
CN116502291B - Data security storage equipment and data storage method based on three-dimensional heterogeneous integration - Google Patents


Info

Publication number: CN116502291B
Application number: CN202310769745.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN116502291A (en)
Prior art keywords: data, module, write, memory access, storage device
Inventors: 曹玥, 杨建国, 韩永康
Original Assignee: Zhejiang Lab
Current Assignee: Zhejiang Lab (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Events: application filed by Zhejiang Lab; priority to CN202310769745.3A; publication of CN116502291A; application granted; publication of CN116502291B.


Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107: File encryption
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data security storage device and a data storage method based on three-dimensional heterogeneous integration. The device includes: a memory access port module, which communicates with an external processor through an external system bus and receives the external processor's memory access instructions, so that the data security storage device is accessed as an external device by means of memory access instructions; the module transmits the information to be identified and the pre-encryption data to the security processing modules, feeds back encryption identification codes, status information and decrypted data to the external processor, and locks the external memory access port after a security processing module feeds back error information; several security processing modules, each connected to the memory access port module, which receive write activation instructions, read/write data instructions and pre-encryption data, perform key generation, identification, and data encryption and decryption, and transmit the encrypted data to the storage module; and a storage module, connected to each security processing module through a three-dimensional path, which stores the encrypted data.

Description

Data security storage device and data storage method based on three-dimensional heterogeneous integration

Technical field

The invention relates to the technical field of secure data storage, and in particular to a data security storage device and a data storage method based on three-dimensional heterogeneous integration.

Background

With the continuous development of big data and information technology, the security of stored information has become an issue of growing concern. Compared with the rapid development of protection against software attacks, protection against hardware attacks and encryption built directly on the underlying hardware are still at a relatively early stage. However, as the importance of data and the cost of software attacks gradually rise, attacks on hardware protection, long a weak point, are also becoming more frequent year by year. Research on data security storage devices based on hardware protection is therefore equally important.

Existing data security storage devices are mostly based on a two-dimensional planar structure, which has the following problems. First, because encryption logic and memory require different manufacturing processes, the encryption module is fabricated separately from the storage module. This structure makes the encryption module easier to locate physically, so physical attacks against it are easier to carry out; at the same time, the data transmission path between the encryption module and the storage module is easy to locate and tap, allowing information to be stolen. Second, an encryption module with strong confidentiality generally occupies a large chip area, which affects the overall size of the storage device.

Summary of the invention

In view of the shortcomings of the prior art, the invention proposes a data security storage device and a data storage method based on three-dimensional heterogeneous integration.

According to a first aspect of the embodiments of the invention, a data security storage device based on three-dimensional heterogeneous integration is provided, including:

a memory access port module, which communicates with an external processor through an external system bus and receives the external processor's memory access instructions, so that the data security storage device is accessed as an external device by means of memory access instructions; it transmits the information to be identified and the pre-encryption data to the security processing modules, feeds back encryption identification codes, status information and decrypted data to the external processor, and locks the external memory access port after a security processing module feeds back error information; the memory access instructions include a format instruction, a write activation instruction, read and write data instructions, and a write completion instruction;

several security processing modules, each connected to the memory access port module, which receive write activation instructions, read/write data instructions and pre-encryption data, perform key generation, identification, and data encryption and decryption, and transmit the encrypted data to the storage module; they also feed back their status information to the memory access port module;

a storage module, connected to each security processing module through a three-dimensional path, which stores the encrypted data.

According to a second aspect of the embodiments of the invention, a data storage method for the data security storage device based on three-dimensional heterogeneous integration is provided. It is implemented by the device described above and includes:

Step S1: format the data security storage device and obtain the write activation identification codes W_i, i = 1, ..., n;

Step S2: send the encryption interval ID and the corresponding activation identification code W_i to the data security storage device to perform write activation;

Step S3: after write activation is determined to have succeeded, issue a write request to the data security storage device;

Step S4: write a write completion instruction to the data storage device and determine the memory access identification port; the data storage device feeds back a write completion signal and the corresponding read identification code R_i;

Step S5: issue a read request to the data security storage device.

According to a third aspect of the embodiments of the invention, a computer-readable storage medium is provided. The storage medium stores a computer program which, when executed by a processor, implements the data storage method described above.

According to a fourth aspect of the embodiments of the invention, an electronic device is provided, including a memory, the data security storage device based on three-dimensional heterogeneous integration described above, and a program stored in the memory and runnable on the data security storage device.

The beneficial effects of the invention are as follows. Through three-dimensional heterogeneous integration, the proposed device and method raise the degree of integration between the encryption logic and the memory chip. This improves chip area utilization while making the encryption logic harder to identify precisely, reducing the risk that the device is broken by a targeted physical attack. The encryption module and the memory module are closely integrated at the two-dimensional level, which greatly increases the difficulty of separating and locating the encryption module and the data transmission path. In addition, each logic module in the three-dimensional integrated structure is connected only to its target memory interval through a three-dimensional path, so its memory access range is limited and the modules cannot interact. This property is used to manage different users separately within the same device and to separate the management of read and write permissions, further extending the range of applications of the device.

Description of the drawings

To explain the technical solutions in the embodiments of the invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Figure 1 is a schematic diagram of the connection, within a computing system, of the data security storage device based on three-dimensional heterogeneous integration provided by an embodiment of the invention;

Figure 2 is a schematic diagram of the internal structure of the data security storage device based on three-dimensional heterogeneous integration provided by an embodiment of the invention;

Figure 3 is a schematic diagram of the memory access port module provided by an embodiment of the invention;

Figure 4 is a schematic diagram of the security processing module provided by an embodiment of the invention;

Figure 5 is a schematic flowchart of the data storage method of the data security storage device based on three-dimensional heterogeneous integration provided by an embodiment of the invention.

Detailed description

To make the purpose, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings. The implementations described in the exemplary embodiments do not represent all implementations consistent with this application, and the secure storage device design data used in this example serve only as one example consistent with some aspects of this application. In all examples shown and discussed here, any specific value should be read as illustrative only and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.

The data security storage device based on three-dimensional heterogeneous integration proposed by the invention is connected within a computing system as shown in Figure 1. The device can be attached as an external storage device to the external system bus or to a memory access port of the external processor, so that all access control instructions issued by the external system bus to the device can be implemented in the form of memory access instructions. In this example, the system storage address is assumed to be 32 bits wide; the physical unclonable function (PUF) module and the true random number generator (TRNG) module within each security processing module of the device generate 128-bit data; and the security processing module uses the Advanced Encryption Standard (AES) algorithm to encrypt data. To simplify the description, the system memory access data width is 128 bits; in practice, if the memory access width is smaller, the data can be transferred over multiple cycles. The data security storage device provided by the invention is assumed to be divided into 8 encryption intervals.

As shown in Figure 2, the data security storage device provided by the invention includes a memory access port module, several security processing modules and a storage module.

The memory access port module communicates with the external processor through the external system bus and receives memory access instructions from the external system bus, so that the data security storage device is accessed as an external device by means of memory access instructions. It transmits the information to be identified and the pre-encryption data to the security processing modules, feeds back encryption identification codes, status information and decrypted data to the external processor, and locks the external memory access port after a security processing module feeds back error information. The memory access instructions include a format instruction, a write activation instruction, read and write data instructions, and a write completion instruction.

The several security processing modules are each connected to the memory access port module. They receive write activation instructions, read/write data instructions and pre-encryption data, perform key generation, identification, and data encryption and decryption, and transmit the encrypted data to the storage module; they also feed back their status information to the memory access port module.

The storage module is connected to each security processing module through a three-dimensional path and stores the encrypted data.

As shown in Figure 3, the memory access port module consists of a state storage module, a determination module and a format control module.

The state storage module stores the status information of each security processing module, including: the write activation state of the security processing modules, the number of identification failures fed back by each security processing module, the number of write failures fed back by the determination module, and whether the memory access port is locked.

The determination module identifies the external processor's memory access instructions, determines the order and region of the memory access instructions, and updates the state storage module; it also obtains the fed-back error information and determines whether the memory access port is locked. Identifying the external processor's memory access instructions includes identifying the write activation instruction, the write instruction, the key clearing instruction, the write completion instruction, the read instruction and the format instruction.

The format control module sends a format instruction to all security processing modules when the determination module identifies a format instruction. It formats all encryption intervals, clears every state in the state storage module, and feeds back all write activation identification codes and default read identification codes to the external system bus.

The process by which the determination module identifies the external processor's memory access instructions is described in detail below.

Note that whether the data security storage device is locked is determined from the memory access port lock state held in the state storage module. If the device is locked, the determination module does not pass on or update any data or information in response to any external instruction other than format.

(1.1) Identifying the write activation instruction:

Identify, from the address bits, the encryption interval ID, whether to force the write, and whether to use a new read key; read the write activation identification code from the data bits; transmit the write activation instruction and the above information to the corresponding security processing module; then wait for that security processing module to feed back the identification result, and according to the result update the module's write activation state and the port lock state held in the state storage module.

(1.2) Identifying the write instruction:

Read the write address from the address bits and the write data from the data bits. From the write activation states held in the state storage module, determine whether any security processing module is currently write-activated. If none is, feed back a write failure to the external processor. If one is, determine whether the write address lies in the storage interval corresponding to the activated security processing module. If it does not, feed back a write failure to the external processor, and update the write failure count fed back by the determination module and the write activation state of each security processing module in the state storage module. If it does, transmit the write instruction, the write address and the data to the corresponding security processing module.

(1.3) Identifying the key clearing instruction:

Identify the encryption interval ID from the address bits and read the read identification code from the data bits; determine the activation state and, if it is activated, transmit the key clearing instruction and the read identification code to the corresponding security processing module; then wait for that security processing module to feed back a success or failure signal and transmit it to the external processor.

(1.4) Identifying the write completion instruction:

Identify the encryption interval ID from the address bits; determine the activation state and, if it is activated, send the write completion instruction to the corresponding security processing module, and clear the write failure count fed back by the determination module and the write activation state of each security processing module in the state storage module; then wait for the read identification code fed back by the security processing module and transmit it to the external system through the data bits.

(1.5) Identifying the read instruction:

Read the read address from the address bits and the read identification code from the data bits; determine the corresponding security processing module ID from the read address, and transmit the read instruction and the above information to that security processing module; then wait for the module to feed back the identification result. If identification fails, feed back the identification error to the external processor and, according to the result, update the identification failure count fed back by that security processing module and the port lock state held in the state storage module. If identification succeeds, transmit the data read by the security processing module to the external processor, and clear the identification failure count held in the state storage module for that security processing module.

(1.6) Identifying the format instruction:

When the determination module identifies a format instruction, it issues an activation request to activate the format control module.
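The instruction handling in (1.1) to (1.6), driven through the S1 to S5 flow from the summary, can be modeled in Python. This is an added behavioral sketch, not code from the patent: the class and function names, the region size, the lock threshold of 3, the revocation of write activation after an out-of-interval write, and the random stand-ins for the identification codes are all assumptions, and the encryption performed inside the security processing modules is left out.

```python
import hmac
import secrets

N_REGIONS = 8          # the page's example: 8 encryption intervals
REGION_SIZE = 0x1000   # assumption: each interval is one contiguous address slice
LOCK_THRESHOLD = 3     # assumption: the page does not give a failure limit


class PortLocked(Exception):
    """Raised for any instruction other than format once the port is locked."""


class AccessPort:
    """Hypothetical model of the determination module plus state storage."""

    def __init__(self):
        self.format()

    def format(self):
        """(1.6) Wipe every interval, clear all state, return new (W, R) codes."""
        self.locked = False
        self.active = None                   # interval currently write-activated
        self.id_failures = [0] * N_REGIONS   # identification failures per module
        self.write_failures = 0              # counted by the determination module
        self.store = {}                      # address -> data (ciphertext on the device)
        # Random stand-ins for the 128-bit codes W_i and default R_i.
        self.write_codes = [secrets.token_bytes(16) for _ in range(N_REGIONS)]
        self.read_codes = [secrets.token_bytes(16) for _ in range(N_REGIONS)]
        return list(self.write_codes), list(self.read_codes)

    def _guard(self):
        if self.locked:
            raise PortLocked("port locked: only format is accepted")

    def _id_failure(self, region):
        self.id_failures[region] += 1
        if self.id_failures[region] >= LOCK_THRESHOLD:
            self.locked = True

    @staticmethod
    def _region(addr):
        region = addr // REGION_SIZE
        return region if 0 <= region < N_REGIONS else None

    def write_activate(self, region, code):
        """(1.1) Activate writing on one interval if the code matches W_i."""
        self._guard()
        if region not in range(N_REGIONS):
            return False
        if not hmac.compare_digest(code, self.write_codes[region]):
            self._id_failure(region)
            return False
        self.active = region
        return True

    def write(self, addr, data):
        """(1.2) Accept a write only inside the activated interval."""
        self._guard()
        if self.active is None:
            return False                     # nothing is write-activated
        if self._region(addr) != self.active:
            self.write_failures += 1
            self.active = None               # assumption: a stray write revokes activation
            if self.write_failures >= LOCK_THRESHOLD:
                self.locked = True
            return False
        self.store[addr] = data
        return True

    def write_complete(self, region):
        """(1.4) Close the write session and feed back the read code R_i."""
        self._guard()
        if self.active != region:
            return None
        self.active = None
        self.write_failures = 0
        self.read_codes[region] = secrets.token_bytes(16)
        return self.read_codes[region]

    def read(self, addr, code):
        """(1.5) Return data only when the read code matches that interval's R_i."""
        self._guard()
        region = self._region(addr)
        if region is None:
            return None
        if not hmac.compare_digest(code, self.read_codes[region]):
            self._id_failure(region)
            return None
        self.id_failures[region] = 0         # success clears the failure count
        return self.store.get(addr)


def demo():
    """Run S1 to S5 on constructed values, then trip the lock with bad read codes."""
    port = AccessPort()
    w, _ = port.format()                     # S1
    addr = 2 * REGION_SIZE + 0x10
    port.write_activate(2, w[2])             # S2
    port.write(addr, b"record")              # S3
    r2 = port.write_complete(2)              # S4
    data = port.read(addr, r2)               # S5
    for _ in range(LOCK_THRESHOLD):
        port.read(addr, bytes(16))           # wrong read code each time
    return data, port.locked


if __name__ == "__main__":
    print(demo())
```

Once `locked` is set, every call except `format()` raises `PortLocked`, and `format()` both unlocks the port and discards the stored data, which mirrors the format-only recovery path described above.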

As shown in Figure 4, the security processing module includes a physical unclonable function (PUF) module, a true random number generator (TRNG) module, a key management module, an encryption and decryption module, a data transmission module and a formatting module.

The physical unclonable function module generates unique and immutable data for each security processing module. Specifically, the physical unclonable function module generates a first random number and a second random number, and encrypts them with the Advanced Encryption Standard (AES) algorithm to obtain the default read identification code and the write activation identification code.

The true random number generator module generates true random numbers repeatedly for use as keys.

The key management module feeds back the default read identification code and the write activation identification code to the memory access port module. It receives the write activation instruction and the write identification code, compares the write identification code with the write activation identification code for consistency, and determines whether activation succeeded.

When activation fails, it receives the write instruction and determines whether writing is permitted. If it is, the module uses the physical unclonable function module to generate an encryption identification code, and uses the true random number generator module to generate a key and send it to the encryption and decryption module. If it is not, the module initiates an encryption request using the default read identification code.

When activation succeeds, it receives the write instruction, uses the physical unclonable function module to generate an encryption identification code, and uses the true random number generator module to generate a key and send it to the encryption and decryption module.

When activation succeeds, the key management module also receives the key clearing instruction and, according to it, clears the corresponding record of the received key.

The key management module further does the following. When it receives a write completion instruction, it feeds back the encryption identification code to the memory access port module. When it receives a read instruction, it decodes the key and determines whether decoding succeeded; if decoding fails, it feeds back error information to the memory access port module; if decoding succeeds, it initiates a decryption request to the encryption and decryption module and transmits the corresponding key.

The encryption and decryption module receives an encryption request and the corresponding key, encrypts the data arriving from the memory access port with that key, transmits the encrypted data to the data transmission module and initiates a write data request. It also receives a decryption request and the corresponding key, initiates a read data request to the data transmission module, decrypts the data obtained with that key, and transmits the decrypted data to the memory access port.

The data transmission module initiates write data requests and read data requests to the storage module according to the write data requests and read data requests issued by the encryption and decryption module, and transfers the read/write data. After the transfer of read/write data completes, it feeds back a success signal to the memory access port module.

The formatting module, on receiving a format request, sends write data requests to the data transmission module in sequence until the storage interval corresponding to its security processing module has been completely overwritten, and repeats this process several times. When finished, it feeds back a formatting completion signal to the key management module.

Next, the key management module is described in detail.

The key management module must contain a key cache module. Assuming a storage space of 16, it can store 16 keys and can determine how recently each entry was accessed; apart from empty entries, writes go preferentially to the entry that has not been accessed for the longest time. The key management module implements the following functions:

(2.1) On receiving a format, activate the true random number generator module twice to obtain and store the first random number T_R and the second random number T_w, and activate the physical unclonable function module to obtain the identifier P_i. Using P_i as the key, encrypt the first random number T_R and the second random number T_w with the Advanced Encryption Standard (AES) algorithm to generate the default read identification code R_i and the write activation identification code W_i. After the formatting module reports that formatting is complete, transmit the default read identification code R_i and the write activation identification code W_i to the memory access port module.

(2.2) After receiving a write activation instruction and the corresponding identification code, decrypt the code with the key P_i to obtain the number to be identified T_w', and compare T_w' with the second random number T_w. If they differ, activation fails and an identification error signal is transmitted to the determination module. If they match, activation succeeds, an activation success signal is transmitted to the determination module, and whether the write is a forced write is stored. If a new identification code needs to be generated, activate the true random number generator module to obtain and temporarily store a random number T, then encrypt it with the AES algorithm using P_i as the key to obtain and temporarily store the new identification code R.

(2.3) After receiving a write instruction, decide according to whether a new identification code was generated. If a new identification code was generated, check whether the cache is currently full. If it is full and the state is not forced write, read the entry T_0 in the key cache that has not been accessed for the longest time, encrypt it with the AES algorithm using P_i as the key to obtain the identification code R_0 that is about to expire, feed R_0 back to the memory access port module, raise the write failure signal, and wait for a new instruction. If the cache is not full or the state is forced write, store the newly generated key T in the cache. If no new identification code was generated, the following encryption process uses the default read key T_R. Transmit the key T or the default read key T_R (hereinafter collectively referred to as T_R) to the encryption and decryption module and initiate an encryption request.

(2.4) On receiving a key clearing instruction, decrypt the received identification code with the key P_i to obtain the default read key T_R', and compare it with all keys in the key cache. If a matching entry exists, clear that entry and send a success signal to the memory access port; if there is no match, send a failure signal to the memory access port.

(2.5) On receiving a write completion instruction, transmit the new identification code R or the default read key R_i to the memory access port module, according to the identification code update status.

(2.6) On receiving a read instruction, decrypt the received identification code with the key P_i to obtain the default read key T_R', and compare it with all keys in the key cache and with the default key T_R. If a matching entry exists, transmit the key P_i to the encryption and decryption module and initiate a decryption request; if none exists, send an identification error signal to the memory access port module.

(2.7) On receiving a read instruction, initiate a formatting request to the formatting module.

As shown in Figure 5, an embodiment of the present invention also provides a data security storage device and data storage method based on three-dimensional heterogeneous integration. Only the initialization, write and read steps are described here, to show all functions of the data security storage device, and the operations are assumed to target encrypted interval i only. In practice, read and write operations can be performed multiple times and on different intervals. The method includes the following steps:

Step S1: during system initialization, send a formatting instruction to the data security storage device to obtain the write activation identification codes W_i, i=1,...,n; n is a positive real number.

Step S2: send the encrypted interval ID and the corresponding activation identification code W_i to the data security storage device for write activation.

Specifically, step S2 includes the following sub-steps:

Step S201: the external processor sends a write activation instruction to the data security storage device over the external system bus. The address interval contains the encrypted interval ID, whether to force the write, and whether to use a new read key; the data interval carries the corresponding activation identification code W_i.

Step S202: the memory access port module in the data security storage device transmits the write activation instruction and the corresponding address interval to the corresponding security processing module i.

Step S203: the security processing module determines whether the activation identification code W_i is correct.

When the write activation identification code W_i is correct, write activation is performed on the data security storage device: the instruction information is stored, a read identification code is generated as required, and a completion signal is fed back. On receiving the completion signal, the memory access port module clears the identification failure count reported for the corresponding security processing module and transmits the completion signal to the external processor.

When the write activation identification code W_i is wrong, an identification error signal is fed back and the identification failure count for the corresponding security processing module is incremented by 1. If the updated identification error count exceeds the threshold (in this example, the threshold is assumed to be 3), the locked state is raised; once the external memory access port is locked, the security processing module does not respond to any instruction other than the formatting instruction.

If the write activation instruction specifies using a new read key, the security processing module regenerates the read key and the corresponding identification code R_i'; otherwise, the default read key and the corresponding identification code R_i are used.

Step S3: after write activation is determined to have succeeded, issue a write request to the data security storage device.

Specifically, step S3 includes the following sub-steps:

Step S301: the external processor sends a write instruction, the write request target area, and the write data to the data security storage device.

Step S302: the memory access port module determines whether the write request target area matches the activated area of the security processing module.

When the areas do not match, the failure count is recorded; when the failure count is greater than the threshold (in this example, the threshold is assumed to be 3), the activation state of the security processing module is cleared.

When the areas match, the write instruction and write data are transmitted to the security processing module according to the write request target area.

Step S303: the security processing module encrypts the write data.

Specifically, the security processing module determines whether a write is currently possible according to the identification code update and forced write settings. If a write is not possible, it feeds back a write failure signal and the expired key; if a write is possible, it updates the key cache module, encrypts the write data, and transmits it to the storage module.

At the same time, the security processing module determines from the write instruction whether the write succeeded. If the write is not forced, and the stored write records are full and the instruction specifies using a new read key, it feeds back a write failure together with the information of the next record to be overwritten. If the records are not full or the write is forced, the security processing module encrypts the write data and feeds back success information on completion. The external controller system also sends a write clearing instruction to the data security storage device, and the security processing module clears the corresponding record according to the write clearing instruction it receives.

Step S4: after the write instruction has been executed, the external controller writes a write completion instruction to the data storage device, the memory access identification port is determined, and the data storage device feeds back a write completion signal and the corresponding read identification code R_i to the external controller.

Step S5: issue a read request to the data security storage device.

Specifically, step S5 includes the following sub-steps:

Step S501: the external processor sends a read instruction and the read address to the data security storage device; the data interval carries the read identification code R_i'.

Step S502: the memory access port module determines the corresponding security processing module from the read address and transmits the read instruction and the read identification code R_i' to that security processing module.

Step S503: the security processing module decrypts the read identification code into a key and compares it with the stored key. If the key does not match the stored key, an identification error signal is fed back and the identification error count is recorded; when the identification error count is greater than the threshold (in this example, the threshold is assumed to be 3), the external memory access port is locked. If the key matches the stored key, a read request is sent to the storage module, the data obtained is decrypted with that key and transmitted to the memory access port module, and a read completion signal is fed back.

The memory access port module acts on the read completion signal fed back by the security processing module: on obtaining the read completion signal, it clears the identification error count reported for the corresponding security processing module and transmits the read completion signal and the decrypted data to the external processor.
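The key management functions (2.1) to (2.6) and the identification-error lockout of steps S203 and S503 can be traced in a small behavioural model. This is an added example, not code from the patent: the class and method names are hypothetical, a 4-round Feistel permutation built on SHA-256 stands in for AES, `os.urandom` stands in for both the TRNG and the PUF, the port-side failure counter is folded into the module, and releasing the lock on format is an assumption.

```python
import hashlib
import os
from collections import OrderedDict

BLOCK = 16        # keys and identification codes are one 16-byte block
CACHE_SLOTS = 16  # key-cache size assumed in the description
MAX_FAILS = 3     # identification-error threshold assumed in the embodiment


def _f(key, rnd, half):
    """Feistel round function (SHA-256 based, model only)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def wrap(key, block):
    """Stand-in for AES encryption under P_i (not AES, model only)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return left + right


def unwrap(key, block):
    """Inverse of wrap(): stand-in for AES decryption under P_i."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _f(key, rnd, left))), left
    return left + right


class SecurityModule:
    """One security processing module; port-side counters are folded in."""

    def __init__(self, trng=os.urandom):
        self.trng = trng              # stand-in for the TRNG module
        self.p_i = trng(BLOCK)        # stand-in for the PUF identifier P_i
        self.format()

    def format(self):
        """(2.1) Draw T_R and T_w; return the codes (R_i, W_i)."""
        self.t_r, self.t_w = self.trng(BLOCK), self.trng(BLOCK)
        self.cache = OrderedDict()    # data keys, least recently accessed first
        self.pending, self.force, self.active = None, False, False
        self.fails, self.locked = 0, False   # assumption: format releases the lock
        return wrap(self.p_i, self.t_r), wrap(self.p_i, self.t_w)

    def _fail(self):
        self.fails += 1
        if self.fails > MAX_FAILS:    # count "exceeds the threshold" -> lock
            self.locked = True
            return "locked"
        return "id_error"

    def write_activate(self, code, new_key=False, force=False):
        """(2.2) Decrypt the presented code and compare it with T_w."""
        if self.locked:
            return "locked"
        if unwrap(self.p_i, code) != self.t_w:
            return self._fail()
        self.fails, self.active, self.force = 0, True, force
        self.pending = self.trng(BLOCK) if new_key else None
        return "activated"

    def write(self):
        """(2.3) Pick the data key, or report the code that would expire."""
        if self.locked or not self.active:
            return "rejected", None
        if self.pending is None:
            return "ok", self.t_r                 # default read key
        if self.pending not in self.cache and len(self.cache) >= CACHE_SLOTS:
            oldest = next(iter(self.cache))
            if not self.force:
                return "write_failed", wrap(self.p_i, oldest)
            del self.cache[oldest]                # forced write evicts the oldest key
        self.cache[self.pending] = True
        return "ok", self.pending

    def write_complete(self):
        """(2.5) Return the new code R, or the default code R_i."""
        return wrap(self.p_i, self.t_r if self.pending is None else self.pending)

    def clear_key(self, code):
        """(2.4) Remove the cached key that the presented code decrypts to."""
        return self.cache.pop(unwrap(self.p_i, code), None) is not None

    def read(self, code):
        """(2.6) Decrypt the code; match it against the cache and T_R."""
        if self.locked:
            return "locked", None
        key = unwrap(self.p_i, code)
        if key in self.cache:
            self.cache.move_to_end(key)           # refresh its access time
        elif key != self.t_r:
            return self._fail(), None
        self.fails = 0
        return "ok", key
```

With the threshold read as "exceeds 3", the fourth consecutive wrong code is the one that locks the module, and a full cache returns the code of the least recently accessed key unless the write was activated as forced.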

In summary, the present invention connects the encryption logic and the storage module through three-dimensional vias and uses PUF and TRNG modules to generate keys and identification codes inside the encryption module, achieving hardware-level data encryption and storage. Through three-dimensional heterogeneous integration, the invention raises the degree of integration between the encryption logic and the memory chip, which improves chip area utilization, makes the encryption logic harder to locate precisely, and lowers the risk of the device being broken by a targeted physical attack. Because each logic module in the three-dimensional integrated structure is connected only to a specific memory interval through three-dimensional vias, its memory access range is limited and the modules cannot interact. This allows different users of the same device to be managed separately and read and write permissions to be managed separately, further extending the range of applications of the device.

Correspondingly, the present invention also provides a computer-readable storage medium on which computer instructions are stored; when executed by a processor, the instructions implement the data storage method of the data security storage device based on three-dimensional heterogeneous integration described above. The computer-readable storage medium may be an internal storage unit of any device with data processing capability described in any of the foregoing embodiments, such as a hard disk or memory. It may also be an external storage device, such as a plug-in hard disk, Smart Media Card (SMC), SD card or flash card fitted to the device. Further, the computer-readable storage medium may include both an internal storage unit of any device with data processing capability and an external storage device. The computer-readable storage medium is used to store the computer program and other programs and data required by the device with data processing capability, and may also be used to temporarily store data that has been output or is about to be output.

Correspondingly, the present invention also provides an electronic device, characterized by comprising a memory, the data security storage device based on three-dimensional heterogeneous integration described above, and a program stored in the memory and executable on the data security storage device based on three-dimensional heterogeneous integration.

Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practicing the disclosure herein. The present application is intended to cover any variations, uses or adaptations of the application that follow its general principles and include common knowledge or customary technical means in the art not disclosed in the application. The specification and embodiments are to be regarded as exemplary only.

It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope.

Claims (10)

1. A data security storage device based on three-dimensional heterogeneous integration, characterized by comprising:
a memory access port module, which communicates with an external processor through an external system bus and is used to receive memory access instructions from the external processor, so that the data security storage device is accessed as an external device by means of memory access instructions; to transmit the information to be identified and the pre-encryption data to the security processing modules, and to feed back the encrypted identification code, status information and decrypted data to the external processor; and to lock the external memory access port after a security processing module feeds back error information; wherein the memory access instructions include a formatting instruction, a write activation instruction, read and write data instructions, and a write completion instruction;
several security processing modules, each connected to the memory access port module, which receive the write activation instruction, read/write data instructions and pre-encryption data, perform key generation, identification, and data encryption and decryption, transmit the encrypted data to the storage module, and feed the status information of the security processing module back to the memory access port module;
a storage module, connected to each security processing module through three-dimensional vias and used to store the encrypted data.

2. The data security storage device based on three-dimensional heterogeneous integration according to claim 1, characterized in that the memory access port module comprises:
a state storage module, used to store the status information of each security processing module, including the write activation state of the security processing module, the number of identification failures fed back by each security processing module, the number of write failures fed back by the determination module, and whether the memory access port is in the locked state;
a determination module, used to identify the memory access instructions of the external processor, determine the order and area of the memory access instructions, and update the state storage module; and to obtain the error information fed back and determine whether the memory access port is in the locked state; wherein identifying the memory access instructions of the external processor includes identifying the write activation instruction, write instruction, key clearing instruction, write completion instruction, read instruction and formatting instruction;
a formatting control module, used to send the formatting instruction to all security processing modules when the determination module identifies a formatting instruction.

3. The data security storage device based on three-dimensional heterogeneous integration according to claim 1, characterized in that the security processing module comprises:
a physical unclonable function module, used to generate the default read identification code and the write activation identification code;
a true random number generator module, used to generate true random numbers as keys multiple times;
a key management module, used to feed the default read identification code and the write activation identification code back to the memory access port module; and to receive the write activation instruction and a write identification code, compare the write identification code with the write activation identification code for consistency, and determine whether activation succeeded;
when activation fails, it receives the write instruction and determines whether a write is possible; when a write is possible, it uses the physical unclonable function module to generate an encrypted identification code and uses the true random number generator module to generate a key and send it to the encryption and decryption module; when a write is not possible, it initiates an encryption request using the default read identification code;
when activation succeeds, it receives the write instruction, uses the physical unclonable function module to generate an encrypted identification code, and uses the true random number generator module to generate a key and send it to the encryption and decryption module;
an encryption and decryption module, used to receive an encryption request and the corresponding key, encrypt the data, transmit the encrypted data to the data transmission module, and initiate a write data request; and to receive a decryption request and the corresponding key, decrypt the data, transmit the decrypted data to the data transmission module, and initiate a read data request;
a data transmission module, which, according to the write data requests and read data requests issued by the encryption and decryption module, initiates write data requests and read data requests to the storage module and carries out the read/write data transfer;
a formatting module, used on receiving a formatting request to send write data requests to the data transmission module in sequence until the storage interval corresponding to the security processing module is completely overwritten.

4. The data security storage device based on three-dimensional heterogeneous integration according to claim 3, characterized in that the key management module further includes:
on receiving a write completion instruction, feeding the encrypted identification code back to the memory access port module;
on receiving a read instruction, decoding the key and determining whether decoding succeeded; if decoding fails, feeding error information back to the memory access port module; if decoding succeeds, initiating a decryption request to the encryption and decryption module and transmitting the corresponding key.

5. A data storage method for a data security storage device based on three-dimensional heterogeneous integration, characterized in that it is implemented by the data security storage device based on three-dimensional heterogeneous integration according to any one of claims 1-4, the method comprising:
step S1, formatting the data security storage device to obtain the write activation identification codes W_i, i=1,...,n;
step S2, sending the encrypted interval ID and the corresponding write activation identification code W_i to the data security storage device for write activation;
step S3, after write activation is determined to have succeeded, issuing a write request to the data security storage device;
step S4, writing a write completion instruction to the data storage device and determining the memory access identification port, the data storage device feeding back a write completion signal and the corresponding read identification code R_i;
step S5, issuing a read request to the data security storage device.

6. The data storage method for a data security storage device based on three-dimensional heterogeneous integration according to claim 5, characterized in that step S2 specifically includes the following sub-steps:
step S201, sending a write activation instruction and the corresponding address interval to the data security storage device, including: the address interval, and the data interval carrying the corresponding write activation identification code W_i;
step S202, the memory access port module in the data security storage device transmitting the write activation instruction and the corresponding address interval to the corresponding security processing module;
step S203, the security processing module determining whether the write activation identification code W_i is correct;
when the write activation identification code W_i is correct, performing write activation on the data security storage device;
when the write activation identification code W_i is wrong, feeding back an identification error signal, and when the number of identification errors exceeds the threshold, locking the external memory access port.

7. The data storage method for a data security storage device based on three-dimensional heterogeneous integration according to claim 5, characterized in that step S3 specifically includes the following sub-steps:
step S301, the external processor sending a write instruction, the write request target area and the write data to the data security storage device;
step S302, the memory access port module determining whether the write request target area matches the activated area of the security processing module;
when the areas do not match, recording the failure count, and when the failure count is greater than the threshold, clearing the activation state of the security processing module;
when the areas match, transmitting the write instruction and write data to the security processing module according to the write request target area;
step S303, the security processing module encrypting the write data.

8. The data storage method for a data security storage device based on three-dimensional heterogeneous integration according to claim 5, characterized in that step S5 specifically includes the following sub-steps:
step S501, the external processor sending a read instruction, the read address and a read identification code to the data security storage device;
step S502, the memory access port module determining the corresponding security processing module from the read address and transmitting the read instruction and read identification code to that security processing module;
step S503, the security processing module decrypting the read identification code into a key and comparing it with the stored key;
when the key does not match the stored key, feeding back an identification error signal and recording the identification error count, and when the identification error count is greater than the threshold, locking the external memory access port;
when the key matches the stored key, sending a read request to the storage module, decrypting the data obtained with that key, transmitting it to the memory access port module, and feeding back a read completion signal.

9. A computer-readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the data storage method according to any one of claims 5-8.

10. An electronic device, characterized by comprising a memory, the data security storage device based on three-dimensional heterogeneous integration according to any one of claims 1-4, and a program stored in the memory and executable on the data security storage device based on three-dimensional heterogeneous integration.
CN202310769745.3A 2023-06-28 2023-06-28 Data security storage equipment and data storage method based on three-dimensional heterogeneous integration Active CN116502291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310769745.3A CN116502291B (en) 2023-06-28 2023-06-28 Data security storage equipment and data storage method based on three-dimensional heterogeneous integration

Publications (2)

Publication Number Publication Date
CN116502291A CN116502291A (en) 2023-07-28
CN116502291B true CN116502291B (en) 2023-10-03

Family

ID=87325277

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310769745.3A Active CN116502291B (en) 2023-06-28 2023-06-28 Data security storage equipment and data storage method based on three-dimensional heterogeneous integration

Country Status (1)

Country Link
CN (1) CN116502291B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833090A (en) * 2018-05-25 2018-11-16 四川斐讯信息技术有限公司 It is a kind of to store the encryption method of equipment, decryption method and storage equipment
CN113946290A (en) * 2021-10-14 2022-01-18 西安紫光国芯半导体有限公司 Storage device based on three-dimensional heterogeneous integration and storage system
CN114115752A (en) * 2022-01-27 2022-03-01 浙江大华技术股份有限公司 Data storage method and computer equipment
CN115576892A (en) * 2022-09-29 2023-01-06 西安紫光国芯半导体有限公司 Three-dimensional memory and data processing method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11487665B2 (en) * 2019-06-05 2022-11-01 Pure Storage, Inc. Tiered caching of data in a storage system
US11614892B2 (en) * 2020-12-17 2023-03-28 Micron Technology, Inc. Memory system architecture for heterogeneous memory technologies

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
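Three dimensional heterogeneous chip integration process; David R. et al; 《Pan Pacific Microelectronics Symposium》; pp. 1-7 *
Design of a microcontroller software encryption system based on a dedicated encryption chip; Zhang Weixuan et al.; 《单片机与嵌入式系统应用》 (Microcontrollers & Embedded Systems); Vol. 2013 (No. 09); pp. 56-59 *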

Also Published As

Publication number Publication date
CN116502291A (en) 2023-07-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant