CN113094718A - File encryption method and related device - Google Patents
- Publication number
- CN113094718A CN201911343064.0A
- Authority
- CN
- China
- Prior art keywords
- target
- random number
- file
- key
- descriptor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/79—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of the present application disclose a file encryption method and apparatus. A file encryption apparatus includes a processor, a Universal Flash Storage (UFS) host controller coupled to the processor, and a memory coupled to the UFS controller. The processor is configured to send a first request to the UFS controller, the first request requesting that a target file be stored. The UFS controller is configured to: obtain a target random number corresponding to the target file; generate a second key corresponding to the target file from the target random number and a pre-stored first key; encrypt the target file with the second key to obtain an encrypted target file; and store the encrypted target file in the memory. The memory is configured to store the encrypted target file. With the apparatus provided in the first aspect, one-key-per-file encryption can still be guaranteed while storage efficiency remains high, raising the encryption level of files.
Description
Technical field
The present application relates to the field of information technology, and in particular to a file encryption method and a related device.
Background
With the spread of smart terminals, they have become a necessity of daily life, but their security problems have also become increasingly prominent, for example information leakage, fraud and account theft, and Trojans and viruses. Users therefore attach growing importance to smart terminal security. To protect the information on a smart terminal, current smart terminal storage systems generally use full-disk encryption or file encryption to protect the file information on the terminal. For example, the file encryption method based on the existing Universal Flash Storage (UFS) protocol is a limited-key file encryption method (total files limited keys): the Trusted Execution Environment (TEE) in the processor configures 32 sets of initial keys (Class Keys) once, and the files on the smart terminal are then encrypted with those initial keys. When other files are encrypted later, this method does not refresh or configure new Class Keys, so the keys used during encryption are always the same fixed 32 sets of initial keys. The one-key-per-file requirement is not met, and the encryption level is low. Implementing one key per file would require, before every file encryption, switching to the TEE side to configure a new Class Key and then switching back to the file management module in the processor to encrypt and store the file. This causes frequent interaction between the TEE and the file management module and makes actual storage efficiency extremely low.
Therefore, how to ensure both the storage efficiency and the encryption level of file encryption when a smart terminal encrypts and stores files is a problem that urgently needs to be solved.
Summary of the invention
Embodiments of the present application provide a file encryption method and related device that ensure both the storage efficiency and the encryption level of file encryption when the UFS transport protocol is used.
In a first aspect, an embodiment of the present application provides a file encryption apparatus, including a processor and a Universal Flash Storage (UFS) host controller coupled to the processor. The processor is configured to send a first request to the UFS controller, the first request requesting that a target file be stored. The UFS controller is configured to: obtain a target random number corresponding to the target file; generate a second key corresponding to the target file from the target random number and a pre-stored first key; and encrypt the target file with the second key to obtain an encrypted target file.
With the apparatus provided in the first aspect, when encrypting different files the UFS controller can first generate a key for each file (the second key) from the same initial key (the first key) and the random number corresponding to that file, and then encrypt each file with its own key, so that every file is encrypted under a different encryption key. Each file has exactly one random number corresponding to it. Because different files are encrypted under different keys, a file that has been encrypted and stored is not easily broken in a way that leaks information, and this encryption method greatly raises the encryption level of files. In addition, each file encryption can generate the file key from the same initial key using a different random number, which avoids having the trusted execution environment (TEE) refresh the initial key too frequently in order to raise the encryption level, something that would make encrypted storage inefficient and waste resources. The method provided by the first aspect therefore ensures both the storage efficiency and the encryption level of file encryption when the UFS transport protocol is used.
In a possible implementation, the UFS controller is further configured to obtain the target file. In this embodiment, the target file is obtained before it is encrypted. After the file management system of the processor generates the file, the UFS controller may either actively fetch it or passively receive it. For example, after creating the target file, the file management module sends it directly to the UFS controller. As another example, after creating the target file, the file management module stores it in temporary memory and sends the storage address to the UFS controller together with the first request, and the UFS controller obtains the target file from that storage address.
In a possible implementation, the UFS controller is further configured to obtain the descriptor of the first request corresponding to the target file, the descriptor including a data unit number (DUN). The UFS controller is specifically configured to: divide the target file into multiple file data blocks; and, starting from the file data block that corresponds to the DUN, encrypt the file data blocks in sequence with the second key to obtain the encrypted target file. In this embodiment, when encrypting the target file the UFS controller first determines the initial encryption object of the target file from the DUN in the descriptor (that is, the file data block corresponding to the DUN among the multiple file data blocks) and then performs the encrypted storage operation on the target file, which raises the encryption level of the file while preserving the storage efficiency of file encryption. Dividing the target file into multiple file data blocks and then encrypting it with a block cipher also raises the encryption level. For example, the block cipher may be an Advanced Encryption Standard algorithm with a block length of 128 bits and a key length of 128, 192 or 256 bits.
In a possible implementation, the processor is further configured to generate the target random number and the descriptor of the target file when creating the target file. In this embodiment, when the file management module in the processor creates the target file, it can generate the target random number that uniquely corresponds to the target file and the descriptor of the first request corresponding to the target file. Different files therefore have different random numbers and descriptors, which ensures the encryption level of file encryption, makes the encrypted target file harder to crack, and reduces the risk that the target file is leaked.
In a possible implementation, the apparatus further includes a dynamic random access memory coupled to both the processor and the UFS controller. The processor is further configured to: extend the descriptor with the target random number to obtain an extended descriptor that includes the target random number and the DUN; and send the extended descriptor to the dynamic random access memory. The UFS controller is specifically configured to: obtain the extended descriptor from the dynamic random access memory according to the first request; and obtain the target random number and the DUN from the extended descriptor. In this embodiment, the target random number can be added to the descriptor when the target random number and the descriptor are generated; that is, the descriptor is extended so that it carries the target random number when it is saved to the dynamic random access memory, and the UFS controller obtains the target random number by fetching the extended descriptor. Because the key is generated from the target random number only after the random number has been obtained in this way, only the target random number appears in the file management module of the processor (that is, at the software level), while the root key (that is, the second key) is derived by hardware logic and cannot be perceived or obtained by software, which raises the security of the key.
In a possible implementation, the apparatus further includes a dynamic random access memory coupled to both the processor and the UFS controller. The processor is further configured to: send the target random number to the dynamic random access memory; extend the descriptor with the storage address of the target random number and the data length of the target random number to obtain an extended descriptor that includes the storage address of the target random number, the data length of the target random number, and the DUN; and send the extended descriptor to the dynamic random access memory. The UFS controller is specifically configured to: obtain the extended descriptor from the dynamic random access memory according to the first request; determine the storage address of the target random number in the extended descriptor and obtain the target random number from that storage address; and obtain the DUN from the extended descriptor. When this embodiment is implemented on the basis of the JESD223D protocol, the UFS controller can obtain the target random number by reading the storage address in the extended descriptor. Because the key is generated from the target random number only after the random number has been obtained in this way, only the target random number appears in the file management module of the processor (that is, at the software level), while the root key (that is, the second key) is derived by hardware logic and cannot be perceived or obtained by software. This raises the security of the key and greatly reduces the risk that criminals steal the key and crack the file.
In a possible implementation, the apparatus further includes a dynamic random access memory coupled to both the processor and the UFS controller. The processor is further configured to: send the descriptor to the dynamic random access memory; and send the storage address of the target random number to an address register in the UFS controller. The UFS controller is specifically configured to: obtain the descriptor from the dynamic random access memory according to the first request; and obtain the target random number according to the storage address of the target random number stored in the address register in the UFS controller. In this embodiment, the processor sends the target random number directly to the UFS controller, and the UFS controller then generates the encryption key from the target random number. Having the UFS controller obtain the target random number by directly obtaining its storage address likewise ensures that only the target random number appears in the processor (that is, at the software level), while the root key (the second key) is derived by hardware logic and cannot be perceived or obtained by software. This raises the security of the key used to encrypt the target file, greatly reduces the risk that criminals steal the key and crack the file, and raises the security level. This way of obtaining the target random number also does not affect the storage efficiency of the target file, which saves resources.
In a possible implementation, the apparatus further includes a random number generator coupled to the UFS controller. The random number generator is configured to generate variable parameters, which are used to generate the second key. The UFS controller is specifically configured to: generate a third key from the target random number and the variable parameters, where the variable parameters include a first variable and a second variable, the first variable identifies the bit width of the second key, and the second variable is either a random number of a preset fixed bit width or a number of a preset fixed bit width that identifies a file attribute of the target file, the preset fixed bit width of the second variable being determined by the bit width of the third key; and generate the second key from the third key and the pre-stored first key using a derivation algorithm. In this embodiment, a third key that uniquely corresponds to the target file can be generated from the target random number, the first variable and the second variable, so the second key generated from the third key and the pre-stored first key is also unique. This one-key-per-file encryption greatly raises the encryption level of files. In addition, the second key is derived from the first key by hardware logic and cannot be perceived or obtained by software, which reduces the risk that a file is decrypted after the key is stolen by criminals.
In a possible implementation, the target random number is a random number of a file attribute, and its bit width is one of the following: 128 bits, 192 bits, 256 bits or 512 bits. In this embodiment, the target file can be encrypted using random numbers of different bit widths. The target random number is used to encrypt the target file, and random numbers of different bit widths may use the same or different encryption algorithms during encryption. The larger the bit width of the random number, the more complex the corresponding encryption algorithm may be, that is, the more involved the computation and the higher the security, which better protects the file.
In a possible implementation, the apparatus further includes a memory coupled to the UFS controller. The UFS controller is configured to store the encrypted target file in the memory, and the memory is configured to store the encrypted target file. In this embodiment, the encrypted target file can be stored in a memory, which may be the smart terminal's solid-state drive, UFS flash memory (UFS Flash), solid-state memory, and so on, so that the target file is effectively preserved after the smart terminal encrypts it.
In a possible implementation, the processor is further configured to send a second request to the UFS controller, the second request requesting that the encrypted target file be read. The UFS controller is further configured to: obtain, according to the second request, the second key corresponding to the target file; and decrypt the encrypted target file with the second key and then read it. In this embodiment, when the UFS controller receives a request to read an encrypted file, it can obtain from the read request the unique second key used when the file was encrypted and use it to decrypt and read the encrypted file. The target file can be read only with the second key, which helps keep the target file confidential. The second key is derived by hardware logic and is not stored in the UFS controller, so software cannot perceive or obtain it, which reduces the risk of it being stolen by criminals.
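As an added illustration (not part of the patent text), the Python model below walks through the first aspect's inline extended-descriptor variant: the processor side packs the DUN and the target random number into a descriptor, and a controller model derives the second key from its pre-stored first key, encrypts data units starting at the DUN, and re-derives the key on read. The descriptor layout, the 4096-byte data unit, HMAC-SHA256 as the derivation algorithm and the HMAC-based keystream standing in for the controller's AES engine are all assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import os
import struct

DATA_UNIT = 4096                     # assumed data-unit size in bytes
NONCE_BITS = (128, 192, 256, 512)    # bit widths the description allows
HEADER = struct.Struct("<QH")        # assumed layout: 64-bit DUN, 16-bit length


def build_extended_descriptor(dun, nonce):
    """Processor side: extend the descriptor with the per-file random number."""
    if len(nonce) * 8 not in NONCE_BITS:
        raise ValueError("target random number must be 128/192/256/512 bits")
    return HEADER.pack(dun, len(nonce)) + nonce


def parse_extended_descriptor(desc):
    """Controller side: recover (DUN, random number); reject malformed input."""
    if len(desc) < HEADER.size:
        raise ValueError("descriptor truncated")
    dun, length = HEADER.unpack_from(desc)
    nonce = desc[HEADER.size:]
    if len(nonce) != length or length * 8 not in NONCE_BITS:
        raise ValueError("bad random-number length")
    return dun, nonce


class UfsControllerModel:
    """Hypothetical software model of the controller; flash is a dict."""

    def __init__(self, first_key):
        self._first_key = first_key  # pre-stored first key, never handed out
        self.flash = {}              # data unit number -> ciphertext

    def _second_key(self, nonce):
        # Assumed derivation: HMAC-SHA256(first key, label || random number).
        # The result is recomputed per request and never stored.
        msg = b"per-file-key" + nonce
        return hmac.new(self._first_key, msg, hashlib.sha256).digest()

    @staticmethod
    def _crypt_unit(key, dun, data):
        # Stand-in for the AES engine: XOR with a keystream bound to the
        # data unit number, so equal plaintext units encrypt differently.
        stream = bytearray()
        counter = 0
        while len(stream) < len(data):
            block = struct.pack("<QI", dun, counter)
            stream += hmac.new(key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def store(self, desc, plaintext):
        """First request: encrypt data units in sequence, starting at the DUN."""
        dun, nonce = parse_extended_descriptor(desc)
        key = self._second_key(nonce)
        units = [plaintext[i:i + DATA_UNIT]
                 for i in range(0, len(plaintext), DATA_UNIT)]
        for i, unit in enumerate(units):
            self.flash[dun + i] = self._crypt_unit(key, dun + i, unit)
        return len(units)

    def read(self, desc, unit_count):
        """Second request: re-derive the second key and decrypt."""
        dun, nonce = parse_extended_descriptor(desc)
        key = self._second_key(nonce)
        return b"".join(self._crypt_unit(key, dun + i, self.flash[dun + i])
                        for i in range(unit_count))


if __name__ == "__main__":
    controller = UfsControllerModel(first_key=os.urandom(32))  # constructed key
    sample = b"constructed sample file " * 400                 # constructed data
    descriptor = build_extended_descriptor(100, os.urandom(32))
    count = controller.store(descriptor, sample)
    print(count, controller.read(descriptor, count) == sample)
```

Because an XOR keystream must never be reused, this stand-in would need a fresh random number whenever a data unit is rewritten; it models the key flow, not the cipher choice.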
In a second aspect, an embodiment of the present application provides a file encryption method, including: sending, by a processor, a first request to a Universal Flash Storage (UFS) host controller, the first request requesting that a target file be stored; obtaining, by the UFS controller, a target random number corresponding to the target file; generating, by the UFS controller, a second key corresponding to the target file from the target random number and a pre-stored first key; and encrypting, by the UFS controller, the target file with the second key to obtain an encrypted target file.
In a possible implementation, the method further includes: obtaining, by the UFS controller, the target file.
In a possible implementation, the method further includes: obtaining, by the UFS controller, the descriptor of the first request corresponding to the target file, the descriptor including a data unit number (DUN). Encrypting, by the UFS controller, the target file with the second key to obtain the encrypted target file includes: dividing, by the UFS controller, the target file into multiple file data blocks; and, starting from the file data block that corresponds to the DUN, encrypting, by the UFS controller, the file data blocks in sequence with the second key to obtain the encrypted target file.
In a possible implementation, the method further includes: generating, by the processor, the target random number and the descriptor of the target file when creating the target file.
In a possible implementation, the method further includes: extending, by the processor, the descriptor with the target random number to obtain an extended descriptor that includes the target random number and the DUN; and sending, by the processor, the extended descriptor to a dynamic random access memory. Obtaining, by the UFS controller, the target random number corresponding to the target file includes: obtaining, by the UFS controller, the extended descriptor from the dynamic random access memory according to the first request; and obtaining, by the UFS controller, the target random number and the DUN from the extended descriptor.
In a possible implementation, the method further includes: sending, by the processor, the target random number to a dynamic random access memory; extending, by the processor, the descriptor with the storage address of the target random number and the data length of the target random number to obtain an extended descriptor that includes the storage address of the target random number, the data length of the target random number, and the DUN; and sending, by the processor, the extended descriptor to the dynamic random access memory. Obtaining, by the UFS controller, the target random number corresponding to the target file includes: obtaining, by the UFS controller, the extended descriptor from the dynamic random access memory according to the first request; and determining, by the UFS controller, the storage address of the target random number in the extended descriptor and obtaining the target random number from that storage address. Obtaining, by the UFS controller, the descriptor of the first request corresponding to the target file includes: obtaining, by the UFS controller, the DUN from the extended descriptor.
In a possible implementation, the method further includes: sending, by the processor, the descriptor to a dynamic random access memory; and sending, by the processor, the storage address of the target random number to an address register in the UFS controller. Obtaining, by the UFS controller, the target random number corresponding to the target file includes: obtaining, by the UFS controller according to the first request, the descriptor from the dynamic random access memory; and obtaining, by the UFS controller, the target random number according to the storage address of the target random number stored in the address register in the UFS controller.
In a possible implementation, the method further includes: generating a variable parameter by a random number generator, where the variable parameter is used to generate the second key. Generating, by the UFS controller, the second key corresponding to the target file according to the target random number and the pre-stored first key includes: generating, by the UFS controller, a third key according to the target random number and the variable parameter, where the variable parameter includes a first variable and a second variable, the first variable identifies the bit width of the second key, the second variable is a random number of a preset fixed bit width or a number of a preset fixed bit width that identifies a file attribute of the target file, and the preset fixed bit width of the second variable is determined by the bit width of the third key; and generating, by the UFS controller, the second key through a derivation algorithm according to the third key and the pre-stored first key.
In a possible implementation, the target random number is a random number of file attributes, and the bit width of the target random number is one of the following: 128 bits, 192 bits, 256 bits, or 512 bits.
In a possible implementation, the method further includes: storing, by the UFS controller, the encrypted target file in a memory; and storing the encrypted target file by the memory.
In a possible implementation, the method further includes: sending, by the processor, a second request to the UFS controller, where the second request is used to request reading of the encrypted target file; and obtaining, by the UFS controller according to the second request, the second key corresponding to the target file, and decrypting the encrypted target file according to the second key before reading it.
In a third aspect, an embodiment of this application provides a file encryption apparatus, including: a first sending unit, configured to send, through a processor, a first request to a universal flash storage host (UFS) controller, where the first request is used to request storage of a target file; a first obtaining unit, configured to obtain, through the UFS controller, a target random number corresponding to the target file; a key unit, configured to generate, through the UFS controller, a second key corresponding to the target file according to the target random number and a pre-stored first key; and an encryption unit, configured to encrypt, through the UFS controller, the target file according to the second key to obtain an encrypted target file.
In a possible implementation, the apparatus further includes: a second obtaining unit, configured to obtain the target file through the UFS controller.
In a possible implementation, the apparatus further includes: a third obtaining unit, configured to obtain, through the UFS controller, the descriptor of the first request corresponding to the target file, where the descriptor includes a data unit number (DUN). The encryption unit is specifically configured to: divide, through the UFS controller, the target file into a plurality of file data blocks; and, through the UFS controller, starting from the file data block among the plurality of file data blocks that corresponds to the DUN, encrypt the plurality of file data blocks in sequence according to the second key to obtain the encrypted target file.
In a possible implementation, the apparatus further includes: a first generating unit, configured to generate, through the processor, the target random number and the descriptor of the target file when the target file is created.
In a possible implementation, the apparatus further includes: a first extension unit, configured to extend, through the processor, the descriptor according to the target random number to obtain an extended descriptor, where the extended descriptor includes the target random number and the DUN; and a second sending unit, configured to send, through the processor, the extended descriptor to a dynamic random access memory. The first obtaining unit is specifically configured to: obtain, through the UFS controller according to the first request, the extended descriptor from the dynamic random access memory; and obtain, through the UFS controller, the target random number and the DUN according to the extended descriptor.
In a possible implementation, the apparatus further includes: a third sending unit, configured to send, through the processor, the target random number to a dynamic random access memory; a second extension unit, configured to extend, through the processor, the descriptor according to the storage address of the target random number and the data length of the target random number to obtain an extended descriptor, where the extended descriptor includes the storage address of the target random number, the data length of the target random number, and the DUN; and a third sending unit, configured to send, through the processor, the extended descriptor to the dynamic random access memory. The first obtaining unit is specifically configured to: obtain, through the UFS controller according to the first request, the extended descriptor from the dynamic random access memory; and determine, through the UFS controller, the storage address of the target random number in the extended descriptor, and obtain the target random number according to that storage address. The third obtaining unit is specifically configured to: obtain, through the UFS controller, the DUN according to the extended descriptor.
In a possible implementation, the apparatus further includes: a fourth sending unit, configured to send, through the processor, the descriptor to a dynamic random access memory, and to send, through the processor, the storage address of the target random number to an address register in the UFS controller. The first obtaining unit is specifically configured to: obtain, through the UFS controller according to the first request, the descriptor from the dynamic random access memory; and obtain, through the UFS controller, the target random number according to the storage address of the target random number stored in the address register in the UFS controller.
In a possible implementation, the apparatus further includes: a second generating unit, configured to generate a variable parameter through a random number generator, where the variable parameter is used to generate the second key. The key unit is specifically configured to: generate, through the UFS controller, a third key according to the target random number and the variable parameter, where the variable parameter includes a first variable and a second variable, the first variable identifies the bit width of the second key, the second variable is a random number of a preset fixed bit width or a number of a preset fixed bit width that identifies a file attribute of the target file, and the preset fixed bit width of the second variable is determined by the bit width of the third key; and generate, through the UFS controller, the second key through a derivation algorithm according to the third key and the pre-stored first key.
In a possible implementation, the target random number is a random number of file attributes, and the bit width of the target random number is one of the following: 128 bits, 192 bits, 256 bits, or 512 bits.
In a possible implementation, the apparatus further includes: a first storage unit, configured to store, through the UFS controller, the encrypted target file in a memory; and a second storage unit, configured to store the encrypted target file through the memory.
In a possible implementation, the apparatus further includes: a fifth sending unit, configured to send, through the processor, a second request to the UFS controller, where the second request is used to request reading of the encrypted target file; and a decryption unit, configured to obtain, through the UFS controller according to the second request, the second key corresponding to the target file, and to decrypt the encrypted target file according to the second key before reading it.
In a fourth aspect, an embodiment of this application provides a chip system that includes any apparatus for supporting the file encryption involved in the first aspect. The chip system may consist of a chip, or may include a chip and other discrete devices.
In a fifth aspect, an embodiment of this application provides a computer storage medium for storing computer software instructions used by the file encryption apparatus provided in the first aspect, including a program designed to execute the first aspect.
In a sixth aspect, an embodiment of this application provides a computer program that includes instructions which, when the computer program is executed by a computer, enable the computer to execute the process performed by the file encryption apparatus in the first aspect.
Description of drawings
To describe the technical solutions in the embodiments of this application or in the background more clearly, the accompanying drawings used in the embodiments or the background are described below.
FIG. 1A is a schematic diagram of an application scenario in which a recording file is encrypted and saved, according to an embodiment of this application.
FIG. 1B is a schematic diagram of an application scenario in which a downloaded file is saved, according to an embodiment of this application.
FIG. 1C is a schematic diagram of a file encryption architecture based on a UFS controller, according to an embodiment of this application.
FIG. 1D is a schematic diagram of another file encryption architecture based on a UFS controller, according to an embodiment of this application.
FIG. 2 is a schematic diagram of a file encryption apparatus according to an embodiment of this application.
FIG. 3 is a schematic flowchart of a file encryption method according to an embodiment of this application.
FIG. 4 is a schematic structural diagram of a transfer request descriptor (UTRD) according to an embodiment of this application.
FIG. 5 is a schematic structural diagram of an extended descriptor (UTRD) according to an embodiment of this application.
FIG. 6 is a schematic diagram of a file encryption algorithm framework applied in a UFS controller, according to an embodiment of this application.
FIG. 7 is a schematic structural diagram of another file encryption apparatus according to an embodiment of this application.
FIG. 8 is a schematic structural diagram of yet another file encryption apparatus according to an embodiment of this application.
Detailed description
The embodiments of this application are described below with reference to the accompanying drawings in the embodiments of this application.
The terms "first", "second", "third", "fourth" and the like in the specification, the claims and the accompanying drawings of this application are used to distinguish different objects, not to describe a specific order. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.
Reference to an "embodiment" in this document means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of this application. Appearances of the phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described in this document may be combined with other embodiments.
The terms "component", "module", "system" and the like used in this specification denote a computer-related entity, hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself may be components. One or more components may reside within a process and/or a thread of execution, and a component may be located on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer-readable media that have various data structures stored on them. Components may communicate through local and/or remote processes, for example according to a signal having one or more data packets (for example, data from two components interacting with another component in a local system, a distributed system and/or across a network, such as the Internet, which interacts with other systems by means of signals).
First, some terms used in this application are explained to help those skilled in the art understand them.
(1) Universal Flash Storage (UFS) is a flash storage specification designed for electronic products such as digital cameras and smart terminals. While providing high data transfer speed and stability, it also reduces user confusion about the various memory card formats on the market and the use of different memory card adapters. UFS flash memory (UFS Flash) is one of the mainstream storage media in mobile phone systems and can serve as the storage medium of a mobile phone chipset system; data exchange between the mobile phone SOC chip and the UFS Flash is implemented on the basis of the MIPI UFS protocol.
(2) A solid state drive (Solid State Drive, SSD), also called a solid-state disk, is a drive made from an array of solid-state electronic storage chips. An SSD consists of a control unit and storage units (Flash chips, DRAM chips); its chips have a wide operating temperature range and a wide range of applications. Solid state drives usually use one of two storage media: flash memory (Flash chips) or DRAM.
(3) Advanced Encryption Standard (AES). The AES encryption process operates on a 4×4 byte matrix, also called the "state", whose initial value is a plaintext block (each element of the matrix is one byte of the plaintext block). (Because the Rijndael cipher supports larger blocks, the number of rows in its matrix can be increased as needed.) During encryption, each round of the AES encryption loop (except the last round) includes four steps: AddRoundKey, SubBytes, ShiftRows, and MixColumns.
(4) Key derivation functions (KDF). A key derivation function derives key data from a shared secret bit string. In a key agreement process, the key derivation function acts on the shared secret bit string obtained from the key exchange and produces from it the required session key, or the key data required for further encryption.
(5) The central processing unit (CPU) is the computing core and control core of a computer and the final execution unit for information processing and program execution. The CPU contains arithmetic logic components, register components, control components and so on, and has functions such as processing instructions, executing operations, controlling timing, and processing data.
(6) The trusted execution environment (TEE) is an area on the processor (CPU). The role of this area is to provide a more secure space for data and for code execution, and to guarantee their confidentiality and integrity.
(7) A register is a very important storage unit in an integrated circuit, usually made up of flip-flops. Registers are a component of the central processing unit. They are high-speed storage elements of limited capacity that can be used to hold instructions, data and addresses temporarily. The control part of the central processing unit contains the instruction register (IR) and the program counter (PC). The arithmetic and logic part of the central processing unit contains the accumulator (ACC).
(8) A physical block (block) is the smallest unit of storage and processing in a database and contains the block's own header information data or PL/SQL code. The block size can be specified by selecting "custom installation" at installation time. The capacity of a block is generally between several hundred KB and several MB; each block includes multiple pages (page), and the capacity of a page is generally a multiple of 4 KB (such as 4 KB or 16 KB).
(9) Double data rate synchronous dynamic random access memory (Double Data Rate, DDR) lets the main steps of address specification, data transfer and output execute independently while remaining fully synchronized with the CPU. DDR uses DLL (Delay Locked Loop, which provides a data filter signal) technology: when data is valid, the memory controller can use this data filter signal to locate the data precisely, output once every 16 times, and resynchronize data from different memory modules.
(10) Dynamic random access memory (DRAM) uses the amount of charge stored in a capacitor to represent 0 and 1, that is, one binary bit, the smallest unit of memory. DRAM is the most common system memory. DRAM can hold data only for a short time. Because DRAM stores data in capacitors, it must be refreshed at regular intervals; if a memory cell is not refreshed, the stored information is lost.
To make the embodiments of the present invention easier to understand, the following lists examples of scenarios in which the file encryption method of this application is applied, which may include the following two scenarios:
Scenario 1: when using a smart terminal, the user can encrypt and save the related files that are generated.
When a user is using a smart terminal (for example, a mobile phone), the files generated while using it (for example, game video files recorded while playing, audio files recorded during phone calls, image files taken by the camera, text files created when editing memos, browsing records from browsing the Internet, and so on) need to be encrypted and saved in order to better protect the user's privacy, so that the information on the smart terminal is not stolen in an attack by criminals and the user's privacy is not leaked. For example, see FIG. 1A, which is a schematic diagram of an application scenario in which a recording file is encrypted and saved, according to an embodiment of this application. As shown in FIG. 1A, when the user has finished using the recording function of the mobile phone, the smart terminal can encrypt the recorded audio file through the SOC chip and then place it in the memory for storage. The related data generated while the user uses the smart terminal can therefore be encrypted and saved, ensuring that the user's privacy is not leaked.
Scenario 2: the user connects to the Internet through the smart terminal and, after downloading related data files, can encrypt and save them.
When a user browsing the Internet on a mobile phone comes across a picture, video, file and so on that they like, the file can be encrypted and saved to the phone, which not only stores the file better but also prevents the leakage of private information. For example, see FIG. 1B, which is a schematic diagram of an application scenario in which a downloaded file is saved, according to an embodiment of this application. As shown in FIG. 1B, after the user downloads a file from the Internet, the file control module and the UFS controller can control its encryption and then place it in the memory for storage; encrypting the file greatly reduces the risk of it being stolen. Therefore, when a user uses a smart terminal to download a file or to receive a file sent by another smart terminal, encrypting the file before storing it greatly reduces the chance that important or private information is leaked.
It can be understood that the two application scenarios above are only some exemplary implementations in the embodiments of the present invention, and the application scenarios in the embodiments of the present invention include but are not limited to them. Other examples include encrypting and saving files received over Bluetooth, and encrypting and saving system files generated after the smart terminal runs related applications.
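Based on the corresponding application scenarios in this application, and to make the embodiments of the present invention easier to understand, one of the system architectures on which the embodiments of this application are based is described first. See FIG. 1C, which is a schematic diagram of a file encryption architecture based on a UFS controller, according to an embodiment of this application. The architecture shown in FIG. 1C takes the SOC chip as its main body, is described from the perspective of encrypted file storage, and can be applied to the application scenarios shown in FIG. 1A and FIG. 1B. The UFS-controller-based file encryption method proposed in this application can be applied to this system architecture. The system architecture includes a processor 101 and a Universal Flash Storage Host Controller (UFSHC) coupled to the processor 101, that is, the UFS controller 102, and may further include a memory 103 and a double data rate DRAM controller (Double Data Rate DRAM controller, DDRC) 104 coupled to the UFS controller 102. If the encryption architecture is applied in a smart terminal (such as a mobile phone or a tablet computer), the UFS controller 102 is equivalent to the solid state drive (Solid State Disk, SSD) of the smart terminal. It can be understood that a solid state drive can be configured in different devices, such as a server or a personal computer, and corresponds to a different form of main controller in each; the embodiments of this application do not limit the form of the main controller. The memory 103 is equivalent to UFS flash memory (UFS Flash), solid-state memory and so on, and is used to store the encrypted target file. The double data rate DRAM controller 104 is used to control the temporary memory or running memory of the smart terminal, such as dynamic random access memory (Dynamic Random Access Memory, DRAM) or double data rate synchronous dynamic random access memory (Double Data Rate, DDR). Optionally, see FIG. 1D, which is a schematic diagram of another file encryption architecture based on a UFS controller, according to an embodiment of this application. On the basis of FIG. 1C, this UFS-controller-based file encryption architecture may further include a random number generator 105 coupled to the UFS controller 102. FIG. 1D is described using the example in which the processor 101, the UFS controller 102, the double data rate DRAM controller 104 and the random number generator 105 are integrated inside the SOC chip. Optionally, the UFS controller 102 may be a processing device independent of the processor 101 that, by connecting to the processor 101 and the memory 103, performs operations such as file storage, file reading and file encryption; and the double data rate DRAM controller 103 may also be an independent storage device, used to control the dynamic random access memory to store the target random number, the descriptor and so on that the processor 101 generates for the target file. Details are not repeated here.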
具体地,当处理器101创建文件时,可以同步生成该文件的目标随机数和描述符,其中,该目标随机数(Meta Data)是随机生成的,带有文件属性的随机数;该描述符在本申请中可以理解为是UFS传输协议传输请求描述符(UTP Transfer Request Descriptor,UTRD)。所述处理器,还用于向所述UFS控制器发送第一请求,所述第一请求用于请求对目标文件进行存储或加密存储。Specifically, when the processor 101 creates a file, it can synchronously generate a target random number and a descriptor of the file, wherein the target random number (Meta Data) is a random number generated randomly and has file attributes; the descriptor In this application, it may be understood as a UFS transfer protocol transfer request descriptor (UTP Transfer Request Descriptor, UTRD). The processor is further configured to send a first request to the UFS controller, where the first request is used to request storage or encrypted storage of the target file.
After the UFS controller 102 receives the first request from the processor 101 concerning the target file, it can obtain, according to the first request, the target random number of the target file corresponding to the first request; generate the second key corresponding to the target file from the target random number and the pre-stored first key; encrypt the target file with the second key to obtain the encrypted target file; and store the encrypted target file in the memory.
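The random number generator 105 coupled to the UFS controller 102 can generate variable parameters, which are used to generate the second key used for file encryption. After encryption with the second key, the variable parameters and the target random number can be saved to the memory 103 together with the encrypted file, so that when the file is read, the second key is determined from the variable parameters and the target random number corresponding to the target file, and the same second key is then used to decrypt and read the encrypted file. The random number generator 104 may be a true random number generator.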
It can be understood that a specific file encryption scenario in which the processor 101, the UFS controller 102 coupled to the processor 101, and the memory 103 coupled to the UFS controller 102 have been configured is also covered by the system architecture illustrated in the embodiments of this application, which is not described again here.
It can also be understood that the memory and the dynamic random access memory are two different kinds of memory. The memory is used to store encrypted files and holds data for a long time, that is, the encrypted files it stores are not lost after the smart terminal or system is powered off; an example is the phone storage in a mobile phone. The dynamic random access memory is used to temporarily store the target file before encryption and to store random numbers, descriptors and the like, and holds data for a short time, that is, the temporary files, random numbers, descriptors and the like that it stores are lost after the smart terminal or system is powered off; an example is the running memory in a mobile phone.
It should be noted that the processor 101, the UFS controller 102 and the double data rate DRAM controller 104 may be integrated in one chip or integrated in different chips, which is not specifically limited in the embodiments of this application.
It should also be noted that the file encryption system architectures shown in FIG. 1C and FIG. 1D are only some exemplary implementations in the embodiments of this application; the file encryption system architectures in the embodiments of this application include but are not limited to the above.
With reference to the system architectures shown in FIG. 1C and FIG. 1D, an embodiment of this application also provides an illustration of a file encryption device applied to a smartphone terminal, which can be applied to the system architecture shown in FIG. 1D. Referring to FIG. 2, FIG. 2 is a schematic diagram of a file encryption device provided by an embodiment of this application. As shown in FIG. 2, the file encryption device 10 in this embodiment may include a processor 101, a UFS controller 102 coupled to the processor 101, a memory 103 coupled to the UFS controller 102, a dynamic random access memory DRAM 113 coupled to the UFS controller 102 and to the double data rate DRAM controller 104 (DDRC), and a random number generator 105 coupled to the UFS controller 102. The built-in logic modules of the processor 101 may include a trusted execution environment (Trusted Execution Environment, TEE) 211, a file management module 212, and so on. The built-in logic modules of the UFS controller 102 may include a key store (Key Store) 221 and so on; the key store 221 is equivalent to memory inside the UFS controller, and may also include an address register used to hold the storage address of the target random number. The built-in logic modules of the DRAM 113 may include a first storage module 231 and a second storage module 232. Specifically:
The TEE 211 in the processor can be used to configure the first key used in the file encryption process. For example, after the system of the smart terminal to which the file encryption device belongs is powered on, or when the UFS controller is initialized, the trusted execution environment TEE configures the first key (Class Key) into the Key Store of the UFS controller. In general, the UFS controller has only 32 groups of Class Keys, so one of the most efficient schemes is for the TEE to configure all 32 groups of Class Keys into the Key Store of the UFS controller at one time when the UFS controller is initialized.
The file management module 212 in the processor can create a target file for storage, reading and so on, and, when creating the target file, can also generate the target random number of the file and the transfer request descriptor UTRD at the same time, for use in the encrypted storage and decrypted reading of the file.
The key store (Key Store) 221 in the UFS controller 102 is equivalent to memory or registers inside the UFS controller and is used to store the first key issued by the TEE in the processor. In one possible implementation, this memory may further include an address register used to hold the storage address of the target random number, so that the UFS controller can fetch the target random number directly from the storage address held in the register in order to encrypt the target file.
The first storage module 231 in the dynamic random access memory 113 may be used to store the target random number.
The second storage module 232 in the dynamic random access memory 113 may be used to store the transfer request descriptor UTRD. It can be understood that the first storage module 231 and the second storage module 232 may be different storage areas in the same dynamic random access memory or two different dynamic random access memories, which is not specifically limited in the embodiments of this application.
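The random number generator 105 can generate variable parameters. The variable parameters include a first variable and a second variable: the first variable is used to identify the bit width of the second key, and the second variable is a random number of a preset fixed bit width or a number of a preset fixed bit width that identifies the file attributes of the target file, where the preset fixed bit width of the second variable is determined by the bit width of the third key. The second key is generated from the third key and the pre-stored first key through a derivation algorithm. The random number generator 105 may be a true random number generator.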
It should also be noted that the structure of the file encryption device shown in FIG. 2 is only one exemplary implementation in the embodiments of this application; the structure of the file encryption device in the embodiments of this application includes but is not limited to the above.
Based on the system architectures provided in FIG. 1C and FIG. 1D and the structure of the file encryption device provided in FIG. 2, and in combination with the file encryption method provided in this application, the technical problems raised in this application are analyzed and solved in detail below.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a file encryption method provided by an embodiment of this application. The method can be applied to the file encryption system architectures shown in FIG. 1C and FIG. 1D and to the file encryption device shown in FIG. 2, where the file encryption device 10 shown in FIG. 2 can be used to support and execute steps S301 to S306 of the method flow shown in FIG. 3.
Step S301: Send a first request to the universal flash storage host (UFS) controller through the processor.
Specifically, the processor sends a first request to the UFS controller, where the first request is used to request storage of the target file. It can be understood that the file management module in the processor can send the UFS controller the first request for storing the target file. For example, in this application the first request may be a UFS transport request (UFS Transport Protocol Transfer Request), that is, a UTP Transfer Request. Optionally, the first request may also be used to request encrypted storage of the target file.
Optionally, the target file is obtained through the UFS controller. It can be understood that, after receiving the first request, the UFS controller can obtain the target file identified or carried in the first request and encrypt it. The ways in which the UFS controller obtains the file may include the following. The UFS controller receives the target file sent by the file management module in the processor; for example, after creating the target file, the file management module sends it directly to the UFS controller. Alternatively, the UFS controller fetches the target file from the dynamic random access memory (that is, the temporary memory) according to the first request sent by the file management module in the processor, where the dynamic random access memory can be used to temporarily store the target file created by the file management module; for example, after creating the target file, the file management module stores it in the dynamic random access memory and sends the storage address to the UFS controller together with the first request, and the UFS controller obtains the target file according to that storage address.
Optionally, the processor generates the target random number and the descriptor of the target file when creating the target file. It can be understood that, when the file management module in the processor creates the target file, it can generate the target random number (Meta Data) and the transfer request descriptor UTRD of the target file. The target random number can correspond uniquely to the target file and serves as an identifier of the file's uniqueness; that is, different files have different random numbers. Encrypting the target file with a random number that corresponds uniquely to it therefore raises the encryption level of the target file and protects its information. In the embodiments of this application, the descriptor can be used to provide the data unit number (Data Unit Number, DUN) when the target file is encrypted. It should also be noted that a file has several kinds of descriptors (for example, a descriptor used for reading); different commands or requests correspond to different descriptors, that is, different types of descriptors correspond to different functions. The descriptor mentioned in this application can be understood as the UFS transport protocol transfer request descriptor (UTP Transfer Request Descriptor, UTRD). When the UFS controller receives the transfer request sent by the processor, it fetches the UTRD in order to carry out the command and/or function corresponding to that UTRD. Generating the target random number and the descriptor when the target file is created also ensures that different files have different random numbers and descriptors, which maintains the encryption level of the files and makes the encrypted target file harder for criminals to crack.
Optionally, the target random number is a random number of a file attribute, and the bit width of the target random number is one of the following: 128 bits, 192 bits, 256 bits, 512 bits. It should be noted that this application does not specifically limit the bit width of the target random number; for example, it may be 128, 192, 256 or 512 bits, and bit widths of other values are not excluded from being used for file encryption in the embodiments of this application. It can be understood that the target random number is used to encrypt the target file. Random numbers of different bit widths may use the same or different encryption algorithms in the encryption process; the wider the random number, the more complex the corresponding encryption algorithm may be, that is, the more involved the computation, the higher the security, and the better the file is protected.
Step S302: Obtain the target random number corresponding to the target file through the UFS controller.
Specifically, the target random number (Meta Data) corresponding to the target file is obtained through the UFS controller. In the embodiments of this application, the target random number is used together with the initial key during encryption to generate the file key used to encrypt the target file (that is, the second key in this application). Because the target file corresponds to exactly one target random number, a file key determined from the target random number is guaranteed to be unique. The UFS controller therefore needs to obtain the target random number before encrypting the file.
Step S303: Obtain the descriptor of the first request corresponding to the target file through the UFS controller.
Specifically, the descriptor of the first request corresponding to the target file is obtained through the UFS controller, where the descriptor includes a data unit number DUN. Referring to FIG. 4, FIG. 4 is a schematic structural diagram of a transfer request descriptor UTRD provided by an embodiment of this application. During encryption of the target file, the UFS controller needs to determine the initial encryption object of the target file from the DUN value in the transfer request descriptor UTRD (for example, as shown in rows DW1 and DW3 of FIG. 4). The target descriptor also includes the storage address of the storage command and so on (as shown in rows DW4 and DW5 of FIG. 4); the UFS controller can use this storage command to direct the encrypted storage operation on the target file.
It can be understood that the embodiments of this application do not specifically limit the order in which step S302 and step S303 are executed. For example, the target random number corresponding to the target file may be obtained first and the descriptor second, the descriptor may be obtained first and the target random number second, or the target random number and the descriptor may be obtained at the same time.
Optionally, the processor extends the descriptor with the target random number to obtain an extended descriptor, where the extended descriptor includes the target random number and the DUN, and the processor sends the extended descriptor to the dynamic random access memory. Obtaining the target random number corresponding to the target file through the UFS controller then includes: the UFS controller obtains the extended descriptor from the dynamic random access memory according to the first request, and obtains the target random number and the DUN from the extended descriptor. It can be understood that, for the UFS controller to encrypt the target file using the target random number, it must first obtain that target random number, and the target random number is generated by the file management module in the processor together with the descriptor. The UFS controller can therefore obtain the target random number by fetching the extended descriptor; this is one of the ways for the UFS controller to obtain the target random number under the JESD223D protocol. Referring to FIG. 5, FIG. 5 is a schematic structural diagram of an extended descriptor UTRD provided by an embodiment of this application. For example, as shown in FIG. 5, a 128-bit target random number occupies rows DW8-DW11 of the extended descriptor UTRD. It should be noted that when the bit width of the target random number increases, the number of rows of the extended descriptor UTRD increases accordingly. It can be understood that, when the file management module in the processor generates the target random number and the descriptor, it adds the target random number to the descriptor UTRD; that is, by extending the descriptor, the extended UTRD carries the target random number and is saved to the dynamic random access memory. The UFS controller can then obtain the target random number by fetching the extended descriptor and generate the key from it. This way of obtaining the key ensures that only the target random number appears in the file management module of the processor (that is, at the software level), while the root key (that is, the second key) is derived by hardware logic and is not perceived and/or obtained by software, which raises the security factor of the key.
Optionally, the processor sends the target random number to the dynamic random access memory; the processor extends the descriptor with the storage address of the target random number and the data length of the target random number to obtain an extended descriptor, where the extended descriptor includes the storage address of the target random number, the data length of the target random number, and the DUN; and the processor sends the extended descriptor to the dynamic random access memory. Obtaining the target random number corresponding to the target file through the UFS controller includes: the UFS controller obtains the extended descriptor from the dynamic random access memory according to the first request, determines the storage address of the target random number in the extended descriptor, and obtains the target random number from that storage address. Obtaining the descriptor of the first request corresponding to the target file through the UFS controller includes: the UFS controller obtains the DUN from the extended descriptor.
It can be understood that, after generating the target random number and storing it in the dynamic random access memory, the file management module in the processor can add the storage address and the data length of the target random number to the descriptor UTRD. That is, by extending the descriptor, the extended UTRD carries the storage address and data length of the target random number, the UFS controller can obtain the target random number through that storage address and data length, and the DUN value can also be obtained from the extended descriptor. For example, the extension may add two rows, DW8 and DW9, to the descriptor shown in FIG. 4: row DW8 can be added in the form of row DW4 and contains the storage address of the target random number, and row DW9 can be added in the form of row DW5 and contains the data length of the target random number. Under the JESD223D protocol, the UFS controller can therefore obtain the target random number by reading the storage address in the extended descriptor. Obtaining the target random number in this way and then generating the key from it also ensures that only the target random number appears in the file management module of the processor (that is, at the software level), while the root key (that is, the second key) is derived from the first key by hardware logic and is not perceived or obtained by software. This raises the security factor of the key and greatly reduces the risk of criminals stealing the key and then cracking the file.
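The two descriptor extensions described above, as an added Python model that is not part of the patent: it places the DUN in DW1/DW3, the command address in DW4/DW5, and either the Meta Data from DW8 onward or its address and length in DW8/DW9. The little-endian packing, the low/high split of the 64-bit fields, the function names and the DRAM window are assumptions made for illustration.

```python
import struct

BASE_DWORDS = 8                       # DW0-DW7 of the unextended UTRD (FIG. 4)
BASE_BYTES = BASE_DWORDS * 4
ALLOWED_META_LEN = (16, 24, 32, 64)   # 128/192/256/512-bit Meta Data, in bytes


def base_dwords(dun, cmd_addr):
    """DW0-DW7 with only the fields the text names filled in."""
    if not (0 <= dun < 1 << 64 and 0 <= cmd_addr < 1 << 64):
        raise ValueError("DUN and command address must fit in 64 bits")
    dw = [0] * BASE_DWORDS
    dw[1], dw[3] = dun & 0xFFFFFFFF, dun >> 32            # assumed: low half in DW1
    dw[4], dw[5] = cmd_addr & 0xFFFFFFFF, cmd_addr >> 32  # assumed: low half in DW4
    return dw


def build_inline(dun, cmd_addr, meta):
    """Host side, first variant: Meta Data carried in the descriptor from DW8."""
    if len(meta) not in ALLOWED_META_LEN:
        raise ValueError("unsupported Meta Data width")
    return struct.pack("<8I", *base_dwords(dun, cmd_addr)) + bytes(meta)


def build_pointer(dun, cmd_addr, meta_addr, meta_len):
    """Host side, second variant: DW8 = Meta Data address, DW9 = its length."""
    if not (0 <= meta_addr < 1 << 32 and 0 <= meta_len < 1 << 32):
        raise ValueError("DW8/DW9 hold 32-bit values in this model")
    return struct.pack("<10I", *base_dwords(dun, cmd_addr), meta_addr, meta_len)


def parse_base(utrd):
    dw = struct.unpack_from("<8I", utrd)
    return {"dun": dw[1] | (dw[3] << 32), "cmd_addr": dw[4] | (dw[5] << 32)}


def parse_inline(utrd):
    """Controller side: accept only descriptors whose tail is a legal Meta Data."""
    if len(utrd) - BASE_BYTES not in ALLOWED_META_LEN:
        raise ValueError("descriptor length does not match any Meta Data width")
    fields = parse_base(utrd)
    fields["meta"] = bytes(utrd[BASE_BYTES:])
    return fields


def parse_pointer(utrd, dram, dram_base):
    """Controller side: follow DW8/DW9 only if the range lies inside DRAM."""
    if len(utrd) != (BASE_DWORDS + 2) * 4:
        raise ValueError("expected a 10-DWORD extended descriptor")
    addr, length = struct.unpack_from("<2I", utrd, BASE_BYTES)
    if length not in ALLOWED_META_LEN:
        raise ValueError("unsupported Meta Data length in DW9")
    offset = addr - dram_base
    if offset < 0 or offset + length > len(dram):
        raise ValueError("Meta Data range falls outside the DRAM window")
    fields = parse_base(utrd)
    fields["meta"] = bytes(dram[offset:offset + length])
    return fields


def demo():
    meta = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    dram_base = 0x80000000                                    # constructed window
    dram = bytearray(256)
    dram[0x40:0x50] = meta
    inline = parse_inline(build_inline(0x0000000100000002, 0x1000, meta))
    pointer = parse_pointer(
        build_pointer(0x0000000100000002, 0x1000, dram_base + 0x40, len(meta)),
        dram, dram_base)
    return inline, pointer
```

Because the descriptor is written by software, the controller-side parsers reject a length or address that does not describe a legal Meta Data value before anything is fed into key derivation.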
Optionally, the processor sends the descriptor to the dynamic random access memory, and the processor sends the storage address of the target random number to the address register in the UFS controller. Obtaining the target random number corresponding to the target file through the UFS controller includes: the UFS controller obtains the descriptor from the dynamic random access memory according to the first request, and obtains the target random number according to the storage address of the target random number held in the address register in the UFS controller. It can be understood that, for the UFS controller to encrypt the target file using the target random number, it must first obtain that target random number, and the target random number is generated by the file management module in the processor together with the descriptor. Therefore, besides obtaining the target random number by fetching the extended descriptor, the UFS controller can also receive the storage address of the target random number that the file management module sends directly to the address register of the key store, and obtain the target random number from that storage address. That is, with the IO Memory/Register Space of the extended protocol, an Address register for the Meta Data (target random number) can be added to the Register Space (key store) of the UFS controller; for the implementation, refer to the UTRLBA/UTRLBAU registers section of the protocol. It can also be understood that the processor sends the target random number to the dynamic random access memory for storage.
For example, when the UFS controller receives a UTP Transfer Request (the first request), it reads the storage address of the Meta Data from the Address register and then obtains the Meta Data from that storage address. The UFS controller can also, on receiving a UTP Transfer Request (the first request), read the descriptor UTRD from the Memory Space (memory) through the UTRLBA/UTRLBAU registers. In this method the file management module sends the target random number directly to the UFS controller, and the UFS controller generates the encryption key from it. This also ensures that only the target random number appears in the file management module of the processor (that is, at the software level), while the first key exists only in the trusted execution environment TEE and the UFS controller, which raises the security factor of the key. In summary, the embodiments of this application can obtain the target random number in at least three ways and then generate the key from the obtained target random number. This ensures that the key exists only in hardware and never appears at the software level, where only the target random number is kept, which greatly reduces the risk of key leakage and raises the encryption level of the target file. This way of obtaining the target random number also does not affect the storage efficiency of the target file, which saves resources.
Step S304: Generate, through the UFS controller, the second key corresponding to the target file from the target random number and the pre-stored first key.
Specifically, the UFS controller generates the second key corresponding to the target file from the target random number and the pre-stored first key, where the first key is the initial key configured in hardware and the second key is the key used to encrypt the target file. Generating the file key from the combination of a random number and the initial key guarantees one key per file and raises the security factor of the encrypted target file. It should be noted that the pre-stored first key, the Class Key (that is, the initial key), is configured into the Key Store of the UFS controller at one time by the trusted execution environment TEE in the processor after the system is powered on or when the UFS controller is initialized. The embodiments of this application thus avoid frequent interaction between the trusted execution environment TEE and the UFS controller while generating, from the target random number and the first key, the second key used for file encryption. This achieves one key per file, so the possibility of being broken is almost zero; it raises the security factor of the file key, greatly reduces the possibility of being broken, and also improves efficiency.
It can be understood that the first key is sent to the UFS controller by the TEE, but once stored in the UFS controller it cannot be read by software, and the second key is derived from the first key. Therefore, of the material used for file encryption, only the target random number appears in the file management module (the software level), while the first key exists only in the TEE and the UFSHC, which raises the security factor. The hardware in the embodiments of this application can thus implement the key system of the security certification (Protection Profile for Mobile Device, MDPP) 3.0.
Optionally, before the second key is generated, variable parameters can also be generated by the random number generator, where the variable parameters are used to generate the second key. Generating, through the UFS controller, the second key corresponding to the target file from the target random number and the pre-stored first key then includes: the UFS controller generates a third key from the target random number and the variable parameters, where the variable parameters include a first variable and a second variable, the first variable is used to identify the bit width of the second key, the second variable is a random number of a preset fixed bit width or a number of a preset fixed bit width that identifies the file attributes of the target file, and the preset fixed bit width of the second variable is determined by the bit width of the third key; and the UFS controller generates the second key from the third key and the pre-stored first key through a derivation algorithm.
It can be understood that the third key is generated from the target random number, the first variable parameter and the second variable parameter, and that this third key uniquely corresponds to the target file; the second key generated from the third key and the pre-stored first key is therefore also unique. This one-key-per-file encryption greatly raises the encryption level of the file and reduces the risk of the file being stolen. For example, refer to FIG. 6, which is a schematic diagram of a file encryption algorithm framework applied within a UFS controller according to an embodiment of this application. As shown in FIG. 6, the third key Fix Data may be generated by the root key module fix data GEN from the target random number, the first variable L and the second variable label. That is, Fix data Gen has three input variables, Mata Data, label and L, and outputs a third key Fix Data of fixed bit width. The variable L is a value representing the fixed bit width of the third key. The variable Label may be randomly generated by the hardware random number generator trng, may represent an attribute of the target file, and may also be a value of fixed bit width. For example, the third key may be obtained by directly concatenating the three variables Mata Data, label and L. In one possible implementation, the specific algorithm for generating the third key Fix Data may follow NIST Special Publication 800-108, which is not described further here.
It can further be understood that after the third key is generated, the UFS controller still needs to generate the second key used for file encryption from the third key and the pre-stored first key through a derivation algorithm. The second key is derived by hardware logic and cannot be perceived or obtained by software, which reduces the risk of it being stolen by malicious parties. The derivation algorithm (Key Derivation Function, KDF), which may also be called a key derivation function, may be one of the following algorithms: a CMAC algorithm, an HMAC algorithm, and so on. For example, as shown in FIG. 6, the second key FEK may be generated by the key derivation module NIST-KDF from the third key Fix Data and the first key Class Key, and the derivation algorithm used is a 256-bit CMAC algorithm. The bit width of the second key FEK is determined by the third key Fix Data and the first key Class Key. In one possible implementation, the specific algorithm for generating the second key FEK may follow NIST Special Publication 800-108, which is not described further here.
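The two-stage derivation described above (Fix Data built from Mata Data, label and L, then FEK derived from Fix Data under the Class Key) can be sketched as an SP 800-108 counter-mode KDF. This is an added example, not code from the patent: it uses HMAC-SHA-256 as the PRF (the text lists HMAC as a permitted KDF; FIG. 6 uses CMAC), and the field layout `Label || 0x00 || Context || [L]`, the mapping of Mata Data to Context, and all function names and sample keys are assumptions.

```python
"""SP 800-108 counter-mode KDF sketch for per-file key (FEK) derivation."""
import hashlib
import hmac
import secrets
import struct

# Bit widths the text allows for the target random number (Mata Data).
ALLOWED_NONCE_BITS = (128, 192, 256, 512)
H_LEN = hashlib.sha256().digest_size  # PRF output length in bytes

# Constructed sample Class Key. In the scheme described above it is held in
# the controller's Key Store and never visible to software.
CLASS_KEY = bytes(range(32))


def new_file_nonce(bits: int = 256) -> bytes:
    """Per-file target random number, generated when the file is created."""
    if bits not in ALLOWED_NONCE_BITS:
        raise ValueError("unsupported random number width")
    return secrets.token_bytes(bits // 8)


def build_fix_data(meta_data: bytes, label: bytes, out_bits: int) -> bytes:
    """Fix Data = Label || 0x00 || Context || [L]_32 (assumed SP 800-108 layout).

    Context is the per-file random number; L is the requested key width.
    """
    if len(meta_data) * 8 not in ALLOWED_NONCE_BITS:
        raise ValueError("target random number must be 128/192/256/512 bits")
    if out_bits <= 0 or out_bits % 8:
        raise ValueError("out_bits must be a positive multiple of 8")
    return label + b"\x00" + meta_data + struct.pack(">I", out_bits)


def kdf_counter(class_key: bytes, fix_data: bytes, out_bits: int) -> bytes:
    """K(i) = PRF(class_key, [i]_32 || fix_data), concatenated and truncated."""
    blocks = -(-out_bits // (8 * H_LEN))  # ceiling division
    okm = b"".join(
        hmac.new(class_key, struct.pack(">I", i) + fix_data,
                 hashlib.sha256).digest()
        for i in range(1, blocks + 1)
    )
    return okm[: out_bits // 8]


def derive_fek(class_key: bytes, meta_data: bytes,
               label: bytes = b"FEK", out_bits: int = 256) -> bytes:
    """Derive the file encryption key for one file."""
    fix_data = build_fix_data(meta_data, label, out_bits)
    return kdf_counter(class_key, fix_data, out_bits)


if __name__ == "__main__":
    nonce_a, nonce_b = new_file_nonce(), new_file_nonce()
    fek_a = derive_fek(CLASS_KEY, nonce_a)
    fek_b = derive_fek(CLASS_KEY, nonce_b)
    # Same Class Key, different per-file random numbers: different FEKs.
    print("file A FEK:", fek_a.hex())
    print("file B FEK:", fek_b.hex())
    # Read path: only the stored random number is needed to re-derive the FEK.
    print("re-derived matches:", derive_fek(CLASS_KEY, nonce_a) == fek_a)
```

Because L is part of the fixed input, asking for a 512-bit key does not simply extend the 256-bit one; the two outputs are unrelated.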
Step S305: The UFS controller encrypts the target file according to the second key to obtain the encrypted target file.
Specifically, the UFS controller encrypts the target file according to the second key to obtain the encrypted target file. In this embodiment, once the second key uniquely corresponding to the target file has been obtained, the target file can be encrypted with that key by an encryption algorithm and then saved. The encryption algorithm may be a symmetric encryption algorithm; for example, it may include at least one of the following: Advanced Encryption Standard (AES), Data Encryption Standard Lightweight Extension (DESL), International Data Encryption Algorithm (IDEA), and so on.
Optionally, encrypting the target file by the UFS controller according to the second key to obtain the encrypted target file includes: dividing, by the UFS controller, the target file into multiple file data blocks; and, starting from the file data block among them that corresponds to the DUN, encrypting the file data blocks in sequence according to the second key to obtain the encrypted target file. It can be understood that this embodiment may divide the target file into multiple groups of file data blocks and then encrypt the target file with the block cipher of the Advanced Encryption Standard. The block length of this cipher may be 128 bits, and the key length may be 128, 192 or 256 bits, which can greatly improve the efficiency of encrypted file storage and also raise the encryption level of the file. The size of a file block may be 128 bits, 256 bits, and so on, which is not limited in this embodiment. For example, as shown in FIG. 6, plaintext[j] is the plaintext data of the j-th block, with a size of 128 bits. i is the tweak (adjustment) parameter: in the encryption engine of the UFS controller, the tweak parameter of the first block is initialized from the DUN value in the UTRD, and the tweak parameters of subsequent blocks are compensated and adjusted based on the DUN value in the first UTRD. a[j] is the computed component associated with block[j]. Cipher Text[j] is the ciphertext obtained by encrypting the plaintext of the j-th block. AES-ENC (the AES128 block encryption algorithm) and AES-DEC (the AES128 block decryption algorithm) in FIG. 6 serve as the basic encryption unit and basic decryption unit for encrypting and decrypting the target file. After the UFS controller fetches file data of a predetermined length (for example, 128 bits) from DRAM (that is, plaintext[j] in FIG. 6), it encrypts the data using FEK as the file key together with the input parameters such as i, stores the result in the memory, and finally notifies the file management module in the processor that storage is complete.
Step S306: The memory stores the encrypted target file.
Specifically, the encrypted target file is stored by the memory: the data is stored in the memory after encryption, and the file management module in the processor is then notified that storage is complete. It can be understood that the memory may be a solid-state drive, UFS flash memory (UFS Flash), solid-state memory, and so on, of the smart terminal, so that the target file is effectively preserved after the smart terminal encrypts it.
Optionally, the processor sends a second request to the UFS controller, the second request being used to request reading of the encrypted target file; according to the second request, the UFS controller obtains the second key corresponding to the target file, decrypts the encrypted target file with the second key, and reads it. It can be understood that when the UFS controller receives a request to read an encrypted file, it can read and decrypt the encrypted file using the second key derived according to that read request. The target file can be read only when the second key is available, which helps keep the target file confidential. The second key is also derived by hardware logic and cannot be perceived or obtained by software, which reduces the risk of it being stolen by malicious parties. For example, after the ufshc reads data of a predetermined length from a specified address in the ufs device (matching the predetermined length used when the file was encrypted), it decrypts the data using FEK as the file key together with the input parameters such as i, stores the result at a specified address in DRAM, and finally notifies the file management module in the processor that the read is complete.
In this embodiment, the UFS controller obtains the random number corresponding to the target file through the first request sent by the processor, generates the second key from that random number and the pre-stored first key, and finally encrypts the target file with the second key. First, when different files are encrypted, different file keys (second keys) can be generated from the same initial key (first key) by using the different random numbers corresponding to the different files, and each file is then encrypted with its own file key, so that every file has a unique corresponding file key. Because the keys used for file encryption differ between files, encrypted files are not easily broken after they are stored, which would otherwise leak information; this greatly raises the encryption level of the files. Second, every file encryption can use a different random number on top of the same initial key to generate the file key, which avoids having the TEE refresh the initial key too frequently in order to raise the encryption level, something that would make encrypted file storage inefficient and waste resources. Third, because the UFS controller first obtains the target random number and then generates the file encryption key from it, the encryption key exists only at the hardware level: the second key is derived by hardware logic and is not perceived or obtained by software. The security level of the key is therefore greatly increased, one key per file is achieved, the possibility of the key being broken is almost zero, and the encryption level of the target file is raised. Finally, the chip implementation keeps the functions of the TEE and the file management module isolated, giving the best security performance without affecting file storage efficiency.
The methods of the embodiments of this application are described in detail above; the related apparatuses of the embodiments are described below.
Refer to FIG. 7, which is a schematic structural diagram of another file encryption apparatus according to an embodiment of this application. The file encryption apparatus 20 may include a first sending unit 701, a first obtaining unit 702, a key unit 703 and an encryption unit 704, and may further include a second obtaining unit 705, a third obtaining unit 706, a first generating unit 707, a first extension unit 708, a second sending unit 709, a third sending unit 710, a second extension unit 711, a third sending unit 7122, a fourth sending unit 713, a second generating unit 714, a fifth sending unit 715, a first storage unit 716, a second storage unit 717 and a decryption unit 718. Each unit is described in detail below.
A first sending unit 701, configured to send, through the processor, a first request to the Universal Flash Storage (UFS) host controller, where the first request is used to request storage of the target file;
A first obtaining unit 702, configured to obtain, through the UFS controller, the target random number corresponding to the target file;
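A key unit 703, configured to generate, through the UFS controller, the second key corresponding to the target file according to the target random number and the pre-stored first key;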
An encryption unit 704, configured to encrypt, through the UFS controller, the target file according to the second key to obtain the encrypted target file.
In a possible implementation, the apparatus further includes a second obtaining unit 705, configured to obtain the target file through the UFS controller.
In a possible implementation, the apparatus further includes a third obtaining unit 706, configured to obtain, through the UFS controller, the descriptor of the first request corresponding to the target file, where the descriptor includes a data unit number (DUN). The encryption unit 704 is specifically configured to: divide, through the UFS controller, the target file into multiple file data blocks; and, starting from the file data block among them that corresponds to the DUN, encrypt the file data blocks in sequence through the UFS controller according to the second key to obtain the encrypted target file.
In a possible implementation, the apparatus further includes a first generating unit 707, configured to generate, through the processor, the target random number and the descriptor of the target file when the target file is created.
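In a possible implementation, the apparatus further includes: a first extension unit 708, configured to extend, through the processor, the descriptor according to the target random number to obtain an extended descriptor, where the extended descriptor includes the target random number and the DUN; and a second sending unit 709, configured to send, through the processor, the extended descriptor to a dynamic random access memory. The first obtaining unit 702 is specifically configured to: obtain, through the UFS controller and according to the first request, the extended descriptor from the dynamic random access memory; and obtain, through the UFS controller, the target random number and the DUN from the extended descriptor.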
In a possible implementation, the apparatus further includes: a third sending unit 710, configured to send, through the processor, the target random number to a dynamic random access memory; a second extension unit 711, configured to extend, through the processor, the descriptor according to the storage address of the target random number and the data length of the target random number to obtain an extended descriptor, where the extended descriptor includes the storage address of the target random number, the data length of the target random number, and the DUN; and a third sending unit 712, configured to send, through the processor, the extended descriptor to the dynamic random access memory. The first obtaining unit 702 is specifically configured to: obtain, through the UFS controller and according to the first request, the extended descriptor from the dynamic random access memory; and determine, through the UFS controller, the storage address of the target random number in the extended descriptor and obtain the target random number according to that storage address. The third obtaining unit 706 is specifically configured to obtain, through the UFS controller, the DUN from the extended descriptor.
In a possible implementation, the apparatus further includes a fourth sending unit 713, configured to send, through the processor, the descriptor to a dynamic random access memory, and to send, through the processor, the storage address of the target random number to an address register in the UFS controller. The first obtaining unit 702 is specifically configured to: obtain, through the UFS controller and according to the first request, the descriptor from the dynamic random access memory; and obtain, through the UFS controller, the target random number according to the storage address of the target random number held in the address register in the UFS controller.
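In a possible implementation, the apparatus further includes a second generating unit 714, configured to generate a variable parameter through a random number generator, the variable parameter being used to generate the second key. The key unit 703 is specifically configured to: generate, through the UFS controller, a third key according to the target random number and the variable parameter, where the variable parameter includes a first variable and a second variable, the first variable identifies the bit width of the second key, and the second variable is either a random number of a preset fixed bit width or a number of a preset fixed bit width that identifies a file attribute of the target file, the preset fixed bit width of the second variable being determined by the bit width of the third key; and generate, through the UFS controller, the second key from the third key and the pre-stored first key through a derivation algorithm.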
In a possible implementation, the target random number is a random number of a file attribute, and the bit width of the target random number is one of the following: 128 bits, 192 bits, 256 bits, or 512 bits.
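In a possible implementation, the apparatus further includes: a first storage unit 715, configured to store, through the UFS controller, the encrypted target file in the memory; and a second storage unit 716, configured to store the encrypted target file through the memory.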
In a possible implementation, the apparatus further includes: a fifth sending unit 717, configured to send, through the processor, a second request to the UFS controller, where the second request is used to request reading of the encrypted target file; and a decryption unit 718, configured to obtain, through the UFS controller and according to the second request, the second key corresponding to the target file, and to decrypt the encrypted target file according to the second key and read it.
Note that for the functions of the functional units in the file encryption apparatus 20 described in this embodiment, refer to the descriptions of steps S301 to S306 in the method embodiment of FIG. 3 above; they are not repeated here.
FIG. 8 is a schematic structural diagram of yet another file encryption apparatus according to an embodiment of this application. The apparatus 30 includes at least one processor 801, at least one memory 802, and at least one UFS controller 803. The device may also include general components such as an antenna, which are not described in detail here.
The processor 801 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the above solutions.
The UFS controller 803 may be a solid-state drive and is composed of a control unit and a storage unit.
The memory 802 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and so on), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through a bus, or it may be integrated with the processor.
The memory 802 is used to store the application code that executes the above solutions, with execution controlled by the processor 801 and the UFS controller 803. The processor 801 and the UFS controller 803 are used to execute the application code stored in the memory 802.
The code stored in the memory 802 can execute the file encryption method of FIG. 3 above, for example: sending, through the processor, a first request to the Universal Flash Storage (UFS) host controller, where the first request is used to request storage of the target file; obtaining, through the UFS controller, the target random number corresponding to the target file; generating, through the UFS controller, the second key corresponding to the target file according to the target random number and the pre-stored first key; and encrypting, through the UFS controller, the target file according to the second key to obtain the encrypted target file.
Note that for the functions of the functional units in the file encryption apparatus 30 described in this embodiment, refer to the descriptions of steps S301 to S306 in the method embodiment of FIG. 3 above; they are not repeated here.
In the above embodiments, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
Note that, for simplicity of description, the foregoing method embodiments are each expressed as a series of combined actions, but those skilled in the art should understand that this application is not limited by the described order of actions, because according to this application certain steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into the above units is only a division by logical function, and other divisions are possible in an actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical or take another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, and so on, and specifically may be a processor in the computer device) to perform all or some of the steps of the above methods of the embodiments of this application. The storage medium may include any medium that can store program code, such as a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, a read-only memory (ROM), or a random access memory (RAM).
As stated above, the foregoing embodiments are intended only to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.
Claims (22)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201911343064.0A CN113094718A (en) | 2019-12-23 | 2019-12-23 | File encryption method and related device | 
| PCT/CN2020/137923 WO2021129557A1 (en) | 2019-12-23 | 2020-12-21 | File encryption method and related apparatus | 
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201911343064.0A CN113094718A (en) | 2019-12-23 | 2019-12-23 | File encryption method and related device | 
Publications (1)
| Publication Number | Publication Date | 
|---|---|
| CN113094718A (en) | 2021-07-09 | 
Family
ID=76575203
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN201911343064.0A Pending CN113094718A (en) | 2019-12-23 | 2019-12-23 | File encryption method and related device | 
Country Status (2)
| Country | Link | 
|---|---|
| CN (1) | CN113094718A (en) | 
| WO (1) | WO2021129557A1 (en) | 
- 2019
  - 2019-12-23 CN CN201911343064.0A patent/CN113094718A/en active Pending
- 2020
  - 2020-12-21 WO PCT/CN2020/137923 patent/WO2021129557A1/en not_active Ceased
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN104184586A (en) * | 2013-05-20 | 2014-12-03 | 硅工厂股份有限公司 | Method of generating message authentication code and authentication device and authentication request device using the method | 
| CN110023941A (en) * | 2016-12-29 | 2019-07-16 | 华为技术有限公司 | A system-on-chip and method for implementing secure operating system switching | 
| US20190034106A1 (en) * | 2017-07-27 | 2019-01-31 | Qualcomm Incorporated | Power down mode for universal flash storage (ufs) | 
| US20200401333A1 (en) * | 2017-07-27 | 2020-12-24 | Qualcomm Incorporated | Power down mode for universal flash storage (ufs) | 
| CN110046506A (en) * | 2017-12-27 | 2019-07-23 | 三星电子株式会社 | Store equipment and including the storage system for storing equipment and the method operated using it | 
| CN110110548A (en) * | 2019-04-12 | 2019-08-09 | 深圳市中易通安全芯科技有限公司 | The correlation technique that file encryption stores under credible performing environment based on encryption chip | 
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN113722745A (en) * | 2021-07-13 | 2021-11-30 | 苏州柯里特信息科技有限公司 | eCTD universal technology document submission management method and system | 
| CN113722745B (en) * | 2021-07-13 | 2024-02-06 | 苏州柯里特信息科技有限公司 | eCTD general technical document submitting management method and system | 
| CN114357506A (en) * | 2021-12-21 | 2022-04-15 | 浪潮金融信息技术有限公司 | A file encryption method, system and medium for Android system | 
| CN114826696A (en) * | 2022-04-08 | 2022-07-29 | 中国电子科技集团公司第三十研究所 | File content hierarchical sharing method, device, equipment and medium | 
| CN114826696B (en) * | 2022-04-08 | 2023-05-09 | 中国电子科技集团公司第三十研究所 | File content hierarchical sharing method, device, equipment and medium | 
| CN115599025A (en) * | 2022-12-12 | 2023-01-13 | 南京芯驰半导体科技有限公司(Cn) | Resource grouping control system, method and storage medium of chip array | 
| CN115599025B (en) * | 2022-12-12 | 2023-03-03 | 南京芯驰半导体科技有限公司 | Resource grouping control system, method and storage medium of chip array | 
| CN116881934A (en) * | 2023-06-05 | 2023-10-13 | 珠海妙存科技有限公司 | Encryption and decryption method, system and device for data and storage medium | 
| CN116881934B (en) * | 2023-06-05 | 2024-02-23 | 珠海妙存科技有限公司 | Encryption and decryption method, system and device for data and storage medium | 
Also Published As
| Publication number | Publication date | 
|---|---|
| WO2021129557A1 (en) | 2021-07-01 | 
Similar Documents
| Publication | Publication Date | Title | 
|---|---|---|
| CN113094718A (en) | | File encryption method and related device |
| WO2021114891A1 (en) | | Key encryption method and decryption method, and, data encryption method and decryption method |
| CN107689869B (en) | | User password management method and server |
| US11308241B2 (en) | | Security data generation based upon software unreadable registers |
| CN102355350B (en) | | A kind of file encrypting method for mobile intelligent terminal and system |
| EP3337088B1 (en) | | Data encryption method, decryption method, apparatus, and system |
| CN106301774A (en) | | Safety chip, its encryption key generate method and encryption method |
| CN113346998B (en) | | Key update and file sharing method, device, device, and computer storage medium |
| CN105577379A (en) | | An information processing method and device |
| CN107078904A (en) | | Hybrid cryptographic key derivation |
| JP2017538353A (en) | | Method and apparatus for encrypting / decrypting data on a mobile terminal |
| CN107612683A (en) | | A kind of encipher-decipher method, device, system, equipment and storage medium |
| CN108574567A (en) | | Privacy file protection and encryption key management system and method, information processing terminal |
| US8751819B1 (en) | | Systems and methods for encoding data |
| WO2019214069A1 (en) | | Method and apparatus for encrypted user communication on blockchain, and terminal device and storage medium |
| US11902428B2 (en) | | Key exchange system, communication apparatus, key exchange method and program |
| US20200076591A1 (en) | | Systems and Methods for Automated Generation and Update of Cipher Parameters |
| WO2023051337A1 (en) | | Data processing method and apparatus, and device and storage medium |
| EP3848837B1 (en) | | Storage controller and file processing method, apparatus, and system |
| CN106257858A (en) | | The data ciphering method of a kind of remote storage device, Apparatus and system |
| CN115022057A (en) | | Security authentication method, device and device, and storage medium |
| US9712324B2 (en) | | Methods and apparatuses for reducing or eliminating unauthorized access to tethered data |
| WO2018054144A1 (en) | | Method, apparatus, device and system for dynamically generating symmetric key |
| US20130198528A1 (en) | | Modifying a Length of an Element to Form an Encryption Key |
| CN115834053A (en) | | A key distribution method, device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20210709 |