
CN118821243A - Data processing method, electronic device, storage medium and computer program product - Google Patents

Data processing method, electronic device, storage medium and computer program product

Info

Publication number
CN118821243A
Authority
CN
China
Prior art keywords
data
key
ciphertext
user
encryption
Prior art date
Legal status
Granted
Application number
CN202411273363.2A
Other languages
Chinese (zh)
Other versions
CN118821243B (en)
Inventor
张婷
王璞
粟汝发
Current Assignee
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Original Assignee
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Priority date
Filing date
Publication date
Application filed by Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Priority to CN202411273363.2A
Publication of CN118821243A
Application granted
Publication of CN118821243B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The present application discloses a data processing method, an electronic device, a storage medium and a computer program product, and belongs to the field of data processing technology. The data processing method is applied to an encrypted storage device and comprises: generating a first key component when the encrypted storage device is powered on; obtaining a second key component stored in the encrypted storage device; generating a master key by an operation on the first key component and the second key component, and writing the master key into the memory of the encrypted storage device; encrypting the sensitive data of the encrypted storage device with the master key to obtain a sensitive-data ciphertext, and writing the sensitive-data ciphertext into a hardware storage unit of the encrypted storage device; and, in response to a sensitive-data read operation, decrypting the sensitive-data ciphertext with the master key to obtain the sensitive data and writing the sensitive data into the memory. The present application effectively improves the storage security of the sensitive data of the encrypted storage device.

Description

Data processing method, electronic device, storage medium and computer program product

Technical Field

The present application belongs to the field of data processing technology, and specifically relates to a data processing method, an electronic device, a storage medium and a computer program product.

Background Art

As the demand for data security grows and attention to data protection increases, encrypted storage devices have become an important tool for enterprises and individuals to protect their data. Such devices protect data mainly by storing it in encrypted form; examples are encrypted solid-state disk (SSD) devices, encrypted chip devices and other non-volatile memory devices with encryption functions. Sensitive data is the critical data of an encrypted storage device and mainly comprises the encryption keys for the stored data and the authentication data of the users who access the device. Sensitive data is crucial to maintaining the security and functionality of the encrypted storage device.

At present, sensitive data is usually stored in the non-volatile memory of the encrypted storage device so that it is not lost or damaged by an abnormal power loss or a similar event. However, the hardware unit of the encrypted storage device may be physically disassembled by force, exposing its stored content, so sensitive data stored in the hardware unit is at risk of leakage. How to ensure the storage security of sensitive data has therefore become an urgent problem.

Summary of the Invention

The embodiments of the present application aim to provide a data processing method, an electronic device, a storage medium and a computer program product that address the leakage risk to which the sensitive data of current encrypted storage devices is exposed.

To solve the above technical problem, the present application is implemented as follows:

In a first aspect, an embodiment of the present application provides a data processing method applied to an encrypted storage device; the method comprises:

generating a first key component when the encrypted storage device is powered on;

obtaining a second key component stored in the encrypted storage device;

generating a master key by an operation on the first key component and the second key component, and writing the master key into the memory of the encrypted storage device;

encrypting the sensitive data of the encrypted storage device with the master key to obtain a sensitive-data ciphertext, and writing the sensitive-data ciphertext into a hardware storage unit of the encrypted storage device;

in response to a sensitive-data read operation, decrypting the sensitive-data ciphertext with the master key to obtain the sensitive data, and writing the sensitive data into the memory.

In a second aspect, an embodiment of the present application provides an electronic device comprising a processor, a memory, and a program or instructions stored in the memory and executable on the processor, where the program or instructions, when executed by the processor, implement the data processing method of the first aspect.

In a third aspect, an embodiment of the present application provides a readable storage medium storing a program or instructions which, when executed by a processor, implement the data processing method of the first aspect.

In a fourth aspect, an embodiment of the present application provides a chip comprising a processor and a communication interface coupled to the processor, where the processor runs a program or instructions to implement the data processing method of the first aspect.

In a fifth aspect, an embodiment of the present application provides a computer program product comprising a computer program or instructions which, when executed by a processor, implement the data processing method of the first aspect.

In the embodiments of the present application, the encrypted storage device generates a first key component when powered on, generates a master key from the first key component and the stored second key component, encrypts its sensitive data with the master key to obtain a sensitive-data ciphertext, and writes that ciphertext into its hardware storage unit. In this technical solution the master key is stored in the memory of the encrypted storage device, and in response to a sensitive-data read operation the master key in memory is used to decrypt the ciphertext and recover the sensitive data. Because the first key component used to generate the master key is generated at random each time the device is powered on, and because memory loses its content on power loss, the master key in memory is automatically destroyed whenever the device loses power. The master key therefore has high security and a low risk of leakage, and encrypting the sensitive data with it effectively improves the storage security of the sensitive data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of a data processing method provided in an embodiment of the present application;

FIG. 2 is a schematic diagram of a key generation method provided in an embodiment of the present application;

FIG. 3 is a flow chart of another data processing method provided in an embodiment of the present application;

FIG. 4 is a flow chart of yet another data processing method provided in an embodiment of the present application;

FIG. 5 is a schematic diagram of the encryption of sensitive data provided in an embodiment of the present application;

FIG. 6 is a flow chart of a further data processing method provided in an embodiment of the present application;

FIG. 7 is a schematic diagram of a data processing method provided in an embodiment of the present application;

FIG. 8 is a block diagram of a data processing apparatus provided in an embodiment of the present application;

FIG. 9 is a block diagram of an electronic device provided by the present application.

DETAILED DESCRIPTION

The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the accompanying drawings. The described embodiments are evidently only some of the embodiments of the present application, not all of them. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the present application without inventive effort fall within the scope of protection of the present application.

As the demand for data security grows and attention to data protection increases, encrypted storage devices have become an important tool for enterprises and individuals to protect their data. Such devices protect data mainly by storing it in encrypted form; examples are encrypted solid-state disk (SSD) devices, encrypted chip devices, USB flash drive devices, cryptographic card devices and other non-volatile memory devices with encryption functions.

Sensitive data, also called security parameters, is the critical data of an encrypted storage device and mainly comprises the encryption keys for the stored data and the authentication data of the users who access the device. Sensitive data is crucial to maintaining the security and functionality of the encrypted storage device. For example, the Trusted Computing Group (TCG) specifications define a set of security standards, including device self-encryption based on the Advanced Encryption Standard (AES) symmetric algorithm, user permission management and pre-boot authentication; these measures effectively protect sensitive enterprise data from leakage and establish a complete security authentication system. For an encrypted SSD device the sensitive data includes the TCG Security Provider (SP) tables. The SP tables hold information on encryption keys, access control policies, authentication mechanisms, data recovery and so on; they are a key component of the encryption framework of the encrypted SSD, and their preservation and management are crucial to maintaining its security and functionality.

At present, sensitive data is usually stored in the non-volatile memory of the encrypted storage device so that it is not lost or damaged by an abnormal power loss or a similar event. However, the hardware unit of the encrypted storage device may be physically disassembled by force, exposing its stored content, so sensitive data stored in the hardware unit is at risk of leakage. How to ensure the storage security of sensitive data has therefore become an urgent problem.

To aid understanding of the technical solution, the encrypted storage device provided in the embodiments of the present application is described first. It comprises a processor, a memory and at least one hardware storage unit. The hardware storage unit is a non-volatile memory, for example an SSD, a USB flash drive, a cryptographic card or a cryptographic chip. The processor is connected to the memory and to the hardware storage unit. The processor can read the stored-data ciphertext held in the hardware storage unit and decrypt it to obtain the stored data; it can also encrypt stored data that is to be written, obtain the corresponding stored-data ciphertext and write that ciphertext into the hardware storage unit. In addition, the processor can encrypt and decrypt the sensitive data of the encrypted storage device.

Optionally, the encrypted storage device may include a data encryption and decryption module comprising several operation units, each executing a different encryption or decryption algorithm. In some embodiments the module includes a first operation unit that executes a block cipher algorithm and a second operation unit that executes a hash algorithm. The processor can then invoke different operation units at the same time to encrypt or decrypt different data concurrently, so that several encryption and decryption operations run in parallel and the efficiency of these operations improves.

Please refer to FIG. 1, which shows a flow chart of a data processing method provided in an embodiment of the present application. The data processing method can be applied to the encrypted storage device provided in the embodiments of the present application. Optionally, the method is executed by the processor of the encrypted storage device, and the description below takes execution by the processor as an example. As shown in FIG. 1, the data processing method includes:

Step 101: Generate a first key component when the encrypted storage device is powered on.

In the embodiments of the present application, the processor randomly generates the first key component when the encrypted storage device is powered on. Optionally, at power-on the processor calls a true random number generator (TRNG) to produce a random number, which is taken as the first key component.

Step 102: Obtain a second key component stored in the encrypted storage device.

In the embodiments of the present application, the hardware storage unit of the encrypted storage device stores the second key component. Optionally, the second key component is fixed data written into the encrypted storage device at the factory.

Step 103: Generate a master key by an operation on the first key component and the second key component, and write the master key into the memory of the encrypted storage device.

Optionally, the processor uses a target key generation algorithm to generate the master key from the first key component and the second key component, and writes the master key into the memory of the encrypted storage device. The master key in memory is non-exportable and is destroyed automatically on power loss. The target key generation algorithm may be HKDF, an XOR operation or a similar algorithm; for example, the processor may XOR the first key component with the second key component to generate the master key.

For example, as shown in FIG. 2, the first key component is a random number generated by calling the TRNG when the encrypted storage device is powered on, the second key component is data built into the encrypted storage device at the factory, and the master key is the data produced by XORing the first key component with the second key component.

Step 104: Encrypt the sensitive data of the encrypted storage device with the master key to obtain a sensitive-data ciphertext, and write the sensitive-data ciphertext into the hardware storage unit of the encrypted storage device.

Optionally, the processor encrypts the sensitive data of the encrypted storage device with the master key using a block cipher algorithm to obtain the sensitive-data ciphertext. The block cipher algorithm may be SM1, SM4 or the Advanced Encryption Standard (AES), for example.

Step 105: In response to a sensitive-data read operation, decrypt the sensitive-data ciphertext with the master key to obtain the sensitive data, and write the sensitive data into the memory.

The sensitive-data read operation reads the sensitive-data ciphertext from the hardware storage unit of the encrypted storage device. Optionally, the processor generates and responds to the sensitive-data read operation when the encrypted storage device is powered on, decrypting the sensitive-data ciphertext with the master key to obtain the sensitive data and writing the sensitive data into memory. Alternatively, the processor generates and responds to the sensitive-data read operation when it first receives a user's data read/write request, decrypting the sensitive-data ciphertext with the master key to obtain the sensitive data and writing it into memory, so that the processor can perform the data read processing indicated by the data read/write request on the basis of the sensitive data.

In some embodiments of the present application, the encrypted storage device includes a first hardware unit and a second hardware unit, and the second key component is stored in the first hardware unit. After generating the first key component, the processor may encrypt it with the second key component to obtain a first-key-component ciphertext and store that ciphertext in the second hardware unit. The first and second key components are thus stored separately, so that both cannot leak at the same time, which lowers the leakage risk of the master key and secures its generation, storage and use. By way of example, the first hardware unit is NAND flash and the second hardware unit is NOR flash.

In the embodiments of the present application, the encrypted storage device generates a first key component when powered on, generates a master key from the first key component and the stored second key component, encrypts its sensitive data with the master key to obtain a sensitive-data ciphertext, and writes that ciphertext into its hardware storage unit. In this technical solution the master key is stored in the memory of the encrypted storage device, and in response to a sensitive-data read operation the master key in memory is used to decrypt the ciphertext and recover the sensitive data. Because the first key component used to generate the master key is generated at random each time the device is powered on, and because memory loses its content on power loss, the master key in memory is automatically destroyed whenever the device loses power. The master key therefore has high security and a low risk of leakage, and encrypting the sensitive data with it effectively improves the storage security of the sensitive data.

本申请一些实施例中,加密存储设备的敏感数据包括:数据加密密钥和密钥加密密钥。其中,数据加密密钥用于对加密存储设备的存储数据进行加密。密钥加密密钥是根据加密存储设备的录入用户的用户凭证数据生成的,其与录入用户对应。密钥加密密钥用于加密数据加密密钥。并且,密钥加密密钥用于被主密钥加密存储。In some embodiments of the present application, the sensitive data of the encrypted storage device includes: a data encryption key and a key encryption key. Among them, the data encryption key is used to encrypt the storage data of the encrypted storage device. The key encryption key is generated according to the user credential data of the user entering the encrypted storage device, which corresponds to the entering user. The key encryption key is used to encrypt the data encryption key. And, the key encryption key is used to be encrypted and stored by the master key.

其中,录入用户可以指的是加密存储设备的允许访问用户(即授权访问用户)。例如,录入用户可以是加密存储设备的管理用户录入的允许访问该加密存储设备的用户。管理用户可以为超级管理员或由超级管理员授权的一般管理员等。用户凭证数据包括以下至少一项:用户账号的密码、用户的个人识别码(Personal identification number,PIN)、用户录入的生物识别信息。这样显然,加密存储设备的访问用户必须提供正确的用户凭证才可以生成准确的密钥加密密钥,进而解密得到数据加密密钥,以采用数据加密密钥解密存储数据,访问数据。通过密钥加密密钥加密数据加密密钥,可以确保只有授权的录入用户才能访问敏感数据,进而访问硬件存储单元的存储数据。Among them, the entered user may refer to a user who is allowed to access the encrypted storage device (i.e., an authorized access user). For example, the entered user may be a user who is allowed to access the encrypted storage device and is entered by the management user of the encrypted storage device. The management user may be a super administrator or a general administrator authorized by the super administrator, etc. The user credential data includes at least one of the following: the password of the user account, the user's personal identification number (PIN), and the biometric information entered by the user. Obviously, the user who accesses the encrypted storage device must provide the correct user credentials to generate an accurate key encryption key, and then decrypt the data encryption key, so as to use the data encryption key to decrypt the stored data and access the data. Encrypting the data encryption key by the key encryption key can ensure that only authorized entered users can access sensitive data, and then access the stored data of the hardware storage unit.

Optionally, as shown in FIG. 2, the data encryption key may be a random number generated by calling a TRNG, and the key encryption key is derived from the user's credential data with a key derivation algorithm. Optionally, within the hardware storage unit of the encrypted storage device, the stored data of different storage address segments may be encrypted with different data encryption keys. In that case the TRNG is called once for each divided storage address segment, and each segment's random number becomes that segment's data encryption key.

Optionally, the sensitive data ciphertext comprises a data key ciphertext and an encryption key ciphertext. The sensitive data held in memory then comprises the data key ciphertext together with the key encryption key obtained by decrypting the encryption key ciphertext with the master key. Correspondingly, the data processing method may further comprise: the processor performs key derivation on the user credential data of each registered user of the encrypted storage device to obtain that user's key encryption key, and the processor randomly generates the data encryption key.

On this basis, the processor's encryption of the device's sensitive data with the master key to obtain the sensitive data ciphertext may comprise: the processor encrypts the data encryption key with the key encryption key to obtain the data key ciphertext, and encrypts the key encryption key with the master key to obtain the encryption key ciphertext; the two ciphertexts together form the sensitive data ciphertext. Only the key encryption key is wrapped directly under the master key; the data encryption key is reachable only through a registered user's key encryption key.

Correspondingly, the processor's decryption of the sensitive data ciphertext with the master key to obtain the sensitive data may comprise: the processor decrypts the encryption key ciphertext with the master key to obtain the key encryption key, then assembles the sensitive data, comprising the data key ciphertext and the key encryption key, and writes it to memory. On this basis, as shown in FIG. 3, the data processing method further comprises:

Step 301: In response to a data read/write request triggered by a first user, obtain the first user credential data included in the request.

The first user triggers a data read/write request when wishing to read data from or write data to the encrypted storage device. The request may carry the first user's credential data and the target address in the hardware storage unit to be accessed, the target address being either the write address for the data to be written or the address of the data to be read.

Step 302: Perform key derivation on the first user credential data to obtain the first user's key encryption key.

Optionally, the processor may run a key derivation algorithm over the first user credential data to obtain the first user's key encryption key. The key derivation algorithm may be PBKDF2, scrypt, an HMAC-based PRF, or the like. Because the derived key also serves as the authentication value compared in step 303, a credential that is a human-chosen password calls for a salted, iterated or memory-hard function such as PBKDF2 or scrypt rather than a single PRF evaluation.

Step 303: If the first user's key encryption key is among the registered users' key encryption keys, decrypt the data key ciphertext with the first user's key encryption key to obtain the data encryption key, and use the data encryption key to carry out the data read or write processing indicated by the data read/write request.

In this embodiment, after obtaining the first user's key encryption key, the processor reads the sensitive data in memory and checks whether that key is among the registered users' key encryption keys it contains. If it is not, the first user is not permitted to access the encrypted storage device and the processor may return a prompt message. If it is, the first user is permitted: the processor reads the data key ciphertext from the sensitive data in memory, decrypts it with the first user's key encryption key to obtain the data encryption key, and uses the data encryption key to carry out the read or write processing indicated by the request. The sensitive data thus also authenticates users accessing the encrypted storage device, which improves its access security; since the derived key doubles as the authentication value, the comparison against the stored key encryption keys should be made in constant time. The design is a three-level key mechanism: the data encryption key encrypts the stored data, the key encryption key encrypts the data encryption key, and the master key encrypts the key encryption key, so each higher-level key encrypts (or signs) the key below it and the keys form a hierarchical chain.
This three-level key mechanism allows flexible key management while maintaining a high level of security and access control.

Further optionally, the stored data of different storage address segments of the hardware storage unit may be encrypted with different data encryption keys. In that case, in step 303, when the first user's key encryption key is among the registered users' key encryption keys, the processor obtains the target address accessed by the data read/write request and the data key ciphertext corresponding to that target address, decrypts that data key ciphertext with the first user's key encryption key to obtain the data encryption key, and uses the data encryption key to carry out the read or write processing indicated by the request.

In one optional implementation, the registered users of the encrypted storage device are themselves subject to access restrictions. For example, an administrator user may access all hardware storage units, while some users may access only part of them. The storage address segments each registered user may access may be configured by the administrator user, or generated automatically from a configured access policy.

The sensitive data of the encrypted storage device may comprise multiple data encryption keys, each encrypting the stored data of a different storage address segment of the hardware storage unit. Accordingly, the sensitive data ciphertext comprises multiple data key ciphertexts, and so does the sensitive data in memory.

In one optional case, each storage address segment's data encryption key can be obtained by decrypting a single data key ciphertext with any of multiple target key encryption keys; that is, encrypting the segment's data encryption key with each of the multiple target key encryption keys yields the same data key ciphertext. A target key encryption key is the key encryption key of a registered user allowed to access that storage address segment. In this case the sensitive data ciphertext comprises one data key ciphertext per storage address segment of the hardware storage unit, and the sensitive data in memory likewise comprises one data key ciphertext per segment. (A conventional block cipher mode or AEAD does not give this property, since different keys produce different ciphertexts for the same plaintext; the description does not specify the wrapping construction that would.)

In another optional case, encrypting the same storage address segment's data encryption key with the multiple target key encryption keys yields different data key ciphertexts. The sensitive data ciphertext then comprises at least one data key ciphertext for each storage address segment of the hardware storage unit, and the sensitive data in memory likewise comprises at least one data key ciphertext per segment; a segment that multiple registered users may access has multiple data key ciphertexts. As shown in FIG. 4, the data processing method further comprises:

Step 401: In response to a data read/write request triggered by a first user, obtain the first user credential data included in the request.

For the explanation and implementation of this step, refer to step 301 above; it is not repeated here.

Step 402: Perform key derivation on the first user credential data to obtain the first user's key encryption key.

For the explanation and implementation of this step, refer to step 302 above; it is not repeated here.

Step 403: If the first user's key encryption key is among the registered users' key encryption keys, obtain the first address segment accessible to the first user.

For the explanation and implementation of this step, refer to step 303 above; it is not repeated here. Note that the registered users of the encrypted storage device are subject to access restrictions. The processor obtains the first address segment accessible to the first user in order to determine whether it contains the target address indicated by the data read/write request. If it does not, the first user has no right to access the target address and the processor may return a prompt message. If it does, the first user has the right to access the target address, and step 404 below is executed.

Optionally, the processor may store the storage address segments of the hardware storage unit that each registered user is allowed to access, so that it can look up the first address segment, that is, the storage address segment the first user is allowed to access.

Step 404: If the first address segment contains the target address indicated by the data read/write request, read the data key ciphertext of the first address segment in which the target address lies.

In this embodiment, if the first address segment contains the target address indicated by the data read/write request, the first user has the right to access the target address, and the processor reads the data key ciphertext of the first address segment in which the target address lies.

In one optional implementation, the sensitive data in memory comprises the storage address segments of the hardware storage unit and the data key ciphertext corresponding to each of them. The processor reads from the sensitive data the data key ciphertext of the first address segment in which the target address lies.

In another optional implementation, the sensitive data in memory comprises a correspondence between storage address segments of the hardware storage unit, registered users and data key ciphertexts. In this correspondence, each registered user is allowed to access the corresponding storage address segment, and the data key ciphertext corresponding to that user is obtained by encrypting the segment's data encryption key with that user's key encryption key. The processor reads from the sensitive data the data key ciphertext corresponding to both the first address segment and the first user.

Step 405: Decrypt the data key ciphertext with the first user's key encryption key to obtain the data encryption key of the first address segment.

Step 406: Use the data encryption key to carry out the data read or write processing indicated by the data read/write request.

In some embodiments, as described above, the registered users of the encrypted storage device are subject to access restrictions. The sensitive information of the device includes permission control data, which at least indicates the storage address segments each registered user may access. Accordingly, the sensitive data ciphertext further comprises a permission control data ciphertext, obtained by encrypting the permission control data with the master key, and the sensitive data in memory further comprises the permission control data.

The permission control data governs the access rights of different users or processes to the data on the encrypted storage device. Using it, the device can ensure, through user authentication and defined access control policies and rights, that only authorized registered users can access the data; for example, a given user or user group may access specific data, possibly only under specified conditions. An administrator user may have full access to all data on the device and the ability to manage system settings, whereas an ordinary user may have permission only to read or write part of the data. The permission control data indicates the access rights and authentication information of the different registered users and is stored in the hardware storage unit encrypted under the master key.

Optionally, obtaining the first address segment accessible to the first user in step 403 comprises determining it from the permission control data: the processor reads the permission control data within the sensitive data in memory and determines the first address segment accessible to the first user.

In one optional implementation, the permission control data comprises a correspondence between key encryption keys and storage address segments. The processor then determines the first address segment by looking up, in that correspondence, the storage address segment corresponding to the first user's key encryption key.

In another optional implementation, the permission control data comprises a correspondence between key encryption keys, data key ciphertexts and storage address segments, where each key encryption key encrypts and decrypts the corresponding data key ciphertext, and the data encryption key recovered from that data key ciphertext encrypts and decrypts the stored data of the corresponding storage address segment. On this basis, the processor determines the first address segment by looking up the storage address segment corresponding to the first user's key encryption key in that correspondence, and step 404 reads the data key ciphertext of the first address segment by looking up the data key ciphertext corresponding to the first user's key encryption key in the same correspondence.

In some embodiments, as described above, the stored data of different storage address segments of the hardware storage unit may be encrypted with different data encryption keys. The sensitive information of the encrypted storage device then includes access range data, which at least indicates the segmented access layout of the hardware storage unit, that is, how its stored data is divided into segments. Accordingly, the sensitive data ciphertext further comprises an access range data ciphertext, obtained by encrypting the access range data with the master key, and the sensitive data in memory further comprises the access range data.

Where registered users are subject to access restrictions, the access range data further indicates at least the users permitted to access each storage address segment of the hardware storage unit, or alternatively at least the category of users permitted to access each storage address segment.

When all registered users have the same access rights, or when encrypting the same storage address segment's data encryption key with the multiple target key encryption keys yields the same data key ciphertext, the sensitive data ciphertext comprises one data key ciphertext per storage address segment of the hardware storage unit, and so does the sensitive data in memory.

When encrypting the same storage address segment's data encryption key with the multiple target key encryption keys yields different data key ciphertexts, the sensitive data ciphertext comprises at least one data key ciphertext per storage address segment, and so does the sensitive data in memory; a segment that multiple registered users may access has multiple data key ciphertexts.

The access range data defines and controls access rights to specific data segments on the encrypted storage device. By dividing the hardware storage unit into storage data segments, assigning each its own data encryption key, and locking and unlocking ranges according to the user's authentication and authorization state, it permits fine-grained access control over the data on the device and reduces the risk of data leakage. The access range data indicates the access rights and access policy of each storage data segment and is encrypted under the master key to produce the access range data ciphertext.

Optionally, obtaining the first address segment accessible to the first user in step 403 comprises determining it from the access range data: the processor reads the access range data within the sensitive data in memory and determines the first address segment accessible to the first user.

In one optional implementation, the access range data comprises a correspondence between key encryption keys, data key ciphertexts and storage address segments, where each key encryption key encrypts and decrypts the corresponding data key ciphertext, and the data encryption key recovered from that data key ciphertext encrypts and decrypts the stored data of the corresponding storage address segment. On this basis, the processor determines the first address segment by looking up the storage address segment corresponding to the first user's key encryption key in that correspondence, and step 404 reads the data key ciphertext of the first address segment by looking up the data key ciphertext corresponding to the first user's key encryption key in the same correspondence.

In another optional implementation, the access range data comprises a correspondence between data key ciphertexts and storage address segments, and step 404 reads the data key ciphertext of the first address segment by looking up the data key ciphertext corresponding to the first address segment in that correspondence.

In some embodiments, the access range data is generated by the following steps 011 to 017.

In step 011, obtain the access range information of the hardware storage unit of the encrypted storage device. The access range information indicates the segmented access layout of the hardware storage unit.

Optionally, the access range information may be generated from a configured access range control policy. Alternatively, the segmented layout of the hardware storage unit may be configured by the administrator user, in which case the processor obtains the access range information entered by the administrator user in response to an access range entry operation.

In step 012, determine multiple storage address segments of the hardware storage unit from the access range information.

For example, suppose the encrypted storage device comprises a first, a second and a third hardware storage unit. If the device is segmented per hardware storage unit, the processor determines three storage address segments: the first, second and third storage address segments, which are the address ranges of the first, second and third hardware storage units respectively.

In step 013, generate a different data encryption key for each storage address segment.

The processor generates a different data encryption key for each storage address segment. Optionally, it does so by generating a different random number for each segment, which becomes that segment's data encryption key.

In step 014, for each storage address segment, encrypt the segment's stored data with the corresponding data encryption key to produce the stored data ciphertext, and write that ciphertext to the hardware storage space corresponding to the segment.

Optionally, in response to a data write operation, the processor obtains the write address of the operation, encrypts the data to be written with the data encryption key of the storage address segment containing that write address to produce the stored data ciphertext, and writes the stored data ciphertext to the write address.

Further optionally, the access range information also indicates the category of users permitted to access each storage address segment; optionally, the administrator user may define the registered users or registered user groups that may access each storage address segment. The generation of the access range data then further comprises:

In step 015, for each storage address segment, obtain the key encryption key of each target registered user in the segment's permitted user category.

Optionally, for each storage address segment, the processor determines the segment's permitted user category from the access range information, identifies each registered user in that category as a target registered user, and obtains each target registered user's key encryption key.

In step 016, encrypt the segment's data encryption key separately with each target registered user's key encryption key to obtain the data key ciphertext(s) corresponding to the storage address segment.

In this embodiment, for each storage data segment, the processor encrypts the corresponding data encryption key with the key encryption key of each of that segment's target registered users, obtaining the data key ciphertext(s) corresponding to the segment.

When encrypting the same segment's data encryption key with the multiple target key encryption keys yields the same data key ciphertext, the processor obtains one data key ciphertext for the segment. When it yields different data key ciphertexts and the segment has multiple target registered users, the processor obtains multiple data key ciphertexts for the segment.

In step 017, generate the access range data from the storage address segments, their corresponding data key ciphertexts and the target registered users' key encryption keys.

In this embodiment, from the key encryption key of each target registered user of a single storage address segment and that user's data key ciphertext, the processor determines the correspondence between that segment, its data key ciphertexts and the key encryption keys, and thereby obtains the correspondence between every storage address segment, its data key ciphertexts and the key encryption keys.

For example, suppose the hardware storage unit comprises a first and a second storage address segment, and two target registered users are allowed to access the first storage address segment, with key encryption keys A11 and A12. Encrypting the first segment's data encryption key with key encryption key A11 gives data key ciphertext B11, and encrypting it with key encryption key A12 gives data key ciphertext B12.

Two target registered users are likewise allowed to access the second storage address segment, with key encryption keys A21 and A22. Encrypting the second segment's data encryption key with key encryption key A21 gives data key ciphertext B21, and encrypting it with key encryption key A22 gives data key ciphertext B22.

The access range data generated by the processor is then: first storage address segment - key encryption key A11 - data key ciphertext B11; first storage address segment - key encryption key A12 - data key ciphertext B12; second storage address segment - key encryption key A21 - data key ciphertext B21; and second storage address segment - key encryption key A22 - data key ciphertext B22.

In some embodiments, the permission control data is generated by the following steps 021 to 025.

In step 021, the user credential data and the permission control information of a second user are obtained. The permission control information indicates the second address segment that the second user is allowed to access.

Optionally, the second user is a user to be entered, whom the management user is permitting to access the encrypted storage device. In response to the management user's permission entry operation, the processor obtains the second user's credential data and permission control information as entered by the management user.

In step 022, key derivation is performed on the second user's credential data to obtain the second user's key encryption key.

In step 023, the data encryption key corresponding to the second address segment is obtained.

In step 024, the data encryption key of the second address segment is encrypted with the second user's key encryption key, giving the data key ciphertext corresponding to the second address segment.

In step 025, the permission control data is generated.

Optionally, the permission control data is generated from the second user's key encryption key, the second address segment and the data key ciphertext of the second address segment, and comprises exactly those three items.

Note that in some embodiments the data key ciphertext of a given storage address segment is the same whichever target encryption key is used to encrypt that segment's data encryption key. In that case the permission control data can be generated as follows: obtain the second user's credential data and permission control information, the latter indicating the second address segment the second user may access; derive the second user's key encryption key from the credential data; obtain the data key ciphertext corresponding to the second address segment; and generate permission control data comprising the second user's key encryption key, the second address segment and that data key ciphertext. Here the processor can take the data key ciphertext of the second address segment directly from the access range data.

In some embodiments, the sensitive data of the encrypted storage device comprises multiple data segments, and the sensitive data ciphertext correspondingly comprises multiple data ciphertext segments. As shown in FIG. 5, for example, the sensitive data comprises a key management data segment, a permission control data segment and an access range data segment. The key management data segment holds the key encryption keys and the data encryption keys; the permission control data segment holds the permission control data; the access range data segment holds the access range data.

Correspondingly, the sensitive data ciphertext comprises a key management data segment, a permission control data segment and an access range data segment. The key management data segment holds the key encryption ciphertext (the key encryption key encrypted with the master key) and the data encryption ciphertext (the data encryption key encrypted with the key encryption key). The permission control data segment holds the permission control data ciphertext, obtained by encrypting the permission control data with the master key. The access range data segment holds the access range data ciphertext, obtained by encrypting the access range data with the master key. The sensitive data may also contain further security information data segments; the sensitive data ciphertext then contains the matching segments, each holding that data encrypted with the master key.

Correspondingly, the sensitive data in memory comprises a key management data segment, a permission control data segment and an access range data segment. The key management data segment holds the key encryption key and the data encryption ciphertext; that is, the data encryption key remains wrapped even in memory and is only unwrapped for an authorised access. The permission control data segment holds the permission control data, and the access range data segment holds the access range data.

Further optionally, each data ciphertext segment of the sensitive data ciphertext holds not only the sensitive sub-data ciphertext but also a target hash value of the plaintext obtained by decrypting that ciphertext. The sensitive data in memory then comprises data segments in one-to-one correspondence with the data ciphertext segments, each holding the sensitive sub-data that corresponds to one sensitive sub-data ciphertext. On this basis, as shown in FIG. 6, the data processing method further includes:

Step 601: in response to an error data locating operation, obtain the sensitive data from memory.

In this embodiment the error data locating operation is used to find and locate errors in the sensitive data held in memory. It may be triggered automatically by the processor in a target situation, such as a data read/write anomaly, or manually by the management user.

Step 602: for each data segment of the sensitive data, compute a hash value over the sensitive sub-data in that segment to obtain the current hash value, which is the counterpart of the target hash value stored with that segment's sensitive sub-data ciphertext.

Optionally, the processor computes the current hash value by applying a hash algorithm to the sensitive sub-data of the segment.

Step 603: compare the target hash value with the current hash value, and determine that the sensitive sub-data whose current hash value differs from its target hash value is erroneous.

Specifically, the target hash value of each data ciphertext segment is read from the sensitive data ciphertext. For each data segment in memory, the target hash value of the corresponding data ciphertext segment is compared with the segment's current hash value. If they match, the data in that segment is intact; if they differ, the sensitive sub-data in that segment is corrupted.

As an example, the sensitive data ciphertext comprises a key management data segment, a permission control data segment and an access range data segment. The key management data segment holds the key encryption ciphertext (the key encryption key encrypted with the master key), the data encryption ciphertext (the data encryption key encrypted with the key encryption key) and a first hash value, which is the hash of the data encryption key and the key encryption key. The permission control data segment holds the permission control data ciphertext (encrypted with the master key) and a second hash value, which is the hash of the permission control data. The access range data segment holds the access range data ciphertext (encrypted with the master key) and a third hash value, which is the hash of the access range data.

When the processor carries out steps 602 and 603 for each data segment, computing the current hash value from the segment's sensitive sub-data, comparing it with the target hash value and flagging the sub-data whose hashes differ, the procedure may be as follows:

decrypt the data key ciphertext in the sensitive data with the key encryption key to obtain the data encryption key; hash the data encryption key and the key encryption key from the sensitive data to obtain a fourth hash value; hash the permission control data from the sensitive data to obtain a fifth hash value; hash the access range data from the sensitive data to obtain a sixth hash value; then compare the first with the fourth hash value, the second with the fifth, and the third with the sixth, and determine that the data in the sensitive data whose pair of hash values differs is erroneous.

In this way, when the encrypted storage device malfunctions and the sensitive information in memory is damaged, the device first computes the hash value of each data segment in memory and compares it with the target hash value stored in the sensitive data ciphertext in the hardware storage unit. Segments whose hash values differ are quickly identified as anomalous, so the erroneous segment is located at once; the device can then use the master key to decrypt the sensitive data ciphertext in the hardware storage unit again, reloading the sensitive data into memory and recovering it rapidly. Note that the stored hash is an unkeyed digest of the plaintext: it detects accidental corruption of the in-memory copy, but it is not by itself a defence against an adversary who can rewrite both a ciphertext segment and its hash in the hardware storage unit.
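The following Python block is an added illustration, not code from the patent, that models two passages together: the key hierarchy and permission control data of steps 021 to 025 (credential-derived key encryption key, per-address-segment data encryption key wrapped under it, lookup of the segment and data key ciphertext on the read path), and the per-segment hash check of steps 601 to 603 that locates a corrupted in-memory segment and re-reads only that segment from the hardware store. Everything runs on the standard library: an HMAC-SHA256 keystream stands in for the SM4/AES block cipher, SHA-256 stands in for SM3, and PBKDF2 is an assumed choice for the "key derivation" the text leaves unspecified. Segment names, credentials, the stored key component and the salt are constructed for the example.

```python
"""Added illustration, not the patent's own code: three-level key hierarchy
(master key -> KEK -> per-segment DEK) with permission control data on the read
path, and the per-segment hash check that locates corrupted in-memory SP data.
Stand-ins: an HMAC-SHA256 keystream replaces SM4/AES, SHA-256 replaces SM3 and
PBKDF2 is assumed for key derivation. All names below are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a block cipher in counter mode (SM4/AES in the patent)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def derive_master_key(boot_component: bytes, stored_component: bytes) -> bytes:
    """Master key from the per-power-on random component and the stored one."""
    return hashlib.sha256(boot_component + stored_component).digest()


def derive_kek(credential: bytes, salt: bytes) -> bytes:
    """KEK from a user credential; the patent only says 'key derivation'."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=32)


class EncryptedStorage:
    def __init__(self, segments: dict[str, range]):
        self.mk = derive_master_key(os.urandom(32), b"stored-component")  # assumed
        self.salt = b"constructed-salt"
        self.segments = segments                  # segment name -> address range
        self.dek = {name: os.urandom(32) for name in segments}
        # permission control data: (KEK, segment name) -> data key ciphertext
        self.permissions: dict[tuple[bytes, str], bytes] = {}

    def grant(self, credential: bytes, segment: str) -> None:
        """Steps 021-025: derive the user's KEK and wrap the segment's DEK with it."""
        kek = derive_kek(credential, self.salt)
        self.permissions[(kek, segment)] = encrypt(kek, self.dek[segment])

    def dek_for_access(self, credential: bytes, address: int) -> bytes | None:
        """Read path: unwrap the DEK of the segment holding the target address
        with the KEK derived from the presented credential; None if not permitted."""
        kek = derive_kek(credential, self.salt)
        for (k, name), wrapped in self.permissions.items():
            if hmac.compare_digest(k, kek) and address in self.segments[name]:
                return decrypt(kek, wrapped)
        return None

    def persist(self, sp_table: dict[str, bytes]) -> dict[str, tuple[bytes, bytes]]:
        """Hardware store: each SP segment as (ciphertext under MK, plaintext hash)."""
        return {name: (encrypt(self.mk, data), hashlib.sha256(data).digest())
                for name, data in sp_table.items()}

    def locate_bad_segments(self, memory: dict[str, bytes], stored) -> list[str]:
        """Steps 601-603: rehash each in-memory segment, flag hash mismatches."""
        return sorted(name for name, data in memory.items()
                      if hashlib.sha256(data).digest() != stored[name][1])

    def recover(self, memory: dict[str, bytes], stored, bad: list[str]) -> None:
        """Re-decrypt only the flagged segments from the hardware store."""
        for name in bad:
            memory[name] = decrypt(self.mk, stored[name][0])


def demo() -> dict:
    dev = EncryptedStorage({"seg1": range(0, 1000), "seg2": range(1000, 2000)})
    dev.grant(b"alice-pw", "seg1")            # constructed credentials
    dev.grant(b"bob-pw", "seg1")
    dev.grant(b"bob-pw", "seg2")
    sp = {"key_mgmt": b"kek|dek", "perm": b"alice,bob", "range": b"seg1,seg2"}
    stored = dev.persist(sp)
    memory = {n: decrypt(dev.mk, c) for n, (c, _) in stored.items()}
    memory["perm"] = b"garbage"               # simulated runtime corruption
    bad = dev.locate_bad_segments(memory, stored)
    dev.recover(memory, stored, bad)
    return {
        "alice_seg1": dev.dek_for_access(b"alice-pw", 5) == dev.dek["seg1"],
        "alice_seg2": dev.dek_for_access(b"alice-pw", 1500),
        "bob_seg2": dev.dek_for_access(b"bob-pw", 1500) == dev.dek["seg2"],
        "bad": bad,
        "recovered": memory == sp,
    }
```

The `permissions` table mirrors the patent's correspondence of key encryption key, data key ciphertext and storage address segment: a user who presents the wrong credential derives a different KEK and gets no entry, and a user with a valid KEK but an address outside the granted segment gets `None` without any DEK being unwrapped. The integrity check hashes plaintext, exactly as the target hash values in the ciphertext segments do, so it localises which segment to reload; since the digest is unkeyed it is a fault locator, not an authenticator of the hardware store.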

In some embodiments, the access range data ciphertext is the access range data encrypted with the master key using a block cipher; the permission control data ciphertext is the permission control data encrypted with the master key using a block cipher; the data key ciphertext is the data encryption key encrypted with the key encryption key using a block cipher; and the encryption key ciphertext is the key encryption key encrypted with the master key using a block cipher. The hash value corresponding to a sensitive sub-data ciphertext is computed with a hash algorithm over the corresponding sensitive sub-data. The block cipher may be SM1, SM4 or AES; the hash algorithm may be SM3 or SHA-3.

Optionally, the encrypted storage device includes a data encryption/decryption module with a first operation unit and a second operation unit. The first operation unit executes the block cipher; the second executes the hash algorithm. Accordingly, the access range data ciphertext, the permission control data ciphertext, the data key ciphertext and the encryption key ciphertext are all produced by invoking the first operation unit, and the hash value corresponding to each sensitive sub-data ciphertext is produced by invoking the second operation unit.

As an example, take the sensitive data of the encrypted storage device to be an SP table. As shown in FIG. 7, the SP table of the encrypted storage device comprises a key management data segment, a permission control data segment, an access range data segment, a management interface data segment and an other data segment.

The key management data segment holds the key encryption keys and data encryption keys; the permission control data segment holds the permission control data; the access range data segment holds the access range data; the management interface data segment holds the management interface data; and the other data segment holds the remaining SP data.

The SP table in the hardware storage unit (the sensitive data ciphertext) comprises a key management data segment, a permission control data segment, an access range data segment, a management interface data segment and an other data segment.

The key management data segment holds the key encryption ciphertext (the key encryption key encrypted with the master key by the first operation unit), the data encryption ciphertext (the data encryption key encrypted with the key encryption key by the first operation unit) and the key management hash value, i.e. the first hash value, which is the hash of the data encryption key and the key encryption key computed by the second operation unit. The permission control data segment holds the permission control data ciphertext (the permission control data encrypted with the master key by the first operation unit) and the permission control hash value, i.e. the second hash value, which is the hash of the permission control data computed by the second operation unit. The access range data segment holds the access range data ciphertext (the access range data encrypted with the master key by the first operation unit) and the access range hash value, i.e. the third hash value, which is the hash of the access range data computed by the second operation unit. The management interface data segment holds the interface data ciphertext (the interface data encrypted with the master key by the first operation unit) and the management interface hash value, which is the hash of the management interface data computed by the second operation unit. The other data segment holds the other data ciphertext (the remaining SP data encrypted with the master key by the first operation unit) and the other data hash value, which is the hash of the remaining SP data computed by the second operation unit.

The sensitive data in memory comprises a key management data segment, a permission control data segment, an access range data segment, a management interface data segment and an other data segment. The key management data segment holds the data encryption ciphertext together with the key encryption key obtained by having the first operation unit decrypt the key encryption ciphertext with the master key. The permission control data segment holds the permission control data obtained by decrypting the permission control data ciphertext with the master key in the first operation unit. The access range data segment holds the access range data obtained by decrypting the access range data ciphertext with the master key in the first operation unit. The management interface data segment holds the interface data obtained by decrypting the interface data ciphertext with the master key in the first operation unit. The other data segment holds the remaining SP table data obtained by decrypting the other data ciphertext with the master key in the first operation unit.

In this way, by integrating the various cryptographic algorithms (such as SM3/SM4) into a single data encryption/decryption module, the sensitive data of the encrypted storage device is transferred to the module once and all the required encryption, decryption and hashing operations are performed there. Moreover, the processor can invoke the different operation units concurrently to process different data at the same time, so multiple encryption and decryption operations run in parallel and throughput improves.

In this embodiment, the encrypted storage device generates a first key component at power-on, combines it with the stored second key component to produce the master key, encrypts the device's sensitive data with the master key to obtain the sensitive data ciphertext, and writes that ciphertext to the hardware storage unit. In this scheme the master key resides in the memory of the encrypted storage device, and in response to a sensitive data read operation the in-memory master key is used to decrypt the sensitive data ciphertext. Because the first key component is generated at random on every power-on, and because memory loses its contents on power loss, the master key in memory is destroyed automatically whenever the device is powered off. The master key is therefore well protected and its risk of leakage is low, and encrypting sensitive data under it effectively improves the storage security of that data.

Furthermore, this embodiment adopts a three-level key mechanism that divides the keys of the encrypted storage device into master key, key encryption key and data encryption key, each level having a specific purpose and its own access control. This layering is an effective security mechanism: it improves the flexibility of key management while keeping device access security and access control strong, and it ensures that the leakage of any single key does not grant access to all data, since a key at one level does not reveal the keys above it. Further, this embodiment can use the SM series of Chinese commercial cryptographic algorithms, such as SM3 and SM4, to encrypt and decrypt sensitive data, stored data and other important data, improving encryption performance while further securing the data.

In addition, when the encrypted storage device is an SSD, the sensitive data may be the SP table of the TCG protocol. The present scheme encrypts and stores the SP table in segments under the master key: the key information, user identity and access rights, locking ranges, management interface and other data are each encrypted as separate segments with a block cipher, and a hash value of each segment is computed with a hash algorithm and stored alongside it. This effectively prevents unauthorised access and data leakage, improves the SSD's processing efficiency through parallel cryptographic operations, and improves the ability to localise errors in the sensitive data when the SSD malfunctions, thereby speeding up the recovery of the sensitive data.

Please refer to FIG. 8, which shows a block diagram of a data processing apparatus provided in an embodiment of the present application. The data processing apparatus is applied to an encrypted storage device. As shown in FIG. 8, the data processing apparatus 800 comprises a generation module 801, an acquisition module 802, an encryption module 803 and a decryption module 804.

The generation module 801 is configured to generate a first key component when the encrypted storage device is powered on;

the acquisition module 802 is configured to obtain a second key component stored by the encrypted storage device;

the generation module 801 is further configured to compute a master key from the first key component and the second key component, and to write the master key into the memory of the encrypted storage device;

the encryption module 803 is configured to encrypt the sensitive data of the encrypted storage device with the master key to obtain the sensitive data ciphertext, and to write the sensitive data ciphertext into the hardware storage unit of the encrypted storage device;

the decryption module 804 is configured to respond to a sensitive data read operation by decrypting the sensitive data ciphertext with the master key to obtain the sensitive data, and to write the sensitive data into the memory.

In this embodiment, the encrypted storage device generates a first key component at power-on, combines it with the stored second key component to produce the master key, encrypts the device's sensitive data with the master key to obtain the sensitive data ciphertext, and writes that ciphertext to the hardware storage unit. The master key resides in the memory of the encrypted storage device, and in response to a sensitive data read operation the in-memory master key is used to decrypt the sensitive data ciphertext. Because the first key component is generated at random on every power-on, and because memory loses its contents on power loss, the master key in memory is destroyed automatically whenever the device is powered off. The master key is therefore well protected and its risk of leakage is low, and encrypting sensitive data under it effectively improves the storage security of that data.

Optionally, the sensitive data ciphertext comprises a data key ciphertext and an encryption key ciphertext; the sensitive data in memory comprises the data key ciphertext and the key encryption key obtained by decrypting the encryption key ciphertext with the master key, the key encryption key having been generated from the credential data of an entered user;

the acquisition module 802 is further configured to respond to a data read/write request triggered by a first user by obtaining the first user credential data contained in the request;

the generation module 801 is further configured to perform key derivation on the first user credential data to obtain the first user's key encryption key;

the decryption module 804 is further configured, when the first user's key encryption key is among the key encryption keys of the entered users, to decrypt the data key ciphertext with the first user's key encryption key to obtain the data encryption key, and to carry out the read or write processing indicated by the data read/write request using that data encryption key, the data encryption key being the key under which the stored data of the encrypted storage device is encrypted.

Optionally, the sensitive data comprises multiple data key ciphertexts, and the data encryption key obtained by decrypting each of them is used to encrypt the stored data of a different storage address segment of the hardware storage unit; the decryption module 804 is further configured to:

obtain a first address segment that the first user is allowed to access;

when the first address segment contains the target address that the data read/write request indicates is to be accessed, read the data key ciphertext of the first address segment containing the target address;

decrypt that data key ciphertext with the first user's key encryption key to obtain the data encryption key of the first address segment.

Optionally, the sensitive data ciphertext further comprises a permission control data ciphertext and the sensitive data further comprises permission control data, which at least indicates the storage address segments that entered users may access; the decryption module 804 is further configured to determine, from the permission control data, the first address segment that the first user may access.

Optionally, the permission control data comprises the correspondence between key encryption keys, data key ciphertexts and storage address segments, where a key encryption key encrypts and decrypts its corresponding data key ciphertext and the data encryption key recovered from that ciphertext encrypts and decrypts the stored data of the corresponding storage address segment; the decryption module 804 is further configured to:

determine, from that correspondence, the storage address segment that corresponds to the first user's key encryption key, giving the first address segment;

determine, from that correspondence, the data key ciphertext that corresponds to the first user's key encryption key.

Optionally, the sensitive data ciphertext further comprises an access range data ciphertext and the sensitive data further comprises access range data, which at least indicates the users permitted to access each storage address segment of the hardware storage unit of the encrypted storage device; the decryption module 804 is further configured to determine, from the access range data, the first address segment that the first user may access.

Optionally, the access range data comprises the correspondence between key encryption keys, data key ciphertexts and storage address segments, where a key encryption key encrypts and decrypts its corresponding data key ciphertext and the data encryption key recovered from that ciphertext encrypts and decrypts the stored data of the corresponding storage address segment; the decryption module 804 is further configured to:

determine, from that correspondence, the storage address segment that corresponds to the first user's key encryption key, giving the first address segment;

determine, from that correspondence, the data key ciphertext that corresponds to the first user's key encryption key.

Optionally, the sensitive data ciphertext comprises multiple data ciphertext segments, each holding a sensitive sub-data ciphertext and a target hash value of the plaintext obtained by decrypting it; the sensitive data comprises data segments in one-to-one correspondence with those ciphertext segments, each holding the sensitive sub-data corresponding to one sensitive sub-data ciphertext; the acquisition module 802 is further configured to respond to an error data locating operation by obtaining the sensitive data from memory;

the data processing apparatus 800 further comprises a calculation module configured, for each data segment, to compute from the sensitive sub-data in that segment the hash value corresponding to its sensitive sub-data ciphertext, giving the current hash value;

比较模块,用于对目标散列值和当前散列值进行比较,确定比较结果指示不相等的当前散列值对应的敏感子数据有误。The comparison module is used to compare the target hash value and the current hash value, and determine that the sensitive sub-data corresponding to the unequal current hash value indicated by the comparison result is incorrect.

可选地,敏感数据密文包括:密钥管理数据段、权限控制数据段和访问范围数据段,密钥管理数据段包括:数据密钥密文、加密密钥密文以及第一散列值,第一散列值为数据加密密钥和密钥加密密钥的散列值;权限控制数据段包括:权限控制数据密文以及第二散列值,第二散列值为权限控制数据的散列值;访问范围数据段包括:访问范围数据密文和第三散列值,第三散列值为访问范围数据的散列值;Optionally, the sensitive data ciphertext includes: a key management data segment, an authority control data segment and an access range data segment, the key management data segment includes: a data key ciphertext, an encryption key ciphertext and a first hash value, the first hash value being a hash value of a data encryption key and a key encryption key; the authority control data segment includes: an authority control data ciphertext and a second hash value, the second hash value being a hash value of the authority control data; the access range data segment includes: an access range data ciphertext and a third hash value, the third hash value being a hash value of the access range data;

计算模块,还用于采用密钥加密密钥对敏感数据中的数据密钥密文进行解密处理,得到数据加密密钥;计算敏感数据中数据加密密钥和密钥加密密钥的散列值,得到第四散列值;计算敏感数据中权限控制数据的散列值,得到第五散列值;计算敏感数据中访问范围数据的散列值,得到第六散列值;The calculation module is further used to use the key encryption key to decrypt the data key ciphertext in the sensitive data to obtain the data encryption key; calculate the hash value of the data encryption key and the key encryption key in the sensitive data to obtain a fourth hash value; calculate the hash value of the permission control data in the sensitive data to obtain a fifth hash value; calculate the hash value of the access range data in the sensitive data to obtain a sixth hash value;

比较模块,还用于对第一散列值和第四散列值,第二散列值和第五散列值,第三散列值和第六散列值进行比较,确定敏感数据中,比较结果指示不相等的散列值对应的数据有误。The comparison module is also used to compare the first hash value and the fourth hash value, the second hash value and the fifth hash value, and the third hash value and the sixth hash value to determine that the data corresponding to the unequal hash values indicated by the comparison result in the sensitive data is incorrect.

Optionally, the acquisition module 802 is further configured to acquire user credential data and permission control information of a second user, the permission control information indicating a second address segment accessible to the second user;

the generation module 801 is further configured to perform key derivation on the second user's user credential data to obtain the second user's key encryption key;

the acquisition module 802 is further configured to acquire the data encryption key corresponding to the second address segment;

the encryption module 803 is further configured to encrypt the data encryption key of the second address segment with the second user's key encryption key, obtaining the data key ciphertext corresponding to the second address segment; and

the generation module 801 is further configured to generate the permission control data.

Optionally, the generation module 801 is further configured to

generate the permission control data according to the second user's key encryption key, the second address segment and the data key ciphertext of the second address segment, the permission control data including the correspondence between the key encryption key, the data key ciphertext and the second address segment.

Optionally, the acquisition module 802 is further configured to acquire, in response to a permission entry operation of a management user, the user credential data and permission control information of the second user entered by the management user.

Optionally, the acquisition module 802 is further configured to acquire access range information of the hardware storage unit of the encrypted storage device, the access range information indicating how access to the hardware storage unit is segmented;

the data processing apparatus 800 further includes a determination module configured to determine a plurality of storage address segments of the hardware storage unit according to the access range information;

the generation module 801 is further configured to generate a different data encryption key for each storage address segment; and

the encryption module 803 is further configured to, for each storage address segment, encrypt the stored data of that storage address segment with the corresponding data encryption key to generate a stored data ciphertext, and write the stored data ciphertext to the hardware storage space corresponding to that storage address segment.

Optionally, the access range information further indicates the access user category of each storage address segment; the acquisition module 802 is further configured to acquire, for each storage address segment, the key encryption key of each target entry user in the access user category of that storage address segment;

the encryption module 803 is further configured to encrypt the data encryption key corresponding to the storage address segment separately with the key encryption key of each target entry user, obtaining the data key ciphertexts corresponding to the storage address segment; and

the generation module 801 is further configured to generate the access range data according to the storage address segment, the corresponding data key ciphertexts and the target entry users' key encryption keys.

Optionally, the acquisition module 802 is further configured to acquire, in response to an access range entry operation of a management user, the access range information of the hardware storage unit entered by the management user.

Optionally, the access range data ciphertext is obtained by encrypting the access range data with the master key using a block cipher algorithm; the permission control data ciphertext is obtained by encrypting the permission control data with the master key using a block cipher algorithm; the data key ciphertext is obtained by encrypting the data encryption key with the key encryption key using a block cipher algorithm; the encryption key ciphertext is obtained by encrypting the key encryption key with the master key using a block cipher algorithm; and the hash value corresponding to a sensitive sub-data ciphertext is computed from the corresponding sensitive sub-data in the sensitive data using a hash algorithm.

Optionally, the encrypted storage device includes a data encryption and decryption module, and the data encryption and decryption module includes a first arithmetic unit and a second arithmetic unit;

the first arithmetic unit is used to execute the block cipher algorithm and the second arithmetic unit is used to execute the hash algorithm; the access range data ciphertext, the permission control data ciphertext, the data key ciphertext and the encryption key ciphertext are all obtained by invoking the first arithmetic unit; and the hash value corresponding to the sensitive sub-data ciphertext is obtained by invoking the second arithmetic unit.

Optionally, the encrypted storage device includes a first hardware unit and a second hardware unit, the second key component being stored in the first hardware unit; the encryption module 803 is configured to encrypt the first key component with the second key component to obtain a first key component ciphertext, and to store the first key component ciphertext in the second hardware unit.

Optionally, the user credential data includes at least one of: the password of the user account, the user's personal identification number (PIN), and biometric information entered by the user.

In the embodiments of the present application, the encrypted storage device can generate a first key component at power-on, generate a master key from the first key component and the stored second key component, and then encrypt the sensitive data of the encrypted storage device with the master key to obtain a sensitive data ciphertext, which is written to the hardware storage unit of the encrypted storage device. In this technical solution, the master key is stored in the memory of the encrypted storage device. In response to a sensitive data read operation, the master key in the memory can be used to decrypt the sensitive data ciphertext to obtain the sensitive data. Because the first key component used to generate the master key is randomly generated by the encrypted storage device each time it is powered on, and because memory is automatically cleared when power is lost, the master key in the memory is also automatically destroyed when the encrypted storage device loses power. The master key therefore has a high level of security and a low risk of leakage, and using it to encrypt sensitive data effectively improves the storage security of that sensitive data.
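A Python model of the key hierarchy described above, added here as an illustration and not the patent's own code: a master key that lives only in RAM, per-user key encryption keys derived from credentials, a different data encryption key per storage address segment, the permission control data (KEK, DEK ciphertext, segment) sealed under the master key, and the target-hash integrity check. Assumptions: an HMAC-SHA256 keystream plus tag stands in for the patent's block cipher (the standard library has no AES), PBKDF2-SHA256 stands in for the credential key derivation, SHA-256 is the hash, and the salt, user names, credentials and segment payloads are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the patent's block cipher: an HMAC-SHA256 keystream (stdlib has no AES).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)


def derive_kek(credential: bytes) -> bytes:
    """Key derivation from user credential data (PBKDF2-SHA256 and the salt are assumed)."""
    return hashlib.pbkdf2_hmac("sha256", credential, b"constructed-device-salt", 20_000)


class EncryptedStorageDevice:
    """Master key in RAM, per-user KEKs, per-segment DEKs and the permission control data."""

    def __init__(self, second_component: bytes):
        self.second_component = second_component  # persisted (first hardware unit)
        self.master_key = None                     # RAM only; destroyed at power-off
        self.flash = {}                            # hardware storage unit (persisted)
        self.ram = {}                              # decrypted sensitive data

    def power_on(self) -> None:
        first_component = secrets.token_bytes(32)  # fresh random component each boot
        self.master_key = hashlib.sha256(first_component + self.second_component).digest()

    def power_off(self) -> None:
        self.master_key = None                     # models volatile memory losing power
        self.ram.clear()

    def provision(self, segments: dict, users: dict) -> None:
        """Management-user entry: `segments` maps (start, end) -> allowed user names,
        `users` maps user name -> credential bytes. Writes one DEK-encrypted payload per
        segment plus the permission control data (KEK, DEK ciphertext, segment) sealed
        under the master key, with its target hash value stored beside it."""
        table = []
        for seg, allowed in segments.items():
            dek = secrets.token_bytes(32)          # a different DEK per address segment
            payload = f"constructed payload for segment {seg}".encode()
            self.flash[("data", seg)] = seal(dek, payload)
            for name in allowed:
                kek = derive_kek(users[name])
                table.append([kek.hex(), seal(kek, dek).hex(), list(seg)])
        blob = json.dumps(table).encode()
        self.flash["perm"] = seal(self.master_key, blob)
        self.flash["perm_hash"] = hashlib.sha256(blob).digest()   # target hash value

    def read_sensitive(self) -> None:
        """Sensitive data read operation: decrypt the permission control data into RAM."""
        self.ram["perm"] = json.loads(unseal(self.master_key, self.flash["perm"]))

    def read(self, credential: bytes, address: int):
        """Data read request from a first user: derive the KEK, find the address segment
        that KEK may access, unwrap that segment's DEK and decrypt the stored data.
        Returns None when the user has no accessible segment containing `address`."""
        if "perm" not in self.ram:
            self.read_sensitive()
        kek = derive_kek(credential)
        for entry_kek, dek_ct, (start, end) in self.ram["perm"]:
            if hmac.compare_digest(entry_kek, kek.hex()) and start <= address < end:
                dek = unseal(kek, bytes.fromhex(dek_ct))
                return unseal(dek, self.flash[("data", (start, end))])
        return None

    def sensitive_data_intact(self) -> bool:
        """Error data locating: recompute the current hash of the in-memory permission
        control data and compare it with the stored target hash value."""
        current = hashlib.sha256(json.dumps(self.ram["perm"]).encode()).digest()
        return hmac.compare_digest(current, self.flash["perm_hash"])
```

The read path only unwraps a DEK when the derived KEK matches an enrolled entry and the requested address falls inside that entry's segment, so a valid credential for one segment yields nothing for another.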

Optionally, as shown in FIG. 9, an embodiment of the present application further provides an electronic device 900, including a processor 901, a memory 902, and a program or instructions stored in the memory 902 and executable on the processor 901. When the program or instructions are executed by the processor 901, each process of the data processing method embodiments above is implemented with the same technical effect; to avoid repetition, this is not described again here.

It should be noted that, for the functions of the components of the electronic device 900 in this embodiment, reference may be made to the functions of the corresponding parts of the electronic device 100 provided in the foregoing embodiments, which are not repeated here.

An embodiment of the present application further provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, each process of the data processing method embodiments above is implemented with the same technical effect; to avoid repetition, this is not described again here.

The processor is the processor of the electronic device described in the embodiments above. The readable storage medium includes a computer-readable storage medium such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

An embodiment of the present application further provides a chip including a processor and a communication interface coupled to the processor. The processor is configured to run a program or instructions to implement each process of the data processing method embodiments above with the same technical effect; to avoid repetition, this is not described again here. It should be understood that the chip referred to in the embodiments of the present application may also be called a system-level chip, a system chip, a chip system or a system-on-chip.

It should be noted that, in this document, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. In the absence of further restrictions, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes that element. In addition, it should be pointed out that the scope of the methods and apparatuses in the embodiments of the present application is not limited to performing the functions in the order shown or discussed; the functions may also be performed substantially simultaneously or in reverse order depending on the functions involved. For example, the described method may be performed in an order different from that described, and steps may be added, omitted or combined. Furthermore, features described with reference to certain examples may be combined in other examples.

From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, can be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present application.

The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific embodiments described above. Those specific embodiments are merely illustrative and not restrictive. Under the guidance of the present application, a person of ordinary skill in the art can devise many further forms without departing from the spirit of the present application and the scope of protection of the claims, all of which fall within the protection of the present application.

Claims (22)

1. A data processing method, characterized by being applied to an encrypted storage device; the method comprises the following steps:
generating a first key component when the encrypted storage device is powered up;
Acquiring a second key component stored by the encryption storage device;
Generating a master key according to the first key component and the second key component, and writing the master key into the memory of the encryption storage device;
encrypting the sensitive data of the encryption storage equipment by adopting the master key to obtain a sensitive data ciphertext, and writing the sensitive data ciphertext into a hardware storage unit of the encryption storage equipment;
and responding to the sensitive data reading operation, adopting the master key to decrypt the sensitive data ciphertext to obtain the sensitive data, and writing the sensitive data into the memory.
2. The method of claim 1, wherein the sensitive data ciphertext comprises: a data key ciphertext and an encryption key ciphertext; the sensitive data in the memory comprises: the data key ciphertext, and a key encryption key obtained by decrypting the encryption key ciphertext with the master key, the key encryption key being generated according to user credential data of an entry user; the method further comprises the steps of:
responding to a data read-write request triggered by a first user, and acquiring first user credential data included in the data read-write request;
Performing key derivation processing on the first user credential data to obtain a key encryption key of the first user;
And under the condition that the key encryption key of the first user exists in the key encryption keys of the input users, decrypting the data key ciphertext by adopting the key encryption key of the first user to obtain a data encryption key, and executing the data reading process indicated by the data reading and writing request by adopting the data encryption key, wherein the data encryption key is used for encrypting the stored data of the encryption storage device.
3. The method of claim 2, wherein the sensitive data comprises a plurality of the data key ciphertexts, each of the data key ciphertexts decrypted data encryption key for: encrypting the storage data of different storage address segments in the hardware storage unit; the method further comprises the steps of:
The step of decrypting the data key ciphertext by using the key encryption key of the first user to obtain the data encryption key comprises the following steps:
acquiring a first address field accessible to the first user;
Reading a data key ciphertext of a first address field where the target address is located under the condition that the first address field comprises the target address where the data read-write request indicates access;
And decrypting the data key ciphertext by adopting the key encryption key of the first user to obtain the data encryption key of the first address segment.
4. A method according to claim 3, wherein the sensitive data ciphertext further comprises entitlement control data ciphertext, the sensitive data further comprising entitlement control data indicative of at least a segment of a memory address accessible to the entering user;
The obtaining a first address field accessible to the first user includes: and determining a first address segment accessible to the first user according to the authority control data.
5. The method of claim 4, wherein the entitlement control data comprises: the corresponding relation among the key encryption key, the data key ciphertext and the storage address segment is that the key encryption key is used for encrypting and decrypting the corresponding data key ciphertext, and the data encryption key after the data key ciphertext is decrypted is used for encrypting and decrypting the storage data of the corresponding storage address segment; the determining, according to the permission control data, a first address field accessible to the first user includes:
Determining a storage address segment corresponding to the key encryption key of the first user according to the corresponding relation among the key encryption key, the data key ciphertext and the storage address segment, and obtaining a first address segment;
The reading the data key ciphertext of the first address field where the target address is located comprises the following steps: and determining the data key ciphertext corresponding to the key encryption key of the first user according to the corresponding relation among the key encryption key, the data key ciphertext and the storage address segment.
6. The method of claim 3, wherein the sensitive data ciphertext further comprises access range data ciphertext, the sensitive data further comprising access range data, the access range data indicating at least an access user corresponding to a storage address field in a hardware storage unit of the encrypted storage device;
the obtaining a first address field accessible to the first user includes: and determining a first address segment accessible to the first user according to the access range data.
7. The method of claim 6, wherein the access range data comprises: the corresponding relation among the key encryption key, the data key ciphertext and the storage address segment is that the key encryption key is used for encrypting and decrypting the corresponding data key ciphertext, and the data encryption key after the data key ciphertext is decrypted is used for encrypting and decrypting the storage data of the corresponding storage address segment; the determining, according to the access range data, a first address segment accessible to the first user includes:
Determining a storage address segment corresponding to the key encryption key of the first user according to the corresponding relation among the key encryption key, the data key ciphertext and the storage address segment, and obtaining a first address segment;
The reading the data key ciphertext of the first address field where the target address is located comprises the following steps: and determining the data key ciphertext corresponding to the key encryption key of the first user according to the corresponding relation among the key encryption key, the data key ciphertext and the storage address segment.
8. The method of claim 1, wherein the sensitive data ciphertext comprises: a plurality of data ciphertext segments, each data ciphertext segment comprising a sensitive sub-data ciphertext and a target hash value of the data obtained by decrypting the sensitive sub-data ciphertext;
The sensitive data includes: the data segments are in one-to-one correspondence with the data ciphertext segments, and each data segment comprises sensitive sub-data corresponding to the sensitive sub-data ciphertext;
the method further comprises the steps of:
Responding to the error data positioning operation, and acquiring sensitive data of the memory;
For each data segment, calculating a hash value corresponding to the corresponding sensitive sub-data ciphertext according to the sensitive sub-data in the data segment to obtain a current hash value;
And comparing the target hash value with the current hash value, and determining that the comparison result indicates that the sensitive sub-data corresponding to the current hash value which is not equal is wrong.
9. The method of claim 8, wherein the sensitive data ciphertext comprises: a key management data segment, a rights control data segment, and an access range data segment, the key management data segment comprising: a data key ciphertext, an encryption key ciphertext, and a first hash value that is a hash value of a data encryption key and a key encryption key; the entitlement control data section includes: the authorization control data ciphertext and a second hash value, wherein the second hash value is the hash value of the authorization control data; the access range data segment includes: the method comprises the steps of accessing range data ciphertext and a third hash value, wherein the third hash value is a hash value of the access range data;
Calculating, for each data segment, the hash value corresponding to the corresponding sensitive sub-data ciphertext according to the sensitive sub-data in the data segment to obtain a current hash value, comparing the target hash value with the current hash value, and determining that the sensitive sub-data corresponding to a current hash value that the comparison result indicates is unequal is wrong, comprises:
Decrypting the data key ciphertext in the sensitive data by adopting the key encryption key to obtain a data encryption key;
calculating hash values of the data encryption key and the key encryption key in the sensitive data to obtain a fourth hash value;
Calculating a hash value of the authority control data in the sensitive data to obtain a fifth hash value;
Calculating a hash value of the access range data in the sensitive data to obtain a sixth hash value;
Comparing the first hash value with the fourth hash value, the second hash value with the fifth hash value, and the third hash value with the sixth hash value to determine that data corresponding to unequal hash values are wrong in the sensitive data.
10. The method according to claim 4, wherein the method further comprises:
Acquiring user credential data and authority control information of a second user, wherein the authority control information indicates a second address field accessible to the second user;
performing key derivation processing on the user credential data of the second user to obtain a key encryption key of the second user;
acquiring a data encryption key corresponding to the second address segment;
Encrypting the data encryption key of the second address segment by adopting the key encryption key of the second user to obtain a data key ciphertext corresponding to the second address segment;
And generating the authority control data.
11. The method of claim 10, wherein the generating the entitlement control data comprises:
Generating the authority control data according to the key encryption key of the second user, the second address segment and the data key ciphertext of the second address segment, wherein the authority control data comprises: and the corresponding relation among the key encryption key, the data key ciphertext and the second address segment.
12. The method of claim 10, wherein the obtaining user credential data and rights control information for the second user comprises:
and responding to the authority input operation of the management user, and acquiring user credential data and authority control information of a second user input by the management user.
13. A method according to claim 3, characterized in that the method further comprises:
Acquiring access range information of a hardware storage unit of the encryption storage device, wherein the access range information indicates a segmented access condition of the hardware storage unit;
determining a plurality of storage address segments of the hardware storage unit according to the access range information;
generating a different data encryption key for each storage address segment;
And for each storage address segment, encrypting the storage data of the storage address segment by adopting the corresponding data encryption key to generate a storage data ciphertext, and writing the storage data ciphertext into a hardware storage space corresponding to the storage address segment.
14. The method of claim 13, wherein the access scope information further indicates an access user category for each of the storage address segments; the method further comprises the steps of:
Acquiring a key encryption key of each target entry user of the access user category of the storage address segment for each storage address segment;
encrypting the data encryption key corresponding to the storage address segment by adopting the key encryption key of each target entry user to obtain a data key ciphertext corresponding to the storage address segment;
And generating access range data according to the storage address segment, the corresponding data key ciphertext and the key encryption key of the target input user.
15. The method of claim 13, wherein the obtaining access range information of the hardware storage unit of the encrypted storage device comprises:
And responding to access range input operation of a management user, and acquiring access range information of a hardware storage unit input by the management user.
16. The method of claim 9, wherein the access range data ciphertext is encrypted data of the access range data using the master key using a block encryption algorithm; the right control data ciphertext is data obtained by encrypting the right control data by using a block encryption algorithm and the master key; the data key ciphertext is data obtained by encrypting the data encryption key by adopting a block encryption algorithm and utilizing the key encryption key; the encryption key ciphertext is data obtained by encrypting the key encryption key by using a block encryption algorithm and the master key; the hash value corresponding to the sensitive sub-data ciphertext is data obtained by calculating according to the sensitive sub-data corresponding to the sensitive data by adopting a hash algorithm.
17. The method of claim 16, wherein the encrypted storage device comprises a data encryption and decryption module, and the data encryption and decryption module comprises a first operation unit and a second operation unit;
the first operation unit is used for executing the block encryption algorithm, and the second operation unit is used for executing the hash algorithm; the access range data ciphertext, the authority control data ciphertext, the data key ciphertext and the encryption key ciphertext are all data obtained by calling the first operation unit; and the hash value corresponding to the sensitive sub-data ciphertext is data obtained by calling the second operation unit.
18. The method of claim 1, wherein the encrypted storage device comprises a first hardware unit and a second hardware unit, and the second key component is stored in the first hardware unit; the method further comprises the steps of:
encrypting the first key component with the second key component to obtain a first key component ciphertext, and storing the first key component ciphertext in the second hardware unit.
19. The method of claim 2, wherein the user credential data comprises at least one of: a password of the user account, a personal identification number (PIN) of the user, and biometric information entered by the user.
20. An electronic device comprising a processor and a memory, the memory having instructions stored thereon, which when executed by the processor, implement the method of any of claims 1 to 19.
21. A readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the method of any of claims 1 to 19.
22. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of any of claims 1 to 19.
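The key hierarchy that claims 13 to 18 describe (a master key that wraps each user's key encryption key, a per-segment data encryption key wrapped once per user in the segment's access category, and segment data encrypted under that data encryption key) is ordinary envelope encryption. The following is an added Go example written for this page; it is not code from the patent or its applicant. It assumes AES-256-GCM as the unnamed "block encryption algorithm", models the encrypted storage device as an in-memory `Device`, and uses illustrative names (`Segment`, `EnrollUser`, `WriteSegment`, `ReadSegment`, the `kek:`/`dek:`/`seg:` labels) that do not appear in the claims.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a fresh 256-bit key (since Go 1.24 crypto/rand.Read never returns an error).
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// gcmFor builds AES-256-GCM, standing in for the claims' unnamed block cipher (an assumption).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length, which newKey never produces
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prepends a fresh nonce; label is bound as associated data so a blob
// cannot be replayed under another key name or address segment.
func seal(key, plaintext, label []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, label)
}

// open reverses seal; a flipped bit, a wrong key or a wrong label fails the GCM tag check.
func open(key, blob, label []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], label)
	}
	return nil, fmt.Errorf("missing or truncated ciphertext")
}

// Segment is one storage address segment: its data encrypted under a per-segment
// DEK, plus that DEK wrapped once per user in the segment's access category.
type Segment struct {
	Addr        string
	DataCT      []byte
	WrappedDEKs map[string][]byte // user -> DEK encrypted under that user's KEK
}

// Device holds the master key and each enrolled user's KEK, the KEKs only as
// "encryption key ciphertext" wrapped under the master key.
type Device struct {
	master      []byte
	wrappedKEKs map[string][]byte
}

func NewDevice() *Device {
	return &Device{master: newKey(), wrappedKEKs: map[string][]byte{}}
}

// EnrollUser generates a KEK for user and keeps it only in wrapped form.
func (d *Device) EnrollUser(user string) {
	d.wrappedKEKs[user] = seal(d.master, newKey(), []byte("kek:"+user))
}

// userKEK unwraps a user's KEK; an unknown user has a nil blob, which open rejects.
func (d *Device) userKEK(user string) ([]byte, error) {
	return open(d.master, d.wrappedKEKs[user], []byte("kek:"+user))
}

// WriteSegment encrypts data under a fresh DEK and wraps that DEK for every user in the access category.
func (d *Device) WriteSegment(addr string, data []byte, users []string) (*Segment, error) {
	dek := newKey()
	seg := &Segment{Addr: addr, DataCT: seal(dek, data, []byte("seg:"+addr)), WrappedDEKs: map[string][]byte{}}
	for _, u := range users {
		kek, err := d.userKEK(u)
		if err != nil {
			return nil, fmt.Errorf("cannot wrap DEK for %q: %w", u, err)
		}
		seg.WrappedDEKs[u] = seal(kek, dek, []byte("dek:"+addr+":"+u))
	}
	return seg, nil
}

// ReadSegment unwraps the DEK with the caller's KEK; a user with no wrapped DEK entry is refused first.
func (d *Device) ReadSegment(seg *Segment, user string) ([]byte, error) {
	wrapped, ok := seg.WrappedDEKs[user]
	if !ok {
		return nil, fmt.Errorf("user %q is not authorised for segment %s", user, seg.Addr)
	}
	kek, err := d.userKEK(user)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, wrapped, []byte("dek:"+seg.Addr+":"+user))
	if err != nil {
		return nil, err
	}
	return open(dek, seg.DataCT, []byte("seg:"+seg.Addr))
}
```

Two properties of the arrangement are worth checking on any real implementation of these claims: a user outside a segment's access category has no wrapped DEK at all, so access is refused without any decryption taking place, and because each wrapped key and each segment ciphertext is authenticated together with its label, a blob cannot be moved to another address segment or another user and still decrypt.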
CN202411273363.2A 2024-09-12 2024-09-12 Data processing method, electronic device, storage medium and computer program product Active CN118821243B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411273363.2A CN118821243B (en) 2024-09-12 2024-09-12 Data processing method, electronic device, storage medium and computer program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411273363.2A CN118821243B (en) 2024-09-12 2024-09-12 Data processing method, electronic device, storage medium and computer program product

Publications (2)

Publication Number Publication Date
CN118821243A true CN118821243A (en) 2024-10-22
CN118821243B CN118821243B (en) 2025-03-21

Family

ID=93068630

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411273363.2A Active CN118821243B (en) 2024-09-12 2024-09-12 Data processing method, electronic device, storage medium and computer program product

Country Status (1)

Country Link
CN (1) CN118821243B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119397583A (en) * 2024-12-30 2025-02-07 苏州元脑智能科技有限公司 A data processing method, system, computer program product, device and medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6581162B1 (en) * 1996-12-31 2003-06-17 Compaq Information Technologies Group, L.P. Method for securely creating, storing and using encryption keys in a computer system
US6745331B1 (en) * 1998-07-10 2004-06-01 Silverbrook Research Pty Ltd Authentication chip with protection from power supply attacks
WO2020051910A1 (en) * 2018-09-14 2020-03-19 Cobo Global Limited Secure hardware cryptographic key storage device with detachable battery and anti-tamper security functionality
CN110971398A (en) * 2018-09-28 2020-04-07 阿里巴巴集团控股有限公司 Data processing method, device and system
CN111079128A (en) * 2019-12-11 2020-04-28 腾讯科技(深圳)有限公司 Data processing method and device, electronic equipment and storage medium
CN112655010A (en) * 2018-10-02 2021-04-13 第一资本服务有限责任公司 System and method for password authentication of contactless cards
CN114244508A (en) * 2021-12-15 2022-03-25 平安科技(深圳)有限公司 Data encryption method, device, equipment and storage medium
WO2022259015A1 (en) * 2021-06-07 2022-12-15 Telefonaktiebolaget Lm Ericsson (Publ) Storage device utilizing physically unclonable function (puf) based secret sharing scheme for data encryption/decryption
CN115544587A (en) * 2022-12-02 2022-12-30 奉加微电子(昆山)有限公司 Encryption method, decryption method, chip, and computer-readable storage medium
CN116233158A (en) * 2023-02-09 2023-06-06 北京五八信息技术有限公司 A data storage method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
冉娟;李晓宇;: "Research on mobile data storage based on a secret sharing protocol", Computer Science (计算机科学), no. 04, 15 April 2016 (2016-04-15) *
胡俭勇;苏锦海;: "Design and implementation of an FPGA-based USB key carrier", Electronic Technology (电子技术), no. 3, 20 December 2007 (2007-12-20) *

Also Published As

Publication number Publication date
CN118821243B (en) 2025-03-21

Similar Documents

Publication Publication Date Title
US10915633B2 (en) Method and apparatus for device security verification utilizing a virtual trusted computing base
US20190158277A1 (en) Technologies for secure key provisioning with a manageability engine
EP2583410B1 (en) Single-use authentication methods for accessing encrypted data
US9424430B2 (en) Method and system for defending security application in a user's computer
JP4912879B2 (en) Security protection method for access to protected resources of processor
US8103883B2 (en) Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption
JP6275653B2 (en) Data protection method and system
US20080181406A1 (en) System and Method of Storage Device Data Encryption and Data Access Via a Hardware Key
US20110016330A1 (en) Information leak prevention device, and method and program thereof
US20040117625A1 (en) Attestation using both fixed token and portable token
US8296841B2 (en) Trusted platform module supported one time passwords
US20040117318A1 (en) Portable token controlling trusted environment launch
US20080040613A1 (en) Apparatus, system, and method for secure password reset
US11735319B2 (en) Method and system for processing medical data
CN100547598C (en) Saving and retrieving data based on symmetric key encryption
SG185640A1 (en) Method and system of secure computing environment having auditable control of data movement
CN118821243B (en) Data processing method, electronic device, storage medium and computer program product
WO2022052665A1 (en) Wireless terminal and interface access authentication method for wireless terminal in uboot mode
CN114520735B (en) User identity authentication method, system and medium based on trusted execution environment
CN118821104A (en) Data authorization management method and related equipment applied to trusted data space
CN116305330B (en) Safety management method for CPU hardware
CN108345804B (en) Storage method and device in trusted computing environment
CN114840863B (en) Secure storage method and system based on trusted embedded device and FTP
CN114091027B (en) Information configuration method, data access method, related device and equipment
US9177160B1 (en) Key management in full disk and file-level encryption

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant