CN118821243B - Data processing method, electronic device, storage medium and computer program product - Google Patents
- Publication number: CN118821243B (application CN202411273363.2A)
- Authority: CN (China)
- Prior art keywords: data, key, ciphertext, encryption, user
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/80—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a data processing method, an electronic device, a storage medium and a computer program product in the technical field of data processing. The method is applied to an encrypted storage device and comprises: generating a first key component when the device is powered on; obtaining a second key component stored in the device; generating a master key from the first and second key components and writing it into the device's (volatile) memory; encrypting the device's sensitive data with the master key to obtain a sensitive data ciphertext and writing that ciphertext into a hardware storage unit of the device; and, in response to a sensitive data read operation, decrypting the ciphertext with the master key to obtain the sensitive data and writing it into the memory. The application effectively improves the storage security of the sensitive data of the encrypted storage device.
Description
Technical Field
The application belongs to the technical field of data processing, and particularly relates to a data processing method, electronic equipment, a storage medium and a computer program product.
Background
With the growing demand for data security, users pay increasing attention to data protection, and encrypted storage devices have become important tools for protecting the data of enterprises and individuals. An encrypted storage device protects data primarily by encrypting it before storing it. Examples include non-volatile storage devices with a built-in encryption function, such as self-encrypting solid-state disk (SSD) devices and cryptographic chip devices. Sensitive data is the critical data of the encrypted storage device: mainly the encryption keys of the stored data and the authentication data of the users who access the device. Sensitive data is critical to maintaining the security and functionality of encrypted storage devices.
Currently, sensitive data is usually kept in a non-volatile memory of the encrypted storage device so that it is not lost or damaged by an unexpected power failure or similar event. However, a hardware unit of the device can be physically dismantled (for example, a flash chip removed and read out), exposing its stored contents. Sensitive data stored in a hardware unit therefore carries a risk of leakage, and how to guarantee its storage security is a problem to be solved.
Disclosure of Invention
Embodiments of the application provide a data processing method, an electronic device, a storage medium and a computer program product that address the leakage risk of sensitive data in existing encrypted storage devices.
In order to solve the technical problems, the application is realized as follows:
In a first aspect, an embodiment of the present application provides a data processing method, which is applied to an encrypted storage device, where the method includes:
generating a first key component when the encrypted storage device is powered on;
acquiring a second key component stored in the encrypted storage device;
generating a master key from the first key component and the second key component, and writing the master key into the memory of the encrypted storage device;
encrypting the sensitive data of the encrypted storage device with the master key to obtain a sensitive data ciphertext, and writing the sensitive data ciphertext into a hardware storage unit of the encrypted storage device;
and, in response to a sensitive data read operation, decrypting the sensitive data ciphertext with the master key to obtain the sensitive data, and writing the sensitive data into the memory.
In a second aspect, an embodiment of the present application provides an electronic device, where the electronic device includes a processor, a memory, and a program or an instruction stored on the memory and executable on the processor, where the program or the instruction implements the data processing method according to the first aspect when executed by the processor.
In a third aspect, an embodiment of the present application provides a readable storage medium, where a program or an instruction is stored, where the program or the instruction implements the data processing method according to the first aspect when executed by a processor.
In a fourth aspect, an embodiment of the present application provides a chip, where the chip includes a processor and a communication interface, where the communication interface is coupled to the processor, and the processor is configured to execute a program or instructions to implement a data processing method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements a data processing method as described in the first aspect.
In the embodiment of the application, the encrypted storage device generates the first key component at power-on, derives the master key from it and the stored second key component, encrypts the device's sensitive data with the master key, and writes the resulting sensitive data ciphertext into a hardware storage unit of the device. The master key itself is held only in the device's volatile memory. In response to a sensitive data read operation, the ciphertext is decrypted with the in-memory master key to obtain the sensitive data. Because the first key component is generated randomly at each power-on, and because the memory loses its contents when power is removed, the master key is destroyed automatically whenever the device is powered off. The master key therefore has a low leakage risk, and encrypting the sensitive data under it effectively improves the storage security of that data.
Drawings
FIG. 1 is a flow chart of a data processing method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a key generation method according to an embodiment of the present application;
FIG. 3 is a flow chart of another data processing method according to an embodiment of the present application;
FIG. 4 is a flow chart of yet another data processing method provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of encryption of sensitive data provided by an embodiment of the present application;
FIG. 6 is a flow chart of yet another data processing method provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of a data processing method according to an embodiment of the present application;
FIG. 8 is a block diagram of a data processing apparatus provided by an embodiment of the present application;
Fig. 9 is a block diagram of an electronic device provided by the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
With the growing demand for data security, users pay increasing attention to data protection, and encrypted storage devices have become important tools for protecting the data of enterprises and individuals. An encrypted storage device protects data primarily by encrypting it before storing it. Examples include non-volatile storage devices with a built-in encryption function, such as self-encrypting solid-state disk (SSD) devices, cryptographic chip devices, USB devices and cryptographic card devices.
Sensitive data, also called security parameters, is the critical data of the encrypted storage device: mainly the encryption keys of the stored data, the authentication data of the users who access the device, and so on. Sensitive data is critical to maintaining the security and functionality of encrypted storage devices. For example, the Trusted Computing Group (TCG) specifications define a set of security standards covering device self-encryption based on the AES symmetric cipher (Advanced Encryption Standard), user rights management, pre-boot authentication and so on, which protect enterprise sensitive data from leakage and establish a complete authentication system. For an encrypted SSD, the sensitive data includes the TCG Security Provider (SP) tables. The SP tables hold the encryption keys, access control policies, authentication mechanisms, data recovery information and the like; they are key components of the SSD's encryption framework, and their preservation and management are critical to maintaining its security and functionality.
To better understand the technical scheme of the application, the encrypted storage device of the embodiment is described first. It comprises a processor, a memory (volatile working memory) and at least one hardware storage unit. The hardware storage unit is a non-volatile memory, for example an SSD, a USB flash disk, a cryptographic card or a cryptographic chip. The processor is connected to the memory and to the hardware storage unit. The processor reads stored-data ciphertext from the hardware storage unit and decrypts it to obtain the stored data; it encrypts data to be written and writes the resulting ciphertext into the hardware storage unit; and it encrypts and decrypts the sensitive data of the device.
Optionally, the encrypted storage device includes a data encryption/decryption module with several operation units, each executing a different encryption or decryption algorithm. In some embodiments the module has a first operation unit that executes a block cipher and a second operation unit that executes a hash algorithm. The processor can then drive different units at the same time, encrypting or decrypting several pieces of data in parallel and improving throughput.
Referring to FIG. 1, a flowchart of a data processing method according to an embodiment of the application is shown. The method applies to the encrypted storage device described above and may be executed by its processor; the description below takes execution by the processor as the example. As shown in FIG. 1, the data processing method includes:
Step 101, generating a first key component when the encrypted storage device is powered on.
In the embodiment of the application, the processor randomly generates the first key component at power-on. For example, it may invoke a true random number generator (TRNG) at power-on and use the resulting random number as the first key component.
Step 102, obtaining a second key component stored by the encryption storage device.
In the embodiment of the application, the second key component is stored in a hardware storage unit of the encrypted storage device. It may be fixed data written when the device is shipped from the factory.
And 103, generating a master key according to the first key component and the second key component, and writing the master key into the memory of the encryption storage device.
Optionally, the processor derives the master key from the first and second key components with a target key generation algorithm and writes it into the memory of the encrypted storage device. Once in memory, the master key cannot be exported and is destroyed automatically on power failure. The target key generation algorithm may be HKDF, a bitwise exclusive-or, or similar; for example, the processor may XOR the first and second key components to obtain the master key.
As shown in FIG. 2, the first key component is a random number produced by invoking the TRNG at power-on, the second key component is data built into the encrypted storage device at the factory, and the master key is the exclusive-or of the two.
And 104, encrypting the sensitive data of the encrypted storage device by adopting the master key to obtain a sensitive data ciphertext, and writing the sensitive data ciphertext into a hardware storage unit of the encrypted storage device.
Optionally, the processor encrypts the sensitive data of the encrypted storage device under the master key with a block cipher, such as SM1, SM4 or AES (Advanced Encryption Standard), to obtain the sensitive data ciphertext.
And 105, in response to the sensitive data reading operation, decrypting the sensitive data ciphertext by adopting the master key to obtain the sensitive data, and writing the sensitive data into the memory.
The sensitive data read operation reads the sensitive data ciphertext from a hardware storage unit of the encrypted storage device. Optionally, the processor issues and serves this operation at power-on, decrypting the ciphertext with the master key and writing the sensitive data into memory. Alternatively, it issues and serves the operation when it first receives a user data read/write request, decrypts the ciphertext with the master key, writes the sensitive data into memory, and then carries out the data read indicated by the request using that sensitive data.
In some embodiments of the application, the encrypted storage device includes a first hardware unit and a second hardware unit, and the second key component is stored in the first hardware unit. After generating the first key component, the processor may encrypt it with the second key component to obtain a first key component ciphertext and store that ciphertext in the second hardware unit. The two components are thus kept on separate units, so that neither is exposed together with the other; this lowers the leakage risk of the master key and protects its generation, storage and use. For example, the first hardware unit is a NAND flash and the second hardware unit is a NOR flash.
In summary, the master key exists only in the volatile memory of the encrypted storage device, is rebuilt at each power-on from a freshly generated first key component and the stored second key component, and is destroyed automatically on power-off. The sensitive data is stored only as ciphertext under that key, which effectively improves its storage security.
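The power-on sequence of steps 101 to 105, together with the NAND/NOR split of the two key components, as an added worked example in Go using only the standard library; it is not code from the patent. Its assumptions: the CSPRNG `crypto/rand` stands in for the TRNG; the master key is derived with an HMAC extract step (one form of the HKDF option named above) rather than the XOR of FIG. 2; AES-256-GCM, an authenticated mode, protects both the wrapped first component and the sensitive data, so that a modified ciphertext is rejected instead of being decrypted into corrupt sensitive data; and, to reconcile step 101 with the NOR-stored first key component ciphertext, a fresh first component is drawn only when NOR holds no wrapped component, otherwise the stored one is recovered (if a new component were drawn on every boot, no boot could open the ciphertext written by the previous one). The `Device` type, its field names and the placeholder sensitive data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Device struct {
	nandSecondComponent []byte // fixed second key component, written at manufacture
	nandSensitiveCT     []byte // sensitive data ciphertext: nonce || AES-GCM output
	norFirstComponentCT []byte // first key component wrapped under the second component
	ram                 []byte // master key; nil whenever the device is powered off
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; the error paths are unreachable with 32-byte keys.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prefixes a fresh 12-byte nonce; open verifies the GCM tag, so a wrong key
// or a modified blob is rejected instead of decrypting into garbage.
func seal(key, plain, aad []byte) []byte {
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, plain, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

// PowerOn: first boot draws the first component from the CSPRNG and stores it in
// NOR wrapped under the second component; later boots recover it from NOR.
func (d *Device) PowerOn() error {
	var first []byte
	if d.norFirstComponentCT == nil {
		first = randBytes(32)
		d.norFirstComponentCT = seal(d.nandSecondComponent, first, []byte("first-component"))
	} else {
		var err error
		if first, err = open(d.nandSecondComponent, d.norFirstComponentCT, []byte("first-component")); err != nil {
			return fmt.Errorf("first component unwrap failed: %w", err)
		}
	}
	m := hmac.New(sha256.New, d.nandSecondComponent) // HMAC extract: one HKDF-style option the page names
	m.Write(first)
	d.ram = m.Sum(nil) // the master key lives only here
	return nil
}

// PowerOff models volatile RAM: the master key does not survive the loss of power.
func (d *Device) PowerOff() { d.ram = nil }

// WriteSensitive commits only ciphertext to NAND; ReadSensitive brings the plaintext back into RAM.
func (d *Device) WriteSensitive(plain []byte) error {
	if d.ram == nil {
		return errors.New("powered off: no master key in RAM")
	}
	d.nandSensitiveCT = seal(d.ram, plain, []byte("sensitive-data"))
	return nil
}

func (d *Device) ReadSensitive() ([]byte, error) {
	if d.ram == nil {
		return nil, errors.New("powered off: no master key in RAM")
	}
	return open(d.ram, d.nandSensitiveCT, []byte("sensitive-data"))
}

func main() {
	d := &Device{nandSecondComponent: randBytes(32)} // manufacture writes only this
	_ = d.PowerOn()
	_ = d.WriteSensitive([]byte("constructed SP-table placeholder"))
	d.PowerOff() // master key gone; the next PowerOn rebuilds it from NOR + NAND
	_ = d.PowerOn()
	got, err := d.ReadSensitive()
	fmt.Printf("after reboot: %q err=%v\n", got, err)
	// A NAND-only dump lacks the NOR blob: a fresh first component is drawn and the tag check fails.
	stolen := &Device{nandSecondComponent: d.nandSecondComponent, nandSensitiveCT: d.nandSensitiveCT}
	_ = stolen.PowerOn()
	_, err = stolen.ReadSensitive()
	fmt.Println("NAND-only copy decrypts:", err == nil)
}
```

Dumping the NAND alone yields the second component and the sensitive data ciphertext but not the NOR blob, so a device rebuilt from that dump derives a different master key and the GCM tag check fails; a modified NOR blob fails the same way at power-on. Dumping both chips does reconstruct the master key, since nothing in the derivation depends on a user secret or a hardware-bound key: the dispersal raises the attacker's cost, it does not replace a hardware root of trust.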
In some embodiments of the application, the sensitive data of the encrypted storage device includes a data encryption key and a key encryption key. The data encryption key encrypts the stored data of the device. The key encryption key is derived from the user credential data of an entered user of the device, to whom it corresponds; it encrypts the data encryption key, and is itself stored encrypted under the master key.
An entered user is a user permitted (that is, authorized) to access the encrypted storage device, for example one entered by an administrative user of the device. The administrative user may be a super administrator or an ordinary administrator authorized by the super administrator. The user credential data includes at least one of the password of the user account, the user's personal identification number (PIN) and biometric information entered by the user. A user accessing the device must therefore supply the correct credentials to derive the correct key encryption key, decrypt the data encryption key with it, and only then decrypt and access the stored data. Encrypting the data encryption key under the key encryption key ensures that only authorized entered users can reach the sensitive data, and hence the stored data of the hardware storage unit.
Optionally, as shown in FIG. 2, the data encryption key is a random number produced by invoking the TRNG, and the key encryption key is derived from the user credential data with a key derivation algorithm. Different storage address segments of the hardware storage unit may be encrypted with different data encryption keys; in that case the TRNG is invoked once per segment to produce a distinct random number as that segment's data encryption key.
Optionally, the sensitive data ciphertext comprises a data key ciphertext (the data encryption key encrypted under the key encryption key) and an encryption key ciphertext (the key encryption key encrypted under the master key). The sensitive data in memory comprises the data key ciphertext and the key encryption key obtained by decrypting the encryption key ciphertext with the master key. The method further includes the processor deriving the key encryption key of each entered user from that user's credential data, and randomly generating the data encryption key.
On this basis, encrypting the sensitive data with the master key comprises: encrypting the data encryption key with the key encryption key to obtain the data key ciphertext, and encrypting the key encryption key with the master key to obtain the encryption key ciphertext; together these form the sensitive data ciphertext.
Correspondingly, decrypting the sensitive data ciphertext with the master key comprises decrypting the encryption key ciphertext with the master key to obtain the key encryption key, and writing the resulting sensitive data, namely the data key ciphertext and the key encryption key, into memory. On this basis, as shown in FIG. 3, the data processing method further includes:
Step 301, responding to a data read-write request triggered by a first user, and acquiring first user credential data included in the data read-write request.
The first user triggers a data read/write request when wishing to read data from or write data to the encrypted storage device. The request may carry the first user's credential data and the target address of the hardware storage unit to be accessed, that is, the write address of the data to be written or the address of the data to be read.
Step 302, performing key derivation processing on the first user credential data to obtain a key encryption key of the first user.
Optionally, the processor invokes a key derivation algorithm, such as PBKDF2, scrypt or an HMAC-based PRF, on the first user credential data to obtain the first user's key encryption key.
Step 303, in the case that the key encryption key of the first user exists in the key encryption keys of the input users, decrypting the data key ciphertext by adopting the key encryption key of the first user to obtain the data encryption key, and executing the data reading process indicated by the data reading and writing request by adopting the data encryption key.
In the embodiment of the application, after deriving the first user's key encryption key, the processor reads the sensitive data in memory and checks whether that key is among the key encryption keys of the entered users. If it is not, the first user is not permitted to access the encrypted storage device and the processor may return a prompt message. If it is, the first user is permitted: the processor reads the data key ciphertext from the sensitive data in memory, decrypts it with the first user's key encryption key to obtain the data encryption key, and carries out the data read indicated by the request with that key. The sensitive data thus also serves to authenticate users of the encrypted storage device, improving its access security. The comparison of key encryption keys should be done in constant time, so that response timing does not reveal how much of a guessed key matched. Stored data is encrypted under the data encryption key, the data encryption key under the key encryption key, and the key encryption key under the master key: a three-level key hierarchy in which each higher-level key encrypts (or signs) the key below it, forming a chain of keys. This hierarchy allows keys to be managed flexibly while maintaining a high degree of security and access control.
Further, different storage address segments of the hardware storage unit may be encrypted with different data encryption keys. In step 303, when the first user's key encryption key is among the entered users' key encryption keys, the processor obtains the target address from the data read/write request, obtains the data key ciphertext corresponding to that address, decrypts it with the first user's key encryption key to obtain the data encryption key, and performs the data read indicated by the request with that key.
In an alternative implementation, the users of the encrypted storage device are also subject to access restrictions. For example, an administrator may access all hardware storage units, while some users may access only part of them. The storage address segments of each hardware storage unit that a user may access can be set by the administrative user, or generated automatically from a configured access policy.
The sensitive data of the encrypted storage device may include several data encryption keys, each encrypting the stored data of a different storage address segment of the hardware storage unit. Accordingly, the sensitive data ciphertext includes several data key ciphertexts, and so does the sensitive data in memory.
In one case, the data encryption key of a storage address segment can be obtained by decrypting the same data key ciphertext with any of several target key encryption keys; that is, encrypting the segment's data encryption key under each target key encryption key yields the same data key ciphertext. A target key encryption key is the key encryption key of an entered user who is allowed to access that segment. The sensitive data ciphertext then contains one data key ciphertext per storage address segment of the hardware storage unit, and so does the sensitive data in memory.
In the other case, encrypting the same segment's data encryption key under different target key encryption keys yields different data key ciphertexts. The sensitive data ciphertext then contains at least one data key ciphertext per storage address segment, and so does the sensitive data in memory; a segment that several entered users are allowed to access corresponds to several data key ciphertexts. As shown in FIG. 4, the data processing method further includes:
Step 401, responding to a data read-write request triggered by a first user, and acquiring the first user credential data included in the data read-write request.
The explanation and implementation of this step may refer to step 301 above and are not repeated here.
Step 402, performing key derivation processing on the first user credential data to obtain the key encryption key of the first user.
The explanation and implementation of this step may refer to step 302 above and are not repeated here.
Step 403, when the key encryption key of the first user exists among the key encryption keys of the entered users, acquiring a first address segment accessible to the first user.
The explanation and implementation of this step may refer to step 303 above and are not repeated here. It should be noted that the entered users of the encrypted storage device are subject to access restrictions. The processor may obtain the first address segment accessible to the first user in order to determine whether the first address segment includes the target address that the data read-write request indicates access to. If the first address segment does not include the target address, the first user does not have access to the target address, and the processor may return a prompt message. If the first address segment does include the target address, the first user has access to the target address, and step 404 below may be performed.
Alternatively, the processor may store in the hardware storage unit the storage address segments that each user is allowed to access, so that the processor can obtain the first address segment accessible to the first user. The first address segment is the storage address segment that the first user is allowed to access.
Step 404, when the first address segment includes the target address that the data read-write request indicates access to, reading the data key ciphertext of the first address segment in which the target address is located.
In the embodiment of the application, if the first address segment includes the target address that the data read-write request indicates access to, the first user has access to the target address, and the processor reads the data key ciphertext of the first address segment in which the target address is located.
In an alternative implementation, the sensitive data in the memory comprises each storage address segment of the hardware storage unit and the data key ciphertext corresponding to each storage address segment. The processor reads from the sensitive data the data key ciphertext of the first address segment in which the target address is located.
In another alternative implementation, the sensitive data in the memory includes the correspondence among each storage address segment of the hardware storage unit, the entered users, and the data key ciphertexts. In this correspondence, an entered user is allowed to access the corresponding storage address segment, and the data key ciphertext corresponding to that entered user is obtained by encrypting the data encryption key of the storage address segment with the key encryption key of that entered user. The processor may read from the sensitive data the data key ciphertext corresponding to the first address segment and the first user.
Step 405, decrypting the data key ciphertext with the key encryption key of the first user to obtain the data encryption key of the first address segment.
Step 406, executing the data read-write process indicated by the data read-write request using the data encryption key.
In some embodiments of the application, as described above, the entered users of the encrypted storage device are subject to access restrictions. The sensitive information of the encrypted storage device includes entitlement control data, which indicates at least the storage address segments accessible to each entered user. Correspondingly, the sensitive data ciphertext also comprises an entitlement control data ciphertext, which is the ciphertext obtained by encrypting the entitlement control data with the master key, and the sensitive data in the memory also includes the entitlement control data.
The entitlement control data is used to manage the access permissions of different users or processes to the data on the encrypted storage device. According to the entitlement control data, the encrypted storage device can ensure, through user authentication, the definition of access control policies, access permissions and the like, that only authorized entered users can access the data on the encrypted storage device. For example, a specified user or group of users may be able to access specific data, or access specific data only under specified conditions. An administrator user may have full access to all data on the encrypted storage device and the ability to manage system settings, whereas an ordinary user may only have permission to read or write a portion of the data. The entitlement control data indicates the access permissions and authentication information of the different entered users, and these are stored in the hardware storage unit after being encrypted with the master key.
Optionally, obtaining the first address segment accessible to the first user in step 403 comprises determining the first address segment accessible to the first user based on the entitlement control data. The processor can read the entitlement control data from the sensitive data in the memory and determine the first address segment accessible to the first user.
In an alternative implementation, the entitlement control data includes a correspondence between key encryption keys and storage address segments. Determining the first address segment accessible to the first user based on the entitlement control data may then include determining, from this correspondence, the storage address segment corresponding to the key encryption key of the first user, which is the first address segment.
In another alternative implementation, the entitlement control data includes a correspondence among key encryption keys, data key ciphertexts, and storage address segments. The key encryption key is used to encrypt and decrypt the corresponding data key ciphertext, and the data encryption key obtained by decrypting the data key ciphertext is used to encrypt and decrypt the stored data of the corresponding storage address segment. On this basis, determining the first address segment accessible to the first user based on the entitlement control data may include determining, from the correspondence among key encryption keys, data key ciphertexts, and storage address segments, the storage address segment corresponding to the key encryption key of the first user, which is the first address segment. Accordingly, reading the data key ciphertext of the first address segment in which the target address is located in step 404 may include determining, from the same correspondence, the data key ciphertext corresponding to the key encryption key of the first user.
In some embodiments of the present application, as described above, the stored data of different storage address segments in the hardware storage unit of the encrypted storage device may be encrypted with different data encryption keys. The sensitive information of the encrypted storage device includes access range data, which indicates at least the segmented access condition of the hardware storage unit, that is, how the stored data of the hardware storage unit is divided into segments. Correspondingly, the sensitive data ciphertext also comprises an access range data ciphertext, which is the ciphertext obtained by encrypting the access range data with the master key, and the sensitive data in the memory also includes the access range data.
When access permissions are defined for the entered users, the access range data is further used to indicate at least the access users corresponding to each storage address segment in the hardware storage unit of the encrypted storage device, or at least the access user category of each storage address segment.
When the access permissions of the entered users are the same, or when encrypting the data encryption key of the same storage address segment with the plurality of target key encryption keys yields the same data key ciphertext, the sensitive data ciphertext comprises the data key ciphertext of each storage address segment in the hardware storage unit, and accordingly the sensitive data in the memory includes the data key ciphertext of each storage address segment.
When encrypting the data encryption key of the same storage address segment with the plurality of target key encryption keys yields different data key ciphertexts, the sensitive data ciphertext comprises at least one data key ciphertext for each storage address segment in the hardware storage unit, and accordingly the sensitive data in the memory includes at least one data key ciphertext for each storage address segment. When one storage address segment allows access by a plurality of entered users, that storage address segment corresponds to a plurality of data key ciphertexts.
The access range data is used to define and control the access permissions to specific data segments on the encrypted storage device. By dividing the range of each stored data segment on the hardware storage unit, assigning a data encryption key to each segment, and locking or unlocking a range based on the identity verification and authorization state of the user, the method allows fine-grained access control to the data on the encrypted storage device and reduces the risk of data leakage. The access range data indicates the access permissions and access policy of each specific stored data segment, and the access range data ciphertext is generated by encrypting the access range data with the master key.
Optionally, obtaining the first address segment accessible to the first user in step 403 comprises determining the first address segment accessible to the first user based on the access range data. The processor may read the access range data from the sensitive data in the memory and determine the first address segment accessible to the first user.
In an alternative implementation, the access range data includes a correspondence among key encryption keys, data key ciphertexts, and storage address segments. The key encryption key is used to encrypt and decrypt the corresponding data key ciphertext, and the data encryption key obtained by decrypting the data key ciphertext is used to encrypt and decrypt the stored data of the corresponding storage address segment. On this basis, determining the first address segment accessible to the first user based on the access range data may include determining, from the correspondence among key encryption keys, data key ciphertexts, and storage address segments, the storage address segment corresponding to the key encryption key of the first user, which is the first address segment. Accordingly, reading the data key ciphertext of the first address segment in which the target address is located in step 404 may include determining, from the same correspondence, the data key ciphertext corresponding to the key encryption key of the first user.
In another alternative implementation, the access range data includes a correspondence between data key ciphertexts and storage address segments. Reading the data key ciphertext of the first address segment in which the target address is located in step 404 may then include determining, from this correspondence, the data key ciphertext corresponding to the first address segment.
In some embodiments, the generation of the access range data may include steps 011 through 017 described below.
In step 011, access range information of the hardware storage unit of the encrypted storage device is acquired. The access range information indicates the segmented access condition of the hardware storage unit.
Alternatively, the access range information may be generated according to a configured access range control policy, or the segmented access condition of the hardware storage unit may be defined by the administrative user. The processor may obtain the access range information of the hardware storage unit entered by the administrative user in response to an access range entry operation by the administrative user.
In step 012, a plurality of storage address segments of the hardware storage unit are determined based on the access range information.
For example, assume that the encrypted storage device includes a first hardware storage unit, a second hardware storage unit, and a third hardware storage unit. If the encrypted storage device is divided by hardware storage unit, the plurality of storage address segments determined by the processor includes a first storage address segment, a second storage address segment, and a third storage address segment, which are the storage address segments of the first, second, and third hardware storage units respectively.
In step 013, a different data encryption key is generated for each storage address segment.
The processor generates a different data encryption key for each storage address segment determined from the access range information. Alternatively, the processor may generate a different random number for each storage address segment and use it as the data encryption key of that storage address segment.
In step 014, for each storage address segment, the stored data of the storage address segment is encrypted with the corresponding data encryption key to generate a stored data ciphertext, and the stored data ciphertext is written into the hardware storage space corresponding to the storage address segment.
Alternatively, in response to a data write operation, the processor may obtain the data write address of the operation, encrypt the data to be written with the data encryption key of the storage address segment in which the data write address is located to generate a stored data ciphertext, and write the stored data ciphertext to the data write address.
Further optionally, the access range information further indicates the access user category of each storage address segment. Optionally, the administrative user may also define the entered user or group of entered users that may access each storage address segment. The generation of the access range data then further comprises the following steps:
In step 015, for each storage address segment, the key encryption key of each target entered user in the access user category of the storage address segment is obtained.
Alternatively, for each storage address segment, the processor may determine the access user category of the storage address segment from the access range information, determine each entered user in that access user category to obtain the target entered users, and obtain the key encryption key of each target entered user.
In step 016, the data encryption key corresponding to the storage address segment is encrypted separately with the key encryption key of each target entered user, so as to obtain the data key ciphertexts corresponding to the storage address segment.
In the embodiment of the application, for each storage address segment, the processor uses the key encryption key of each target entered user of that segment to encrypt the data encryption key corresponding to the segment, obtaining the data key ciphertexts corresponding to the storage address segment.
When encrypting the data encryption key of the same storage address segment with the plurality of target key encryption keys yields the same data key ciphertext, the processor obtains one data key ciphertext corresponding to the storage address segment. When it yields different data key ciphertexts, and the storage address segment has a plurality of target entered users, the processor obtains a plurality of data key ciphertexts corresponding to the storage address segment.
In step 017, the access range data is generated from the storage address segments, the corresponding data key ciphertexts, and the key encryption keys of the target entered users.
In the embodiment of the application, for a single storage address segment, the processor can determine the correspondence among that storage address segment, the data key ciphertexts and the key encryption keys from the key encryption key of each target entered user of the segment and the data key ciphertext of each target entered user, and thereby obtain the correspondence among each storage address segment, the data key ciphertexts and the key encryption keys.
For example, assume that the hardware storage unit includes a first storage address segment and a second storage address segment. Two target entered users are allowed to access the first storage address segment; their key encryption keys are key encryption key A11 and key encryption key A12 respectively. Encrypting the data encryption key of the first storage address segment with key encryption key A11 yields data key ciphertext B11, and encrypting it with key encryption key A12 yields data key ciphertext B12.
Two target entered users are allowed to access the second storage address segment; their key encryption keys are key encryption key A21 and key encryption key A22 respectively. Encrypting the data encryption key of the second storage address segment with key encryption key A21 yields data key ciphertext B21, and encrypting it with key encryption key A22 yields data key ciphertext B22.
The access range data generated by the processor then consists of the entries first storage address segment - key encryption key A11 - data key ciphertext B11, first storage address segment - key encryption key A12 - data key ciphertext B12, second storage address segment - key encryption key A21 - data key ciphertext B21, and second storage address segment - key encryption key A22 - data key ciphertext B22.
In some embodiments, the generation of the entitlement control data includes steps 021 through 025 described below.
In step 021, the user credential data and entitlement control information of a second user are obtained. The entitlement control information indicates a second address segment accessible to the second user.
Alternatively, the second user may be a user to be entered, whom the administrative user allows to access the encrypted storage device. The processor may obtain the user credential data and entitlement control information of the second user entered by the administrative user in response to an entitlement entry operation by the administrative user.
In step 022, key derivation processing is performed on the user credential data of the second user to obtain the key encryption key of the second user.
In step 023, the data encryption key corresponding to the second address segment is obtained.
In step 024, the data encryption key of the second address segment is encrypted with the key encryption key of the second user to obtain the data key ciphertext corresponding to the second address segment.
In step 025, the entitlement control data is generated.
Optionally, the entitlement control data is generated from the key encryption key of the second user, the second address segment, and the data key ciphertext of the second address segment, and includes the key encryption key of the second user, the second address segment, and the data key ciphertext.
It should be noted that, in some embodiments, when encrypting the data encryption key of the same storage address segment with the plurality of target key encryption keys yields the same data key ciphertext, the generation of the entitlement control data may include: obtaining the user credential data and entitlement control information of the second user, the entitlement control information indicating the second address segment accessible to the second user; performing key derivation processing on the user credential data of the second user to obtain the key encryption key of the second user; obtaining the data key ciphertext corresponding to the second address segment; and generating entitlement control data including the key encryption key of the second user, the second address segment, and the data key ciphertext. The processor may obtain the data key ciphertext corresponding to the second address segment from the access range data.
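The key hierarchy of steps 401 to 406, 011 to 017 and 021 to 025 above, as an added example that is not part of the patent or of any product it describes: one random data encryption key per storage address segment, wrapped separately under the key encryption key derived from each target entered user's credential data to form the storage address segment - key encryption key - data key ciphertext rows, and the request path that derives the requesting user's key encryption key, checks that it exists among the entered users' keys, checks that the target address lies in a granted segment, and unwraps that segment's key. AES-256-GCM from the Go standard library stands in for the SM1/SM4/AES block operation, HMAC-SHA256 under a fixed label stands in for the unspecified key derivation, and the rows are returned in the clear rather than inside master-key-protected sensitive data; the names Segment, AccessEntry, BuildAccessData and Unlock and the sample credentials and segment layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aead builds AES-256-GCM for a 32-byte key, standing in for the SM1/SM4/AES
// block-cipher operation of the page's first operation unit.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// wrap encrypts and prefixes a random nonce; unwrap reverses it and rejects a
// wrong key or a tampered blob (the DEK-under-KEK operation of steps 016/024/405).
func wrap(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

func unwrap(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// deriveKEK is the key derivation of steps 302/402/022; HMAC-SHA256 under a
// fixed label is an assumption, the page names no concrete derivation function.
func deriveKEK(credential []byte) []byte {
	m := hmac.New(sha256.New, []byte("assumed-kek-derivation-label"))
	m.Write(credential)
	return m.Sum(nil) // 32 bytes, used directly as the AES-256 wrapping key
}

// Segment is one storage address segment [Start, End) of the hardware storage unit.
type Segment struct {
	Name       string
	Start, End uint64
}

// AccessEntry is one row of the access range / entitlement control data:
// storage address segment - key encryption key - data key ciphertext.
type AccessEntry struct {
	Seg       Segment
	KEK       []byte
	DEKCipher []byte // the segment's DEK wrapped under KEK
}

// BuildAccessData runs steps 011-017 (and 021-025 per user): one random DEK per
// segment, wrapped separately under the KEK of every user granted that segment;
// grants maps a segment name to the credential data of its target entered users.
func BuildAccessData(segments []Segment, grants map[string][][]byte) []AccessEntry {
	var rows []AccessEntry
	for _, s := range segments {
		dek := make([]byte, 32) // step 013; only wrapped forms of it persist
		if _, err := rand.Read(dek); err != nil {
			panic(err)
		}
		for _, cred := range grants[s.Name] { // steps 015-016
			kek := deriveKEK(cred)
			rows = append(rows, AccessEntry{s, kek, wrap(kek, dek)})
		}
	}
	return rows
}

// Unlock runs steps 402-405 for a request at addr: derive the KEK, require it among
// the entered users' KEKs (403), require addr inside a segment granted to that KEK
// (404), unwrap that segment's DEK (405). Step 406 then reads or writes with it.
func Unlock(rows []AccessEntry, cred []byte, addr uint64) (string, []byte, error) {
	kek, known := deriveKEK(cred), false
	for _, e := range rows {
		if !hmac.Equal(e.KEK, kek) {
			continue
		}
		known = true
		if addr >= e.Seg.Start && addr < e.Seg.End {
			dek, err := unwrap(kek, e.DEKCipher)
			return e.Seg.Name, dek, err
		}
	}
	if !known {
		return "", nil, errors.New("credential matches no entered user")
	}
	return "", nil, errors.New("target address outside the user's accessible segments")
}
```

With two constructed segments and two users, where both users are granted the first segment and only one the second, both users recover the same data encryption key for the shared segment from their own rows, a request for an address outside the user's segments is refused before any unwrap is attempted, an unknown credential is refused at the step 403 check, and because the wrap is authenticated a corrupted data key ciphertext fails to unwrap rather than yielding a wrong key. The page's other variant, in which every target key encryption key produces the same data key ciphertext, cannot be represented with a randomised wrap like this one.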
In some embodiments of the application, the sensitive data of the encrypted storage device comprises a plurality of data segments, and accordingly the sensitive data ciphertext includes a plurality of data ciphertext segments. Illustratively, as shown in FIG. 5, the sensitive data of the encrypted storage device includes a key management data segment, an entitlement control data segment, and an access range data segment. The key management data segment comprises the key encryption keys and the data encryption keys. The entitlement control data segment includes the entitlement control data. The access range data segment includes the access range data.
Accordingly, the sensitive data ciphertext includes a key management data segment, an entitlement control data segment, and an access range data segment. The key management data segment comprises the key encryption ciphertext obtained by encrypting the key encryption key with the master key and the data encryption ciphertext obtained by encrypting the data encryption key with the key encryption key. The entitlement control data segment comprises the entitlement control data ciphertext obtained by encrypting the entitlement control data with the master key. The access range data segment includes the access range data ciphertext obtained by encrypting the access range data with the master key. Of course, the sensitive data of the encrypted storage device also includes other security information data; correspondingly, the sensitive data ciphertext also comprises other security information data segments, each containing the ciphertext obtained by encrypting the corresponding data of the sensitive data with the master key.
Accordingly, the sensitive data in the memory includes a key management data segment, an entitlement control data segment, and an access range data segment. The key management data segment comprises the key encryption key and the data encryption ciphertext. The entitlement control data segment includes the entitlement control data. The access range data segment includes the access range data.
Further optionally, each data ciphertext segment of the sensitive data ciphertext includes not only the sensitive sub-data ciphertext but also a target hash value of the data obtained by decrypting that sensitive sub-data ciphertext. Correspondingly, the sensitive data in the memory comprises data segments corresponding one-to-one to the data ciphertext segments, and each data segment comprises the sensitive sub-data corresponding to the sensitive sub-data ciphertext. On this basis, as shown in fig. 6, the data processing method further includes:
Step 601, responding to an error data locating operation, and obtaining the sensitive data in the memory.
In the embodiment of the application, the error data locating operation is used to search for and locate errors in the sensitive data in the memory. Alternatively, the error data locating operation may be triggered automatically by the processor in a target situation, or manually by the administrative user. The target situation may be a data read-write anomaly.
Step 602, for each data segment in the sensitive data, calculating from the sensitive sub-data in the data segment the hash value corresponding to the corresponding sensitive sub-data ciphertext, to obtain a current hash value.
Optionally, the processor may use a hash algorithm to calculate, from the sensitive sub-data in the data segment, the hash value corresponding to the corresponding sensitive sub-data ciphertext, so as to obtain the current hash value.
Step 603, comparing the target hash value with the current hash value, and determining that the sensitive sub-data whose current hash value is unequal to the target hash value is erroneous.
The target hash value of each data ciphertext segment in the sensitive data ciphertext is obtained. For each data segment in the sensitive data, the target hash value of the corresponding data ciphertext segment is compared with the current hash value of the data segment to determine whether they are consistent. If they are, the data of the data segment is determined to be correct; if they are not, the sensitive sub-data in the data segment is erroneous.
By way of example, the sensitive data ciphertext includes a key management data segment, an entitlement control data segment, and an access range data segment. The key management data segment comprises the key encryption ciphertext obtained by encrypting the key encryption key with the master key, the data encryption ciphertext obtained by encrypting the data encryption key with the key encryption key, and a first hash value, which is the hash value of the data encryption key and the key encryption key. The entitlement control data segment includes the entitlement control data ciphertext obtained by encrypting the entitlement control data with the master key and a second hash value, which is the hash value of the entitlement control data. The access range data segment includes the access range data ciphertext obtained by encrypting the access range data with the master key and a third hash value, which is the hash value of the access range data.
When the processor executes steps 602 to 603, that is, for each data segment calculates from the sensitive sub-data in the data segment the hash value corresponding to the corresponding sensitive sub-data ciphertext to obtain the current hash value, compares the target hash value with the current hash value, and determines that the sensitive sub-data whose current hash value is unequal is erroneous, the process may include the following.
The data key ciphertext in the sensitive data is decrypted with the key encryption key to obtain the data encryption key. The hash value of the data encryption key and the key encryption key in the sensitive data is calculated to obtain a fourth hash value. The hash value of the entitlement control data in the sensitive data is calculated to obtain a fifth hash value. The hash value of the access range data in the sensitive data is calculated to obtain a sixth hash value. The first hash value is compared with the fourth hash value, the second hash value with the fifth hash value, and the third hash value with the sixth hash value, and the data in the sensitive data corresponding to any unequal pair of hash values is determined to be erroneous.
Therefore, when the operation of the encrypted storage device is abnormal and the sensitive information in the memory is damaged, the encrypted storage device can calculate the hash value of each data segment in the memory and compare it with the target hash value stored in the sensitive data ciphertext in the hardware storage unit, so that a data segment in the memory whose hash values are unequal is quickly identified as having a data anomaly. This realizes quick locating of the erroneous data segment. Further, the sensitive data ciphertext in the hardware storage unit can be decrypted again with the master key, so that the sensitive data is re-acquired and stored in the memory, realizing quick recovery of the sensitive data in the memory.
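Steps 601 to 603 above, as an added example that is not the patent's own code: each data segment in memory is rehashed and compared against the target hash recorded beside its ciphertext segment, and the segments that disagree are reported by name so that only they need re-decrypting. SHA-256 stands in for the page's SM3/SHA-3, each segment's sub-data is treated as one opaque byte string (for the key management segment the page hashes the data encryption key together with the key encryption key, which here would be their concatenation), and the names MemSegment, TargetHashes and LocateErrors as well as the sample sub-data are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// MemSegment is one data segment of the sensitive data in memory: the decrypted
// sensitive sub-data that pairs with one data ciphertext segment in the hardware
// storage unit. The sub-data is an opaque byte string in this example.
type MemSegment struct {
	Name string
	Data []byte
}

// TargetHashes computes what is recorded beside each sub-data ciphertext when the
// sensitive data ciphertext is written: the hash of the decrypted sub-data, so a
// later check can run on the memory copy without re-decrypting anything.
// SHA-256 stands in for the page's SM3/SHA-3.
func TargetHashes(segs []MemSegment) map[string][32]byte {
	targets := make(map[string][32]byte, len(segs))
	for _, s := range segs {
		targets[s.Name] = sha256.Sum256(s.Data)
	}
	return targets
}

// LocateErrors is steps 602-603: rehash every memory segment to get its current
// hash and compare it with the stored target hash. Segments whose hashes differ,
// and segments with no stored counterpart at all, are returned by name so that
// only those segments need to be re-decrypted from the hardware storage unit.
func LocateErrors(targets map[string][32]byte, mem []MemSegment) []string {
	var bad []string
	for _, m := range mem {
		want, ok := targets[m.Name]
		cur := sha256.Sum256(m.Data)
		if !ok || subtle.ConstantTimeCompare(want[:], cur[:]) != 1 {
			bad = append(bad, m.Name)
		}
	}
	return bad
}

func main() {
	// constructed sample sub-data; on a real device these hold key material and tables
	mem := []MemSegment{
		{"key management", []byte("kek|wrapped-dek")},
		{"entitlement control", []byte("user1->seg1")},
		{"access range", []byte("seg1->kek->dek-ciphertext")},
	}
	targets := TargetHashes(mem) // taken when the ciphertext segments were written
	fmt.Println("intact memory:", LocateErrors(targets, mem))
	mem[1].Data[3] ^= 0x80 // one flipped bit in memory, as after a fault
	fmt.Println("after fault:", LocateErrors(targets, mem))
}
```

Because the target hash is taken over the decrypted sub-data, the check runs on the memory copy alone and never touches the master key; recovery then re-decrypts only the reported segments from the hardware storage unit. The comparison is constant-time so that the check's timing does not depend on where two hashes first differ.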
In some embodiments of the present application, the access range data ciphertext is encrypted data using a master key to encrypt the access range data using a block encryption algorithm. The right control data ciphertext is data obtained by encrypting the right control data by using a block encryption algorithm and a master key. The data key ciphertext is data encrypted by a data encryption key by using a block encryption algorithm and a key encryption key. The encryption key ciphertext is data obtained by encrypting a key encryption key by using a master key by adopting a block encryption algorithm. The hash value corresponding to the sensitive sub-data ciphertext is data obtained by calculating according to the sensitive sub-data corresponding to the sensitive data by adopting a hash algorithm. Wherein the block encryption algorithm comprises SM1, SM4 or AES. The hash algorithm includes SM3 and SHA-3.
Optionally, the encrypted storage device includes a data encryption and decryption module. The data encryption and decryption module comprises a first operation unit and a second operation unit. The first arithmetic unit is used for executing a block encryption algorithm. The second arithmetic unit is used for executing a hash algorithm. Based on the data, the access range data ciphertext, the authority control data ciphertext, the data key ciphertext and the encryption key ciphertext are all data obtained by calling the first operation unit, and the hash value corresponding to the sensitive sub-data ciphertext is data obtained by calling the second operation unit.
Illustratively, the sensitive data of the encrypted storage device is taken as an SP table. As shown in fig. 7, the SP table of the encrypted storage device includes a key management data section, a rights control data section, an access range data section, a management interface data section, and other data sections.
The key management data segment comprises a key encryption key and a data encryption key. The entitlement control data section includes entitlement control data. The access range data segment includes access range data. The management interface data segment includes management interface data. The other data segment includes SP other data.
The SP table ciphertext (the sensitive data ciphertext) in the hardware storage unit comprises a key management data segment, a rights control data segment, an access range data segment, a management interface data segment, and other data segments.
The key management data segment comprises a key encryption ciphertext, obtained by calling the first operation unit to encrypt the key encryption key with the master key; a data encryption ciphertext, obtained by calling the first operation unit to encrypt the data encryption key with the key encryption key; and a key management hash value (the first hash value), which is the hash of the data encryption key and the key encryption key computed by calling the second operation unit. The rights control data segment comprises a rights control data ciphertext, obtained by calling the first operation unit to encrypt the rights control data with the master key, and a rights control hash value (the second hash value), which is the hash of the rights control data computed by calling the second operation unit. The access range data segment comprises an access range data ciphertext, obtained by calling the first operation unit to encrypt the access range data with the master key, and an access range hash value (the third hash value), which is the hash of the access range data computed by calling the second operation unit. The management interface data segment comprises an interface data ciphertext, obtained by calling the first operation unit to encrypt the management interface data with the master key, and a management interface hash value, which is the hash of the management interface data computed by calling the second operation unit. The other data segments comprise other data ciphertexts, obtained by calling the first operation unit to encrypt the remaining SP table data with the master key, and other data hash values, which are the hashes of that remaining data computed by calling the second operation unit. In every segment the hash is taken over the plaintext, not over the ciphertext, so that it can later be compared against the decrypted contents in memory.
The sensitive data in memory comprises the same segments in plaintext form: a key management data segment, a rights control data segment, an access range data segment, a management interface data segment, and other data segments. The key management data segment comprises the data encryption ciphertext and the key encryption key obtained by calling the first operation unit to decrypt the key encryption ciphertext with the master key. The rights control data segment comprises the rights control data obtained by calling the first operation unit to decrypt the rights control data ciphertext with the master key. The access range data segment comprises the access range data obtained by calling the first operation unit to decrypt the access range data ciphertext with the master key. The management interface data segment comprises the interface data obtained by calling the first operation unit to decrypt the interface data ciphertext with the master key. The other data segments comprise the remaining SP table data obtained by calling the first operation unit to decrypt the other data ciphertexts with the master key. Note that the data encryption ciphertext stays encrypted in memory: the data encryption key is only unwrapped with a user's key encryption key when that user's read-write request is served.
In this way, by integrating several encryption, decryption and hash algorithms (such as SM3 and SM4) into one data encryption and decryption module, the sensitive data of the encrypted storage device can be transmitted to that module once and all the required operations executed together. The processor can also call different operation units at the same time, so that different data are encrypted, decrypted or hashed in parallel, which raises the throughput of encryption and decryption.
In the embodiment of the application, the encrypted storage device generates the first key component when it is powered on, generates the master key from the first key component and the stored second key component, encrypts the sensitive data of the encrypted storage device with the master key to obtain the sensitive data ciphertext, and writes the sensitive data ciphertext into the hardware storage unit of the encrypted storage device. In this scheme the master key is held in the memory of the encrypted storage device. In response to a sensitive data reading operation, the sensitive data ciphertext is decrypted with the master key in memory to obtain the sensitive data. Because the first key component from which the master key is generated is randomly generated at every power-on, and because the memory loses its contents at power-off, the master key in memory is destroyed automatically whenever the encrypted storage device is powered off. The master key therefore has a low risk of leakage, and encrypting the sensitive data with it effectively improves the storage security of the sensitive data.
In addition, the embodiment of the application adopts a three-level key mechanism: the keys of the encrypted storage device are divided into a master key, a key encryption key and a data encryption key, and each level has its own use and its own access control. This layered scheme improves the flexibility of key management while keeping the access security and access control capability of the device high. A key at one level does not reveal the key above it, so even if one key is leaked, access to all of the data is not obtained, and the data security of the encrypted storage device is effectively ensured. Furthermore, the sensitive data, the stored data and other important data can be protected with cryptographic algorithms such as SM4 for the block encryption and SM3 for the hash values, which improves encryption performance while further guaranteeing security.
Furthermore, where the encrypted storage device is an SSD, the sensitive data may be the SP table of the TCG protocol. The scheme of the application stores the SP table encrypted in segments under the master key: it encrypts the key information, user identity, access rights, locking range, management interface and other data segments of the SP table with a block encryption algorithm, and computes and stores a hash value for each segment with a hash algorithm. On the premise of effectively preventing unauthorized access and data leakage, this raises the operating efficiency of the SSD through parallel encryption, and, when the SSD behaves abnormally, the per-segment hash values allow the faulty sensitive data to be located and recovered faster.
Referring to fig. 8, a block diagram of a data processing apparatus according to an embodiment of the present application is shown. A data processing apparatus is applied to an encrypted storage device. As shown in fig. 8, the data processing apparatus 800 includes a generation module 801, an acquisition module 802, an encryption module 803, and a decryption module 804.
A generating module 801, configured to generate a first key component when the encrypted storage device is powered on;
an obtaining module 802, configured to obtain a second key component stored in the encrypted storage device;
The generating module 801 is further configured to generate a master key according to the first key component and the second key component, and write the master key into the memory of the encrypted storage device;
the encryption module 803 is configured to encrypt the sensitive data of the encrypted storage device with a master key to obtain a sensitive data ciphertext, and write the sensitive data ciphertext into a hardware storage unit of the encrypted storage device;
The decryption module 804 is configured to perform decryption processing on the ciphertext of the sensitive data by using the master key in response to the sensitive data reading operation, so as to obtain the sensitive data, and write the sensitive data into the memory.
The sensitive data in memory comprises a data key ciphertext and a key encryption key; the key encryption key was derived from the user credential data of an entered user and is recovered in memory by decrypting the encryption key ciphertext with the master key;
The obtaining module 802 is further configured to obtain first user credential data included in a data read-write request in response to the data read-write request triggered by the first user;
the generating module 801 is further configured to perform a key derivation process on the first user credential data to obtain a key encryption key of the first user;
The decryption module 804 is further configured to, when the key encryption key of the first user is among the key encryption keys of the entered users, decrypt the data key ciphertext with the key encryption key of the first user to obtain a data encryption key, and to execute the data reading processing indicated by the data read-write request with that data encryption key, the data encryption key being the key with which the stored data of the encrypted storage device is encrypted.
Optionally, the sensitive data includes a plurality of data key ciphertexts, the data encryption key obtained from each data key ciphertext being used to encrypt the stored data of a different storage address segment in the hardware storage unit, and the decryption module 804 is further configured to:
obtain a first address segment accessible to the first user;
when the first address segment contains the target address that the data read-write request indicates, read the data key ciphertext of the first address segment in which the target address lies;
and decrypt that data key ciphertext with the key encryption key of the first user to obtain the data encryption key of the first address segment.
Optionally, the sensitive data ciphertext further comprises a rights control data ciphertext and the sensitive data further comprises rights control data, the rights control data indicating at least the storage address segments accessible to each entered user, and the decryption module 804 is further configured to determine the first address segment accessible to the first user from the rights control data.
Optionally, the rights control data comprises the correspondence among key encryption keys, data key ciphertexts and storage address segments, where each key encryption key encrypts and decrypts the corresponding data key ciphertext and the data encryption key obtained from that data key ciphertext encrypts and decrypts the stored data of the corresponding storage address segment, and the decryption module 804 is further configured to:
determine, from that correspondence, the storage address segment corresponding to the key encryption key of the first user, obtaining the first address segment;
and determine, from that correspondence, the data key ciphertext corresponding to the key encryption key of the first user.
Optionally, the sensitive data ciphertext further comprises an access range data ciphertext and the sensitive data further comprises access range data, the access range data indicating at least the access users corresponding to each storage address segment of the hardware storage unit of the encrypted storage device, and the decryption module 804 is further configured to determine the first address segment accessible to the first user from the access range data.
Optionally, the access range data comprises the correspondence among key encryption keys, data key ciphertexts and storage address segments, where each key encryption key encrypts and decrypts the corresponding data key ciphertext and the data encryption key obtained from that data key ciphertext encrypts and decrypts the stored data of the corresponding storage address segment, and the decryption module 804 is further configured to:
determine, from that correspondence, the storage address segment corresponding to the key encryption key of the first user, obtaining the first address segment;
and determine, from that correspondence, the data key ciphertext corresponding to the key encryption key of the first user.
Optionally, the sensitive data ciphertext comprises a plurality of data ciphertext segments, each data ciphertext segment comprising a sensitive sub-data ciphertext and a target hash value of the data obtained by decrypting that sensitive sub-data ciphertext; the sensitive data comprises data segments in one-to-one correspondence with the data ciphertext segments, each data segment comprising the sensitive sub-data corresponding to one sensitive sub-data ciphertext;
the data processing apparatus 800 further includes a calculation module, configured to compute, for each data segment, the hash value of the sensitive sub-data in that data segment, obtaining a current hash value for the corresponding sensitive sub-data ciphertext;
and a comparison module, configured to compare each target hash value with the corresponding current hash value and to determine that the sensitive sub-data whose current hash value does not equal its target hash value is erroneous.
Optionally, the sensitive data ciphertext comprises a key management data segment, a rights control data segment and an access range data segment, where the key management data segment comprises a data key ciphertext, an encryption key ciphertext and a first hash value, the first hash value being the hash of the data encryption key and the key encryption key; the rights control data segment comprises a rights control data ciphertext and a second hash value, the second hash value being the hash of the rights control data; and the access range data segment comprises an access range data ciphertext and a third hash value, the third hash value being the hash of the access range data;
the calculation module is further configured to decrypt the data key ciphertext in the sensitive data with the key encryption key to obtain the data encryption key, compute the hash of the data encryption key and the key encryption key in the sensitive data to obtain a fourth hash value, compute the hash of the rights control data in the sensitive data to obtain a fifth hash value, and compute the hash of the access range data in the sensitive data to obtain a sixth hash value;
and the comparison module is further configured to compare the first hash value with the fourth, the second with the fifth and the third with the sixth, and to determine that the part of the sensitive data whose pair of hash values is unequal is erroneous.
Optionally, the acquiring module 802 is further configured to acquire user credential data and rights control information of the second user, where the rights control information indicates a second address segment accessible to the second user;
The generating module 801 is further configured to perform a key derivation process on the user credential data of the second user, to obtain a key encryption key of the second user;
the obtaining module 802 is further configured to obtain a data encryption key corresponding to the second address segment;
The encryption module 803 is further configured to encrypt the data encryption key of the second address segment by using the key encryption key of the second user, so as to obtain a data key ciphertext corresponding to the second address segment;
the generating module 801 is further configured to generate rights control data.
Optionally, the generating module 801 is further configured to generate the rights control data from the key encryption key of the second user, the second address segment and the data key ciphertext of the second address segment, the rights control data comprising the correspondence among the key encryption key, the data key ciphertext and the second address segment.
Optionally, the obtaining module 802 is further configured to obtain, in response to a rights entry operation of the management user, user credential data and rights control information of the second user entered by the management user.
Optionally, the obtaining module 802 is further configured to obtain access range information of a hardware storage unit of the encrypted storage device, where the access range information indicates a segmented access condition of the hardware storage unit;
The data processing apparatus 800 further includes a determining module configured to determine a plurality of memory address segments of the hardware memory unit according to the access range information;
The generating module 801 is further configured to generate a data encryption key that is different for each storage address segment;
the encryption module 803 is further configured to encrypt, for each storage address segment, storage data of the storage address segment with a corresponding data encryption key, generate a storage data ciphertext, and write the storage data ciphertext into a hardware storage space corresponding to the storage address segment.
Optionally, the access range information also indicates the category of access users for each storage address segment, and the obtaining module 802 is further configured to obtain, for each storage address segment, the key encryption key of each target entered user belonging to that segment's access user category;
the encryption module 803 is further configured to encrypt the data encryption key of the storage address segment with the key encryption key of each target entered user, obtaining the data key ciphertexts corresponding to the storage address segment;
and the generating module 801 is further configured to generate the access range data from the storage address segment, its corresponding data key ciphertexts and the key encryption keys of the target entered users.
Optionally, the obtaining module 802 is further configured to obtain access scope information of the hardware storage unit entered by the management user in response to an access scope entry operation of the management user.
Optionally, the access range data ciphertext is obtained by encrypting the access range data with the master key; the rights control data ciphertext is obtained by encrypting the rights control data with the master key; the data key ciphertext is obtained by encrypting the data encryption key with the key encryption key using a block encryption algorithm; the encryption key ciphertext is obtained by encrypting the key encryption key with the master key using a block encryption algorithm; and the hash value corresponding to each sensitive sub-data ciphertext is computed with a hash algorithm over the corresponding sensitive sub-data in the sensitive data.
Optionally, the encryption storage device comprises a data encryption and decryption module, wherein the data encryption and decryption module comprises a first operation unit and a second operation unit;
The first operation unit is used for executing a block encryption algorithm, the second operation unit is used for executing a hash algorithm, the access range data ciphertext, the authority control data ciphertext, the data key ciphertext and the encryption key ciphertext are all data obtained by calling the first operation unit, and the hash value corresponding to the sensitive sub-data ciphertext is data obtained by calling the second operation unit.
Optionally, the encrypted storage device comprises a first hardware unit and a second hardware unit, the second key component is stored in the first hardware unit, and the encryption module 803 is further configured to encrypt the first key component with the second key component to obtain a first key component ciphertext and to store the first key component ciphertext in the second hardware unit.
Optionally, the user credential data includes at least one of a password of the user account, a personal identification number PIN of the user, and biometric information entered by the user.
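The following Go program is an added worked example; it is not code from the patent or from its applicant. It implements the scheme described in the key-management and error-localization passages above (the per-boot master key, the SP table stored as ciphertext segments each with a target hash, and the hash comparison that pins a fault to one segment) together with the key hierarchy of the rights-control passages (a key encryption key derived from user credential data, a data encryption key per storage address segment wrapped under that key encryption key, and a read request that is served only when the derived key matches an entered user whose segment contains the target address). Go is used for its standard-library cryptography; because that library has neither SM4 nor SM3, AES-256-GCM stands in for the SM4 block cipher and SHA-256 for the SM3 hash, and HMAC-SHA256 stands in for the key derivation function the patent does not name. The function names, the derivation labels and the sample credentials and segment contents are this example's own inventions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stand-ins (assumptions, not the patent's choices): AES-256-GCM for the SM4
// block cipher, SHA-256 for the SM3 hash, HMAC-SHA256 as the unnamed KDF.
func kdf(secret []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal prepends a fresh random nonce; open strips it and rejects tampering.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes from kdf
	gcm, _ := cipher.NewGCM(block)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// PowerOn mixes a random per-boot first component with the stored second one
// into a master key that is held only in RAM and so vanishes at power-off.
func PowerOn(secondComponent []byte) []byte {
	return kdf(append(random(32), secondComponent...), "master-key")
}

// Segment: one SP-table data ciphertext segment, ciphertext beside target hash.
type Segment struct {
	CT   []byte
	Hash [32]byte
}

func EncryptSegments(master []byte, plain map[string][]byte) map[string]Segment {
	table := make(map[string]Segment, len(plain))
	for name, pt := range plain {
		table[name] = Segment{CT: seal(master, pt), Hash: sha256.Sum256(pt)}
	}
	return table
}

// LocateErrors names the segments whose in-memory copy no longer hashes to
// the stored target hash, pinning a fault to one segment, not the whole table.
func LocateErrors(mem map[string][]byte, table map[string]Segment) []string {
	var bad []string
	for name, seg := range table {
		if pt, ok := mem[name]; !ok || sha256.Sum256(pt) != seg.Hash {
			bad = append(bad, name)
		}
	}
	return bad
}

// RightsEntry: one row of the rights-control data, i.e. an entered user's KEK,
// the DEK ciphertext under that KEK, and the storage address segment [Start, End).
type RightsEntry struct {
	KEK, DEKCipher []byte
	Start, End     uint64
}

// Enroll derives the user's KEK from the credential and wraps the segment DEK.
func Enroll(credential string, dek []byte, start, end uint64) RightsEntry {
	kek := kdf([]byte(credential), "key-encryption-key")
	return RightsEntry{KEK: kek, DEKCipher: seal(kek, dek), Start: start, End: end}
}

// ReadRequest derives the requester's KEK, requires it to match an entered
// user's KEK whose segment contains addr, and only then unwraps that DEK.
func ReadRequest(rights []RightsEntry, credential string, addr uint64) ([]byte, error) {
	kek := kdf([]byte(credential), "key-encryption-key")
	for _, e := range rights {
		if hmac.Equal(e.KEK, kek) && addr >= e.Start && addr < e.End {
			return open(kek, e.DEKCipher)
		}
	}
	return nil, errors.New("credential not entered or address outside its segments")
}

func main() {
	master := PowerOn([]byte("stored-second-component"))
	table := EncryptSegments(master, map[string][]byte{"rights-control": []byte("a:seg0")})
	fmt.Println("segments:", len(table), "bad:", LocateErrors(map[string][]byte{}, table))
}
```

Two design points are worth noting. ReadRequest returns one error for both failure modes (a credential that matches no entered user, and a known user asking for an address outside its segment); distinct messages would let a caller probe which credentials are valid. And because an AEAD such as GCM already rejects a modified ciphertext at decryption, the stored hash here mainly catches corruption of the in-memory copy after decryption; if the block cipher is used in a mode without authentication, the per-segment hash is the only integrity check on each segment, which is why it must be computed over the plaintext exactly as the description states.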
Optionally, as shown in FIG. 9, the embodiment of the present application further provides an electronic device 900 comprising a processor 901, a memory 902, and a program or instructions stored on the memory 902 and executable on the processor 901. The program or the instructions, when executed by the processor 901, implement the respective processes of the above-mentioned embodiments of the data processing method, and achieve the same technical effects, and for avoiding repetition, will not be described herein.
It should be noted that, the functions of the respective components in the electronic device 900 in the embodiment of the present application may refer to the functions of the respective corresponding portions in the electronic device 100 provided in the foregoing embodiment, and are not described herein.
The embodiment of the application also provides a readable storage medium, on which a program or an instruction is stored, which when executed by a processor, implements each process of the above-mentioned data processing method embodiment, and can achieve the same technical effects, and in order to avoid repetition, the description is omitted here.
Wherein the processor is a processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium such as a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, and the like.
The embodiment of the application further provides a chip, which comprises a processor and a communication interface, wherein the communication interface is coupled with the processor, and the processor is used for running programs or instructions to realize the processes of the data processing method embodiment, and can achieve the same technical effects, so that repetition is avoided, and the description is omitted here. It should be understood that the chips referred to in the embodiments of the present application may also be referred to as system-on-chip chips, chip systems, or system-on-chip chips, etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in the opposite order depending on the functions involved; for example, the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are to be protected by the present application.
Claims (22)
1. A data processing method, characterized in that it is applied to an encrypted storage device, said method comprising:
Generating a first key component when the encrypted storage device is powered up;
Acquiring a second key component stored by the encryption storage device;
Generating a master key according to the first key component and the second key component, and writing the master key into the memory of the encryption storage device;
Encrypting the sensitive data of the encryption storage equipment by adopting the master key to obtain a sensitive data ciphertext, and writing the sensitive data ciphertext into a hardware storage unit of the encryption storage equipment;
And in response to a sensitive data reading operation, decrypting the sensitive data ciphertext with the master key to obtain the sensitive data, and writing the sensitive data into the memory, wherein the sensitive data in the memory comprises a data key ciphertext and a key encryption key, the key encryption key is generated from user credential data of an entered user, the data key ciphertext is generated by encrypting a data encryption key with the key encryption key, and the stored data of the encrypted storage device is encrypted with the data encryption key.
2. The method of claim 1, wherein the sensitive data ciphertext comprises a data key ciphertext and an encryption key ciphertext, the method further comprising:
Responding to a data read-write request triggered by a first user, and acquiring first user credential data included in the data read-write request;
Performing key derivation processing on the first user credential data to obtain a key encryption key of the first user;
And when the key encryption key of the first user is among the key encryption keys of the entered users, decrypting the data key ciphertext with the key encryption key of the first user to obtain a data encryption key, and executing the data reading processing indicated by the data read-write request with the data encryption key, wherein the data encryption key is used to encrypt the stored data of the encrypted storage device.
3. The method of claim 2, wherein the sensitive data comprises a plurality of the data key ciphertexts, the data encryption key obtained from each data key ciphertext being used to encrypt the stored data of a different storage address segment in the hardware storage unit, and wherein decrypting the data key ciphertext with the key encryption key of the first user to obtain the data encryption key comprises:
acquiring a first address segment accessible to the first user;
when the first address segment contains the target address that the data read-write request indicates, reading the data key ciphertext of the first address segment in which the target address lies;
and decrypting that data key ciphertext with the key encryption key of the first user to obtain the data encryption key of the first address segment.
4. The method of claim 3, wherein the sensitive data ciphertext further comprises a rights control data ciphertext and the sensitive data further comprises rights control data, the rights control data indicating at least the storage address segments accessible to each entered user;
and acquiring the first address segment accessible to the first user comprises determining the first address segment accessible to the first user from the rights control data.
5. The method of claim 4, wherein the rights control data comprises the correspondence among key encryption keys, data key ciphertexts and storage address segments, each key encryption key being used to encrypt and decrypt the corresponding data key ciphertext and the data encryption key obtained from that data key ciphertext being used to encrypt and decrypt the stored data of the corresponding storage address segment, and determining the first address segment accessible to the first user from the rights control data comprises:
determining, from that correspondence, the storage address segment corresponding to the key encryption key of the first user, obtaining the first address segment;
and reading the data key ciphertext of the first address segment in which the target address lies comprises determining, from that correspondence, the data key ciphertext corresponding to the key encryption key of the first user.
6. The method of claim 3, wherein the sensitive data ciphertext further comprises an access range data ciphertext and the sensitive data further comprises access range data, the access range data indicating at least the access users corresponding to each storage address segment of the hardware storage unit of the encrypted storage device;
and acquiring the first address segment accessible to the first user comprises determining the first address segment accessible to the first user from the access range data.
7. The method of claim 6, wherein the access range data comprises the correspondence among key encryption keys, data key ciphertexts and storage address segments, each key encryption key being used to encrypt and decrypt the corresponding data key ciphertext and the data encryption key obtained from that data key ciphertext being used to encrypt and decrypt the stored data of the corresponding storage address segment, and determining the first address segment accessible to the first user from the access range data comprises:
determining, from that correspondence, the storage address segment corresponding to the key encryption key of the first user, obtaining the first address segment;
and reading the data key ciphertext of the first address segment in which the target address lies comprises determining, from that correspondence, the data key ciphertext corresponding to the key encryption key of the first user.
8. The method of claim 1, wherein the sensitive data ciphertext comprises a plurality of data ciphertext segments, each data ciphertext segment comprising a sensitive sub-data ciphertext and a target hash value of the data obtained by decrypting that sensitive sub-data ciphertext;
the sensitive data comprises data segments corresponding one-to-one to the plurality of data ciphertext segments, each data segment comprising the sensitive sub-data corresponding to the respective sensitive sub-data ciphertext;
the method further comprises:
in response to an error data positioning operation, acquiring the sensitive data held in memory;
for each data segment, calculating, from the sensitive sub-data in the data segment, the hash value corresponding to the respective sensitive sub-data ciphertext, to obtain a current hash value;
and comparing the target hash value with the current hash value, and determining that the sensitive sub-data whose current hash value is not equal to its target hash value is erroneous.
9. The method of claim 8, wherein the sensitive data ciphertext comprises a key management data segment, an authority control data segment and an access range data segment, the key management data segment comprising a data key ciphertext, an encryption key ciphertext and a first hash value that is a hash of the data encryption key and the key encryption key, the authority control data segment comprising an authority control data ciphertext and a second hash value that is a hash of the authority control data, and the access range data segment comprising an access range data ciphertext and a third hash value that is a hash of the access range data;
the calculating, for each data segment, the hash value corresponding to the respective sensitive sub-data ciphertext from the sensitive sub-data in the data segment to obtain a current hash value, comparing the target hash value with the current hash value, and determining that the sensitive sub-data whose current hash value is not equal to its target hash value is erroneous, comprises:
decrypting the data key ciphertext in the sensitive data using the key encryption key to obtain the data encryption key;
calculating a hash value of the data encryption key and the key encryption key in the sensitive data to obtain a fourth hash value;
calculating a hash value of the authority control data in the sensitive data to obtain a fifth hash value;
calculating a hash value of the access range data in the sensitive data to obtain a sixth hash value;
and comparing the first hash value with the fourth hash value, the second hash value with the fifth hash value, and the third hash value with the sixth hash value, to determine that the data in the sensitive data corresponding to any unequal pair of hash values is erroneous.
10. The method of claim 4, wherein the method further comprises:
acquiring user credential data and authority control information of a second user, the authority control information indicating a second address segment accessible to the second user;
performing key derivation on the user credential data of the second user to obtain a key encryption key of the second user;
acquiring the data encryption key corresponding to the second address segment;
encrypting the data encryption key of the second address segment using the key encryption key of the second user to obtain a data key ciphertext corresponding to the second address segment;
and generating the authority control data.
11. The method of claim 10, wherein the generating the authority control data comprises:
generating the authority control data according to the key encryption key of the second user, the second address segment and the data key ciphertext of the second address segment, wherein the authority control data comprises the correspondence among the key encryption key, the data key ciphertext and the second address segment.
12. The method of claim 10, wherein the acquiring user credential data and authority control information of the second user comprises:
in response to an authority input operation of a management user, acquiring the user credential data and authority control information of the second user input by the management user.
13. The method of claim 3, wherein the method further comprises:
acquiring access range information of a hardware storage unit of the encrypted storage device, the access range information indicating a segmented access condition of the hardware storage unit;
determining a plurality of storage address segments of the hardware storage unit according to the access range information;
generating a different data encryption key for each storage address segment;
and for each storage address segment, encrypting the storage data of the storage address segment using the corresponding data encryption key to generate a storage data ciphertext, and writing the storage data ciphertext into the hardware storage space corresponding to the storage address segment.
14. The method of claim 13, wherein the access range information further indicates a category of access users for each of the storage address segments, and the method further comprises:
for each storage address segment, acquiring the key encryption key of each target entry user in the access user category of the storage address segment;
encrypting the data encryption key corresponding to the storage address segment using the key encryption key of each target entry user to obtain a data key ciphertext corresponding to the storage address segment;
and generating access range data according to the storage address segment, the corresponding data key ciphertext and the key encryption key of the target entry user.
15. The method of claim 13, wherein the acquiring access range information of the hardware storage unit of the encrypted storage device comprises:
in response to an access range input operation of a management user, acquiring the access range information of the hardware storage unit input by the management user.
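The following is an added, runnable model of the key hierarchy set out in claims 10 to 15 (a key encryption key derived from user credentials, one data encryption key per storage address segment, the data encryption key wrapped under the key encryption key, and a correspondence table consulted when a target address is read) together with the per-segment hash check of claims 8 and 9 used to localize corrupted sensitive data. It is illustrative code, not the patent's or any product's implementation. Its assumptions: PBKDF2-SHA256 stands in for the unspecified key derivation, an HMAC-SHA256 counter-mode stream with an HMAC tag stands in for the block encryption algorithm of claim 16 so that only the Python standard library is needed, and the correspondence table is keyed by a fingerprint of the key encryption key rather than the key itself.

```python
"""Added example: key hierarchy of claims 10-15 and hash-based error localization of claims 8-9."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Assumption: stand-in for the block encryption algorithm of claim 16
    # (HMAC-SHA256 in counter mode) so the example runs with the standard library only.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]


def seal(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(credential: bytes, salt: bytes) -> bytes:
    """Claim 10 key derivation: user credential data -> key encryption key (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=32)


def kek_id(kek: bytes) -> bytes:
    # Design choice of this example: the table of claim 11 is keyed by a KEK fingerprint, not the KEK.
    return hashlib.sha256(b"kek-id" + kek).digest()


def _sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass
class EncryptedStorage:
    segments: list                                    # (start, end) address ranges, claim 13
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    dek: dict = field(default_factory=dict)           # segment -> DEK, held device-internally
    ciphertext: dict = field(default_factory=dict)    # segment -> storage data ciphertext
    access_table: list = field(default_factory=list)  # (kek_id, DEK ciphertext, segment), claims 11/14


def provision(segments, storage_data: bytes) -> EncryptedStorage:
    """Claim 13: a different DEK per storage address segment; each segment is encrypted under its own DEK."""
    st = EncryptedStorage(list(segments))
    for seg in st.segments:
        st.dek[seg] = os.urandom(32)
        st.ciphertext[seg] = seal(st.dek[seg], storage_data[seg[0]:seg[1]])
    return st


def grant(st: EncryptedStorage, credential: bytes, segment) -> None:
    """Claims 10/11 and 14: wrap the segment's DEK under the user's KEK and record the correspondence."""
    kek = derive_kek(credential, st.salt)
    st.access_table.append((kek_id(kek), seal(kek, st.dek[segment]), segment))


def read(st: EncryptedStorage, credential: bytes, target_address: int) -> int:
    """Claims 5-7: pick the entry whose KEK matches this user and whose segment holds the address,
    unwrap that segment's DEK and decrypt only that segment."""
    kek = derive_kek(credential, st.salt)
    for fp, dek_ct, (start, end) in st.access_table:
        if fp == kek_id(kek) and start <= target_address < end:
            dek = unseal(kek, dek_ct)
            return unseal(dek, st.ciphertext[(start, end)])[target_address - start]
    raise PermissionError(f"address {target_address:#x} is not accessible with these credentials")


def can_read(st: EncryptedStorage, credential: bytes, target_address: int) -> bool:
    try:
        read(st, credential, target_address)
        return True
    except (PermissionError, ValueError):
        return False


def build_sensitive_data(kek: bytes, dek: bytes, authority_control: bytes, access_range: bytes) -> dict:
    """Claim 9 layout: each segment carries its sub-data plus the target hash computed at write time."""
    return {
        "key_management": {"dek_ct": seal(kek, dek), "kek": kek, "hash": _sha(dek, kek)},  # first hash
        "authority_control": {"data": authority_control, "hash": _sha(authority_control)},  # second hash
        "access_range": {"data": access_range, "hash": _sha(access_range)},                  # third hash
    }


def locate_errors(sd: dict) -> list:
    """Claim 9: recompute the fourth/fifth/sixth hash values and name every segment that mismatches."""
    km = sd["key_management"]
    try:
        fourth = _sha(unseal(km["kek"], km["dek_ct"]), km["kek"])
    except ValueError:
        fourth = None  # wrapped DEK itself is corrupted: cannot recompute, so it counts as a mismatch
    current = {"key_management": fourth,
               "authority_control": _sha(sd["authority_control"]["data"]),
               "access_range": _sha(sd["access_range"]["data"])}
    return [name for name, seg in sd.items() if current[name] != seg["hash"]]
```

Because each segment has its own data encryption key and the table is consulted per address, a user whose credentials derive a key encryption key with no entry for the segment holding the target address never obtains that segment's key, which is the isolation property the claims rely on; the hash check separately tells an operator which of the three sensitive data segments was damaged without revealing the keys themselves.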
16. The method of claim 9, wherein the access range data ciphertext is obtained by encrypting with a block encryption algorithm and the master key, the authority control data ciphertext is obtained by encrypting with the block encryption algorithm and the master key, the data key ciphertext is obtained by encrypting with the block encryption algorithm and the key encryption key, the encryption key ciphertext is obtained by encrypting with the block encryption algorithm and the key encryption key, the key encryption key ciphertext is obtained by encrypting with the block encryption algorithm and the master key, and the hash value corresponding to each sensitive sub-data ciphertext is calculated with a hash algorithm from the corresponding sensitive sub-data of the sensitive data.
17. The method of claim 16, wherein the encrypted storage device comprises a data encryption and decryption module comprising a first operation unit and a second operation unit;
the first operation unit is used to execute the block encryption algorithm, the second operation unit is used to execute the hash algorithm, the access range data ciphertext, the authority control data ciphertext, the data key ciphertext and the encryption key ciphertext are all data obtained by invoking the first operation unit, and the hash value corresponding to each sensitive sub-data ciphertext is data obtained by invoking the second operation unit.
18. The method of claim 1, wherein the encrypted storage device comprises a first hardware unit and a second hardware unit, the second key component is stored in the first hardware unit, and the method further comprises:
encrypting the first key component using the second key component to obtain a first key component ciphertext, and storing the first key component ciphertext in the second hardware unit.
19. The method of claim 2, wherein the user credential data includes at least one of a password of a user account, a personal identification number (PIN) of the user, and biometric information entered by the user.
20. An electronic device comprising a processor and a memory, the memory having instructions stored thereon, which when executed by the processor, implement the method of any of claims 1 to 19.
21. A readable storage medium having stored thereon a program or instructions which when executed by a processor performs the method of any of claims 1 to 19.
22. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of any of claims 1 to 19.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411273363.2A CN118821243B (en) | 2024-09-12 | 2024-09-12 | Data processing method, electronic device, storage medium and computer program product |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118821243A CN118821243A (en) | 2024-10-22 |
CN118821243B true CN118821243B (en) | 2025-03-21 |
Family
ID=93068630
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411273363.2A Active CN118821243B (en) | 2024-09-12 | 2024-09-12 | Data processing method, electronic device, storage medium and computer program product |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118821243B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119397583B (en) * | 2024-12-30 | 2025-03-21 | 苏州元脑智能科技有限公司 | A data processing method, system, computer program product, device and medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6581162B1 (en) * | 1996-12-31 | 2003-06-17 | Compaq Information Technologies Group, L.P. | Method for securely creating, storing and using encryption keys in a computer system |
CN115544587A (en) * | 2022-12-02 | 2022-12-30 | 奉加微电子(昆山)有限公司 | Encryption method, decryption method, chip, and computer-readable storage medium |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6816968B1 (en) * | 1998-07-10 | 2004-11-09 | Silverbrook Research Pty Ltd | Consumable authentication protocol and system |
WO2020051910A1 (en) * | 2018-09-14 | 2020-03-19 | Cobo Global Limited | Secure hardware cryptographic key storage device with detachable battery and anti-tamper security functionality |
CN110971398A (en) * | 2018-09-28 | 2020-04-07 | 阿里巴巴集团控股有限公司 | Data processing method, device and system |
US10582386B1 (en) * | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
CN111079128B (en) * | 2019-12-11 | 2021-09-28 | 腾讯科技(深圳)有限公司 | Data processing method and device, electronic equipment and storage medium |
EP4352645A1 (en) * | 2021-06-07 | 2024-04-17 | Telefonaktiebolaget LM Ericsson (publ) | Storage device utilziing physically unclonable function (puf) based secret sharing scheme for data encryption/decryption |
CN114244508B (en) * | 2021-12-15 | 2023-07-28 | 平安科技(深圳)有限公司 | Data encryption method, device, equipment and storage medium |
CN116233158A (en) * | 2023-02-09 | 2023-06-06 | 北京五八信息技术有限公司 | A data storage method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |