2. Overview

2.1. Overview

CIPHER is the security algorithm module provided by the CVITEK digital media processing platform. It provides the symmetric encryption and decryption algorithms AES / DES / SM4, the asymmetric encryption and decryption algorithm RSA (Note SW), random number generation, and the digest algorithms HASH and HMAC. It is mainly used to protect audio and video streams by encryption and decryption, to authenticate user legitimacy, and in similar scenarios. The functions are divided as follows:

Symmetric Encryption and Decryption Algorithm

  • AES: supports ECB/CBC/CTR/CCM/GCM and other working modes. In CCM / GCM mode, the tag value needs to be obtained once after encryption and decryption.

  • DES: supports ECB/CBC/CTR/CFB/OFB and other working modes. The bit width of CFB and OFB mode can be 1 / 8 / 64.

  • SM4: supports ECB/CBC/CTR and other working modes.

Except for CTR/CCM/GCM, the data length for the above algorithms and modes must be aligned to the block size; for CCM/GCM, N and A must be encapsulated by software into block-size-aligned data blocks according to the standard.
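Added example, not CVITEK code: one way software can encapsulate N and A for CCM, assuming "the standard" means the formatting in NIST SP 800-38C Appendix A. The names ccm_format_b0 and ccm_format_aad are hypothetical, only the 2-byte length form of A is handled, GCM is not covered, and passing the blocks to the driver is not shown because the page does not give that interface.

```c
/* Added example: CCM input formatting per NIST SP 800-38C, Appendix A. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLK 16u  /* AES block size in bytes */

/* B0 = flags || N || Q, where Q is the payload length on q = 15 - n_len bytes. */
int ccm_format_b0(uint8_t b0[BLK], const uint8_t *n, size_t n_len,
                  size_t a_len, size_t tag_len, uint64_t p_len)
{
    if (n_len < 7 || n_len > 13) return -1;
    if (tag_len < 4 || tag_len > 16 || (tag_len & 1)) return -1;
    size_t q = 15 - n_len;                           /* 2..8 */
    if (q < 8 && (p_len >> (8 * q)) != 0) return -1; /* payload too long for q */
    b0[0] = (uint8_t)((a_len ? 0x40 : 0) | (((tag_len - 2) / 2) << 3) | (q - 1));
    memcpy(b0 + 1, n, n_len);
    for (size_t i = 0; i < q; i++)                   /* big-endian length */
        b0[15 - i] = (uint8_t)(p_len >> (8 * i));
    return 0;
}

/* A -> [2-byte big-endian length || A || zero padding] (short form only).
 * Returns bytes written (multiple of 16), 0 when there is no A, -1 on error. */
long ccm_format_aad(uint8_t *out, size_t cap, const uint8_t *a, size_t a_len)
{
    if (a_len == 0) return 0;
    if (a_len >= 0xFF00u) return -1;                 /* 6/10-byte forms omitted */
    size_t total = (2 + a_len + BLK - 1) / BLK * BLK;
    if (total > cap) return -1;
    memset(out, 0, total);
    out[0] = (uint8_t)(a_len >> 8); out[1] = (uint8_t)a_len;
    memcpy(out + 2, a, a_len);
    return (long)total;
}

int main(void)
{
    /* RFC 3610 packet vector #1: 13-byte nonce, 8-byte A, 23-byte payload, 8-byte tag */
    const uint8_t n[13] = {0x00,0x00,0x00,0x03,0x02,0x01,0x00,0xA0,0xA1,0xA2,0xA3,0xA4,0xA5};
    const uint8_t a[8] = {0, 1, 2, 3, 4, 5, 6, 7};
    uint8_t b0[BLK], aad[32];
    if (ccm_format_b0(b0, n, sizeof n, sizeof a, 8, 23) != 0) return 1;
    long alen = ccm_format_aad(aad, sizeof aad, a, sizeof a);
    for (size_t i = 0; i < BLK; i++) printf("%02X", b0[i]);
    printf("  aad_len=%ld\n", alen);
    return 0;
}
```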

Asymmetric Encryption and Decryption Algorithm

  • RSA (Note SW): supports key bit width 1024/2048/3072/4096

RSA keys of width 1024 and below are known in the industry to be insecure and should not be used.

Random Number Generation

  • RNG: get random numbers at a high rate.

Digest Algorithm

  • HASH: supports SHA1/SHA2/SHA512/SM3 (Note SW);

  • HMAC: supports HMAC1/HMAC224/HMAC256/HMAC384/HMAC512 (Note SW);

The SHA1 algorithm is less secure and cannot be used in scenarios where it is involved in generating “digital signatures”; the SHA2 (256 bits and above) algorithm is recommended.

2.2. Use Process

2.2.1. Single Packet Data Encryption and Decryption

Scene Description

When there is a piece of stream data in physical memory that needs to be encrypted/decrypted, the CIPHER module is called at the user level to encrypt/decrypt the single packet data after obtaining its physical address.

Working Process

The process of AES / DES / SM4 symmetric encryption and decryption is as follows:

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : get the CIPHER handle, call interface CVI_UNF_CIPHER_CreateHandle to complete.

Step 3 : configure the CIPHER control information, including key, initial vector, encryption algorithm, working mode and other information, call interface CVI_UNF_CIPHER_ConfigHandle or CVI_UNF_CIPHER_ConfigHandleEx to complete.

Step 4 : encrypt / decrypt the data. Call any of the following interfaces for encryption and decryption.

  • Single packet encryption, CVI_UNF_CIPHER_Encrypt

  • Single packet decryption, CVI_UNF_CIPHER_Decrypt

Step 5 : if CCM and GCM (Note SW) modes are used, call interface CVI_UNF_CIPHER_GetTag to get the TAG value.

Step 6 : destroy the CIPHER handle, call interface CVI_UNF_CIPHER_DestroyHandle to complete.

Step 7 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note

2.2.2. Multi Packet Data Encryption and Decryption

Scene Description

When there are multiple streams of data in physical memory that need to be encrypted/decrypted, the CIPHER module is called at the user level to encrypt/decrypt multiple packets of data after obtaining their physical addresses.

Working Process

The process of AES / DES / SM4 symmetric encryption and decryption is as follows:

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : get the CIPHER handle, call interface CVI_UNF_CIPHER_CreateHandle to complete.

Step 3 : configure the CIPHER control information, including key, initial vector, encryption algorithm, working mode and other information, call interface CVI_UNF_CIPHER_ConfigHandle or CVI_UNF_CIPHER_ConfigHandleEx to complete.

Step 4 : encrypt / decrypt the data. Call any of the following interfaces for encryption and decryption.

  • Multi packet encryption, CVI_UNF_CIPHER_EncryptMulti

  • Multi packet decryption, CVI_UNF_CIPHER_DecryptMulti

Step 5 : destroy the CIPHER handle, call interface CVI_UNF_CIPHER_DestroyHandle to complete.

Step 6 : shut down CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note

2.2.3. HASH Calculation

Scene Description

Calculate the HASH value of data. The algorithm can be SHA1/SHA2/SHA512/SM3 (Note SW).

Working Process

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : get the HASH handle, select HASH calculation, and call interface CVI_UNF_CIPHER_HashInit to complete.

Step 3 : input the data piece by piece and calculate the HASH value. Call interface CVI_UNF_CIPHER_HashUpdate to complete.

Step 4 : if the digest calculation is not yet complete, perform step 3 again.

Step 5 : complete the digest calculation, end the input, and obtain the calculation results. Call interface CVI_UNF_CIPHER_HashFinal to complete.

Step 6 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note

2.2.4. HMAC Calculation (NOTE SW)

Scene Description

The HMAC value of the data is calculated based on the HASH algorithm.

Working Process

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : get the HASH handle, select HASH calculation, configure the key of HMAC calculation, and call interface CVI_UNF_CIPHER_HashInit to complete.

Step 3 : input the data piece by piece and calculate the HASH value. Call interface CVI_UNF_CIPHER_HashUpdate to complete.

Step 4 : if the digest calculation is not yet complete, perform step 3 again.

Step 5 : complete the digest calculation, end the input, and obtain the calculation results. Call interface CVI_UNF_CIPHER_HashFinal to complete.

Step 6 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note

2.2.5. Generating Random Numbers

Scene Description

Get the true random number generated by the hardware.

Working Process

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : get 256-bit random numbers, call interface CVI_UNF_CIPHER_GetRandomNumber to complete.

Step 3 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note

2.2.6. RSA Encryption and Decryption Operation Steps (NOTE SW)

Scene Description

The data is encrypted and decrypted with the RSA asymmetric algorithm. Data encrypted with the public key must be decrypted with the private key. Conversely, data encrypted with the private key must be decrypted with the public key.

Working Process

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : perform encryption and decryption or signature and verification of the data. Depending on the key used, call any of the following interfaces.

  • Public key encryption : CVI_UNF_CIPHER_RsaPublicEncrypt

  • Private key decryption : CVI_UNF_CIPHER_RsaPrivateDec

  • Private key encryption : CVI_UNF_CIPHER_RsaPrivateEnc

  • Public key decryption : CVI_UNF_CIPHER_RsaPublicDec

  • Private key signature : CVI_UNF_CIPHER_RsaSign

  • Public key verification : CVI_UNF_CIPHER_RsaVerify

Step 3 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note

2.2.7. RSA Signature and Signature Verification Procedures

Scene Description

When RSA is used to sign and verify the data, the private key is used to sign the data, and the public key is used to verify the data.

Working Process

Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.

Step 2 : verify the signature of the data.

  • Private key signature : CVI_UNF_CIPHER_RsaSign

  • Public key verification : CVI_UNF_CIPHER_RsaVerify

Step 3 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.

Note