CN107967432B - Safe storage device, system and method - Google Patents
Safe storage device, system and method Download PDFInfo
- Publication number
- CN107967432B CN107967432B CN201711184777.8A CN201711184777A CN107967432B CN 107967432 B CN107967432 B CN 107967432B CN 201711184777 A CN201711184777 A CN 201711184777A CN 107967432 B CN107967432 B CN 107967432B
- Authority
- CN
- China
- Prior art keywords
- terminal
- user identity
- key
- unit
- key information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2153—Using hardware token as a secondary aspect
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a safe storage device, a system and a method, wherein the device comprises: the method comprises the following steps: the device comprises a main control unit, a storage unit and an encryption unit, wherein: the main control unit is used for generating a control instruction according to the terminal request and sending the control instruction to the storage unit; the storage unit is used for determining first key information of a user corresponding to the control instruction according to the received logic address of the control instruction and sending the first key information to the encryption unit; and the encryption unit is used for receiving the first key information sent by the storage unit and the second key information sent by the terminal and generating a data key according to the first key information and the second key information. According to the safe storage device, the system and the method, the encryption unit is additionally arranged, and the secret key information is separately stored, so that an illegal user can be effectively prevented from acquiring the secret key, the safety of the secret key is ensured, and the safety of data is further ensured.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a secure storage apparatus, a system, and a method.
Background
With the acceleration of the informatization development process of China and the expansion of informatization coverage, the demand of hard disks as main data storage devices is increasing day by day. However, most of the existing hard disks do not have a data security protection function, and the storage process of data is very unsafe.
At present, various memory disks with encryption functions, such as an encryption memory card, an encryption U disk, an encryption hard disk and the like, are continuously introduced in the market, but the encryption memory disks mainly adopt a soft encryption mode, and the software encryption mode has the problems of occupying CPU time and a large amount of memories and having poor real-time performance.
The hardware-based encryption mode gradually becomes a development trend of data storage encryption due to the advantages of high speed, safe and reliable key storage mode and the like. Therefore, it is desirable to provide a hardware-based encryption method to implement data encrypted storage, so as to effectively improve the security of data storage.
Disclosure of Invention
The invention provides a safe storage device, a system and a method, which aim to solve the problem that a storage device in the prior art is difficult to ensure data security.
In one aspect, the present invention provides a secure storage device, comprising: the device comprises a main control unit, a storage unit and an encryption unit, wherein:
the main control unit is used for generating a control instruction according to a terminal request and sending the control instruction to the storage unit;
the storage unit is configured to determine first key information of a user corresponding to the terminal according to the received logical address of the control instruction, and send the first key information to the encryption unit;
the encryption unit is configured to receive first key information sent by the storage unit and second key information sent by the terminal, and generate a data key according to the first key information and the second key information.
Preferably, the encryption unit is further configured to encrypt the data requested by the terminal to be stored in the storage unit or decrypt the data requested by the terminal to be read from the storage unit according to the data key.
Preferably, the method further comprises the following steps: and the interface unit is used for receiving the terminal request and sending the terminal request to the main control unit.
Preferably, the storage unit is further configured to store a user information list in advance, where the user information list includes user identity information of all authorized terminals and respective corresponding first key information;
correspondingly, according to the logic address of the received control instruction, the user identity information corresponding to the terminal is determined, based on the user identity information, the corresponding first key information is determined from the user information list, and the first key information is sent to the encryption unit.
Preferably, the storage unit is further configured to erase the user identity information and the first key information according to the request of the terminal.
In one aspect, the present invention provides a secure storage system including the secure storage apparatus, further including: and the terminal for storing the second key information is used for sending the second key information to the encryption unit after passing the authentication of the storage device.
Preferably, the secure storage device authenticates the terminal by using the user information list according to the user identity information sent by the terminal.
Preferably, the terminal includes a user identity UKey, and the user identity UKey is used for storing user identity information of the terminal and the corresponding second key information;
and the safety storage device acquires the second key information corresponding to the user identity information according to the user identity information sent by the user identity UKey.
In one aspect, the present invention provides a secure storage method, including:
s1, generating a control instruction by the main control unit according to the terminal request, and sending the control instruction to the storage unit;
s2, determining first key information of a user corresponding to the terminal by using the storage unit according to the logic address of the received control instruction, and sending the first key information to the encryption unit;
s3, using the encryption unit to receive the first key information sent by the storage unit and the second key information sent by the terminal, generating a data key according to the first key information and the second key information, and encrypting the data requested by the terminal to be stored in the storage unit or decrypting the data requested by the terminal to be read from the storage unit according to the data key.
Preferably, before the step of S1, the method further includes:
and S0, receiving the terminal request by using the interface unit, and sending the terminal request to the main control unit.
According to the safe storage device, the system and the method, the encryption unit is additionally arranged in the safe storage device, so that all data operations are processed safely by the encryption unit when the data are stored and read, the hardware encryption protection of the data is realized, the reliability of the data is improved, and the safety of data storage is ensured. In addition, the key information of the encryption unit is stored separately, so that the encryption unit needs to perform key synthesis before encrypting and decrypting data, thereby effectively preventing an illegal user from obtaining the key, ensuring the security of the key, and simultaneously ensuring the security of the user identity through user identity authentication.
Drawings
FIG. 1 is a schematic diagram of an overall structure of a secure storage device according to an embodiment of the present invention;
fig. 2 is a schematic overall flow chart of the secure storage method according to the embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Fig. 1 is a schematic overall structure diagram of a secure storage device according to an embodiment of the present invention, and as shown in fig. 1, the present invention provides a secure storage device, including: main control unit 1, memory cell 2 and encryption unit 3, wherein: the main control unit 1 is configured to generate a control instruction according to a terminal request, and send the control instruction to the storage unit 2; the storage unit 2 is configured to determine, according to the received logical address of the control instruction, first key information of a user corresponding to the terminal, and send the first key information to the encryption unit 3; the encryption unit 3 is configured to receive the first key information sent by the storage unit 2 and the second key information sent by the terminal, and generate a data key according to the first key information and the second key information.
Specifically, in order to realize secure storage of data, the embodiment of the invention provides a secure storage device based on a conventional storage device, adopts a hardware encryption mode, and adopts a mode of additionally arranging an encryption unit on the conventional storage device. The safe storage device of the embodiment of the invention comprises: a main control unit 1, a storage unit 2 and an encryption unit 3. The keys required for encrypting and decrypting the data by the encryption unit 3 are stored separately in advance, wherein a part of the keys are stored in the storage unit 2 of the secure storage device, and the other part of the keys are stored in the terminal. Therefore, when the secure storage device of the present invention is used to store or read data, the key should be synthesized first, and then the encryption unit 3 encrypts or decrypts the data by using the synthesized key, so as to achieve secure storage or reading of the data, and all the data stored in the secure storage device is the data encrypted by the encryption unit 3, and all the data read from the secure storage device must be decrypted by the encryption unit 3 before being read.
As an implementation manner, the data operation flow of the secure storage apparatus according to the embodiment of the present invention is as follows.
The main control unit 1 receives the terminal request, generates a corresponding control instruction according to the terminal request, and sends the control instruction to the storage unit 2; after receiving the control instruction sent by the main control unit 1, the storage unit 2 determines a user corresponding to the terminal by identifying the logical address of the control instruction, searches for corresponding first key information and sends the first key information to the encryption unit 3; the encryption unit 3 receives the first key information sent by the storage unit 2, meanwhile, the encryption unit 3 receives the second key information sent by the corresponding terminal, and generates a data key required by the encryption unit 3 for encrypting and decrypting data according to the first key information and the second key information; the encryption unit 3 performs encryption or decryption operation on the data according to the generated data key, so that the safe storage of the data is ensured.
Specifically, the storage unit 2 stores in advance the correspondence between the user identity information of all authorized terminals and the first key information, so that the storage unit 2 can determine the user identity information of the terminal by identifying the logical address requested by the terminal, and then search for the corresponding first key information according to the user identity information. It should be noted that all authorized terminals refer to all authorized terminals that have requested registration and are allowed to perform data storage and reading operations through the secure storage device.
Further, in other embodiments, the keys required for encryption and decryption by the encryption unit 3 may be stored in the storage unit 2 in their entirety. On the basis, when the main control unit 1 receives a terminal request, a corresponding control instruction is generated according to the terminal request, and the control instruction is sent to the storage unit 2; after receiving the control instruction sent by the main control unit 1, the storage unit 2 determines user identity information corresponding to the terminal by identifying a logical address of the control instruction, searches for a corresponding data key and sends the data key to the encryption unit 3; the encryption unit 3 receives the data key sent by the storage unit 2, and performs encryption or decryption operation on the data according to the received data key, so that the safe storage of the data is ensured.
Further, in the above embodiment, the main control unit 1 of the secure storage device may be an 686 main control chip, the storage unit 2 may be a NAND memory, and the encryption unit 3 may be an FPGA encryption chip. The main control unit 1 is connected with the encryption unit 3 through an MMC interface, and the storage unit 2 transmits keys and data with the encryption unit 3 through an MMC interface protocol. In addition, the MMC interface may be integrated in the encryption unit 3, whereby the encryption unit 3 may be designed in a memory card manner of a standard MMC interface. The specific types and connection modes of the main control unit 1, the storage unit 2 and the encryption unit 3 may be set according to actual requirements, and are not specifically limited herein.
According to the safe storage device provided by the embodiment of the invention, the encryption unit is additionally arranged, so that the encryption and decryption operation is required to be carried out on the data through the encryption unit when the data are stored and read, the hardware encryption protection on the data is realized, the reliability of the data is increased, and the data safety is ensured. In addition, the key information is stored separately, so that the encryption unit needs to perform key synthesis before encrypting and decrypting the data, thereby effectively preventing an illegal user from acquiring the key, ensuring the security of the key, and simultaneously ensuring the security of the user identity through user identity authentication.
Based on any embodiment, a secure storage apparatus is provided, and the encryption unit is further configured to encrypt data requested by the terminal to be stored in the storage unit or decrypt data requested by the terminal to be read from the storage unit according to the data key.
As an embodiment, the data operation flow of the secure storage apparatus according to the embodiment of the present invention is as follows, based on the encryption unit 3 having obtained the data key required for the encryption/decryption operation.
The terminal initiates a data storage request, the main control unit 1 generates a corresponding data storage instruction after receiving the data storage request of the terminal, and sends the data storage instruction to the storage unit 2; after receiving a data storage instruction sent by the main control unit 1, the storage unit 2 acquires target data requested to be stored by the terminal, and then sends the target data to the encryption unit 3; the encryption unit 3 receives the target data transmitted from the storage unit 2, encrypts the target data using the data key, transmits the encrypted target data to the storage unit 2, and stores the encrypted target data in the storage unit 2.
The terminal initiates a data reading request, the main control unit 1 generates a corresponding data reading instruction after receiving the data reading request of a user, and sends the data reading instruction to the storage unit 2; after receiving a data storage instruction sent by the main control unit 1, the storage unit 2 acquires target data requested to be read by the terminal, and then sends the target data to the encryption unit 3; the encryption unit 3 receives the target data sent by the storage unit 2, decrypts the target data by using the data key, and sends the decrypted target data to the terminal.
According to the safe storage device provided by the invention, the encryption unit is additionally arranged, so that the encryption and decryption operation is required to be carried out on the data through the encryption unit when the data are stored and read, the hardware encryption protection on the data is realized, the reliability of the data is increased, and the data safety is ensured. In addition, the key information is stored separately, so that the encryption unit needs to perform key synthesis before encrypting and decrypting the data, thereby effectively preventing an illegal user from acquiring the key, ensuring the security of the key, and simultaneously ensuring the security of the user identity through user identity authentication.
Based on any one of the above embodiments, there is provided a secure storage apparatus, as shown in fig. 1, the secure storage apparatus further includes: and the interface unit 4 is used for receiving a terminal request and sending the terminal request to the main control unit 1.
Specifically, in practical application, the secure storage device in this embodiment further includes an interface unit 4, where the interface unit 4 is used as an interface for connecting the secure storage device with an external device, and when a terminal initiates a request for data storage or reading, the secure storage device receives a terminal request through the interface unit 4, and then sends the terminal request to the main control unit 1 for processing.
Further, in this embodiment, the secure storage device is implemented by adding an encryption chip to a conventional hard disk, where the conventional hard disk includes a solid state disk, a mechanical hard disk, a USB mobile hard disk, and the like. If the types of hard disks used in the secure storage device are different, the corresponding interface units 4 are also different. The interface unit 4 may include a SATA interface, SATA-SATA, USB-SATA, and the like, and the specific type of the interface unit 4 may be set according to actual needs, which is not specifically limited herein. Different types of interface units 4 are arranged to be matched with different types of hard disks, so that the safe storage function is realized.
According to the safe storage device provided by the invention, different interface units are arranged to be matched with different types of hard disks to realize a safe storage function, so that the data needs to be encrypted and decrypted by the encryption unit when being stored or read, the hardware encryption protection of the data is realized, the reliability of the data is increased, and the data safety is ensured.
Based on any of the above embodiments, a secure storage apparatus is provided, where the storage unit 2 is further configured to store a user information list in advance, where the user information list includes user identity information of all authorized terminals and first key information corresponding to the user identity information;
correspondingly, the user identity information corresponding to the terminal is determined according to the received logical address of the control instruction, the corresponding first key information is determined from the user information list based on the user identity information, and the first key information is sent to the encryption unit 3.
Specifically, at the time of terminal registration, a data key is first generated from input user identity information, the generated data key is decomposed into first key information and second key information, and the first key information and the second key information are distributed to the storage unit 2 and the terminal, respectively. The user identity information and the first key information are correspondingly updated to a user information list and stored in the storage unit 2, so that the storage unit 2 can judge the user identity information of the terminal corresponding to the control instruction according to the received logic address of the control instruction, and the first key information of the user can be obtained by searching the user information list.
Further, the user information list stores the user identity information of all authorized terminals and the corresponding first key information. Therefore, when the terminal initiates a request for data storage or reading, the storage unit 2 can obtain the user identity information of the terminal according to the logical address of the control instruction sent by the main control unit 1, then search the user identity information and the corresponding first key information in the user identity information of all authorized terminals in the user information list according to the user identity information, and finally send the first key information to the encryption unit 3.
According to the safe storage device provided by the invention, the user information list is pre-stored in the storage unit, and the identity information of all authorized users and the corresponding first key information are stored in the user information list, so that the storage unit can find the corresponding first key information according to the user identity information, the effective protection of the user key is realized, the storage unit can safely and effectively store or read data, and the safety of the data is further ensured.
Based on any of the above embodiments, a secure storage apparatus is provided, where the storage unit is further configured to erase the user identity information and the first key information according to a request of a terminal.
Specifically, when the user registers, the storage unit 2 correspondingly stores the user identity information and the first key information in the user information list, so that the storage unit stores or reads data by using the user information list according to a request of the terminal. After the user completes the storage or reading of the data, the user may request the storage unit to correspondingly erase the corresponding user identity information and the first key information in the user information list. In practical application, when a terminal requests logout, a user inputs user identity information and transmits the user identity information to the storage unit 2 through the API, the storage unit 2 erases corresponding user identity information and first key information according to the user identity information, meanwhile, the storage unit 2 sends an erasing instruction to the encryption unit 3, and the encryption unit 3 erases a data key corresponding to the user identity information according to the erasing instruction.
In addition, the storage unit 2 can also realize a logical channel for directly managing the key required by encryption and decryption of the encryption unit by a user, provide an API function, directly carry out operations such as key setting and key modification by the user, convert the operations into special SATA commands and transmit the SATA commands to the storage unit, and convert the SATA commands into MMC commands and transmit the MMC commands to the encryption unit, so as to realize setting and modification of the user key.
According to the safe storage device provided by the invention, when the terminal requests to logout, the storage unit can erase the user identity information and the first key information according to the terminal request, so that the effective management protection of the terminal key is realized, and the safety of data is further ensured.
Based on any one of the above embodiments, there is provided a secure storage system including the secure storage apparatus, further including: and the terminal for storing the second key information is used for sending the second key information to the encryption unit after passing the authentication of the storage device.
Specifically, at the time of user registration, the generated data key is distributed to the storage unit of the secure storage device and the terminal for storage, respectively. When the terminal requests to store or read data, the second key information stored in the terminal needs to be sent to the encryption unit of the secure storage device, and the storage unit of the secure storage device sends the stored first key information to the encryption unit, so that the encryption unit generates a data key according to the first key information and the second key information.
Further, before the terminal sends the second key information to the encryption unit, the terminal needs to send an authentication request to the storage device to authenticate whether the user identity information of the terminal is consistent with the user identity information of the storage device, and if so, the terminal passes the authentication. After the authentication is passed, the second key information stored in the terminal becomes readable, so that the terminal sends the second key information to the encryption unit, and the encryption unit synthesizes the data key.
According to the safe storage system provided by the invention, the terminal stores part of the key required by data encryption and decryption, so that when a user stores or reads data, part of the key stored on the terminal is required to be sent to the encryption unit to synthesize the data key, and then the data is stored or read through the synthesized data key, so that an illegal user can be effectively prevented from acquiring the key, and the security of the key is ensured. Meanwhile, the terminal needs to perform user identity authentication before sending part of the secret key to the encryption unit, so that the safety of the user identity is ensured, and the safety of data is further ensured.
Based on any of the above embodiments, a secure storage system is provided, where the secure storage apparatus authenticates the terminal by using the user information list according to the user identity information sent by the terminal.
Specifically, before the terminal sends the first key information to the encryption unit, the terminal first needs to pass user identity authentication. The terminal stores user identity information in advance, when the terminal sends an authentication request to the safety storage device, the terminal sends the stored user identity information to the safety storage device, after a control unit of the safety storage device receives the authentication request which is sent by the terminal and contains the user identity information through an interface unit, a pre-stored user information list is obtained from the storage unit, the user identity information sent by the terminal is searched in the pre-stored user information list, if the user identity information exists, the control unit judges that the terminal is a legal authorized terminal, and the terminal passes the authentication of the safety storage device.
In addition, the terminal may further include a unique identifier, and the unique identifier of each terminal may also be stored in advance in the user information list stored in the storage unit of the secure storage device, so that the control unit of the secure storage device may implement authentication of the terminal user identity by searching for the unique identifier of the terminal in the user information list.
In addition, in practical application, before the terminal receives the authentication of the secure storage device, it can be verified whether the user is a legal user of the terminal, so that it can be avoided that after an illegal user acquires the terminal, the data stored in the secure storage device is acquired through the terminal or stored in the secure storage device. The authentication mode of the terminal for the user can be performed by acquiring the biological characteristic information of the user or by inputting the identity information of the user, and the like, and the specific authentication mode can be set according to actual needs, and is not specifically limited here.
According to the safe storage system provided by the invention, the terminal is enabled to authenticate the terminal according to the user identity information by the safe storage device through pre-storing the user identity information, so that the terminal needs to perform user identity authentication before sending part of the secret key to the encryption unit, the safety of the user identity is ensured, and the safety of data is further ensured.
Based on any one of the embodiments, a secure storage system is provided, where the terminal further includes a user identity UKey, and the user identity UKey is used to store user identity information of the terminal and corresponding second key information; and the safety storage device acquires second key information corresponding to the user identity information according to the user identity information sent by the user identity UKey.
Specifically, in this embodiment, the terminal is a pre-distributed user identity UKey. UKey is a USB device integrating an intelligent card and a card reader, supports hot plug and play, and is small in size, light in weight and convenient to carry. The UKey is used as a key storage, the hardware structure of the UKey determines that a user can only access data through a manufacturer programming interface, so that the condition that a digital certificate stored in the UKey cannot be copied is ensured, and each UKey is protected by a PIN code, so that the hardware of the UKey and the PIN code form a double factor for identity authentication by using the UKey. If the UKey of the user is lost, the acquirer cannot impersonate the identity of a legal user because the acquirer does not know the PIN code of the hardware; if the PIN code of the user is revealed, the identity of the user can be ensured not to be impersonated as long as the UKey hardware is stored.
Further, the user identity UKey stores user identity information and corresponding second key information, when a terminal needs to store or read data, an authentication request is sent to the secure storage device through the user identity UKey, the stored user identity information is sent to the secure storage device together, after a main control unit of the secure storage device receives the authentication request containing the user identity information sent by the user identity UKey through an interface unit, a pre-stored user information list is obtained from the storage unit, the user identity information sent by the user identity UKey is searched in the pre-stored user information list, and if the user identity information exists, the main control unit judges that the user identity UKey is a legal terminal, namely the user identity UKey can be authenticated through the secure storage device.
Furthermore, after the user identity UKey is authenticated by the secure storage device, the main control unit of the secure storage device requests the user identity UKey to acquire second key information corresponding to the user identity information through the interface unit, after the user identity UKey receives the request of the secure storage device, the second key information corresponding to the user identity information is sent to the secure storage device, the control unit of the secure storage device receives the second key information sent by the user identity UKey through the interface unit and sends the second key information to the encryption unit, and then the encryption unit synthesizes a data key required for data encryption and decryption.
According to the safe storage system provided by the invention, the user prestores the user identity information and the corresponding second key information through the user identity UKey, so that the safe storage device authenticates the user identity UKey according to the user identity information, the user identity UKey needs to perform user identity authentication before sending the second key information to the safe storage device, the safety of the user identity is ensured, and the safety of data is further ensured.
Fig. 2 is a schematic overall flow chart of a secure storage method according to an embodiment of the present invention, and as shown in fig. 2, based on any of the foregoing embodiments, a secure storage method is provided, including:
s1, generating a control instruction by the main control unit according to the terminal request, and sending the control instruction to the storage unit;
s2, determining first key information of a user corresponding to the terminal by using the storage unit according to the logic address of the received control instruction, and sending the first key information to the encryption unit;
s3, using the encryption unit to receive the first key information sent by the storage unit and the second key information sent by the terminal, generating a data key according to the first key information and the second key information, and encrypting the data requested by the terminal to be stored in the storage unit or decrypting the data requested by the terminal to be read from the storage unit according to the data key.
Specifically, the method of the present embodiment is applied to the secure storage device in any one of the above embodiments, where the secure storage device includes: the device comprises a main control unit, a storage unit and an encryption unit. Wherein, the encryption unit is stored separately in advance, half of the keys are stored in the storage unit of the secure storage device, and the other half of the keys are stored in the terminal. Therefore, when the secure storage device of the present invention is used to store or read data, the encryption unit should first synthesize the key and then encrypt or decrypt the data using the synthesized key, so as to finally store or read the data.
On the basis, the secure storage method of the embodiment is specifically implemented as follows:
the main control unit receives the terminal request, generates a corresponding control instruction according to the terminal request and sends the control instruction to the storage unit; after receiving the control instruction sent by the main control unit, the storage unit determines a user corresponding to the terminal by identifying the logical address of the control instruction, searches for corresponding first key information and sends the first key information to the encryption unit; the encryption unit receives first key information sent by the storage unit, meanwhile, the encryption unit receives second key information sent by a corresponding terminal, and a data key required by the encryption unit for encrypting and decrypting data is generated according to the first key information and the second key information; the encryption unit encrypts or decrypts the data according to the generated data key, so that the safe storage of the data is ensured.
Further, in other embodiments, the keys required for encryption and decryption by the encryption unit may also be stored in the storage unit in their entirety. On the basis, when the main control unit receives a terminal request, a corresponding control instruction is generated according to the terminal request, and the control instruction is sent to the storage unit; after receiving the control instruction sent by the main control unit, the storage unit determines user identity information corresponding to the terminal by identifying the logical address of the control instruction, searches for a corresponding data key and sends the data key to the encryption unit; the encryption unit receives the data key sent by the storage unit, and encrypts or decrypts the data according to the received data key, so that the safe storage of the data is ensured.
According to the safe storage method provided by the invention, the encryption unit is additionally arranged, so that the encryption and decryption operation is required to be carried out on the data through the encryption unit when the data are stored and read, the hardware encryption protection on the data is realized, the reliability of the data is increased, and the data safety is ensured. In addition, the key information is stored separately, so that the encryption unit needs to perform key synthesis before encrypting and decrypting the data, thereby effectively preventing an illegal user from acquiring the key, ensuring the security of the key, and simultaneously ensuring the security of the user identity through user identity authentication.
Based on any one of the above embodiments, there is provided a secure storage method, as shown in fig. 2, before the step S1, the method further includes: and S0, receiving the terminal request by using the interface unit, and sending the terminal request to the main control unit.
Specifically, in this embodiment, when the terminal needs to store or read data, the terminal needs to send a data storage or reading request to the secure storage device, the secure storage device first receives the terminal request by using the interface unit, and sends the terminal request to the main control unit, the main control unit generates a control instruction according to the terminal request, and finally sends the control instruction to the storage unit, and then the storage unit sends the first key information to the encryption unit according to the control instruction, and finally the encryption unit synthesizes a data key required by the user to store or read data.
