数一致性总线发送随机数更新请求,主模块是第一模块和第二模块中发起数据传输的模块。
当读操作或写操作为单笔传输操作时,一次数据传输只需要传输一笔数据。当读操作或写操作为突发(Burst)传输操作时,一次数据传输需要传输多笔数据。其中,突发传输操作广泛应用于芯片的总线数据传输中。When the read operation or the write operation is a single transfer operation, only one data transfer needs to be performed for one data transfer. When a read operation or a write operation is a burst transfer operation, one data transfer needs to transfer multiple data. Among them, the burst transfer operation is widely used in the bus data transfer of the chip.
步骤107,随机数一致性总线控制每个第一随机数发生器对各自的第一随机数进行一次更新,并控制每个第二随机数发生器对各自的第二随机数进行一次更新。
其中,每个第一随机数发生器对应于一个第一模块,每个第二随机数发生器对应于一个第二模块,且更新后的第一随机数与更新后的第二随机数相同。Wherein, each first random number generator corresponds to a first module, each second random number generator corresponds to a second module, and the updated first random number is the same as the updated second random number.
具体的,控制每个第一随机数发生器对各自的第一随机数进行一次更新,包括:对于处于第一状态的每个第一随机数发生器,第一随机数发生器对自身的第一随机数进行一次更新;对于处于第二状态的每个第一随机数发生器,第一随机数发生器记录自身的第一随机数的待更新次数k,在第一随机数发生器对应的第一模块完成数据传输后,对自身的第一随机数进行k次更新,并将自身的状态设置为第一状态,第二状态是第一随机数发生器对应的第一模块正在进行数据传输,且其他第一模块和第二模块完成数据传输时设置的,k为正整数。控制每个第二随机数发生器对各自的第二随机数进行一次更新,可以包括:对于处于第一状态的每个第二随机数发生器,第二随机数发生器对自身的第二随机数进行一次更新;对于处于第二状态的每个第二随机数发生器,第二随机数发生器记录自身的第二随机数的待更新次数n,在第二随机数发生器对应的第二模块完成数据传输后,对自身的第二随机数进行n次更新,并将自身的状态设置为第一状态,第二状态是第二随机数发生器对应的第二模块正在进行数据传输,且其他第一模块和第二模块完成数据传输时设置的,n为正整数。Specifically, controlling each first random number generator to update the respective first random number once, including: for each first random number generator in the first state, the first random number generator updates its own first random number generator. A random number is updated once; for each first random number generator in the second state, the first random number generator records the number of times k to be updated of its own first random number, and the first random number generator corresponds to After the first module completes data transmission, it updates its first random number k times, and sets its own state to the first state, and the second state is that the first module corresponding to the first random number generator is performing data transmission. , and is set when other first modules and second modules complete data transmission, and k is a positive integer. Controlling each second random number generator to update the respective second random numbers once may include: for each second random number generator in the first state, the second random number generator updates its own second random number generator. The number is updated once; for each second random number generator in the second state, the second random number generator records the number of times n to be updated of its own second random number, and in the second random number generator corresponding to the second random number generator After the module completes data transmission, it updates its own second random number n times, and sets its own state to the first state. The second state is that the second module corresponding to the second random number generator is performing data transmission, and It is set when the other first modules and second modules complete data transmission, and n is a positive integer.
当一个第一模块对一个第二模块的数据传输正在进行时,另一个第一模块对另一个第二模块的数据传输结束了,那么正在进行数据传输的第一模块对应的第一随机数发生器和第二模块对应的第二随机数发生器的状态都需要设置为脏(Dirty)(即第二状态),并需要记录需要更新多少次(即待更新次数n)才能追上其他随机数发生器中的随机数的更新,使得所有的随机数发生器中的随机数保持一致。当标记为脏的第一随机数发生器和第二随机数发生器对应的数据传输结束后,需要进行随机数更新,更新完成后将第一随机数发生器和第二随机数发生器的状态变为干净(Clean)(即第一状态)。When the data transmission from a first module to a second module is in progress, and the data transmission from another first module to another second module ends, the first random number corresponding to the first module in the data transmission is generated. Both the state of the second random number generator corresponding to the second module and the second module need to be set to dirty (Dirty) (ie the second state), and need to record how many times it needs to be updated (ie the number of times to be updated n) to catch up with other random numbers The update of the random numbers in the generator makes the random numbers in all the random number generators consistent. When the data transmission corresponding to the first random number generator and the second random number generator marked as dirty is completed, the random number update needs to be performed. After the update is completed, the status of the first random number generator and the second random number generator becomes Clean (ie, the first state).
需要说明的是,当一个第一模块对应的第一随机数发生器的状态为脏时,该第一模块无法进行加密数据传输,直到第一随机数发生器的状态变为干净;当一个第二模块对应的第二随机数发生器的状态为脏时,该第二模块无法进行加密数据传输,直到第二随机数发生器状态变为干净。另外,当一个第一模块与一个第二模块正在进行数据传输时,另一个第一模块想要与该第二模块进行数据传输,则必须等到当前的数据传输结束且随机数更新完成后才能开始下一次的数据传输。It should be noted that when the state of the first random number generator corresponding to a first module is dirty, the first module cannot perform encrypted data transmission until the state of the first random number generator becomes clean; When the state of the second random number generator corresponding to the second module is dirty, the second module cannot perform encrypted data transmission until the state of the second random number generator becomes clean. In addition, when a first module and a second module are in the process of data transmission, another first module wants to perform data transmission with the second module, it must wait until the current data transmission ends and the random number update is completed before it can start. the next data transfer.
本实施例中,随机数一致性总线还可以获取各个主模块的传输状态,若存在至少一个主模块正在进行数据传输,则继续获取各个主模块的传输状态;若所有主模块都未进行数据传输,即总线处于空闲状态,则可以触发真随机数的更新。即,当总线处于空闲状态时,真随机源向所有的第一随机数发生器和所有的第二随机数发生器广播真随机数;每个第一随机数发生器根据真随机数生成初始的第一随机数;每个第二随机数发生器根据真随机数生成初始的第二随机数;其中,初始的第一随机数和初始的第二随机数相同。In this embodiment, the random number consistency bus can also acquire the transmission status of each main module. If there is at least one main module in the process of data transmission, the transmission status of each main module will continue to be acquired; if all main modules are not performing data transmission Transmission, that is, the bus is in an idle state, can trigger the update of the true random number. That is, when the bus is in an idle state, the true random number source broadcasts true random numbers to all first random number generators and all second random number generators; each first random number generator generates an initial random number according to the true random number. a first random number; each second random number generator generates an initial second random number according to the true random number; wherein, the initial first random number and the initial second random number are the same.
本实施例中的随机数发生器采用真随机源提供真随机熵源与伪随机发生单元混合随机数发生形式,真随机源随机的不断广播发送真随机数给伪随机数发生器作为随机种子,随机数发生器接收到真随机源种子加入到伪随机数发生单元,生成一笔新的随机数。每次发生一笔数据传输后,随机数发生器进行一次伪随机发生单元更新。由于主模块和从模块对应的随机数发生器的输入和更新都是一致的,随机数的数值能够保证一致性。其中伪随机数单元可以采用现性反馈移位寄存器(Linear Feedback Shift Register,LFSR)的结构。The random number generator in this embodiment adopts a true random source to provide a mixed random number generation form of a true random entropy source and a pseudo-random generating unit, and the true random source continuously broadcasts and sends the true random number to the pseudo-random number generator as a random seed, The random number generator receives the true random source seed and adds it to the pseudo-random number generating unit to generate a new random number. After each data transmission, the random number generator performs a pseudo-random unit update. Since the input and update of the random number generators corresponding to the master module and the slave module are consistent, the value of the random number can ensure consistency. The pseudo-random number unit may adopt the structure of a linear feedback shift register (Linear Feedback Shift Register, LFSR).
综上所述,本申请实施例提供的总线数据的保护方法,在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,先通过第一模块将敏感数据发送给总线加密模块,再通过总线加密模块接收敏感数据,并获取第一模块对应的第一随机数发生器中的第一随机数,根据第一随机数对敏感数据进行加密,将得到的加密数据发送给总线,由总线将加密数据发送给总线解密模块,最后通过总线解密模块接收加密数据,获取第二模块对应的第二随机数发生器中的第二随机数,由于第二随机数与第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数,所以,总线解密模块能够根据第二随机数对加密数据进行解密,将得到的敏感数据发送给第二模块,从而完成数据传输。本实施例中只需要在总线中传输加密数据,而无需传输第一随机数,这样,即使黑客能够监控到加密数据,也会因为无法获取到第二随机数而无法对该加密数据进行解密,从而提高了数据传输的安全性。另外,无需在总线上传输第一随机数还会减少总线位宽的开销。To sum up, in the method for protecting bus data provided by the embodiments of the present application, when the first module determines that it needs to send sensitive data to the second module according to the read operation or the write operation, the first module sends the sensitive data to the bus encryption first. module, and then receive the sensitive data through the bus encryption module, and obtain the first random number in the first random number generator corresponding to the first module, encrypt the sensitive data according to the first random number, and send the obtained encrypted data to the bus , the encrypted data is sent to the bus decryption module by the bus, and finally the encrypted data is received through the bus decryption module, and the second random number in the second random number generator corresponding to the second module is obtained. It is the same random number obtained by updating the same true random number for the same number of times. Therefore, the bus decryption module can decrypt the encrypted data according to the second random number, and send the obtained sensitive data to the second module to complete the data. transmission. In this embodiment, only the encrypted data needs to be transmitted in the bus, and the first random number does not need to be transmitted. In this way, even if the hacker can monitor the encrypted data, the encrypted data cannot be decrypted because the second random number cannot be obtained. Thus, the security of data transmission is improved. In addition, not needing to transmit the first random number on the bus also reduces the overhead of the bus bit width.
由于第一随机数发生器和第二随机数发生器的结构相同,且第一随机数发生器和第二随机数发生器接收到的随机种子相同,第一随机数发生器和第二随机数发生器同步根据随机种子进行更新,所以,第一随机数发生器每次自运算更新后得到的第一随机数和第二随机数发生器每次自运算更新后得到的第二随机数是相同的,从而可以保证敏感数据能够被正确加解密。另外,在每完成一笔数据传输后,都需要更新所有第一随机数发生器中的第一随机数和所有第二随机数发生器中的第二随机数,并保持所有第一随机数和第二随机数相同。即,不同次数据传输所采用的第一随机数和第二随机数不同,而同一次数据传输所采用的第一随机数和第二随机数相同。Since the structures of the first random number generator and the second random number generator are the same, and the random seeds received by the first random number generator and the second random number generator are the same, the first random number generator and the second random number generator The generator is updated synchronously according to the random seed, so the first random number obtained by the first random number generator after each self-operation update and the second random number obtained by the second random number generator after each self-operation update are the same , so that sensitive data can be correctly encrypted and decrypted. In addition, after each data transmission is completed, the first random numbers in all the first random number generators and the second random numbers in all the second random number generators need to be updated, and all the first random numbers and The second random number is the same. That is, the first random number and the second random number used in different data transmissions are different, while the first random number and the second random number used in the same data transmission are the same.
随机数发生器采用真随机源提供真随机熵源与伪随机发生单元混合随机数发生形式,真随机源随机的不断广播发送真随机数给伪随机数发生器作为随机种子,随机数发生器接收到真随机源种子加入到伪随机数发生单元,生成一笔新的随机数。每次发生一笔数据传输后,随机数发生器进行一次伪随机发生单元更新。由于主模块和从模块对应的随机数发生器的输入和更新都是一致的,随机数的数值能够保证一致性,从而保证了随机数的不可预测性,提高了数据传输的安全性。The random number generator adopts the true random source to provide the true random entropy source and the pseudo-random generating unit in the form of mixed random number generation. The true random source continuously broadcasts and sends the true random number to the pseudo-random number generator as a random seed, and the random number generator receives it. When the true random source seed is added to the pseudo-random number generating unit, a new random number is generated. After each data transmission, the random number generator performs a pseudo-random unit update. Since the input and update of the random number generators corresponding to the master module and the slave module are consistent, the value of the random number can ensure the consistency, thereby ensuring the unpredictability of the random number and improving the security of data transmission.
由于既可以在同一时刻只允许一个第一模块向一个第二模块发送敏感数据,也可以在同一时刻允许多个第一模块向多个第二模块发送敏感数据,从而扩展了敏感数据的传输方式,也扩展了芯片的结构。Since only one first module can be allowed to send sensitive data to one second module at the same time, or multiple first modules can be allowed to send sensitive data to multiple second modules at the same time, the transmission mode of sensitive data can be expanded. , also expands the structure of the chip.
当同一时刻允许多个第一模块向多个第二模块发送敏感数据时,仍然可以采用上述随机数的更新方式来更新随机数,使得每笔数据加解密采用的随机数都不相同,从而保证了数据传输的安全性;且同一笔数据加解密所采用的第一随机数和第二随机数相同,从而保证了能够被正确加解密。When multiple first modules are allowed to send sensitive data to multiple second modules at the same time, the above random number update method can still be used to update the random number, so that the random numbers used for each data encryption and decryption are different, so as to ensure The security of data transmission is ensured; and the first random number and the second random number used in the encryption and decryption of the same data are the same, thus ensuring that they can be correctly encrypted and decrypted.
下面以一个实例对数据传输流程进行说明。The following describes the data transmission process with an example.
假设主模块分别为CPU和DMA,从模块分别为ROM、SRAM、运算Engine和外设,ROM和SRAM中包含加解密模块,Engine模块不包含加解密模块,外设不做数据加解密运算,总线加解密模块中的加解密算法的选择根据从模块的地址信息划分而定。Assume that the main modules are CPU and DMA, and the slave modules are ROM, SRAM, computing engine, and peripherals, respectively. ROM and SRAM contain encryption and decryption modules. Engine module does not include encryption and decryption modules. The peripherals do not perform data encryption and decryption operations. The selection of the encryption and decryption algorithms in the encryption and decryption module is determined according to the division of the address information of the slave modules.
主从模块的随机数发生器采用LFSR结构,一个长度为m的LFSR结构具有的最大内部状态为2m,由于“0”状态是全封闭的,因此它的周期最大为2m−1。当抽头序列加1构成的多项式是本原多项式时,LFSR结构具有最大的周期为 2m−1。本例子生成多项式为:x31+ x3+x2+ x + 1,则反馈函数采用抽头30,3,2,1,0的bit进行异或后输出。The random number generator of the master-slave module adopts the LFSR structure. An LFSR structure with a length of m has a maximum internal state of 2m. Since the "0" state is fully closed, its period is at most 2m−1. When the polynomial formed by adding 1 to the tap sequence is a primitive polynomial, the LFSR structure has a maximum period of 2m−1. The generator polynomial in this example is: x 31 + x 3 +x 2 + x + 1, then the feedback function uses the bits of taps 30, 3, 2, 1, and 0 for XOR output.
本实例中的加密算法采用敏感数据与随机数和地址分别进行异或后进行,基于异或的特性,解密运算与加密算法相同。The encryption algorithm in this example uses sensitive data, random numbers and addresses to be XORed respectively. Based on the XOR feature, the decryption operation is the same as the encryption algorithm.
在芯片初始化的过程中,真随机源发送真随机数给各个主从模块对应的随机数发生器,使各个随机数发生器中的随机数保持一致的状态,这里假设初始的随机数为0xbae7eb8b。In the process of chip initialization, the true random source sends true random numbers to the random number generators corresponding to each master-slave module to keep the random numbers in each random number generator in a consistent state. Here, it is assumed that the initial random number is 0xbae7eb8b.
1、假设CPU先启动一次与ROM的数据传输,该数据传输需要进行加密,传输完成后随机数发生器进行更新,随机数更新为0x75cfd717;1. Suppose the CPU starts a data transfer with the ROM first. The data transfer needs to be encrypted. After the transfer is completed, the random number generator is updated, and the random number is updated to 0x75cfd717;
2、若CPU启动下一次与ROM的数据传输,同时,DMA启动了一次对SRAM的突发(Burst)数据传输(读操作)。在CPU对ROM的数据传输完成时,DMA对SRAM的数据传输还在进行中。2. If the CPU starts the next data transfer with the ROM, at the same time, the DMA starts a burst (Burst) data transfer (read operation) to the SRAM. When the data transfer from the CPU to the ROM is completed, the data transfer from the DMA to the SRAM is still in progress.
3、CPU启动一次对运算Engine的数据传输,这时DMA对SRAM的数据传输还在继续,由于数据传输没有延迟,所以,可以通过随机数一致性总线将随机数更新请求发送到所有随机数发生器中。3. The CPU starts a data transfer to the computing engine. At this time, the DMA data transfer to the SRAM continues. Since the data transfer is not delayed, the random number update request can be sent to all random numbers through the random number consistency bus. in the generator.
4、在总线处于空闲状态时,可以广播随机数种子,以使所有的随机数发生器生成新的初始的随机数0x73f5c5c9;4. When the bus is in an idle state, the random number seed can be broadcast, so that all random number generators can generate a new initial random number 0x73f5c5c9;
5、DMA对SRAM继续进行突发(Burst)数据传输(写操作);5. DMA continues to perform burst (Burst) data transfer (write operation) to SRAM;
6、CPU启动一次对运算Engine的数据传输,由于运算Engine的计算一直没有结束,且DMA对SRAM的数据传输每发生一次,DMA都会给随机数一致性总线发送随机数更新请求,同时自身的随机数发生器中的随机数也会随着更新。在数据传输的过程中CPU和运算Engine接收到了来自随机数一致性总线的随机数更新请求,需要把CPU和运算Engine对应的随机数发生器的状态置为脏,判断DMA对SRAM的数据传输期间发生了4次随机数更新,在CPU完成与运算Engine的数据传输后,需要通过各自对应的随机数发生器对随机数更新4次,随后可以将CPU和运算Engine对应的随机数发生器的状态置为干净。6. The CPU starts a data transfer to the computing engine. Since the computing of the computing engine has never ended, and every time the DMA data transfer to the SRAM occurs, the DMA will send a random number update request to the random number consistency bus, and at the same time its own The random numbers in the random number generator are also updated accordingly. During the data transmission process, the CPU and the computing engine receive a random number update request from the random number consistency bus. It is necessary to set the state of the random number generator corresponding to the CPU and the computing engine to dirty, and determine the data transfer between the DMA and the SRAM. During this period, 4 random number updates occurred. After the CPU completes the data transmission with the computing engine, the random number needs to be updated 4 times through the corresponding random number generators, and then the random number generator corresponding to the CPU and computing engine can be updated. The status is set to clean.
7、CPU启动一次对外设的数据传输,由于外设处于不需要加密的安全区间,所以数据不做加密,随机数不做更新。7. The CPU starts a data transmission to the peripheral. Since the peripheral is in a safe area that does not require encryption, the data is not encrypted and the random number is not updated.
请参考图5所示的每次数据传输的原始数据、随机数状态和总线加密结果。Please refer to the original data, random number status and bus encryption result of each data transmission shown in Figure 5.
请参考图6,其示出了本申请一个实施例提供的总线数据的保护装置的结构框图,该总线数据的保护装置可以应用于芯片中。该总线数据的保护装置,可以包括:Please refer to FIG. 6 , which shows a structural block diagram of an apparatus for protecting bus data provided by an embodiment of the present application. The apparatus for protecting bus data can be applied to a chip. The protection device for bus data may include:
发送模块610,用于在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,通过第一模块将敏感数据发送给总线加密模块;The sending
加密模块620,用于通过总线加密模块接收敏感数据,并获取第一模块对应的第一随机数发生器中的第一随机数,根据第一随机数对敏感数据进行加密,将得到的加密数据发送给总线;The
传输模块630,用于通过总线将加密数据发送给总线解密模块;a
解密模块640,用于通过总线解密模块接收加密数据,获取第二模块对应的第二随机数发生器中的第二随机数,根据第二随机数对加密数据进行解密,将得到的敏感数据发送给第二模块,第二随机数与第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数;The
接收模块650,用于通过第二模块接收敏感数据。The receiving
在一个可选的实施例中,该装置还包括更新模块,用于:In an optional embodiment, the apparatus further includes an update module for:
在每完成一笔数据传输后,主模块向随机数一致性总线发送随机数更新请求,主模块是第一模块和第二模块中发起数据传输的模块;After each data transmission is completed, the main module sends a random number update request to the random number consistency bus, and the main module is the module that initiates data transmission in the first module and the second module;
随机数一致性总线控制每个第一随机数发生器对各自的第一随机数进行一次更新,并控制每个第二随机数发生器对各自的第二随机数进行一次更新;The random number consistency bus controls each first random number generator to update the respective first random number once, and controls each second random number generator to update the respective second random number once;
其中,每个第一随机数发生器对应于一个第一模块,每个第二随机数发生器对应于一个第二模块,且更新后的第一随机数与更新后的第二随机数相同。Wherein, each first random number generator corresponds to a first module, each second random number generator corresponds to a second module, and the updated first random number is the same as the updated second random number.
在一个可选的实施例中,该更新模块还用于:In an optional embodiment, the update module is also used for:
对于处于第一状态的每个第一随机数发生器,第一随机数发生器对自身的第一随机数进行一次更新;对于处于第二状态的每个第一随机数发生器,第一随机数发生器记录自身的第一随机数的待更新次数k,在第一随机数发生器对应的第一模块完成数据传输后,对自身的第一随机数进行k次更新,并将自身的状态设置为第一状态,第二状态是第一随机数发生器对应的第一模块正在进行数据传输,且其他第一模块和第二模块完成数据传输时设置的,k为正整数;For each first random number generator in the first state, the first random number generator updates its own first random number once; for each first random number generator in the second state, the first random number generator The number generator records the number of times k of its own first random number to be updated, and after the first module corresponding to the first random number generator completes data transmission, it updates its own first random number k times, and updates its own state. Set to the first state, and the second state is set when the first module corresponding to the first random number generator is performing data transmission, and other first modules and second modules complete data transmission, and k is a positive integer;
对于处于第一状态的每个第二随机数发生器,第二随机数发生器对自身的第二随机数进行一次更新;对于处于第二状态的每个第二随机数发生器,第二随机数发生器记录自身的第二随机数的待更新次数n,在第二随机数发生器对应的第二模块完成数据传输后,对自身的第二随机数进行n次更新,并将自身的状态设置为第一状态,第二状态是第二随机数发生器对应的第二模块正在进行数据传输,且其他第一模块和第二模块完成数据传输时设置的,n为正整数。For each second random number generator in the first state, the second random number generator updates its own second random number once; for each second random number generator in the second state, the second random number generator The number generator records the number of times n to be updated of its own second random number, and after the second module corresponding to the second random number generator completes data transmission, it updates its own second random number n times, and updates its own state. Set to the first state, the second state is set when the second module corresponding to the second random number generator is performing data transmission, and other first modules and second modules complete data transmission, and n is a positive integer.
在一个可选的实施例中,该更新模块还用于:In an optional embodiment, the update module is also used for:
当总线处于空闲状态时,真随机源向所有的第一随机数发生器和所有的第二随机数发生器广播真随机数;When the bus is in an idle state, the true random number source broadcasts true random numbers to all first random number generators and all second random number generators;
每个第一随机数发生器根据真随机数生成初始的第一随机数;Each first random number generator generates an initial first random number according to the true random number;
每个第二随机数发生器根据真随机数生成初始的第二随机数;each second random number generator generates an initial second random number according to the true random number;
其中,初始的第一随机数和初始的第二随机数相同。Wherein, the initial first random number and the initial second random number are the same.
在一个可选的实施例中,加密模块620,还用于通过总线加密模块获取敏感数据对应的加密算法,根据第一随机数和加密算法对敏感数据进行加密;In an optional embodiment, the
解密模块640,还用于通过总线解密模块获取加密数据对应的解密算法,根据第二随机数和解密算法对加密数据进行解密,解密算法与加密算法对应。The
在一个可选的实施例中,加密模块620,还用于通过总线加密模块获取从模块的地址信息,在第一对应关系中查找与地址信息对应的加密算法,第一对应关系中存储有不同的地址信息与不同的加密算法之间的映射;In an optional embodiment, the
解密模块640,还用于通过总线解密模块获取从模块的地址信息,在第二对应关系中查找与地址信息对应的解密算法,第二对应关系中存储有不同的地址信息与不同的解密算法之间的映射;The
其中,从模块是第一模块和第二模块中用于进行数据存储或数据运算的模块。Wherein, the slave module is a module used for data storage or data operation in the first module and the second module.
在一个可选的实施例中,加密模块620,还用于通过总线加密模块获取总线发送的控制信号,在第三对应关系中查找与控制信号对应的加密算法,第三对应关系中存储有不同的控制信号与不同的加密算法之间的映射;In an optional embodiment, the
解密模块640,还用于通过总线解密模块获取总线发送的控制信号,在第四对应关系中查找与控制信号对应的解密算法,第四对应关系中存储有不同的控制信号与不同的解密算法之间的映射。The
综上所述,本申请实施例提供的总线数据的保护装置,在第一模块根据读操作或写操作确定需要向第二模块发送敏感数据时,先通过第一模块将敏感数据发送给总线加密模块,再通过总线加密模块接收敏感数据,并获取第一模块对应的第一随机数发生器中的第一随机数,根据第一随机数对敏感数据进行加密,将得到的加密数据发送给总线,由总线将加密数据发送给总线解密模块,最后通过总线解密模块接收加密数据,获取第二模块对应的第二随机数发生器中的第二随机数,由于第二随机数与第一随机数是对同一真随机数进行相同次数的更新后得到的相同的随机数,所以,总线解密模块能够根据第二随机数对加密数据进行解密,将得到的敏感数据发送给第二模块,从而完成数据传输。本实施例中只需要在总线中传输加密数据,而无需传输第一随机数,这样,即使黑客能够监控到加密数据,也会因为无法获取到第二随机数而无法对该加密数据进行解密,从而提高了数据传输的安全性。另外,无需在总线上传输第一随机数还会减少总线位宽的开销。To sum up, in the bus data protection device provided by the embodiment of the present application, when the first module determines that it needs to send sensitive data to the second module according to the read operation or the write operation, the first module sends the sensitive data to the bus encryption first. module, and then receive the sensitive data through the bus encryption module, and obtain the first random number in the first random number generator corresponding to the first module, encrypt the sensitive data according to the first random number, and send the obtained encrypted data to the bus , the encrypted data is sent to the bus decryption module by the bus, and finally the encrypted data is received through the bus decryption module, and the second random number in the second random number generator corresponding to the second module is obtained. It is the same random number obtained by updating the same true random number for the same number of times. Therefore, the bus decryption module can decrypt the encrypted data according to the second random number, and send the obtained sensitive data to the second module to complete the data. transmission. In this embodiment, only the encrypted data needs to be transmitted in the bus, and the first random number does not need to be transmitted. In this way, even if the hacker can monitor the encrypted data, the encrypted data cannot be decrypted because the second random number cannot be obtained. Thus, the security of data transmission is improved. In addition, not needing to transmit the first random number on the bus also reduces the overhead of the bus bit width.
由于第一随机数发生器和第二随机数发生器的结构相同,且第一随机数发生器和第二随机数发生器接收到的随机种子相同,第一随机数发生器和第二随机数发生器同步根据随机种子进行更新,所以,第一随机数发生器每次自运算更新后得到的第一随机数和第二随机数发生器每次自运算更新后得到的第二随机数是相同的,从而可以保证敏感数据能够被正确加解密。另外,在每完成一笔数据传输后,都需要更新所有第一随机数发生器中的第一随机数和所有第二随机数发生器中的第二随机数,并保持所有第一随机数和第二随机数相同。即,不同次数据传输所采用的第一随机数和第二随机数不同,而同一次数据传输所采用的第一随机数和第二随机数相同。Since the structures of the first random number generator and the second random number generator are the same, and the random seeds received by the first random number generator and the second random number generator are the same, the first random number generator and the second random number generator The generator is updated synchronously according to the random seed, so the first random number obtained by the first random number generator after each self-operation update and the second random number obtained by the second random number generator after each self-operation update are the same , so that sensitive data can be correctly encrypted and decrypted. In addition, after each data transmission is completed, the first random numbers in all the first random number generators and the second random numbers in all the second random number generators need to be updated, and all the first random numbers and The second random number is the same. That is, the first random number and the second random number used in different data transmissions are different, while the first random number and the second random number used in the same data transmission are the same.
随机数发生器采用真随机源提供真随机熵源与伪随机发生单元混合随机数发生形式,真随机源随机的不断广播发送真随机数给伪随机数发生器作为随机种子,随机数发生器接收到真随机源种子加入到伪随机数发生单元,生成一笔新的随机数。每次发生一笔数据传输后,随机数发生器进行一次伪随机发生单元更新。由于主模块和从模块对应的随机数发生器的输入和更新都是一致的,随机数的数值能够保证一致性,从而保证了随机数的不可预测性,提高了数据传输的安全性。The random number generator adopts the true random source to provide the true random entropy source and the pseudo-random generating unit in the form of mixed random number generation. The true random source continuously broadcasts and sends the true random number to the pseudo-random number generator as a random seed, and the random number generator receives it. When the true random source seed is added to the pseudo-random number generating unit, a new random number is generated. After each data transmission, the random number generator performs a pseudo-random unit update. Since the input and update of the random number generators corresponding to the master module and the slave module are consistent, the value of the random number can ensure the consistency, thereby ensuring the unpredictability of the random number and improving the security of data transmission.
由于既可以在同一时刻只允许一个第一模块向一个第二模块发送敏感数据,也可以在同一时刻允许多个第一模块向多个第二模块发送敏感数据,从而扩展了敏感数据的传输方式,也扩展了芯片的结构。Since only one first module can be allowed to send sensitive data to one second module at the same time, or multiple first modules can be allowed to send sensitive data to multiple second modules at the same time, the transmission mode of sensitive data can be expanded. , also expands the structure of the chip.
当同一时刻允许多个第一模块向多个第二模块发送敏感数据时,仍然可以采用上述随机数的更新方式来更新随机数,使得每笔数据加解密采用的随机数都不相同,从而保证了数据传输的安全性;且同一笔数据加解密所采用的第一随机数和第二随机数相同,从而保证了能够被正确加解密。When multiple first modules are allowed to send sensitive data to multiple second modules at the same time, the above random number update method can still be used to update the random number, so that the random numbers used for each data encryption and decryption are different, so as to ensure The security of data transmission is ensured; and the first random number and the second random number used in the encryption and decryption of the same data are the same, thus ensuring that they can be correctly encrypted and decrypted.
本申请一个实施例提供了一种计算机可读存储介质,所述存储介质中存储有至少一条指令、至少一段程序、代码集或指令集,所述至少一条指令、所述至少一段程序、所述代码集或指令集由处理器加载并执行以实现如上所述的总线数据的保护方法。An embodiment of the present application provides a computer-readable storage medium, in which at least one instruction, at least one piece of program, code set or instruction set is stored, the at least one instruction, the at least one piece of program, the The code set or instruction set is loaded and executed by the processor to implement the bus data protection method as described above.
本申请一个实施例提供了一种芯片,所述芯片包括处理器和存储器,所述存储器中存储有至少一条指令,所述指令由所述处理器加载并执行以实现如上所述的总线数据的保护方法。An embodiment of the present application provides a chip, the chip includes a processor and a memory, the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the above-mentioned bus data transfer method of protection.
需要说明的是:上述实施例提供的总线数据的保护装置在进行总线数据的保护时,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将总线数据的保护装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。另外,上述实施例提供的总线数据的保护装置与总线数据的保护方法实施例属于同一构思,其具体实现过程详见方法实施例,这里不再赘述。It should be noted that: when the bus data protection device provided in the above embodiment protects the bus data, only the division of the above functional modules is used as an example for illustration. In practical applications, the above functions can be allocated by different The function module is completed, that is, the internal structure of the bus data protection device is divided into different function modules, so as to complete all or part of the functions described above. In addition, the bus data protection device and the bus data protection method embodiment provided by the above embodiments belong to the same concept, and the specific implementation process thereof is detailed in the method embodiment, which will not be repeated here.
本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps of implementing the above embodiments can be completed by hardware, or can be completed by instructing relevant hardware through a program, and the program can be stored in a computer-readable storage medium. The storage medium mentioned may be a read-only memory, a magnetic disk or an optical disk, etc.
以上所述并不用以限制本申请实施例,凡在本申请实施例的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请实施例的保护范围之内。The above is not intended to limit the embodiments of the present application, and any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the embodiments of the present application should be included within the protection scope of the embodiments of the present application.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010928069.6A CN111814212B (en) | 2020-09-07 | 2020-09-07 | Bus data protection method, device, storage medium and chip |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010928069.6A CN111814212B (en) | 2020-09-07 | 2020-09-07 | Bus data protection method, device, storage medium and chip |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111814212A CN111814212A (en) | 2020-10-23 |
| CN111814212B true CN111814212B (en) | 2020-12-18 |
Family
ID=72860023
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010928069.6A Active CN111814212B (en) | 2020-09-07 | 2020-09-07 | Bus data protection method, device, storage medium and chip |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111814212B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113127901B (en) * | 2021-04-21 | 2023-05-16 | 中国人民解放军战略支援部队信息工程大学 | Processing method, device and chip for data encryption transmission |
| CN113076568B (en) * | 2021-04-27 | 2022-12-23 | 广东电网有限责任公司电力调度控制中心 | Bus protection device, method, chip and storage medium |
| CN114817966A (en) * | 2022-05-30 | 2022-07-29 | 苏州国芯科技股份有限公司 | A SoC security encryption method, system, device and storage medium |
| CN116405284A (en) * | 2023-04-06 | 2023-07-07 | 北京市建筑设计研究院有限公司 | Data transmission method, data acquisition method, device, equipment and medium |
| CN117633920B (en) * | 2023-12-13 | 2024-06-18 | 上海国微芯芯半导体有限公司 | Sensitive data transmission bus architecture, control logic circuit and transmission system |
| CN119519932B (en) * | 2025-01-08 | 2025-04-18 | 深圳市纽创信安科技开发有限公司 | Cipher chip and scrambling method thereof |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8600827B2 (en) * | 2009-04-30 | 2013-12-03 | Visa U.S.A. Inc. | Product recall platform apparatuses, methods and systems |
| CN102081713B (en) * | 2011-01-18 | 2013-01-16 | 苏州国芯科技有限公司 | An Office System for Preventing Data Leakage |
| AU2018321922A1 (en) * | 2017-08-25 | 2020-02-20 | 7Tunnels, Inc. | Cryptographic systems and methods for extending apparent size of pools of truly random numbers |
-
2020
- 2020-09-07 CN CN202010928069.6A patent/CN111814212B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN111814212A (en) | 2020-10-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111814212B (en) | Bus data protection method, device, storage medium and chip | |
| JP6067757B2 (en) | Using the storage controller bus interface to protect data transmission between the storage device and the host | |
| CN112329038B (en) | Data encryption control system and chip based on USB interface | |
| JP2021505995A (en) | Storage devices and methods for address scrambling | |
| US11387980B2 (en) | Hardware multiple cipher engine | |
| TW201826162A (en) | Method and system for generation of cipher round keys by bit-mixers | |
| US20160065368A1 (en) | Address-dependent key generator by xor tree | |
| WO2018090665A1 (en) | Data processing method and device | |
| TW201342867A (en) | Systems and methods for protecting symmetric encryption keys | |
| WO2008031109A2 (en) | System and method for encrypting data | |
| WO2023274011A1 (en) | Method and apparatus for protecting data in otp memory, and device and storage medium | |
| JP2021507343A (en) | High-performance peripheral bus-based serial peripheral interface communication device | |
| CN111566987B (en) | Data processing method, circuit, terminal device and storage medium | |
| CN113810169A (en) | Homomorphic encryption device and ciphertext arithmetic method | |
| US6549622B1 (en) | System and method for a fast hardware implementation of RC4 | |
| CN104902138A (en) | ENCRYPTION/DECRYPTION SYSTEM and its control method | |
| JP2023542936A (en) | Metadata tweak for channel encryption differentiation | |
| KR20220000537A (en) | System and method for transmitting and receiving data based on vehicle network | |
| US10776294B2 (en) | System architecture with secure data exchange | |
| US20230208821A1 (en) | Method and device for protecting and managing keys | |
| CN114327255B (en) | Memory interface controller and memory | |
| CN113536331B (en) | Data security for memory and computing systems | |
| CN119070988B (en) | Lightweight key unit design method based on PCIe architecture | |
| CN112329074B (en) | System-on-a-Chip | |
| CN105580308A (en) | Methods for managing cache coherency |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 100176 Beijing City, Daxing District, Beijing Economic and Technological Development Zone, No. 2, Ronghuannan Road, Building 1, 26th Floor, Rooms 01A, 01B, 01C, 02A, 02B Patentee after: Beijing Xinchi Semiconductor Technology Co.,Ltd. Country or region after: China Address before: Room 2268, Yingying Building, No. 99 Tuanjie Road, Yanchuangyuan, Jiangbei New District, Nanjing, Jiangsu Province, 210000 (Nanjing Area, Jiangsu Free Trade Pilot Zone, China) Patentee before: Nanjing Xinchi Semiconductor Technology Co.,Ltd. Country or region before: China |