2. Overview¶
2.1. Overview¶
CIPHER is a security algorithm module provided by CVITEK digital media processing platform. It provides symmetric encryption and decryption algorithms, including AES / DES / SM4, asymmetric encryption and decryption algorithm RSA (Note SW), random number generation, and digest algorithm, HASH and HMAC. It is mainly used for encryption and decryption protection of audio and video stream, authentication of user legitimacy and other scenarios. Each function is divided as follows:
Symmetric Encryption and Decryption Algorithm
AES: supports ECB/CBC/CTR/CCM/GCM and other working modes. In CCM / GCM mode, the tag value needs to be obtained once after encryption and decryption.
DES: supports ECB/CBC/CTR/CFB/OFB and other working modes. The bit width of CFB and OFB mode can be 1 / 8 / 64.
SM4: supports ECB/CBC/CTR and other working modes.
Except CTR/CCM/GCM, the data length of the above algorithms and modes must be aligned by block size; N and A of CCM/GCM need to be encapsulated by software into block size aligned data blocks according to the standard.
Asymmetric Encryption and Decryption Algorithm
RSA (Note SW): supports key bit width 1024/2048/3072/4096
RSA key width 1024 and below are known insecure algorithms in the industry and should not be used.
Random Number Generation
RNG:Get random numbers at a high rate.
Digest Algorithm
HASH : supports SHA1/SHA2/ SHA512/SM3 (Note SW);
HMAC : support HMAC1/HMAC224/HMAC256/HMAC384/HMAC512 (Note SW);
The SHA1 algorithm is less secure and cannot be used in the scenario where it is involved in generating “digital signatures”, SHA2 (256 bits and above) algorithm is recommended.
2.2. Use Process¶
2.2.1. Single Packet Data Encryption and Decryption¶
Scene Description
When there is a piece of stream data in physical memory that needs to be encrypted/decrypted, the CIPHER module is called at the user level to encrypt/decrypt the single packet data after obtaining its physical address.
Working Process
The process of AES / DES / SM4 symmetric encryption and decryption is as follows:
Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2 : get the CIPHER handle, call interface CVI_UNF_CIPHER_CreateHandle to complete.
Step 3 : configure the CIPHER control information, including key, initial vector, encryption algorithm, working mode and other information, call interface CVI_UNF_CIPHER_ConfigHandle or CVI_UNF_CIPHER_ConfigHandleEx to complete.
Step 4 : encrypt / decrypt the data. Call any of the following interfaces for encryption and decryption.
Single packet encryption, CVI_UNF_CIPHER_Encrypt
Single packet decryption, CVI_UNF_CIPHER_Decrypt
Step 5 : if CCM and GCM (Note SW) modes are used, Call interface CVI_UNF_CIPHER_GetTag to get the TAG value.
Step 6 : destroy the CIPHER handle, call interface CVI_UNF_CIPHER_DestroyHandle to complete.
Step 7 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note
2.2.2. Multi Packet Data Encryption and Decryption¶
Scene Description
When there are multiple streams of data in physical memory that need to be encrypted/decrypted, the CIPHER module is called at the user level to encrypt/decrypt multiple packets of data after obtaining their physical addresses.
Working Process
The process of AES / DES / SM4 symmetric encryption and decryption is as follows:
Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2 : get the CIPHER handle, call interface CVI_UNF_CIPHER_CreateHandle to complete.
Step 3 : configure the CIPHER control information, including key, initial vector, encryption algorithm, working mode and other information, call interface CVI_UNF_CIPHER_ConfigHandle or CVI_UNF_CIPHER_ConfigHandleEx to complete.
Step 4 : encrypt / decrypt the data. Call any of the following interfaces for encryption and decryption.
Multi packet encryption, CVI_UNF_CIPHER_EncryptMulti
Multi packet decryption, CVI_UNF_CIPHER_DecryptMulti
Step 5 : destroy the CIPHER handle, call interface CVI_UNF_CIPHER_DestroyHandle to complete.
Step 6 : shut down CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note
2.2.3. HASH Calculation¶
Scene Description
The HASH value of calculated data can be SHA1/SHA2/ SHA512/SM3 (Note SW)
Working Process
Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2 : get the HASH handle, select HASH calculation, and call interface CVI_UNF_CIPHER_HashInit to complete.
Step 3 : input data and calculate HASH value one by one. Call interface CVI_UNF_CIPHER_HashUpdate to complete.
Step 4 : if the summary is not calculated, perform step 3 again.
Step 5 : complete the summary calculation, end the input, and obtain the calculation results. Call interface CVI_UNF_CIPHER_HashFinal to complete.
Step 6 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note
2.2.4. HMAC Calculation (NOTE SW)¶
Scene Description
Based on HASH algorithm, HMAC value of data is calculated.
Working Process
Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2 : get the HASH handle, select HASH calculation, configure the key of HMAC calculation , and call interface CVI_UNF_CIPHER_HashInit to complete.
Step 3 : input data and calculate HASH value one by one. Call interface CVI_UNF_CIPHER_HashUpdate to complete.
Step 4 : if the summary is not calculated, perform step 3 again.
Step 5 : complete the summary calculation, end the input, and obtain the calculation results. Call interface CVI_UNF_CIPHER_HashFinal to complete.
Step 6 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note
2.2.5. Generating Random Numbers¶
Scene Description
Get the true random number generated by the hardware.
Working Process
Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2 : get 256bits random numbers, call interface CVI_UNF_CIPHER_GetRandomNumber to complete.
Step 3 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note
2.2.6. RSA Encryption and Decryption Operation Steps (NOTE SW)¶
Scene Description
The data is encrypted and decrypted by RSA asymmetric algorithm. Data encrypted by public key must be decrypted by private key. On the contrary, data encrypted by private key must be decrypted by public key.
Working Process
Step 1: CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2: encryption and decryption or signature verification of data. Depending on the key used, call any of the following interfaces to perform encryption and decryption, signature verification, generate depending on the key used.
Public key encryption : CVI_UNF_CIPHER_RsaPublicEncrypt
Private key decryption : CVI_UNF_CIPHER_RsaPrivateDec
Private key encryption : CVI_UNF_CIPHER_RsaPrivateEnc
Public key decryption : CVI_UNF_CIPHER_RsaPublicDec
Private key signature : CVI_UNF_CIPHER_RsaSign
Public key verification : CVI_UNF_CIPHER_RsaVerify
Step 3 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note
2.2.7. RSA Signature and Signature Verification Procedures¶
Scene Description
When RSA is used to sign and verify the data, the private key is used to sign the data, and the public key is used to verify the data.
Working Process
Step 1 : CIPHER device initialization, call interface CVI_UNF_CIPHER_Init to complete.
Step 2 : verify the signature of the data.
Private key signature : CVI_UNF_CIPHER_RsaSign
Public key verification : CVI_UNF_CIPHER_RsaVerify
Step 3 : shut down the CIPHER device, call interface CVI_UNF_CIPHER_Deinit to complete.
Note