阅读说明：本技术 一种基于嵌入式信任根的智能设备安全代码更新方法 (Intelligent equipment security code updating method based on embedded trust root ) 是由 王纪军 徐超 程伟华 承轶青 吉慎 于 2021-07-01 设计创作，主要内容包括：本发明公开了一种基于嵌入式信任根的智能设备安全代码更新方法,包括安全擦除：基于信任根密钥派生的伪随机数在更新前对智能设备可疑空间进行清理,确保更新前的安全；采用现代智能设备上普遍存在的硬件构建嵌入式信任根,为嵌入式系统维护一个小的可信执行环境和安全存储空间,确保更新时的安全；对更新代码安装后的嵌入式智能设备系统环境进行完整性证明,确保更新后的安全。本发明借鉴嵌入式信任根、安全擦除和远程证明技术,为嵌入式智能设备提供一个涵盖更新前、更新时和更新后全方位保护的安全代码更新方法。(The invention discloses an intelligent equipment security code updating method based on an embedded trust root, which comprises the following steps of: cleaning suspicious spaces of the intelligent equipment before updating based on pseudo-random numbers derived from the trust root key, and ensuring the safety before updating; an embedded trust root is constructed by adopting ubiquitous hardware on modern intelligent equipment, a small trusted execution environment and a safe storage space are maintained for an embedded system, and the safety during updating is ensured; and the integrity of the embedded intelligent equipment system environment after the update code is installed is proved, so that the updated safety is ensured. The invention provides a safe code updating method covering all-round protection before, during and after updating for embedded intelligent equipment by using embedded trust root, safe erasing and remote certification technologies.)

1. An intelligent device security code updating method based on an embedded trust root is characterized by comprising the following steps:

(1) and (4) safely erasing: cleaning suspicious spaces of the intelligent equipment before updating based on pseudo-random numbers derived from the trust root key, and ensuring the safety before updating;

(2) the embedded trust root is constructed by adopting the ubiquitous hardware on modern intelligent equipment, a trusted execution environment and a safe storage space are maintained for an embedded system, and the safety during updating is ensured;

(3) and the integrity of the embedded intelligent equipment system environment after the update code is installed is proved, so that the updated safety is ensured.

2. The intelligent device security code updating method based on the embedded trust root as claimed in claim 1, wherein the specific steps are as follows:

1) the intelligent equipment side prepares an update package to be shared with the verification side;

2) initializing and configuring intelligent equipment on the intelligent equipment side;

3) the intelligent equipment side and the verifying side carry out temporary session key negotiation;

4) the intelligent equipment side notifies the verifier of updating after issuing the new code;

5) initializing an equipment updating environment on the intelligent equipment side;

6) the intelligent equipment sends a challenge and a secret key to a verifier;

7) the verifying party verifies the challenge, encrypts the update package after success and sends the update package to the intelligent equipment party;

8) the intelligent equipment side decrypts and verifies the update package, and deploys and updates the update package after the update package is successfully deployed;

9) the intelligent equipment side carries out integrity measurement and sends the result to the verification side;

10) the verifier verifies the measurement result and synchronizes the measurement result to the intelligent equipment;

11) the intelligent equipment side ensures sustainable safety through safe starting;

12) the intelligent device side and the verifying side guarantee the continuous credibility of the intelligent device through a remote attestation mechanism.

3. The intelligent device security code updating method based on the embedded trust root according to claim 2, wherein in step 1), the device side prepares a latest security update package cupkg, which at least comprises a binary update code cupkg.code, a version number cupkg.ver of a current security update package, and a hash value cupkg.hash of an expected value of memory content on the device after successful update; the device side shares the prepared latest security update package cupkg with the verifier.

4. The embedded trust root-based intelligent device security code updating method according to claim 2, wherein the intelligent device configures or deploys the embedded trust root, the fixed trust root code RoT and the device root key rk in step 2), and stores integrity metadata of a currently running code of the device in a security storage space R maintained by the embedded trust root.

5. The embedded trust root-based intelligent device security code updating method according to claim 2, wherein the intelligent device side and the verifier in step 3): negotiating cryptographic parameters, selecting a proper lightweight symmetric encryption algorithm, establishing a shared temporary session key tsk through a key exchange protocol, encrypting information interacted between an intelligent equipment side and a verification side by using tsk in an interaction process of an updating protocol, and updating the period of tsk in a self-defined way according to actual requirements.

6. The embedded trust root-based intelligent device security code updating method according to claim 2, wherein after the intelligent device side issues the latest version of the embedded intelligent device code in step 4), the intelligent device side notifies the verifier to update all the intelligent devices, and the verifier sends an update request R1 to the intelligent device side.

7. The embedded root of trust based smart device security code update method of claim 2, wherein in step 5), after the RoT code on the smart device receives R1, a random sub-key k1 is derived based on the device root key rk; based on k1 and R1, the RoT code uses a pseudo-random generator to generate pseudo-random numbers, overwrites suspect and redundant memory areas of the device, erases potentially malicious code, and provides an initial trusted environment for updates.

8. The embedded root of trust based smart device security code update method of claim 2, wherein the RoT code on the smart device in step 6) re-derives a second random sub-key k2 based on the device root key rk and generates a random challenge value Np, and sends the message M1 ═ { R1, k1, k2, Np } to the verifier after being encrypted with tsk.

9. The embedded trust root-based intelligent device security code updating method of claim 2, wherein after the verifier uses tsk to decrypt and obtain the message M1 in step 7), the verifier verifies R1 ensures the freshness of the session; then, k2 is used for encrypting the latest security update package cupkg issued by the intelligent equipment side to obtain a ciphertext message epkg, namely epkg is Enc (k2, cupkg), so that the confidentiality of the security update package is ensured; performing MAC operation on the { Np, hash (epkg) } by using k1 to generate an authentication code MAC1, so as to ensure the integrity of a security update package; and generating a random challenge value Nv, and encrypting the message M2 { (Np, epkg, mac1, Nv } by using tsk and then sending the message M2 to the intelligent equipment side.

10. The embedded trust root-based intelligent device security code updating method according to claim 2, wherein in step 8), after the RoT code on the intelligent device side decrypts the message M2 by using tsk, hash operation is performed on epkg first, and k1 and Np are used to verify whether the message authentication code mac1 is tampered; if the data is tampered, exiting the updating; if not tampered, decrypting epkg by using k2 to obtain cupkg, namely cupkg ═ Dec (k2, epkg); verifying whether the cupkg.ver is larger than the previously stored version or not, and preventing the version rollback attack of the safe updating code; and continuing the operation after the verification is passed, installing the decrypted cupkg, and storing the corresponding latest integrity metadata cupkg.ver and cupkg.hash into a secure storage space R maintained by the embedded trust root.

11. The intelligent device security code updating method based on the embedded trust root according to claim 2, wherein in step 9), after the RoT code of the intelligent device measures the latest memory state of the device (the key area where the security update is located can be selected, or the whole memory area can be selected) by using a hash algorithm, an integrity measurement result h is obtained; performing MAC operation on the { Nv, h } by using k1 to generate an authentication code MAC 2; and sending the message M3 ═ { Nv, h, mac2} to the verifier after being encrypted by tsk.

12. The embedded trust root-based intelligent device security code updating method according to claim 2, wherein the verifier verifies the authentication code mac2 with k1 and cupkg in step 10) to determine whether the intelligent device successfully installs the latest code update package cupkg, and synchronizes the intelligent device ID and the verification result to the intelligent device.

13. The intelligent device security code updating method based on the embedded trust root according to claim 2, wherein in step 11), after the intelligent device side completes the installation of the latest code updating package cupkg, the embedded system loads the RoT code first through security guidance each time the intelligent device is restarted; and then, the RoT code compares the integrity hash measurement of the cupkg code in the key area of the memory with the cupkg-hash stored in the R area, and the cupkg code is loaded only when the comparison is passed, so that the sustainable safety of the intelligent device after updating is ensured.

14. The embedded trust root-based intelligent device security code updating method according to claim 13, wherein when the device is started, the ROM measures and loads the trust root code RoT first, and then measures and loads cupkg; starting a verification function of firmware by relying on a ROM, and safely guiding a root of trust code RoT; the cupkg is any updateable embedded code.

15. The embedded root of trust based smart device security code update method of claim 1, wherein the embedded root of trust provides an isolated trusted execution environment and a secure storage space for a device; the embedded trust root is provided by an SRAM PUF and an ARM TrustZone-M; the root-of-trust code RoT refers to a code running in an isolated trusted execution environment, and comprises a hash algorithm, a pseudo-random number generation algorithm, a symmetric encryption and decryption algorithm, a message authentication code and a comparison detection code which are necessary for executing security code updating.

Technical Field

The invention belongs to the field of trusted Internet of things and embedded system security, and particularly relates to an intelligent device security code updating method based on an embedded trust root.

Background

With the continuous development of the internet of things, industrial 4.0 and industrial internet, various embedded intelligent devices have been widely applied to various scenes in the real world, such as industrial control systems, smart homes, wireless sensor networks and the like. However, these embedded smart devices are vulnerable to attacks because they lack the security mechanisms of traditional desktop machines. In many cases, devices that have vulnerabilities or are under attack often need to be recalled, causing significant economic loss to the device vendor. For example, Dyn DNS DDoS attacks infect a large number of internet of things device zombie nodes, and many network cameras with the problem are withdrawn by manufacturers; with the development of unmanned technology, various embedded sensors and intelligent functions are also configured on the automobile, which also results in the increase of automobile leaks and security risks, and the probability of being recalled is higher. Because embedded intelligent equipment goes deep into various industries and is deployed in a large scale in many scenes, the cost of recalling safety problems is hard to bear by manufacturers.

Therefore, a code updating technology is provided, which can remotely repair bugs existing in the embedded intelligent equipment, remotely add new features or system functions, start a certain safety function, forbid the vulnerability function of a certain equipment product and the like, improve the safety and flexibility of the intelligent equipment in the life cycle use, reduce the economic loss of factory return or recall, and solve the function or safety problems existing in most of the equipment in a remote mode. However, if the code update technology itself has a security problem, it can be used by an attacker to destroy the security of the embedded smart device, which is contrary to the original design purpose.

Therefore, in order to design a safely usable code updating method, the safety of the code updating technology itself needs to be deeply considered. The code update is not only a simple download of the latest version of firmware or software code to the intelligent embedded device, but also should take into account various security attributes of the code update, such as freshness, integrity, authentication, confidentiality, verifiability, recoverability, persistence, etc. Thus, some researchers began to design security code update mechanisms taking into account some of the security attributes. The university of Perito et al in 2010 proposes a security code updating scheme of pose (pro of Secure erase), and before downloading a security code to an embedded intelligent device, a pure environment is created on the device in a Secure erasing manner; 2016, Kohnhauser et al designed a secure code update mechanism for low-end embedded devices based on a hardware secure immune environment and a public key cryptographic algorithm.

While these solutions can satisfy most of the security attributes, there are significant drawbacks: firstly, the hardware security immune environment on which the hardware security immune environment depends does not necessarily exist on the embedded intelligent equipment, and the universality is not realized; secondly, the available software and hardware resources of the embedded intelligent device are limited, and the performance and storage cost brought by using a public key cryptographic algorithm cannot be accepted by many embedded devices; thirdly, the PoSE needs to send a large amount of pseudo-random values through the network to fill redundant memory space of the embedded intelligent equipment so as to erase potential malicious codes, and the network flow cost caused by the potential malicious codes can hardly be applied to an actual scene; finally, the security mechanisms they provide typically only consider a portion of the secure code update, lacking a systematic security build on the overall update flow. Therefore, the characteristics of the software and hardware environment of the embedded device need to be considered, a more practical and available security code updating method needs to be designed, and the requirements of more complete and systematic security code updating before, during and after updating are met.

Disclosure of Invention

The invention aims to provide an intelligent equipment security code updating method based on an embedded trust root, which covers all-round protection before, during and after updating. Safely erasing pseudo-random numbers derived based on the trust root key to clean suspicious spaces of the intelligent equipment before updating, and ensuring the safety before updating; the invention solves the trust problem of the embedded Internet of things equipment, innovatively provides a security code updating method on the embedded equipment, and can prevent an untrusted party from damaging the embedded equipment when the equipment code is updated.

The purpose of the invention is realized by the following technical scheme:

an intelligent device security code updating method based on an embedded trust root is characterized by comprising the following steps:

(1) and (4) safely erasing: cleaning suspicious spaces of the intelligent equipment before updating based on pseudo-random numbers derived from the trust root key, and ensuring the safety before updating;

(2) an embedded trust root such as an SRAM PUF or an ARM TrustZone-M is constructed by adopting ubiquitous hardware on modern intelligent equipment, a trusted execution environment and a safe storage space can be maintained for an embedded system, and the safety during updating is ensured;

(3) and the integrity of the embedded intelligent equipment system environment after the update code is installed is proved, so that the updated safety is ensured.

The method comprises the following specific steps:

1) the intelligent equipment side prepares an update package to be shared with the verification side;

2) initializing and configuring intelligent equipment on the intelligent equipment side;

3) the intelligent equipment side and the verifying side carry out temporary session key negotiation;

4) the intelligent equipment side notifies the verifier of updating after issuing the new code;

5) initializing an equipment updating environment on the intelligent equipment side;

6) the intelligent equipment sends a challenge and a secret key to a verifier;

7) the verifying party verifies the challenge, encrypts the update package after success and sends the update package to the intelligent equipment party;

8) the intelligent equipment side decrypts and verifies the update package, and deploys and updates the update package after the update package is successfully deployed;

9) the intelligent equipment side carries out integrity measurement and sends the result to the verification side;

10) the verifier verifies the measurement result and synchronizes the measurement result to the intelligent equipment;

11) the intelligent equipment side ensures sustainable safety through safe starting;

12) the intelligent device side and the verifying side guarantee the continuous credibility of the intelligent device through a remote attestation mechanism.

The invention has the following construction principle and steps:

1. before updating the security code:

a. the intelligent device side and the verification side: the method comprises the steps that a device side prepares a latest safety updating package cupkg which at least comprises a binary updating code cupkg.code, a version number cupkg.ver of a current safety updating package, and a hash value cupkg.hash of an expected value of memory content on the device after successful updating; the device side shares the prepared latest security update package cupkg with the verifier.

b. The intelligent equipment side: the method comprises the steps of configuring or deploying an embedded trust root (SRAM PUF or ARM TrustZone-M), a fixed trust root code RoT and an equipment root key rk (which can be a root key solidified in a secure storage space and can also be a root key automatically generated when equipment is started based on the SRAM PUF), and storing integrity metadata (including cupkg.ver and cupkg.hash) of a current running code of the equipment in a secure storage space R maintained by the embedded trust root.

c. The intelligent device side and the verification side: negotiating cryptographic parameters, selecting a proper lightweight symmetric encryption algorithm, establishing a shared temporary session key tsk through a key exchange protocol, encrypting information interacted between an intelligent equipment side and a verification side by using tsk in an interaction process of an updating protocol, and updating the period of tsk in a self-defined way according to actual requirements.

d. The intelligent device side and the verification side: after the intelligent equipment side issues the embedded intelligent equipment code of the latest version, the intelligent equipment side informs the verifying side to update all the intelligent equipment, and the verifying side sends an update request R1 to the intelligent equipment side.

e. The intelligent equipment side: after receiving R1, the RoT code on the intelligent device derives a random sub-key k1 based on the device root key rk; based on k1 and R1, the RoT code uses a pseudo random number generator to generate pseudo random numbers, overwrites suspicious memory and redundant memory areas of the device, erases potential malicious codes, and provides an initial trusted environment for updating.

2. When the security code is updated:

a. the intelligent equipment side: the RoT code on the smart device re-derives a second random sub-key k2 based on the device root key rk and generates a random challenge value Np, and sends the message M1 { R1, k1, k2, Np } to the verifier after being encrypted with tsk.

b. And (3) a verifying party: after obtaining message M1 using tsk decryption, verify that R1 ensures the freshness of the session; then, k2 is used for encrypting the latest security update package cupkg issued by the intelligent equipment side to obtain a ciphertext message epkg, namely epkg is Enc (k2, cupkg), so that the confidentiality of the security update package is ensured; performing MAC operation on the { Np, hash (epkg) } by using k1 to generate an authentication code MAC1, so as to ensure the integrity of a security update package; and generating a random challenge value Nv, and encrypting the message M2 { (Np, epkg, mac1, Nv } by using tsk and then sending the message M2 to the intelligent equipment side.

c. The intelligent equipment side: after the RoT code decrypts to obtain a message M2 by using tsk, hash operation is carried out on epkg, and whether the message authentication code mac1 is tampered or not is verified by using k1 and Np; if the data is tampered, exiting the updating; if not tampered, decrypting epkg by using k2 to obtain cupkg, namely cupkg ═ Dec (k2, epkg); verifying whether the cupkg.ver is larger than the previously stored version or not, and preventing the version rollback attack of the safe updating code; and continuing to operate after the verification is passed, installing the decrypted cupkg, and storing the corresponding latest integrity metadata cupkg.ver and cupkg.hash into a secure storage space R (namely covering the old value in the 1. b) maintained by the embedded trust root.

3. After the security code is updated:

a. the intelligent equipment side: the RoT code measures the latest memory state of the device (a key area where safe updating is located can be selected, and the whole memory area can also be selected) by using a hash algorithm, and then obtains an integrity measurement result h; performing MAC operation on the { Nv, h } by using k1 to generate an authentication code MAC 2; and sending the message M3 ═ { Nv, h, mac2} to the verifier after being encrypted by tsk.

b. And (3) a verifying party: the verifier verifies the authentication code mac2 with k1 and cupkg to determine whether the smart device successfully installs the latest code update package cupkg, and synchronizes the smart device ID and the verification result to the smart device side.

c. The intelligent equipment side: after the latest code updating packet cupkg is installed, the embedded system loads the RoT code through safe guidance each time the intelligent equipment is restarted; and then, the RoT code compares the integrity hash measurement of the cupkg code in the key area of the memory with the cupkg-hash stored in the R area, and the cupkg code is loaded only when the comparison is passed, so that the sustainable safety of the intelligent device after updating is ensured.

d. The intelligent device side and the verification side: if the intelligent device wants to interact with an intelligent device side, a verifying side or other trusted third parties, in order to know the security state of the intelligent device first, the remote certification mechanisms similar to those in 3.a and 3.b can be adopted to certify the integrity state of the intelligent device, so as to ensure the continuous credibility of the intelligent device in the network environment of the internet of things.

The embedded trust root is constructed by adopting ubiquitous hardware on modern intelligent equipment, such as SRAM PUF or ARM TrustZone-M, so that a small trusted execution environment and a safe storage space can be maintained for an embedded system, and the safety during updating is ensured; and the remote certification technology is used for carrying out integrity certification on the embedded intelligent equipment system environment after the update code is installed, so that the updated safety is ensured.

The invention has the following advantages:

1. compared with the existing security code updating method, the method uses the device root key pseudo-random derivation method to perform security erasure before updating, so that the network bandwidth is saved; and a lightweight symmetric cryptographic algorithm is adopted to replace a public key mechanism to design a safe updating protocol, so that the embedded intelligent device with limited resources is more friendly.

2. The invention carries out comprehensive system design on the safety of the equipment before, during and after updating, and protects each updating stage in an all-around way, thereby improving the safety of the whole ecological environment of the intelligent equipment. The safety code updating scheme of F carries out all-round protection before, during and after updating. Before updating, the random memory filling based on the device root key ensures that no potential malicious code exists before the updating code is installed; when updating, the source of the verification code is legal and latest, the confidentiality and the integrity of the update code are reliable, and the equipment to be updated is subjected to security authentication to prevent attacks such as replay, rollback and the like; after updating, integrity verification is carried out before the updating code is loaded and operated every time, remote certification is carried out every time network interaction is carried out, and sustainable safety of the equipment associated with the network environment is ensured.

Drawings

FIG. 1 is a schematic diagram of the three stages of security code update in the present invention.

Detailed Description

The following describes a specific implementation manner of the present invention, taking an ordinary PC device as a verifier and an embedded device equipped with SRAM and ARM TrustZone-M as an intelligent device:

an intelligent device security code updating method based on an embedded trust root comprises the following steps: (1) and (4) safely erasing: cleaning suspicious spaces of the intelligent equipment before updating based on pseudo-random numbers derived from the trust root key, and ensuring the safety before updating; (2) an embedded trust root such as an SRAM PUF or an ARM TrustZone-M is constructed by adopting ubiquitous hardware on modern intelligent equipment, a trusted execution environment and a safe storage space can be maintained for an embedded system, and the safety during updating is ensured; (3) and the integrity of the embedded intelligent equipment system environment after the update code is installed is proved, so that the updated safety is ensured. The method comprises the following specific steps:

1. the intelligent equipment side prepares an update package to be shared with the verification side; the method comprises the steps that a device side prepares a latest safety updating package cupkg which at least comprises a binary updating code cupkg.code, a version number cupkg.ver of a current safety updating package, and a hash value cupkg.hash of an expected value of memory content on the device after successful updating; the device side shares the prepared latest security update package cupkg with the verifier.

2. Initializing and configuring intelligent equipment on the intelligent equipment side; an embedded trust root, a fixed trust root code RoT and a device root key rk (which may be a root key solidified in a secure storage space or a root key automatically generated when a device is started based on an SRAM PUF) are configured or deployed on an intelligent device side, and integrity metadata (including cupkg.ver and cupkg.hash) of a current running code of the device is stored in a secure storage space R maintained by the embedded trust root;

the embedded trust root provides an isolated trusted execution environment and a safe storage space for the equipment; the embedded trust root is provided by an SRAM PUF and an ARM TrustZone-M; the root-of-trust code RoT is a code running in an isolated trusted execution environment and comprises a hash algorithm, a pseudo-random number generation algorithm, a symmetric encryption and decryption algorithm, a message authentication code and a comparison detection code which are necessary for executing security code updating;

3. the intelligent equipment side and the verifying side carry out temporary session key negotiation; the intelligent device side and the verification side: negotiating cryptographic parameters, selecting a proper lightweight symmetric encryption algorithm, establishing a shared temporary session key tsk through a key exchange protocol, encrypting information interacted between an intelligent equipment side and a verification side by using tsk in an interaction process of an updating protocol, and updating the period of tsk in a self-defined way according to actual requirements.

4. The intelligent equipment side notifies the verifier of updating after issuing the new code; after the intelligent equipment side issues the embedded intelligent equipment code of the latest version, the intelligent equipment side informs the verifying side to update all the intelligent equipment, and the verifying side sends an update request R1 to the intelligent equipment side.

5. Initializing an equipment updating environment on the intelligent equipment side; after receiving R1, the RoT code on the intelligent device derives a random sub-key k1 based on the device root key rk; based on k1 and R1, the RoT code uses a pseudo-random generator to generate pseudo-random numbers, overwrites suspect and redundant memory areas of the device, erases potentially malicious code, and provides an initial trusted environment for updates.

6. The intelligent equipment sends a challenge and a secret key to a verifier; the RoT code on the smart device re-derives a second random sub-key k2 based on the device root key rk and generates a random challenge value Np, and sends the message M1 { R1, k1, k2, Np } to the verifier after being encrypted with tsk.

7. The verifying party verifies the challenge, encrypts the update package after success and sends the update package to the intelligent equipment party; after the verifier decrypts the message M1 by using tsk, the verifier R1 ensures the freshness of the session; then, k2 is used for encrypting the latest security update package cupkg issued by the intelligent equipment side to obtain a ciphertext message epkg, namely epkg is Enc (k2, cupkg), so that the confidentiality of the security update package is ensured; performing MAC operation on the { Np, hash (epkg) } by using k1 to generate an authentication code MAC1, so as to ensure the integrity of a security update package; and generating a random challenge value Nv, and encrypting the message M2 { (Np, epkg, mac1, Nv } by using tsk and then sending the message M2 to the intelligent equipment side.

8. The intelligent equipment side decrypts and verifies the update package, and deploys and updates the update package after the update package is successfully deployed; after the RoT code of the intelligent equipment side decrypts to obtain a message M2 by using tsk, hash operation is carried out on epkg, and whether a message authentication code mac1 is tampered or not is verified by using k1 and Np; if the data is tampered, exiting the updating; if not tampered, decrypting epkg by using k2 to obtain cupkg, namely cupkg ═ Dec (k2, epkg); verifying whether the cupkg.ver is larger than the previously stored version or not, and preventing the version rollback attack of the safe updating code; and continuing to operate after the verification is passed, installing the decrypted cupkg, and storing the corresponding latest integrity metadata cupkg.ver and cupkg.hash into a secure storage space R (namely covering the old value in the 1. b) maintained by the embedded trust root.

9. The intelligent equipment side carries out integrity measurement and sends the result to the verification side; the method comprises the steps that after an RoT code on the intelligent equipment side measures the latest memory state (a key area where safety updating is located can be selected, and the whole memory area can also be selected) of the equipment by using a Hash algorithm, an integrity measurement result h is obtained; performing MAC operation on the { Nv, h } by using k1 to generate an authentication code MAC 2; and sending the message M3 ═ { Nv, h, mac2} to the verifier after being encrypted by tsk.

10. The verifier verifies the measurement result and synchronizes the measurement result to the intelligent equipment; the verifier verifies the authentication code mac2 with k1 and cupkg to determine whether the smart device successfully installs the latest code update package cupkg, and synchronizes the smart device ID and the verification result to the smart device side.

11. The intelligent equipment side ensures sustainable safety through safe starting; after the intelligent equipment side finishes installing the latest code updating package cupkg, when the intelligent equipment is restarted each time, the embedded system loads the RoT code firstly through safe guidance; and then, the RoT code compares the integrity hash measurement of the cupkg code in the key area of the memory with the cupkg-hash stored in the R area, and the cupkg code is loaded only when the comparison is passed, so that the sustainable safety of the intelligent device after updating is ensured. When the equipment is started, the ROM measures and loads a root of trust code RoT, and the RoT code measures and loads cupkg; starting a verification function of firmware by relying on a ROM, and safely guiding a root of trust code RoT; the cupkg is any updateable embedded code.

12. The intelligent device side and the verifying side guarantee the continuous credibility of the intelligent device through a remote attestation mechanism. If the intelligent device wants to interact with an intelligent device side, a verification side or other trusted third parties, in order to know the security state of the intelligent device first, a remote certification mechanism can be adopted to certify the integrity state of the intelligent device first, so that the continuous credibility of the intelligent device in the network environment of the internet of things is ensured.

For those skilled in the art, a corresponding system safety protection system can be designed and implemented by referring to the method.

1. Intelligent equipment side, verification side: the lightweight symmetric cryptographic algorithm can select AES and also can select SM4 following the standard of commercial cryptographic algorithm in China; the Hash algorithm can select SHA256 and can also select SM3 which follows the standard of China's commercial cipher algorithm; the shared temporary session key tsk may be generated using the Diffie-Hellman or ECDH key exchange algorithm; the network connection can be a wired connection or various wireless interface modes; the cupkg secure update code package may be an embedded operating system, or any updateable embedded firmware or embedded application software.

2. The intelligent equipment side: the RoT trust root code is placed in a safety zone isolated by the ARM TrustZone-M, the RoT trust root code in the safety zone is automatically guided to be executed when the equipment is started, the ARM TrustZone-M ensures the credibility of the RoT execution environment, and the hardware isolation ensures that the RoT trust root code is not influenced by other codes on the equipment; when the equipment is powered on, reading an initial value of an SRAM (static random access memory), and automatically generating a unique root key rk of the equipment based on an SRAM PUF (static random access memory); derivation of k1 from the root key rk may employ a KDF key derivation algorithm; the pseudo-random number that erases the device memory may be replaced with a hash algorithm, with the memory address also included in the hash calculation message.

3. The intelligent equipment side: the RoT trust root code runs in a safety zone of the ARM TrustZone-M; derivation of k2 from the root key rk may employ a KDF key derivation algorithm; the RoT root-of-trust code comprises a hash algorithm and a message authentication code, wherein the hash algorithm can be realized by SHA256 or SM3, and the message authentication code can be realized by HMAC or SM 4; after the integrity of the security code update package message is authenticated by using the HMAC, the security code update package message is decrypted by using the SM4, and after the version of the security code update package is verified, the latest code is installed and loaded in the corresponding memory area.

4. And (3) a verifying party: the security code updating packet is encrypted by adopting an SM4 algorithm, and then the encrypted ciphertext packet is subjected to HMAC operation to generate a message authentication code, and confidentiality and integrity are provided.

5. The intelligent equipment side: the hash algorithm is realized by SHA256 or SM3, and the message authentication code can be realized by HMAC or SM 4; when the whole memory measurement is selected, performing hash integrity calculation on all writable memories of the equipment; when the measurement of the key area is selected, two parameters of the initial address and the length of the key area are provided, and the Hash integrity calculation is carried out on the memory in the designated area according to the parameters; the remote attestation originally signs the hash integrity calculation result, and the operation of the message authentication code on the hash integrity result is equivalent to the signature in the remote attestation.

6. And (3) a verifying party: and (4) verifying the result of the message authentication code through an HMAC or SM4 algorithm, and feeding back the result of whether the equipment successfully installs the latest code update to the verifier.

7. The intelligent equipment side: the RoT code can be verified in the equipment ROM in a mode of Hash measurement values and certificates, and a trusted boot process is constructed; before loading cupkg, the integrity of the RoT code is verified by using SHA256 or SM 3; if the verification fails, a secure erase operation may be performed to restore the device to the original trusted environment, and then a new round of update procedures may be actively requested to restore the device to the latest state.

8. The intelligent device side and the verification side: and the integrity state of the intelligent equipment is proved to any trusted third party authorized by the intelligent equipment party by adopting a remote proving mode based on the message authentication code, so that the integrity state of the intelligent equipment is extended to a network environment.