Dynamic encryption verification system and method for chip security programming
By employing technologies such as dynamic multi-factor key generation and PUF hardware unique binding, a secure closed loop is constructed throughout the entire process, solving the security, universality, and compliance issues in chip programming technology and enabling efficient and secure mass production programming of chips.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHONGQING PAOZUOBA TECHNOLOGY CO LTD
- Filing Date
- 2026-04-16
- Publication Date
- 2026-06-05
AI Technical Summary
Existing chip programming technologies suffer from problems such as insufficient static encryption protection, lagging verification mechanisms, lack of unique hardware binding, missing key management, weak anomaly handling capabilities, and insufficient traceability, failing to meet the mass production requirements of high security, high versatility, high programming efficiency, and high compliance.
By employing technologies such as dynamic multi-factor key generation, PUF hardware unique binding, two-way challenge-response identity authentication, streaming block-by-block real-time verification, six-state adaptive security state machine management, key lifecycle closed-loop management, and end-to-end encrypted log traceability, a full-process security closed loop is constructed to achieve secure burning of one key per session, one binding per chip, and one verification per block.
Significantly improves the security, mass production compatibility and compliance of chip programming, meeting the full-dimensional needs of mass production programming, intellectual property protection, compliance auditing and fault traceability of high-security level chips. Security is improved by more than 80%, programming success rate is ≥99.99%, and mass production efficiency is improved by 150%.
Smart Images

Figure CN122160033A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the intersection of chip programming technology and information security encryption technology. Specifically, it relates to a chip security programming dynamic encryption verification system and method that integrates chip physical unclonable function (PUF) unique binding, two-way challenge-response identity authentication, streaming segmented chain dynamic encryption, block-by-block real-time cryptographic verification, six-state adaptive security state machine, closed-loop management of the key's entire lifecycle, and traceability of the entire process encryption log. Background Technology
[0002] Chip programming is a core manufacturing process in chip packaging, testing, and mass production. It is a crucial process for writing core data such as firmware programs, hardware configuration parameters, encryption keys, secure boot configurations, and functional authorization information into non-volatile storage units such as Flash, EEPROM, OTP, eMMC, and UFS within the chip. As the semiconductor industry develops towards high-end and secure technologies, chips have become the core computing power carrier in key fields such as automotive electronics, industrial control, medical devices, financial payments, IoT terminals, and national defense. As the core logic and security foundation of device operation, the security of the chip firmware programming process directly determines the chip's operational reliability, data security, and intellectual property protection capabilities. Automotive-grade chips require a failure rate of less than 1ppm, industrial control chips need to withstand complex electromagnetic environments and malicious physical attacks, and financial chips need to meet the national cryptographic level 2 security standard. These stringent requirements have amplified the security flaws of traditional chip programming technologies, making them unsuitable for the mass production programming needs of modern high-security chips.
[0003] Current chip programming technologies are mainly divided into three categories: unencrypted plaintext programming, static encrypted programming, and single improved encrypted programming. All of them have irreparable technical defects, as detailed below:
[0004] 1. Unencrypted plaintext burning: Firmware is transmitted in plaintext through interfaces such as JTAG, SWD, and UART. It is simple to operate and low in cost, but the security is extremely poor. Attackers can directly intercept firmware data through logic analyzers and protocol sniffing tools to achieve chip cloning, firmware reverse engineering, and malicious code injection. It can only be used in low-end consumer electronics and cannot be applied to high-security scenarios.
[0005] 2. Static Encryption Flashing: This method uses a fixed key and a single algorithm to encrypt the firmware once, and only performs CRC32 and simple hash verification after flashing. While this improves basic security, it has six major drawbacks:
[0006] (1) Static keys are easily leaked and cracked: the keys are reused for a long time and stored in the ordinary storage unit of the burning device. Attackers can easily obtain the keys through reverse engineering, physical probes and side-channel attacks. Once leaked, the firmware of the entire batch of chips will face the risk of being cracked.
[0007] (2) The verification mechanism is seriously lagging and singular: it only performs a one-time verification after burning, and cannot verify the data transmission, device identity and firmware validity during the burning process in real time. It is easy to have hidden faults such as "burning is successful but the firmware has been tampered with", which leads to chip crashes, functional malfunctions and data leakage.
[0008] (3) No unique chip hardware binding: Without combining chip PUF, unique UID and other physical characteristics, firmware can be burned across chips at will, making it impossible to control the overproduction of foundries and chip piracy and cloning, and the ability to protect intellectual property rights is insufficient.
[0009] (4) Lack of full lifecycle control for key management: There are no standardized processes for key generation, storage, distribution, updating and destruction, no hardware encryption protection, no dynamic update mechanism, no audit traceability, and the key cannot be quickly traced and dealt with after reuse or leakage;
[0010] (5) Weak anomaly handling and anti-attack capabilities: It only supports simple retry or termination of burning, without precise anomaly location, hierarchical processing, and hardware fuse mechanism. When encountering electromagnetic interference, fault injection, or side channel attacks, it cannot quickly block the risk, resulting in low burning reliability.
[0011] (6) Traceability fails to meet compliance requirements: There is no full-process encrypted log and audit chain, and it is impossible to record information such as burning equipment, operators, key operations, verification results, and abnormal events, which does not meet the compliance audit requirements of automotive, industrial, and financial fields.
[0012] 3. Single Improved Encryption Programming: Some existing technologies propose two-way challenge-response authentication and segmented chain encryption schemes, which solve the problems of identity authentication and data transmission security to a certain extent. However, they lack key lifecycle management, multi-channel parallel adaptation, full-process log traceability, and hardware circuit breaker functions, and cannot meet the needs of mass production scenarios. Other existing technologies propose PUF physical binding and streaming block-by-block verification schemes, which enhance hardware security and real-time verification. However, they rely on chip PUF hardware customization, have extremely poor universality, and lack multi-channel parallel programming, mass production efficiency optimization, and offline mass production adaptation capabilities. They can only be used for dedicated security chips and cannot be promoted on a large scale.
[0013] In summary, existing technologies have not formed a complete security closed loop encompassing dynamic encryption, hardware binding, two-way verification, streaming verification, key management, circuit breaking for anomalies, and end-to-end traceability, thus failing to simultaneously meet the mass production requirements of high security, high versatility, high programming efficiency, and high compliance. Therefore, this invention systematically optimizes and innovates upon the shortcomings of existing technologies, constructing a dynamic encryption and verification system for secure chip programming that covers the entire programming process, adapts to all scenarios, and can be directly mass-produced and deployed. Summary of the Invention
[0014] This invention aims to overcome six core pain points of existing chip programming technologies: insufficient static encryption protection, lagging verification mechanisms, lack of unique hardware binding, missing key management, weak anomaly handling capabilities, and insufficient traceability. It provides a dynamic encryption verification system and method for secure chip programming. Through seven core technical means—dynamic multi-factor key generation, PUF hardware unique binding, two-way challenge-response identity authentication, streaming block-by-block real-time verification, six-state adaptive security state machine management, closed-loop management of the key's entire lifecycle, and end-to-end encrypted log traceability—it constructs a full-process security closed loop: "pre-programming two-way authentication → dynamic multi-factor key generation → streaming segmented encryption → block-by-block real-time verification → adaptive state machine management → anomaly-level circuit breaking → post-programming hardware locking → end-to-end encrypted traceability." This achieves the goal of secure programming with one key per session, one binding per chip, and one verification per block, significantly improving the security, mass production adaptability, and compliance of chip programming. It meets the full-dimensional needs of mass production programming, intellectual property protection, compliance auditing, and fault traceability for high-security-level chips.
[0015] To achieve the above objectives, the technical solution adopted by the present invention is as follows:
[0016] I. Dynamic Encryption Verification System for Secure Chip Programming
[0017] This system adopts a modular and streamlined architecture, consisting of 7 core modules. These modules work collaboratively without any disconnect in the workflow, achieving comprehensive and secure control over the entire burning process. The specific structure and functions are as follows:
[0018] 1. Programming terminal module
[0019] As the core execution unit of the system, it is the core bridge connecting the host computer management module and the target chip. It is responsible for firmware reading and parsing, burning instruction generation, multi-module collaborative control, and multi-channel parallel burning. It has the characteristics of high adaptability, high efficiency, high stability, and low latency, and is suitable for mass production burning scenarios.
[0020] Firmware reading unit: It obtains firmware data to be burned from the host computer management module, supports fully automatic parsing of mainstream firmware formats such as BIN, HEX, ELF, and S19, automatically removes redundant padding data and invalid configuration segments, and adaptively divides the firmware into 1KB-4KB data blocks according to the chip storage page size; it also extracts basic data such as firmware version number, compatible chip model, total firmware size, SHA-256 verification benchmark value, and digital signature information, providing core support for subsequent firmware verification and data verification.
[0021] Instruction generation unit: Based on the programming start address, programming rate, programming mode (batch / single chip), and erasure method issued by the host computer, combined with the target chip's storage specifications, interface timing, and operation instruction set, it automatically generates chip-adapted erase instructions, write instructions, read instructions, verification instructions, and status query instructions. It strictly follows the chip programming timing requirements to ensure accurate instruction execution and eliminates programming failures caused by timing errors.
[0022] Collaborative control unit: Employing a real-time operating system scheduling mechanism, it coordinates the synchronous operation of the dynamic encryption module, multi-dimensional verification module, key management module, and adaptive exception handling module to achieve seamless connection between firmware encryption, data transmission, real-time verification, and chip writing. This ensures that encrypted data and verification commands arrive synchronously, and that verification results and burning actions are executed synchronously, avoiding security vulnerabilities and data deviations caused by process disconnection.
[0023] Multi-channel adapter unit: Supports 1-8 channels of independent parallel programming. The channels adopt a dual design of opto-isolation and electromagnetic shielding, with no data crosstalk and no electromagnetic interference. It automatically identifies and adapts to mainstream programming interfaces such as SWD, JTAG, UART, SPI, I2C, and QSPI, and is compatible with UFS4.1 and eMMC5.3 high-speed storage interface programming protocols. It can dynamically allocate channel resources according to the number of chips to be programmed, and supports mixed programming of multiple chip models to improve batch production efficiency.
[0024] 2. Dynamic encryption module
[0025] The core implementation dynamically encrypts firmware data and burning commands, preventing key reuse, data eavesdropping, and ciphertext regularization. It integrates multi-dynamic factor key generation and segmented chain encryption technology to balance high security and burning efficiency. Hardware acceleration ensures that the encryption speed matches the burning rate.
[0026] Encryption Algorithm Selection Unit: Built-in three high-security encryption algorithms: AES-256, SM4 (Chinese national cryptography), and HMAC-SHA256. Dynamically selects the appropriate algorithm based on the target chip's security level, application scenario, and hardware resources: AES-256 is used for automotive-grade and financial-grade chips, SM4 (Chinese national cryptography) is used for consumer electronics and IoT chips, and HMAC-SHA256 is used for the verification process. It supports flexible configuration of parameters such as encryption rounds, block length, and initialization vector, and integrates a hardware encryption acceleration engine, achieving encryption speeds of up to 1Gbps, matching the maximum 500Mbps programming speed without affecting mass production efficiency.
[0027] Dynamic Key Generation Unit: A one-time session key is generated using a TOTP time window + multi-hardware factor composite mechanism. Combining four dynamic factors—the burning timestamp (30-second time window), the chip PUF unique identifier, the burning device ID, and the firmware version number—a 128-bit / 192-bit / 256-bit adaptive length session key is generated through the HKDF key derivation function. A unique key is generated for each burning session and for each target chip. After key generation, it is immediately encrypted and stored using the root key, and is not exposed to ordinary storage units. It becomes invalid immediately after burning, eliminating the risk of key reuse.
[0028] Data encryption unit: Performs chained dynamic encryption on firmware segment data. When encrypting each firmware segment, a random offset of 0-255 bits is added to break the regularity of the ciphertext. Simultaneously, the burning control command, verification command, and key transmission data are encrypted to ensure that all data transmitted in the entire burning link is ciphertext. For each encrypted firmware data segment, a corresponding SHA-256 checksum is automatically generated to provide an accurate verification benchmark for streaming real-time verification.
[0029] Encryption synchronization unit: It synchronously transmits core encryption information such as encryption algorithm type, key generation time, encrypted data length, segment check value, and random offset to the multi-dimensional verification module and log traceability module to ensure that the three major processes of encryption, verification, and traceability are completely synchronized, with no data deviation and no time delay.
[0030] 3. Multi-dimensional verification module
[0031] By integrating two-way challenge-response identity authentication with streaming block-by-block real-time verification technology, it achieves real-time verification of the entire process of burning devices, firmware, data, and keys in four dimensions, building a multi-layered security protection barrier to prevent illegal burning, firmware tampering, and key abnormalities from the source.
[0032] Device verification unit: Performs bidirectional challenge-response identity authentication between the programming terminal and the target chip. The programming terminal generates a 256-bit random challenge number and sends it to the target chip. The chip combines its own PUF identifier and preset root key to generate a response value and feeds it back to the terminal. The terminal compares and verifies the response value with the legitimate device database. At the same time, the chip verifies the identity of the programming terminal in reverse. Programming can only start after the bidirectional verification is successful. During the programming process, the device connection status and interface level are monitored in real time. If an illegal device is detected or the connection is interrupted, the programming is terminated immediately.
[0033] Firmware verification unit: Performs dual verification of firmware through digital signature verification and basic information comparison, verifying the validity of the firmware's authorized signature, comparing firmware version, compatible chip model, and verification benchmark value, and preventing the burning of malicious firmware, faulty firmware, expired firmware, and unauthorized firmware; supports segmented differentiated verification of firmware, using SHA-256 high-strength verification for critical areas such as the chip boot area and security configuration area, and using CRC32 fast verification for ordinary application areas, balancing verification security and efficiency.
[0034] Streaming data verification unit: It adopts a dual mechanism of block-by-block real-time verification + full verification after burning. Before the firmware is written to the chip storage, cryptographic verification is completed. The verification value of the encrypted data segment is extracted and compared with the baseline value generated by the dynamic encryption module to accurately locate the offset of the erroneous data segment, the expected value and the actual value, and prevent data tampering during transmission. After burning, all firmware in the chip is read and a full hash comparison is performed to ensure that the firmware data is complete, without missing or tampered data.
[0035] Key verification unit: Cross-compares the hash feature values of the session keys of the programming terminal, the target chip, and the key management module, and extracts the SHA-256 hash value of the session key. Programming can continue only if the feature values of the three parties are completely consistent. If the key is transmitted incorrectly or tampered with, the abnormality handling is triggered immediately to avoid encryption and decryption failure and data leakage caused by key abnormality.
[0036] 4. Key Management Module
[0037] It achieves closed-loop management of the entire lifecycle of key generation, storage, distribution, update, destruction and auditing, which complies with the national cryptographic key management specifications and the NISTSP800-57 key standard, and prevents the risks of key leakage, reuse, tampering and illegal reading from the root.
[0038] Key storage unit: It adopts hierarchical hardware encryption storage. The root key is stored in the HSM hardware security module, the device key is stored in the hardware encryption chip, and the session key is stored in the encrypted flash memory. All keys are encrypted twice by the root key before storage. It has power failure protection and anti-tamper self-destruct function. The keys are not lost or leaked after power failure. Hierarchical storage realizes key isolation and control and avoids cross leakage.
[0039] Key distribution unit: The session key is distributed to the corresponding programming channel and target chip using the AES-256 encryption transmission mechanism. The key distribution process is encrypted throughout and there is no plaintext transmission. The key distribution time, distribution object, key type, channel number and other log information are automatically recorded to ensure that the key distribution is controllable and traceable.
[0040] Key update unit: The session key expires automatically after the burning is completed, and the root key and device key are updated regularly on a 90-day cycle; a key transition mechanism is adopted during the update, and the new key is enabled normally before the old key expires, ensuring that the burning process is uninterrupted and error-free, and adapting to continuous mass production scenarios.
[0041] Key destruction unit: After successful programming, the session key is securely erased and destroyed, completely removing key storage traces from the programming terminal, chip, encryption module, and key module, making it impossible to restore using data recovery tools; when key leakage, illegal use, or malicious reading is detected, a forced destruction command can be manually triggered to immediately destroy the relevant keys and reduce security risks.
[0042] Key auditing unit: Records all operation information of key generation, distribution, update, destruction, and abnormal reading throughout the entire process, including operation time, operator, key type, operation result, and reason for abnormality, forming a complete key auditing chain; monitors illegal key operations in real time and triggers dual alarms of sound and light + host computer.
[0043] 5. Chip Interface Module
[0044] It enables secure, stable, and interference-resistant communication between the system and the target chip, adapts to complex industrial production environments, and features automatic multi-protocol adaptation, signal isolation, and data buffering.
[0045] Interface adapter unit: Automatically identifies the programming interface type of the target chip, and switches the communication protocol, interface mode and communication baud rate with one click without manual configuration; supports JTAG daisy chain connection and multi-chip serial programming, adapts to the programming needs of chips with different packages, specifications and interfaces, and has strong versatility.
[0046] Signal isolation unit: Adopting opto-isolation technology, with an isolation voltage ≥2500V, it effectively resists electromagnetic interference, voltage fluctuations, ground loop interference, and electrostatic shocks in the production environment, protecting the system hardware and target chips from damage and avoiding programming failures and verification errors caused by signal distortion.
[0047] Data buffer unit: Adopts FIFO high-speed cache chip, with dynamically adjustable cache capacity (maximum 16KB), cached data transmission avoids data loss due to mismatch in transmission rate; supports data resumption after communication interruption, and does not require retransmission of all data after interruption recovery, improving data transmission stability and burning efficiency.
[0048] 6. Adaptive Exception Handling Module
[0049] It integrates a six-state adaptive security state machine (idle state, handshake authentication state, key negotiation state, programming verification state, completion locking state, and anomaly circuit breaker state) to achieve rapid anomaly detection, accurate location, hierarchical processing, and hardware circuit breaker, and has anti-attack and anti-interference capabilities.
[0050] Anomaly detection unit: Real-time monitoring of six parameters: device connection status, data transmission integrity, key consistency, communication quality, power supply voltage, ambient temperature, and interface level. It presets anomaly thresholds such as communication timeout (100ms), number of verification failures (3 times), and voltage fluctuation range (±5%). If the threshold is exceeded, anomaly detection is triggered immediately.
[0051] Anomaly Location Unit: By analyzing the work logs, transmitted data, and verification results of each module, it accurately distinguishes the anomaly type (data verification anomaly, key anomaly, communication interruption, chip failure, unauthorized access, environmental anomaly), locates the anomaly location (channel number, data segment offset, module number) and the cause of the anomaly, and provides accurate basis for troubleshooting.
[0052] Anomaly Handling Unit: Anomalies are handled in three levels: mild, moderate and severe. (1) Mild anomaly (single verification failure, brief communication jitter): Automatically retry 3 times. If the retry is successful, continue burning and record the anomaly information. (2) Moderate anomaly (multiple verification failures, temporary loss of key, loose chip connection): Pause burning, save burning progress and core data, wait for manual investigation, and resume burning after investigation. (3) Severe anomaly (illegal device access, key leakage, firmware tampering, chip failure, malicious attack): Immediately terminate burning, clear the firmware data written in the chip, destroy the current session key, trigger hardware fuse, and lock the chip burning function.
[0053] Alarm Unit: It adopts a dual mode of audible and visual alarm + upper computer pop-up alarm, outputs information such as abnormality type, abnormality location, abnormality cause, processing result, and processing suggestions, and simultaneously transmits alarm records to the log traceability module to facilitate quick handling by operators.
[0054] 7. Log Traceability and Host Computer Management Module
[0055] It enables encrypted, traceable, and visualized intelligent management and control of the entire programming process, meeting the compliance audit, accountability, and fault diagnosis needs of automotive-grade, industrial-grade, and financial-grade chips.
[0056] Log collection unit: Real-time collection of core data throughout the entire burning process, with collection accuracy down to the millisecond level, including device information (chip PUF / UID, burning terminal ID, channel number), firmware information (version, size, checksum, signature result), encryption information (algorithm, key type, generation time), burning information (time, address, rate, progress), verification results (four-dimensional verification status, checksum), anomaly information (type, location, processing result), and key operation information (generation, distribution, destruction, auditing), with no critical information missing.
[0057] Log storage unit: Log data is encrypted using the SM4 national cryptographic algorithm, and the storage period can be customized from 1 to 3 years; it is partitioned and stored according to six types: device log, firmware log, encrypted log, verification log, exception log and key log, and uses industrial-grade encrypted hard drive with anti-interference, anti-tampering and power loss protection functions.
[0058] Log query unit: Supports multi-condition queries such as burning time, chip model, operator, anomaly type, verification result, and channel number, and can export logs in standard Excel, PDF, and CSV formats; It has hierarchical access control, with administrators, operators, and auditors querying according to their respective permissions to ensure log data security.
[0059] The host computer control unit provides a visual operation interface, realizing integrated parameter configuration, status monitoring, data management, hierarchical permission, batch configuration, and automatic backup; it displays the burning progress, module status, verification results, and abnormal information in real time, supports batch import and export of parameters and automatic data backup, and is easy to operate, requiring no professional encryption knowledge to get started.
[0060] II. Dynamic Encryption Verification Method for Secure Chip Programming
[0061] This method consists of three stages: pre-programming preparation, dynamic encryption and real-time verification during programming, and post-programming verification and cleanup, forming a complete security closed loop. The specific steps are as follows:
[0062] 1. Preparation stage before burning
[0063] System initialization: The operator starts the system through the host computer and automatically completes the hardware self-test and software initialization of seven modules: terminal programming, dynamic encryption, multi-dimensional verification, key management, chip interface, exception handling, and log traceability. It checks the module working status, HSM key storage status, hardware encryption chip validity, and channel connection status. If a module fails, it immediately triggers an exception alarm, indicating the fault location and troubleshooting suggestions. After troubleshooting is completed, the system is restarted.
[0064] Parameter configuration: Operators configure core parameters via a host computer, including programming parameters (rate, address, mode, number of channels), encryption parameters (algorithm, key length, number of encryption rounds), verification parameters (verification algorithm, number of retries, threshold), exception handling parameters (level classification, alarm method, circuit breaker condition), and log parameters (storage period, collection frequency). The system automatically verifies the compatibility of the parameters with the target chip, and saves and applies the parameters after successful verification to avoid programming failures caused by incorrect parameters.
[0065] Two-way authentication: The target chip is connected to the programming terminal through the chip interface module. The programming terminal reads the chip's unique PUF identifier and its own device ID, and initiates a two-way challenge-response authentication. The terminal generates a random challenge number and sends it to the chip. The chip combines the PUF identifier and the root key to generate a response value and sends it back. The terminal compares the response value with the legitimate device database, and the chip verifies the terminal's identity in reverse. Only after the two-way authentication is successful can the programming process begin. Illegal devices will be directly denied access and an alarm will be triggered.
[0066] Firmware validity verification: The firmware to be burned is imported through the host computer. The firmware reading unit completes format parsing, redundancy removal, segmentation processing, and extracts basic firmware information. The firmware verification unit verifies the firmware digital signature, compares the firmware version, compatible chip model, and verification benchmark value. If the verification is successful, the firmware is confirmed to be legal and valid. Illegal firmware is prohibited from being burned and an alarm is triggered.
[0067] Dynamic key generation and distribution: The key management module calls the root key in the HSM, and the dynamic encryption module combines the burning timestamp, chip PUF identifier, burning device ID, and firmware version number to generate a one-time session key through the HKDF derived function. After the session key is encrypted and stored again by the root key, it is distributed to the burning terminal, multi-dimensional verification module, and target chip through the AES-256 encryption channel. Each module completes key decryption and preparation, and the key verification unit performs a three-way consistency comparison.
[0068] 2. Dynamic encryption and real-time verification burning stage
[0069] Firmware segmented dynamic encryption: The firmware reading unit transmits segmented firmware to the dynamic encryption module, the encryption algorithm selection unit selects the encryption algorithm, the data encryption unit uses the session key to perform chain encryption on the firmware segments, adds a random offset, and generates a SHA-256 check value for each segment; the encryption synchronization unit synchronizes the encrypted information to the verification module and the log module.
[0070] Encrypted instructions and data transmission: The instruction generation unit generates burning control instructions, which are encrypted synchronously with the encrypted firmware data and segment check value. The instructions are then transmitted to the target chip and the multi-dimensional verification module through the chip interface module, preventing the instructions and data from being eavesdropped on or tampered with during transmission.
[0071] Streaming multi-dimensional real-time verification: The multi-dimensional verification module synchronously performs four-dimensional verification: the streaming data verification unit compares the verification value block by block, the key verification unit compares the key feature value three times, the device verification unit monitors the connection status in real time, and the firmware verification unit verifies the firmware validity; any verification failure immediately triggers the corresponding level of exception handling.
[0072] Firmware writing and synchronization verification: After receiving encrypted data, the target chip decrypts the burning command and firmware data, performs an erase operation, and writes the firmware to the specified storage address. The chip provides real-time feedback of the verification value of the written data. The multi-dimensional verification module compares the value with the baseline verification value of the dynamic encryption module. If they match, the writing continues; otherwise, a retry or termination of the burning process is triggered.
[0073] Multi-channel parallel programming: The multi-channel adapter unit allocates independent encryption, verification, communication, and storage resources to each channel. The channels operate independently and do not interfere with each other, and synchronously complete the encryption, verification, and writing operations of multiple chips, improving the efficiency of batch programming.
[0074] Adaptive state machine monitoring: The six-state adaptive state machine manages the programming process in real time, dynamically adjusting the programming clock frequency based on verification results, environmental parameters, and device status; it maintains full-speed programming in normal state, automatically reduces the frequency and retryes in abnormal state, and directly switches to the abnormal circuit breaker state when malicious attacks are detected.
[0075] Burning completion judgment: The burning terminal detects that all firmware segments have completed encryption, transmission, verification and writing operations, confirms that the core burning process is complete, and automatically enters the post-burning verification and closing stage.
[0076] 3. Post-programming verification and finalization stage
[0077] Full firmware verification: The burning terminal sends a read command through the chip interface module to read all the burned firmware in the chip and transmit it to the multi-dimensional verification module; the data verification unit performs a full SHA-256 hash comparison. If it matches the verification benchmark value before burning, the burning is confirmed to be successful. If it does not match, the burning is determined to be a failure and an alarm is triggered.
[0078] Hardware fuse lock (high security scenario): After automotive-grade, industrial-grade, and financial-grade chips are successfully programmed and pass full verification, the system generates a hardware fuse path based on the chip's unique PUF identifier, triggers the chip debugging interface fuse operation, permanently closes the JTAG / SWD debugging interface, and prohibits subsequent firmware reading, tampering, and reprogramming, thus achieving hardware-level security lock.
[0079] Secure destruction of session keys: Upon receiving a successful burning instruction, the key management module securely erases and destroys the session keys burned this time, thoroughly removing all key storage traces from the burning terminal, chip, encryption module, and key module, ensuring that there are no key residues, leaks, or recovery possibilities.
[0080] Log archiving and auditing: The log collection unit completes the entire process of data collection, the log storage unit encrypts and stores the log data and archives it in partitions; the log analysis unit automatically generates a burning analysis report, which includes information such as burning success rate, anomaly rate, key operation records, and verification results, and supports compliance auditing, fault tracing, and responsibility identification.
[0081] System Reset: The system automatically clears the temporary cache data, programming progress information, and temporary checksums from this programming session, restoring the initial state; the operator disconnects the chip from the system, completing the programming process and preparing for the next batch of chip mass production programming.
[0082] This invention systematically optimizes the core defects of existing technologies, and compared with existing technologies and single improvement solutions, it has the following core advantages:
[0083] 1. Significantly Enhanced Security: This invention completely eliminates security risks such as key reuse, replay attacks, and man-in-the-middle attacks by using a combination of one-time session key and chip PUF physical unique binding and two-way challenge-response authentication. Through streaming block-by-block real-time verification and hardware-level circuit breaker locking mechanism, it achieves security protection throughout the entire programming process. Even if key leakage occurs, it only affects a single session and a single chip, and the security risk is completely controllable. Through hardware encryption management of the entire key lifecycle, it prevents the risk of key leakage from the root, improving security by more than 80% compared to traditional static encryption schemes.
[0084] 2. Strong technical solution integrity: This invention deeply integrates seven technologies: dynamic multi-factor key generation, PUF hardware unique binding, two-way challenge-response identity authentication, streaming block-by-block real-time verification, six-state adaptive security state machine management, key lifecycle closed-loop management, and full-link encrypted log traceability. It constructs a complete end-to-end security closed loop, overcomes the technical bottlenecks of existing technologies where a single improvement scheme cannot simultaneously achieve high security, high versatility, high programming efficiency, and high compliance, and solves six common technical pain points that have long existed in this field.
[0085] 3. Excellent mass production adaptability: This invention is compatible with existing programming production lines without the need for large-scale hardware modifications; it is compatible with multiple interfaces, multiple channels, and multiple chips for all scenarios, including automotive-grade, industrial-grade, consumer electronics, and financial payment chips; according to actual tests, the programming success rate is ≥99.99%, and the programming efficiency in 8-channel parallel mode is 150% higher than that in single-channel mode. It can be directly applied to mass production scenarios, and is easy to operate and has low maintenance costs.
[0086] 4. Enhanced Compliance and Traceability: This invention forms an immutable audit chain through full-process encrypted log collection, full-process key auditing, and hierarchical control of operation permissions. It fully meets the industry compliance requirements of IATF16949, AEC-Q100, ISO26262, and national cryptographic security standards, facilitating fault diagnosis, responsibility tracing, supply chain auditing, and product acceptance. Attached Figure Description
[0087] Figure 1 This is a block diagram of the overall module structure of the dynamic encryption verification system for secure chip programming of the present invention;
[0088] Figure 2 This is a block diagram of the internal structure of the dynamic encryption module of the present invention;
[0089] Figure 3 This is a block diagram of the internal structure of the multi-dimensional verification module of the present invention;
[0090] Figure 4 This is a schematic diagram of the overall process of the dynamic encryption verification method for secure chip programming of the present invention.
[0091] Explanation of reference numerals in the attached diagram: 1. Programming terminal module; 2. Dynamic encryption module; 3. Multi-dimensional verification module; 4. Key management module; 5. Chip interface module; 6. Adaptive exception handling module; 7. Log tracing and host computer management module; 8. Target chip; 11. Firmware reading unit; 12. Instruction generation unit; 13. Cooperative control unit; 14. Multi-channel adaptation unit; 21. Encryption algorithm selection unit; 22. Dynamic key generation unit; 23. Data encryption unit; 24. Encryption synchronization unit; 31. Device verification unit; 32. Firmware verification unit; 33. Streaming data verification unit; 34. Key verification unit. Detailed Implementation
[0092] This embodiment uses the mass production programming of automotive-grade STM32H743 MCU as a typical scenario to describe the specific implementation of the present invention in detail. The core technical solution can be adapted to various devices such as industrial FPGA, consumer electronics SoC, financial security chip, and IoT chip by adjusting the encryption algorithm, programming parameters, interface configuration, and anomaly strategy, and is not limited to this embodiment.
[0093] I. System Hardware and Software Configuration
[0094] 1. Hardware Configuration
[0095] Programming terminal module: Industrial-grade STM32F429IGT6 embedded motherboard, 180MHz main frequency, built-in 1MB Flash, 256KB RAM, 8 independent programming units, opto-isolation between channels, and supports automatic switching between SWD / JTAG.
[0096] Dynamic encryption module: AT88SC0104CA hardware encryption chip, supports AES-256, SM4, HMAC-SHA256 algorithms, built-in TRNG true random number generator, encryption speed 1Gbps;
[0097] Multi-dimensional verification module: XC7K325TFPGA chip, parallel verification processing latency ≤100ns, supports bidirectional challenge-response authentication, streaming block-by-block verification, and precise error location;
[0098] Key management module: SafenetLunaHSM7000 hardware security module, encrypted flash storage, power failure protection, root key hardware-level encryption protection;
[0099] Chip interface module: TLP181 opto-isolator (isolation voltage ≥2500V), IDT7202 FIFO buffer chip, supporting automatic switching of multiple protocols;
[0100] Adaptive anomaly handling module: voltage / current / communication monitoring chip, LTE-1101 audible and visual alarm, hardware fuse control unit;
[0101] Log traceability module: 1TB industrial-grade encrypted hard drive, SM4 algorithm encrypted storage, storage period of 3 years;
[0102] Host computer module: Intel Core i7-12700H industrial computer, Windows 10 IoT Enterprise system, visual management interface;
[0103] Target chip: STM32H743 automotive-grade MCU with built-in PUF (Physically Unclonable Function), compliant with AEC-Q100 standard, and failure rate <1ppm.
[0104] 2. Software Configuration
[0105] Burning terminal software: Developed based on the FreeRTOS operating system, it supports firmware multi-format parsing, segmented processing, multi-channel collaborative control, and automatic interface adaptation.
[0106] Dynamic encryption software: TOTP time window key generation, segmented chain encryption, hardware-accelerated processing, and synchronous uploading of encrypted information;
[0107] Verification software: Two-way challenge-response authentication protocol, streaming block-by-block SHA-256 verification, three-party key consistency comparison, firmware RSA-2048 signature verification;
[0108] Key management software: provides full lifecycle control over keys, automatically generates, distributes, updates, and destroys session keys, and records key audit logs;
[0109] Exception handling software: six-state adaptive safety state machine, hierarchical exception handling logic, hardware circuit breaker control, and real-time exception alarm;
[0110] Log software: end-to-end data collection, encrypted storage, multi-condition query, export, analysis, and compliance report generation;
[0111] Host computer software: integrates parameter configuration, status monitoring, data management, hierarchical access control, batch configuration, and automatic backup.
[0112] II. System Workflow
[0113] 1. Preparation stage before burning
[0114] System initialization: After startup, complete all module hardware and software self-tests, confirm that the module status is normal, the HSM key is valid, and the channel connection is correct, and enter the programming ready state;
[0115] Parameter configuration: Set the burning rate to 500Mbps, the burning address to 0x08000000, the 8-channel parallel mode, the encryption algorithm to AES-256, the verification algorithm to SHA-256, the abnormal retry to 3 times, and the log storage period to 3 years.
[0116] Two-way authentication: The programming terminal reads the PUF identifiers of 8 chips, generates a random challenge number to initiate two-way authentication, compares it with the legitimate device database, and all verifications pass;
[0117] Firmware verification: Import V1.0 automotive-grade firmware (256KB, HEX format), parse the format, verify the RSA-2048 digital signature, and confirm that the firmware is legal and valid;
[0118] Dynamic key generation: Combining the burning timestamp, chip PUF identifier, device ID, and firmware version, a 256-bit one-time session key is generated for each channel, which is encrypted and distributed to each module and chip. The three-party key comparison is consistent.
[0119] 2. Dynamic encryption and real-time verification burning stage
[0120] Firmware segmented encryption: Divide the 256KB firmware into 256 1KB data blocks, encrypt each segment with AES-256, add a random offset, and generate a SHA-256 check value for each segment.
[0121] Encrypted transmission: The burning command and the encrypted firmware are transmitted synchronously and sent to the multi-dimensional verification module for real-time verification.
[0122] Real-time streaming verification: verifies data integrity block by block, compares key consistency among three parties, and monitors device connection in real time; automatically retryes if a single verification fails, and pauses the burning process for troubleshooting after 3 failures;
[0123] Firmware writing: After the chip decrypts the data, it is written to Flash. The verification value is fed back in real time. After the verification module compares and confirms that the value is consistent, the next segment of writing is continued.
[0124] Multi-channel parallel processing: 8 channels are independently encrypted, verified and written, with no interference between channels, and the burning progress is advanced synchronously;
[0125] State machine monitoring: Adaptive state machine real-time management, automatic frequency reduction during voltage fluctuations and electromagnetic interference, and immediate fuse tripping upon detection of unauthorized access;
[0126] Burning complete: All 256 firmware segments have been processed, and the core burning process is complete.
[0127] 3. Post-programming verification and finalization stage
[0128] Full verification: Read the firmware inside the chip, perform a full SHA-256 hash comparison, and if it matches the baseline value, the programming is confirmed to be successful;
[0129] Hardware fuse: Triggers the hardware fuse of the SWD debug interface, permanently closing the firmware modification channel;
[0130] Key Destruction: Securely destroys the session keys for all 8 channels, erasing all storage traces;
[0131] Log archiving: Encrypt and store the entire process logs, generate burning and analysis reports, and complete compliant archiving;
[0132] System Reset: Clears temporary data, restores the initial state, and prepares for the next batch of burning.
[0133] III. Implementation Results
[0134] A batch programming test was conducted on 1000 STM32H743 automotive-grade chips. The results, compared with a traditional static encryption programming system, are as follows:
[0135] Security: It can completely resist firmware tampering, key leakage, replay attacks, and man-in-the-middle attacks, improving security by more than 80% compared to traditional solutions;
[0136] Programming efficiency: In 8-channel parallel mode, the programming efficiency can reach 1000 chips / hour, which is 150% higher than that of single-channel mode;
[0137] Reliability: Programming failure rate ≤0.01%, meeting the failure rate requirements for automotive-grade chips;
[0138] Compliance: The entire process is traceable and complies with the relevant standards of IATF16949, AEC-Q100, and ISO26262.
[0139] Versatility: It can be quickly adapted to industrial, consumer, financial, and IoT chips without requiring large-scale modifications to existing production lines.
[0140] This invention can adapt to the programming needs of different types and security levels of chips by adjusting the encryption algorithm, programming parameters, interface configuration, and exception handling strategy. The core technical solution remains unchanged and all of them fall within the protection scope of this invention.
[0141] The present invention and its embodiments have been described above. This description is not restrictive, and the accompanying drawings are only one embodiment of the present invention, and are not actually limited thereto. In conclusion, if those skilled in the art are inspired by this description and design similar embodiments without departing from the spirit of the present invention, such embodiments should fall within the protection scope of the present invention.
Claims
1. A dynamic encryption verification system for secure chip programming, characterized in that: The system includes a programming terminal module, a dynamic encryption module, a multi-dimensional verification module, a key management module, a chip interface module, an adaptive exception handling module, and a log traceability and host computer management module. The system integrates chip PUF physical unique binding, two-way challenge-response identity authentication, streaming segmented chain dynamic encryption, block-by-block real-time cryptographic verification, six-state adaptive security state machine control, key lifecycle closed-loop control, and full-process encrypted log traceability technology to build a secure closed loop for the entire programming process, achieving secure programming with one key per session, one binding per chip, and one verification per block.
2. The dynamic encryption verification system for secure chip programming according to claim 1, characterized in that: The programming terminal module includes a firmware reading unit, an instruction generation unit, a collaborative control unit, and a multi-channel adaptation unit. The firmware reading unit supports mainstream firmware format parsing and adaptive segmentation. The multi-channel adaptation unit adopts an opto-isolation + electromagnetic shielding design, supports 1-8 channels of independent parallel programming, and automatic adaptation of multiple programming interfaces.
3. The dynamic encryption verification system for secure chip programming according to claim 1, characterized in that: The dynamic encryption module integrates AES-256, SM4 national cryptographic, and HMAC-SHA256 algorithms with a hardware encryption acceleration engine. Based on multiple dynamic factors such as the burning timestamp, chip PUF identifier, burning device ID, and firmware version number, it generates a one-time session key through the HKDF key derivation function, performs segmented chain encryption on the firmware, and adds a random offset.
4. The dynamic encryption verification system for secure chip programming according to claim 1, characterized in that: The multi-dimensional verification module includes a device verification unit, a firmware verification unit, a streaming data verification unit, and a key verification unit; it enables bidirectional challenge-response authentication between the burning terminal and the target chip, firmware digital signature verification, real-time cryptographic verification block by block + full hash verification after burning, and consistency comparison of three-party session keys.
5. The dynamic encryption verification system for secure chip programming according to claim 1, characterized in that: The key management module adopts a hierarchical hardware encryption storage architecture. The root key is stored in the HSM hardware security module to realize closed-loop management of the entire life cycle of key generation, storage, distribution, update, destruction and auditing. It has key anti-tampering self-destruction, power failure protection and illegal operation alarm functions.
6. The dynamic encryption verification system for secure chip programming according to claim 1, characterized in that: The adaptive anomaly handling module is equipped with a six-state adaptive security state machine, which handles anomalies in three levels: mild, moderate, and severe. Severe anomalies trigger firmware clearing, key destruction, and chip hardware meltdown to block malicious attacks and data leakage risks.
7. A dynamic encryption verification method for secure chip programming, applied to the system described in any one of claims 1-6, characterized in that, The process includes three stages: pre-programming preparation, dynamic encryption and real-time verification during programming, and post-programming verification and finalization. The entire process involves two-way authentication, dynamic multi-factor key generation, streaming segmented encryption, block-by-block real-time verification, adaptive state machine management, hardware locking, and key destruction.
8. The dynamic encryption verification method for secure chip programming according to claim 7, characterized in that: The pre-programming preparation includes system hardware and software self-test, programming and encryption parameter configuration, two-way challenge-response identity authentication between programming terminal and chip, firmware digital signature and validity verification, one-time session key generation and encrypted distribution.
9. The dynamic encryption verification method for secure chip programming according to claim 7, characterized in that: In the dynamic encryption and real-time verification burning stage, the firmware is adaptively segmented and then chained dynamic encryption is performed. The encrypted data and burning instructions are transmitted synchronously in ciphertext. The cryptographic verification is completed block by block, and multiple channels are burned independently in parallel. The burning process is controlled in real time by a six-state security state machine.
10. The dynamic encryption verification method for secure chip programming according to claim 7, characterized in that: The post-programming verification and cleanup process includes full hash verification of the chip firmware, hardware fuse locking of the chip debugging interface in high-security scenarios, secure erasure and destruction of session keys, and full-process encrypted log archiving and compliance auditing.