According to the safe storage method provided by the invention, the interface unit is utilized to receive the terminal request, the terminal request is sent to the main control unit, and then the main control unit generates the control instruction according to the terminal request so as to effectively control the storage or reading of the data, so that the data needs to be encrypted and decrypted by the encryption unit when the data is stored or read, the hardware encryption protection of the data is realized, the reliability of the data is increased, and the data safety is ensured.
In summary, according to the secure storage apparatus, the system, and the method provided by the present invention, by adding the encryption unit, the data needs to be encrypted and decrypted by the encryption unit when the data is stored and read, so that hardware encryption protection of the data is achieved, reliability of the data is increased, and data security is ensured. In addition, the key information is stored separately, so that the encryption unit needs to perform key synthesis before encrypting and decrypting the data, thereby effectively preventing an illegal user from acquiring the key, ensuring the security of the key, and simultaneously ensuring the security of the user identity through user identity authentication.
Finally, the method of the present application is only a preferred embodiment and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (9)
1. A secure storage device, comprising: the device comprises a main control unit, a storage unit and an encryption unit, wherein:
the main control unit is used for generating a control instruction according to a terminal request and sending the control instruction to the storage unit;
the storage unit is used for judging the user identity information of the terminal corresponding to the control instruction according to the received logic address of the control instruction, determining first key information of the user corresponding to the terminal, and sending the first key information to the encryption unit; the terminal is also used for erasing the user identity information and the first key information according to the request of the terminal and setting a logic channel for directly managing the key required by the encryption unit for encryption by the user;
the encryption unit is used for receiving first key information sent by the storage unit and second key information sent by the terminal, and generating a data key according to the first key information and the second key information;
wherein the further configured to erase the user identity information and the first key information according to the terminal request specifically includes:
when the terminal requests to be cancelled, the user inputs the user identity information and transmits the user identity information to the storage unit through an API (application programming interface), the storage unit erases the corresponding user identity information and the first key information according to the user identity information and sends an erasing instruction to the encryption unit, and the encryption unit erases the data key corresponding to the user identity information according to the erasing instruction.
2. The apparatus according to claim 1, wherein the encryption unit is further configured to encrypt the data requested by the terminal to be stored in the storage unit or decrypt the data requested by the terminal to be read from the storage unit according to the data key.
3. The apparatus of claim 1, further comprising: and the interface unit is used for receiving the terminal request and sending the terminal request to the main control unit.
4. The apparatus according to claim 1, wherein the storage unit is further configured to store a user information list in advance, where the user information list includes user identity information of all authorized terminals and respective corresponding first key information;
correspondingly, according to the logic address of the received control instruction, the user identity information corresponding to the terminal is determined, based on the user identity information, the corresponding first key information is determined from the user information list, and the first key information is sent to the encryption unit.
5. A secure storage system comprising the apparatus of any of claims 1 to 4, further comprising: and the terminal for storing the second key information is used for sending the second key information to the encryption unit after passing the authentication of the safety storage device.
6. The system according to claim 5, wherein the secure storage device authenticates the terminal using the user information list according to user identity information sent by the terminal.
7. The system according to claim 6, wherein the terminal includes a user identity UKey for storing user identity information of the terminal and the corresponding second key information;
and the safety storage device acquires the second key information corresponding to the user identity information according to the user identity information sent by the user identity UKey.
8. A secure storage method based on the device of any one of claims 1 to 4, comprising:
s1, generating a control instruction by the main control unit according to the terminal request, and sending the control instruction to the storage unit;
s2, the storage unit is used for judging the user identity information of the terminal corresponding to the control instruction according to the logic address of the received control instruction, determining the first key information of the user corresponding to the terminal, and sending the first key information to the encryption unit; erasing the user identity information and the first key information according to the terminal request; and setting a logic channel for directly managing the key required by the encryption of the encryption unit by a user;
s3, using the encryption unit to receive the first key information sent by the storage unit and the second key information sent by the terminal, generating a data key according to the first key information and the second key information, and encrypting the data requested by the terminal to be stored in the storage unit or decrypting the data requested by the terminal to be read from the storage unit according to the data key;
wherein, the erasing the user identity information and the first key information according to the request of the terminal specifically includes:
when the terminal requests to be cancelled, the user inputs the user identity information and transmits the user identity information to the storage unit through an API (application programming interface), the storage unit erases the corresponding user identity information and the first key information according to the user identity information and sends an erasing instruction to the encryption unit, and the encryption unit erases the data key corresponding to the user identity information according to the erasing instruction.
9. The method according to claim 8, wherein the step of S1 is preceded by the step of:
and S0, receiving the terminal request by using the interface unit, and sending the terminal request to the main control unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711184777.8A CN107967432B (en) | 2017-11-23 | 2017-11-23 | Safe storage device, system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711184777.8A CN107967432B (en) | 2017-11-23 | 2017-11-23 | Safe storage device, system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107967432A CN107967432A (en) | 2018-04-27 |
CN107967432B true CN107967432B (en) | 2020-10-16 |
Family
ID=62001474
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711184777.8A Active CN107967432B (en) | 2017-11-23 | 2017-11-23 | Safe storage device, system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107967432B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108984424A (en) * | 2018-07-19 | 2018-12-11 | 江苏华存电子科技有限公司 | A kind of communication method between host software and storage device |
CN113329239B (en) * | 2021-05-26 | 2023-02-21 | 北京字跳网络技术有限公司 | Data processing method and device, storage medium and electronic equipment |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101281495A (en) * | 2007-04-02 | 2008-10-08 | 北京华旗资讯数码科技有限公司 | Method for ciphering file using movable storage apparatus |
CN102270182B (en) * | 2011-07-04 | 2014-04-23 | 济南伟利迅半导体有限公司 | Encrypted mobile storage equipment based on synchronous user and host machine authentication |
CN103678174A (en) * | 2012-09-11 | 2014-03-26 | 联想(北京)有限公司 | Data safety method, storage device and data safety system |
US20150271146A1 (en) * | 2012-10-24 | 2015-09-24 | Brian Holyfield | Methods and systems for the secure exchange of information |
CN107169382A (en) * | 2017-03-29 | 2017-09-15 | 山东超越数控电子有限公司 | A kind of mobile hard disk and its secure storage method of data based on NFC technique |
-
2017
- 2017-11-23 CN CN201711184777.8A patent/CN107967432B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN107967432A (en) | 2018-04-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8572392B2 (en) | Access authentication method, information processing unit, and computer product | |
TWI463349B (en) | Method and system for secure data access among two devices | |
US9043610B2 (en) | Systems and methods for data security | |
US7802112B2 (en) | Information processing apparatus with security module | |
JP6275653B2 (en) | Data protection method and system | |
US8949626B2 (en) | Protection of security parameters in storage devices | |
EP1866873B1 (en) | Method, system, personal security device and computer program product for cryptographically secured biometric authentication | |
KR102024339B1 (en) | Memory system and binding method between the same and host | |
CN111401901B (en) | Authentication method and device of biological payment device, computer device and storage medium | |
US11405202B2 (en) | Key processing method and apparatus | |
CN101488111A (en) | Identification authentication method and system | |
KR20210132721A (en) | Secure communication when accessing the network | |
JP2003143131A (en) | Electronic information management device, portable information terminal device, management server device and program | |
CN107967432B (en) | Safe storage device, system and method | |
WO2017137481A1 (en) | A removable security device and a method to prevent unauthorized exploitation and control access to files | |
CN109960935B (en) | Method, device and storage medium for determining trusted state of TPM (trusted platform Module) | |
KR101711024B1 (en) | Method for accessing temper-proof device and apparatus enabling of the method | |
CN103699853B (en) | A kind of intelligent SD card and control system thereof and method | |
CN113569272B (en) | Secure computer implementation method and secure computer | |
CN112149167B (en) | Data storage encryption method and device based on master-slave system | |
CN111815821B (en) | IC card security algorithm applied to intelligent door lock | |
US11516215B2 (en) | Secure access to encrypted data of a user terminal | |
KR102295470B1 (en) | Secure usb dongle for usb memory without security | |
JP2007133892A (en) | Access method, memory device, and information apparatus | |
KR20150050899A (en) | Apparatus and method for security storage using re-encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |