
CN118504007A - Access control method, device, equipment and medium for data storage equipment - Google Patents


Publication number
CN118504007A
Authority
CN
China
Prior art keywords
data storage
storage device
data
information
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410735017.5A
Other languages
Chinese (zh)
Inventor
朱晓伟
袁涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Goke Microelectronics Co Ltd
Original Assignee
Hunan Goke Microelectronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan Goke Microelectronics Co Ltd
Priority to CN202410735017.5A
Publication of CN118504007A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data storage device access control method, apparatus, device and medium, and relates to the technical field of data processing. The method comprises the following steps: receiving a data access request; verifying a data storage device, the verification information comprising a unique identification of the data storage device generated by a PUF; and if the verification is passed, allowing access to the data storage device. This technical scheme provides a more reliable data storage and protection scheme and further protects the security of the data storage device.

Description

Access control method, device, equipment and medium for data storage equipment
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a medium for controlling access to a data storage device.
Background
The prior art provides solutions to protect the security of data storage devices. One common solution is to encrypt data stored on a data storage device using a password to prevent unauthorized access; another is to use digital signatures to verify the integrity of the data to ensure that it has not been tampered with. However, the prior art has some problems or limitations: first, encrypting data with a password requires the user to input the password to access the data, which makes the device more complex to use and operate; second, verification of the digital signature only ensures that the data has not been tampered with during transmission, but does not ensure that the data storage device itself has not been replaced or that the data has not been altered without authorization. Thus, the prior art has limitations in protecting the physical security of data storage devices.
Therefore, how to provide a solution to the above technical problem is a problem that a person skilled in the art needs to solve at present.
Disclosure of Invention
Accordingly, the present invention is directed to a method, apparatus, device and medium for controlling access to a data storage device, which can effectively prevent the data storage device from being replaced or from being altered without permission, thereby improving the physical security of the data storage device. The specific scheme is as follows:
In a first aspect, the present application discloses a method for controlling access to a data storage device, including:
receiving a data access request;
verifying a data storage device, the verification information comprising a unique identification of the data storage device generated by a PUF;
and if the verification is passed, allowing access to the data storage device.
Optionally, the verifying the data storage device includes:
acquiring the verification information, wherein the verification information comprises the unique identifier obtained by encrypting the identifier of the data storage device generated by the PUF through a first preset encryption algorithm, and the unique identifier is stored in a read-only memory space of the data storage device.
Optionally, the verifying the data storage device further includes:
the access device sends first data information; the first data information comprises identification information of the access device and a first random array;
searching for corresponding pairing information in the data storage device according to the first data information, and performing data processing on the pairing information, the first random array and the unique identifier by using a second preset encryption algorithm to obtain first processed data;
verifying the data storage device based on the first processed data;
and/or the data storage device transmits second data information; the second data information includes the unique identification and a second random array;
searching for corresponding pairing information in the access device according to the second data information, and performing data processing on the pairing information, the second random array and the identity information of the access device by using a fourth preset encryption algorithm to obtain second processed data;
and verifying the data storage device based on the second processed data.
Optionally, the pairing information is generated by encrypting the binding result of the identity information and the unique identifier by using a third preset encryption algorithm, and the pairing information is respectively stored in read-only memory spaces of the access device and the data storage device.
Optionally, the first preset encryption algorithm, the second preset encryption algorithm, the third preset encryption algorithm and the fourth preset encryption algorithm are different encryption algorithms.
Optionally, the verifying the data storage device based on the first processed data includes:
performing inverse processing on the first processed data to obtain pairing information after the first inverse processing, and if the pairing information after the first inverse processing is consistent with the pairing information, passing the verification;
the verifying the data storage device based on the second processed data includes:
performing inverse processing on the second processed data to obtain pairing information after the second inverse processing, and if the pairing information after the second inverse processing is consistent with the pairing information, passing the verification.
Optionally, the data storage device access control method further includes:
if the verification is not passed, triggering an alarm mechanism and prohibiting access to the data storage device.
In a second aspect, the present application discloses a data storage device access control apparatus, comprising:
the request acquisition module is used for receiving a data access request;
The pairing verification module is used for verifying the data storage device, and the verification information comprises a unique identifier of the data storage device generated by the PUF;
and the access control module is used for allowing access to the data storage device if the verification passes.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory; wherein the memory is for storing a computer program that is loaded and executed by the processor to implement the data storage device access control method as described above.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements a data storage device access control method as described above.
The application provides a data storage device access control method, which comprises the following steps: receiving a data access request; verifying a data storage device, the verification information comprising a unique identification of the data storage device generated by a PUF; and if the verification is passed, allowing access to the data storage device. Thus the unique identifier of the data storage device is generated by using the PUF, and the data storage device can be accessed only when verification passes. The PUF exploits defects of the data storage device that arise from randomness and uncertainty in the production and manufacturing process to generate a unique, non-replicable identifier, so that the data of the data storage device can be effectively prevented from being tampered with maliciously and the integrity of the data is ensured; at the same time, the data storage device can be prevented from being replaced, which improves its physical security.
In addition, the data storage device access control device and the data storage medium provided by the application correspond to the data storage device access control method and have the same effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for controlling access to a data storage device according to the present disclosure;
FIG. 2 is a schematic diagram of an access control device for a data storage device according to the present disclosure;
Fig. 3 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Currently, the prior art has some problems or disadvantages in protecting the physical security of data storage devices. Therefore, the application provides a data storage device access control scheme which can provide more reliable data storage and protection and further protect the safety of the data storage device.
The embodiment of the invention discloses a data storage device access control method. The data storage device may be a solid state disk (Solid State Drive, SSD) or another data storage device such as a USB flash drive, and is not specifically limited here. Taking a solid state disk as an example, its mobility and high performance make it easy to replace the disk or change its data without permission, which may cause security problems. Thus, for ease of understanding, in one possible implementation the data storage device is a solid state disk. Those skilled in the art will understand that this choice is only illustrative and does not limit the type of data storage device; the following embodiments take the solid state disk as an example, and this is not repeated below. A brief description of the solid state disk follows.
A solid state disk is a type of hard disk that uses flash memory particles as the data storage medium. Compared with a traditional mechanical hard disk, it has higher read-write speed, lower energy consumption and higher reliability. The data of the solid state disk is stored on the flash memory particles (NAND flash) inside it, and these particles can be detached. A main control module is usually arranged in the solid state disk, and it can control a host's (such as a computer, a server, a PC and the like) access to the flash memory particles.
Referring to fig. 1, the method includes:
step S11: a data access request is received.
In order to effectively prevent the solid state disk itself or the flash memory particles in it from being detached and replaced, or the data in the flash memory particles from being changed without authorization, in the embodiment of the application the data access request may be a request by the main control module of the solid state disk to access the flash memory particles in the solid state disk; in another specific embodiment, it may be a request by an external server to access the solid state disk.
Step S12: the data storage device is verified, and the verification information comprises a unique identification of said data storage device generated by the PUF.
In the embodiment of the application, based on a physical unclonable function (Physical Unclonable Function, abbreviated as PUF), a unique and unclonable identifier (Chip ID) of the solid state disk is generated, wherein the unique identifier can be a number, a character string, a binary code or identifiers in other forms, and is bound and paired with the ID of the CPU to realize the verification of the solid state disk. It should be noted that Chip IDs are usually burned or set by the Chip manufacturer during the Chip production process, and the hard disk binds the PUF to the hard disk Chip during the manufacturing process, ensuring that each hard disk has a unique identification. When the data access request characterizes a main control module of the solid state disk to apply for accessing the flash memory particles in the solid state disk, the unique identifier is an identifier which is generated by utilizing a PUF and corresponds to the flash memory particles of the solid state disk; when the data access request characterizes the server to apply for accessing the solid state disk, the unique identifier is an identifier which is generated by using the PUF and corresponds to a main control module of the solid state disk.
Specifically, the verification information is obtained, the verification information comprises the unique identifier obtained by encrypting the identifier of the data storage device generated by the PUF through a first preset encryption algorithm, and the unique identifier is stored in a read-only memory space of the data storage device. The first preset encryption algorithm may be any possible function or encryption algorithm, which is not specifically limited herein. It can be seen that the unique identifier generated by using the PUF is subjected to a function or encryption process to generate a processed non-plaintext unique identification Chip ID, and since other operation units do not know what function or encryption process the Chip ID is subjected to, the processed Chip ID cannot be directly read, and the original Chip ID before being processed cannot be obtained in the reverse direction. In this way, the security of the data can be improved.
In addition, the unique identifier of the data storage device is generated by the PUF from the hardware characteristics of target hardware in the solid state disk; that is, a random process in hardware manufacturing is used to generate the unique identifier that serves as the Chip ID of the solid state disk. Illustratively, a PUF is formed from a series of registers or random access memories whose stored data is all 1 when initialized. Because of the randomness and uncertainty of the solid state disk manufacturing process, some devices inevitably have defects; these defects cause voltage changes in the devices, so that part of the data in the registers or random access memories flips from 1 to 0 while the rest stays unchanged. The PUF uses these unpredictable manufacturing defects to generate a unique and non-replicable identifier. Illustratively, the PUF may also generate a unique key from hardware features of the solid state disk, such as the random electrical characteristics of transistors, noise and latency, which likewise ensures that each solid state disk has a unique, non-replicable identification.
Furthermore, the generated unique identification Chip ID is stored in a read-only memory space of the data storage device. For a common ROM, the data to be written is fixed at the design stage and written uniformly at the manufacturing stage; once written, the information is fixed and can only be read, not written, so the ROM data in solid state disk chips produced in the same batch is identical. A PUF, by contrast, relies on the unpredictability of the storage device's manufacturing process to generate a unique identifier, which must be measured after production; it therefore cannot be written in advance to a common read-only memory and is instead written, after generation, to a dedicated read-only memory space inside the storage device. In the alternative scheme, the read-only memory space is a disposable (write-once), nonvolatile memory space opened in the flash memory particles of the solid state disk and in the CPU memory of the main control module. This space can be written only once, and data written to it cannot be changed afterwards. The PUF generates an identifier from the unpredictability of the production process and stores it in this disposable storage space, which improves the storage security of the information.
In summary, conventional hard disk identifiers, such as a serial number or MAC (Media Access Control) address, can often be forged or tampered with. Generating a unique and unclonable identifier of the solid state disk based on the physical unclonable function protects that identifier, prevents the hard disk from being replaced or copied, and gives it higher resistance to counterfeiting and tampering.
Based on step S12, in one possible implementation, a specific procedure for verifying the data storage device is specifically described. Specifically, the method can further comprise the following steps:
Step one: the access device sends first data information; the first data information comprises identity information carried by the access equipment itself and a first random array;
Step two: searching corresponding pairing information in the data storage equipment according to the first data information, and performing data processing on the pairing information, the first random array and the unique identifier by using a second preset encryption algorithm to obtain first processed data;
Step three: and verifying the data storage device based on the first processed data.
For convenience of description, the above steps are described in combination.
In a first specific embodiment, when the data access request characterizes the main control module of the solid state disk and applies for accessing the flash memory particles therein, the first data information sent by the access device is a CPU ID and a set of random numbers sent by the main control module of the solid state disk. Further, after receiving the first data information sent by the access device, the flash memory particle searches the corresponding CPU ID in the database of the flash memory particle to determine the pairing information.
It should be noted that the pairing information is non-plaintext of the CPU ID and Chip ID combined together. Before the hard disk leaves the factory, after unique identification of flash memory particles of the solid state disk is generated by using a PUF, the unique identification is bound with a CPU ID of a main control module of the solid state disk to obtain a binding result, and then pairing information is generated through encryption algorithm processing. The pairing information ensures that only the master control module bound to the unique identification of the flash memory granule can access and control it. Further, the pairing information is respectively stored in a main control module of the solid state disk and a preset database corresponding to the flash memory particles, and the preset databases respectively correspond to read-only memory spaces of the main control module and the flash memory particles. Similarly, the read-only memory space is a disposable memory space opened in the CPU memory and the flash memory particles of the main control module, and can be written once, once written, the read-only memory space cannot be changed later, so that the storage safety of the pairing information is improved.
Specifically, the pairing information is generated by encrypting the binding result of the identification information and the unique identifier by using a third preset encryption algorithm, and the pairing information is respectively stored in the read-only memory space of the access device and the data storage device.
In the embodiment of the application, after the flash memory particles determine pairing information (non-plaintext) according to the first data information, the first random array, the unique identification Chip ID and the determined pairing information of the main control module are subjected to data processing by using a second preset encryption algorithm to obtain first processed data, and then the first processed data is transmitted back to the main control module, and the data storage equipment is verified based on the first processed data. It should be noted that, in the process of performing data processing on the pairing information, the first random array and the unique identifier, the data processing may be encryption, function processing, or exclusive or addition, and if the data processing is encryption, the second preset encryption algorithm may use the first random array as a key. The first preset encryption algorithm, the second preset encryption algorithm and the third preset encryption algorithm are different encryption algorithms.
Based on step S12, in another possible embodiment, a specific procedure for verifying the data storage device is specifically described. Specifically, the method can further comprise the following steps:
step one: the data storage device sends second data information; the second data information includes the unique identification and a second random array;
Step two: searching corresponding pairing information in the access equipment according to the second data information, and performing data processing on the pairing information, the second random array and the identity information of the access equipment by using a fourth preset encryption algorithm to obtain second processed data;
step three: and verifying the data storage device based on the second processed data.
It will be appreciated that the second data information may also be sent by the flash memory particle; the second data information comprises the unique identification generated by the PUF and a randomly generated second random array. The main control module searches corresponding pairing information from a database of the main control module after receiving the pairing information; similarly, data processing is performed on the second random array, the CPU ID and the determined pairing information of the flash memory particles to obtain second processed data, the second processed data is transmitted back to the flash memory particles, and the data storage device is verified based on the second processed data. It should be noted that the data processing performed on the pairing information, the second random array and the identity information of the access device may be encryption, function processing, or exclusive or addition; if the data processing is encryption, the fourth preset encryption algorithm may use the second random array as a key. The first preset encryption algorithm, the second preset encryption algorithm, the third preset encryption algorithm and the fourth preset encryption algorithm are different encryption algorithms.
It is noted that the two possible embodiments described above may be performed separately, i.e. either one may be chosen for verification. They may also be performed jointly, i.e. after the data storage device has been checked based on the first processed data, it may be checked again based on the second processed data. In this way, the reliability of the verification can be increased.
Further, verifying the data storage device based on the first processed data may include the steps of:
and carrying out inverse processing on the first processed data to obtain pairing information after the first inverse processing, and if the pairing information after the first inverse processing is consistent with the pairing information, passing the verification.
In this embodiment, after the main control module receives the first processed data, it performs inverse processing on the first processed data. It will be appreciated that if the data processing is encryption, then the corresponding inverse processing is to perform the corresponding decryption processing on the encrypted data. In addition, since the pairing information is non-plaintext and is encrypted once in the first process, if the encrypted data is decrypted, the pairing information needs to be decrypted correspondingly, that is, whether the pairing information is matched with the pairing information in the CPU memory of the main control module is compared after the pairing information is decrypted twice.
Accordingly, the verifying the data storage device based on the second processed data may include the following steps:
And carrying out inverse processing on the second processed data to obtain pairing information after the second inverse processing, and if the pairing information after the second inverse processing is consistent with the pairing information, passing the verification.
In this embodiment, after the flash memory granule receives the second processed data, it is subjected to the inverse processing. Similarly, if the data processing is encryption operation, then the corresponding inverse processing is to perform corresponding decryption processing on the data, and then compare the paired information of the flash memory particles to see if they match.
Therefore, according to this embodiment, the flash memory particles in the solid state disk can be prevented from being detached and replaced, and the data in the flash memory can be prevented from being changed. In addition, because several solid state disks can be installed in one computer, the main control module of each solid state disk can access only the flash memory of its own hard disk and not the flash memories of other hard disks. This prevents an illegal user from installing the flash memory particles of hard disk A into hard disk B in order to access the data of hard disk A's flash memory particles through the main control module of hard disk B.
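The first specific embodiment (the main control module verifying its flash memory particles) can be modelled as follows; this is an added example, not code from the patent. SHA-256 with distinct labels stands in for the first and third preset algorithms and a nonce-keyed XOR keystream for the invertible second one; the classes, slot names and sample IDs are hypothetical, and the stored pairing information is compared directly in its non-plaintext form.

```python
import hashlib
import hmac
import secrets


class WriteOnceStore:
    """Models the disposable (write-once) memory space: a slot cannot be rewritten."""

    def __init__(self):
        self._slots = {}

    def write(self, key, value):
        if key in self._slots:
            raise PermissionError(f"slot {key!r} is already programmed")
        self._slots[key] = bytes(value)

    def read(self, key):
        return self._slots.get(key)


def _h(label, *parts):
    """Domain-separated SHA-256 over length-prefixed parts (stand-in primitive)."""
    h = hashlib.sha256(label)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def first_alg(puf_raw):
    """Stand-in for the first preset algorithm: PUF measurement -> non-plaintext Chip ID."""
    return _h(b"alg1", puf_raw)


def third_alg(cpu_id, chip_id):
    """Stand-in for the third preset algorithm: binding result -> pairing information."""
    return _h(b"alg3", cpu_id, chip_id)


def second_alg(nonce, data):
    """Stand-in for the second preset algorithm, using the random array as key.
    XOR with a SHA-256 keystream; applying it twice with the same nonce inverts it."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += _h(b"alg2", nonce, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Flash:
    """Flash memory particles: hold the Chip ID and pairing info in write-once space."""

    def __init__(self, puf_raw):
        self.otp = WriteOnceStore()
        self.otp.write("chip_id", first_alg(puf_raw))

    def respond(self, cpu_id, nonce):
        # Step two: look up the pairing info by CPU ID, then process it
        # together with the random array and the Chip ID.
        pairing = self.otp.read("pair:" + cpu_id.hex())
        if pairing is None:
            return None  # this controller was never paired with this flash
        return second_alg(nonce, pairing + self.otp.read("chip_id"))


class Controller:
    """Main control module: holds its CPU ID and its copy of the pairing info."""

    def __init__(self, cpu_id):
        self.cpu_id = cpu_id
        self.otp = WriteOnceStore()
        self.alarms = 0

    def check(self, nonce, reply):
        # Step three: inverse-process the reply and compare the recovered
        # pairing information with the locally stored copy.
        expected = self.otp.read("pairing")
        if reply is None or expected is None:
            return False
        recovered = second_alg(nonce, reply)[: len(expected)]
        return hmac.compare_digest(recovered, expected)

    def request_access(self, flash):
        nonce = secrets.token_bytes(16)  # the first random array
        ok = self.check(nonce, flash.respond(self.cpu_id, nonce))
        if not ok:
            self.alarms += 1  # stand-in for the alarm mechanism; access is denied
        return ok


def provision(controller, flash):
    """Factory step: bind CPU ID and Chip ID and store the pairing info on both sides."""
    pairing = third_alg(controller.cpu_id, flash.otp.read("chip_id"))
    controller.otp.write("pairing", pairing)
    flash.otp.write("pair:" + controller.cpu_id.hex(), pairing)


def demo():
    # Constructed sample values: hard disks A and B with made-up PUF measurements.
    ctrl_a, flash_a = Controller(b"CPU-A"), Flash(b"\x11" * 32)
    ctrl_b, flash_b = Controller(b"CPU-B"), Flash(b"\x22" * 32)
    provision(ctrl_a, flash_a)
    provision(ctrl_b, flash_b)
    return {
        "genuine_pair": ctrl_a.request_access(flash_a),
        "flash_a_in_disk_b": ctrl_b.request_access(flash_a),
        "replaced_flash_in_disk_a": ctrl_a.request_access(flash_b),
    }


if __name__ == "__main__":
    print(demo())
```
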
It can be appreciated that the first specific embodiment is applicable to binding of the internal structure of the solid state disk, and in the second specific embodiment, when the data access request characterizes that the server applies to access the solid state disk, the pairing binding of the external server and the solid state disk needs to be realized. Similarly, the same process as the previous steps is executed before the hard disk leaves the factory, a non-plaintext unique identifier of a main control module of the solid state hard disk is generated by using a PUF, and binding pairing is carried out with a CPU ID of a server CPU after leaving the factory; pairing information is stored in the respective disposable storage spaces; and subsequently, carrying out pairing verification on the two parties, and achieving that only the server can access the solid state disk. Therefore, the whole solid state disk can be prevented from being replaced and the data of the solid state disk can be prevented from being changed. The more specific processing procedure may refer to the corresponding content disclosed in the foregoing implementation procedure, and will not be described herein.
Step S13: and if the verification is passed, allowing access to the data storage device.
In the embodiment of the application, when the verification is passed, the access device and the data storage device are successfully paired, and the access device can access the data storage device. Therefore, the data storage device can be accessed only by an access device that passes the verification, so the data can be effectively prevented from being tampered with maliciously and the integrity of the data is ensured. It also prevents unauthorized device replacement, providing a more reliable data storage and protection scheme.
It is noted that if the verification is not passed, an alarm mechanism is triggered and access to the data storage device is prohibited. If the hard disk is replaced, the verification fails and the alarm mechanism is triggered; the system issues an alarm to remind the user that the hard disk may have been replaced, further protecting the security of the hard disk. Prohibiting read-write operations on the hard disk prevents unauthorized reads and writes, ensures that the hard disk is not replaced and its data is not tampered with, and so further protects the security of the data.
Meanwhile, for the operation of deleting data, a data integrity check algorithm, such as a CRC (Cyclic Redundancy Check) algorithm, can be used to check the data in the solid state disk. The hard disk pairing check effectively prevents operations that delete or modify the hard disk data and protects the integrity of the data. Specifically, after a data operation is performed on target data in the data storage device, a data integrity check algorithm is used to perform an integrity check on the target data.
The application provides a data storage device access control method comprising: receiving a data access request; verifying a data storage device, the verification information comprising a unique identifier of the data storage device generated by a PUF; and, if the verification passes, allowing access to the data storage device. Because the unique identifier of the data storage device is generated by using the PUF and the data storage device can be accessed only when the verification passes, malicious tampering with the data of the data storage device is effectively prevented and the integrity of the data is ensured; meanwhile, the data storage device is prevented from being replaced, which improves its physical security.
Due to the advancement of the technical scheme, the method can be widely applied to the fields of data security, computer network security and cloud computing.
In the field of data security, the technical scheme can effectively prevent the risk that the hard disk is replaced or its data is tampered with. Binding and pairing the physical unclonable function with the ID of the CPU ensures the uniqueness of the hard disk and its binding relation with the specific CPU. Read and write operations on the hard disk can be started only after the CPU and the hard disk have been successfully paired and checked; otherwise, an alarm mechanism is triggered. This security mechanism prevents the hard disk from being illegally replaced or accessed without authorization, thereby improving the security of the data.
In the field of computer network security, the technical scheme can be applied to hard disk management of a server. The physical unclonable function is used as the unique identifier of the hard disk main control module and is bound with the CPU of the specific server, so that the uniqueness of the hard disk of the server and the pairing relation with the specific server can be ensured. Only after the CPU and the hard disk are successfully paired and checked, the read-write operation of the hard disk can be started, so that unauthorized hard disk access and data tampering are prevented.
In the field of cloud computing, the technical scheme can be applied to hard disk management of a cloud server. By using the physical unclonable function as a unique identifier of the hard disk and binding with the CPU of the specific cloud server, the uniqueness of the cloud server hard disk and the pairing relation with the specific cloud server can be ensured. Only after the CPU and the hard disk are successfully paired and checked, the read-write operation of the hard disk can be started, so that the data security in the cloud server is ensured, and unauthorized hard disk access and data tampering are prevented.
With the increasing importance of data security and network security, and the popularization and development of cloud computing, the demand for protecting hard disk data will keep growing. Therefore, the technical scheme has wide application prospects and market demand in the fields of data security, computer network security and cloud computing.
Correspondingly, the embodiment of the application also discloses a data storage device access control apparatus which, as shown in Fig. 2, comprises:
a request acquisition module 11, configured to receive a data access request;
a pairing verification module 12, configured to verify a data storage device, the verification information comprising a unique identifier of the data storage device generated by the PUF;
an access control module 13, configured to allow access to the data storage device if the verification passes.
For the more specific working process of each module, refer to the corresponding content disclosed in the foregoing embodiment, which is not repeated here.
It can be seen that the scheme of the present embodiment includes: receiving a data access request; verifying a data storage device, the verification information comprising a unique identifier of the data storage device generated by a PUF; and, if the verification passes, allowing access to the data storage device. Because the unique identifier of the data storage device is generated by using the PUF and the data storage device can be accessed only when the verification passes, malicious tampering with the data of the data storage device is effectively prevented and the integrity of the data is ensured; meanwhile, the data storage device is prevented from being replaced, which improves its physical security.
In a specific embodiment, the pairing verification module 12 includes:
a verification information acquisition module, configured to acquire the verification information, wherein the verification information comprises the unique identifier obtained by encrypting the identifier of the data storage device generated by the PUF through a first preset encryption algorithm, and the unique identifier is stored in a read-only storage space of the data storage device.
In a specific embodiment, the pairing verification module 12 further includes:
a first data information determining module, configured to send the first data information through the access device; the first data information comprises identification information of the access device and a first random array;
a first pairing information searching module, configured to search for the corresponding pairing information in the data storage device according to the first data information, and to process the pairing information, the first random array and the unique identifier by using a second preset encryption algorithm to obtain first processed data;
a first verification module, configured to verify the data storage device based on the first processed data;
and/or a second data information determining module, configured to send second data information by the data storage device; the second data information comprises the unique identifier and a second random array;
a second pairing information searching module, configured to search for the corresponding pairing information in the access device according to the second data information, and to process the pairing information, the second random array and the identity information of the access device by using a fourth preset encryption algorithm to obtain second processed data;
a second verification module, configured to verify the data storage device based on the second processed data.
In a specific embodiment, the first verification module is specifically configured to:
perform inverse processing on the first processed data to obtain first inverse-processed pairing information, and pass the verification if the first inverse-processed pairing information is consistent with the pairing information;
correspondingly, the second verification module is specifically configured to:
perform inverse processing on the second processed data to obtain second inverse-processed pairing information, and pass the verification if the second inverse-processed pairing information is consistent with the pairing information.
In a specific embodiment, the data storage device access control apparatus further includes:
an alarm mechanism triggering module, configured to trigger an alarm mechanism and prohibit access to the data storage device if the verification does not pass.
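The pairing check carried out by the modules above (first data information, first processed data, inverse processing, alarm on failure) can be sketched as follows. This is an added example, not code from the application: SHA-256 and an HMAC-SHA256 keystream stand in for the unspecified preset encryption algorithms, the access device is assumed to have recorded the unique identifier at pairing time, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def make_pairing_info(access_id: bytes, uid: bytes) -> bytes:
    # Stand-in (assumption) for the "third preset encryption algorithm":
    # binds the access device ID to the drive's PUF-derived unique identifier.
    return hashlib.sha256(len(access_id).to_bytes(2, "big") + access_id + uid).digest()

def process(data: bytes, nonce: bytes, uid: bytes) -> bytes:
    # Stand-in (assumption) for the "second preset encryption algorithm":
    # XOR with an HMAC-SHA256 keystream keyed by the unique identifier and
    # bound to the random array. XOR makes the same call its own inverse.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(uid, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class StorageDevice:
    def __init__(self, uid: bytes):
        self.uid = uid        # unique identifier held in read-only space
        self.pairings = {}    # access device ID -> pairing information

    def respond(self, access_id: bytes, nonce: bytes):
        # Look up the pairing information for the requester and return the
        # "first processed data"; an unknown requester gets no response.
        pairing = self.pairings.get(access_id)
        return None if pairing is None else process(pairing, nonce, self.uid)

class AccessDevice:
    def __init__(self, access_id: bytes):
        self.access_id = access_id
        self.pairing = None       # pairing information in read-only space
        self.paired_uid = None    # assumption: identifier recorded at pairing
        self.alarms = []

    def pair(self, drive: StorageDevice) -> None:
        self.pairing = make_pairing_info(self.access_id, drive.uid)
        self.paired_uid = drive.uid
        drive.pairings[self.access_id] = self.pairing

    def verify(self, nonce: bytes, response) -> bool:
        # Inverse-process the response and compare it with the stored pairing
        # information in constant time; any failure raises the alarm.
        ok = False
        if self.pairing is not None and response is not None and len(response) == len(self.pairing):
            recovered = process(response, nonce, self.paired_uid)
            ok = hmac.compare_digest(recovered, self.pairing)
        if not ok:
            self.alarms.append("pairing check failed: access denied")
        return ok

def demo():
    # All identifiers below are constructed sample values.
    host = AccessDevice(b"CPU-ID-0001")
    drive_a = StorageDevice(secrets.token_bytes(32))
    drive_b = StorageDevice(secrets.token_bytes(32))
    host.pair(drive_a)

    n1 = secrets.token_bytes(16)               # first random array
    r1 = drive_a.respond(host.access_id, n1)
    genuine = host.verify(n1, r1)              # paired drive, fresh challenge

    stale = host.verify(secrets.token_bytes(16), r1)   # old response, new challenge

    # A replacement drive that carries a copy of the pairing record but has a
    # different PUF-derived identifier cannot produce a valid response.
    drive_b.pairings[host.access_id] = host.pairing
    n3 = secrets.token_bytes(16)
    swapped = host.verify(n3, drive_b.respond(host.access_id, n3))
    return genuine, stale, swapped, len(host.alarms)

if __name__ == "__main__":
    print(demo())
```

Only the paired drive answering the current random array passes; the stale response and the replacement drive each add an alarm entry and are denied.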
Further, the embodiment of the present application also discloses an electronic device. Fig. 3 is a block diagram of an electronic device 20 according to an exemplary embodiment; the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 3 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement the relevant steps of the data storage device access control method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk. The resources stored on it may include an operating system 221, a computer program 222, data 223, and the like, and the data 223 may include various data. The storage may be temporary or permanent.
The operating system 221, which may be Windows Server, NetWare, Unix, Linux, etc., manages and controls the hardware devices on the electronic device 20 and the computer program 222. In addition to the computer program that performs the data storage device access control method disclosed in any of the foregoing embodiments and executed by the electronic device 20, the computer program 222 may further include computer programs for performing other specific tasks.
Further, embodiments of the present application also disclose a computer-readable storage medium, which includes random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, magnetic disk, optical disk, or any other form of storage medium known in the art. The computer program stored on it, when executed by a processor, implements the aforementioned data storage device access control method. For the specific steps of the method, refer to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
In this specification, the embodiments are described progressively: each embodiment focuses on its differences from the other embodiments, and the same or similar parts can be cross-referenced between embodiments. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant points, refer to the description of the method.
The steps of a data storage device access control method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The method, apparatus, device and medium for controlling access to a data storage device have been described in detail above. Specific examples are used herein to illustrate the principles and embodiments of the present invention, and the above examples are intended only to aid understanding of the method and core idea of the present invention. Meanwhile, those skilled in the art may vary the specific embodiments and the scope of application in accordance with the ideas of the present invention. In view of the above, this description should not be construed as limiting the present invention.

Claims (10)

1. A method for controlling access to a data storage device, comprising:
receiving a data access request;
verifying a data storage device, the verification information comprising a unique identifier of the data storage device generated by a PUF;
and if the verification passes, allowing access to the data storage device.
2. The method of claim 1, wherein the verifying the data storage device comprises:
acquiring the verification information, wherein the verification information comprises the unique identifier obtained by encrypting the identifier of the data storage device generated by the PUF through a first preset encryption algorithm, and the unique identifier is stored in a read-only memory space of the data storage device.
3. The data storage device access control method of claim 2, wherein the verifying the data storage device further comprises:
the access device sends first data information; the first data information comprises identification information of the access device and a first random array;
searching for the corresponding pairing information in the data storage device according to the first data information, and processing the pairing information, the first random array and the unique identifier by using a second preset encryption algorithm to obtain first processed data;
verifying the data storage device based on the first processed data;
and/or the data storage device sends second data information; the second data information comprises the unique identifier and a second random array;
searching for the corresponding pairing information in the access device according to the second data information, and processing the pairing information, the second random array and the identity information of the access device by using a fourth preset encryption algorithm to obtain second processed data;
and verifying the data storage device based on the second processed data.
4. The method according to claim 3, wherein the pairing information is generated by encrypting a binding result of the identification information and the unique identifier by using a third preset encryption algorithm, and the pairing information is stored in read-only memory spaces of the access device and the data storage device, respectively.
5. The method of claim 4, wherein the first preset encryption algorithm, the second preset encryption algorithm, the third preset encryption algorithm, and the fourth preset encryption algorithm are different encryption algorithms.
6. The data storage device access control method of claim 3, wherein the verifying the data storage device based on the first processed data comprises:
performing inverse processing on the first processed data to obtain first inverse-processed pairing information, and passing the verification if the first inverse-processed pairing information is consistent with the pairing information;
the verifying the data storage device based on the second processed data comprises:
performing inverse processing on the second processed data to obtain second inverse-processed pairing information, and passing the verification if the second inverse-processed pairing information is consistent with the pairing information.
7. The data storage device access control method of claim 1, further comprising:
if the verification does not pass, triggering an alarm mechanism and prohibiting access to the data storage device.
8. A data storage device access control apparatus, comprising:
a request acquisition module, configured to receive a data access request;
a pairing verification module, configured to verify the data storage device, the verification information comprising a unique identifier of the data storage device generated by the PUF;
and an access control module, configured to allow access to the data storage device if the verification passes.
9. An electronic device comprising a processor and a memory; wherein the memory is for storing a computer program that is loaded and executed by the processor to implement the data storage device access control method of any of claims 1 to 7.
10. A computer-readable storage medium storing a computer program; wherein the computer program, when executed by a processor, implements the data storage device access control method of any of claims 1 to 7.
CN202410735017.5A 2024-06-07 2024-06-07 Access control method, device, equipment and medium for data storage equipment Pending CN118504007A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410735017.5A CN118504007A (en) 2024-06-07 2024-06-07 Access control method, device, equipment and medium for data storage equipment


Publications (1)

Publication Number Publication Date
CN118504007A (en) 2024-08-16

Family

ID=92236700


Country Status (1)

Country Link
CN (1) CN118504007A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination