[go: up one dir, main page]

CN118862193A - A data reading and writing method, system, device and medium of a secure storage device - Google Patents

A data reading and writing method, system, device and medium of a secure storage device Download PDF

Info

Publication number
CN118862193A
CN118862193A CN202411365197.9A CN202411365197A CN118862193A CN 118862193 A CN118862193 A CN 118862193A CN 202411365197 A CN202411365197 A CN 202411365197A CN 118862193 A CN118862193 A CN 118862193A
Authority
CN
China
Prior art keywords
data
storage device
secure storage
writing
command
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411365197.9A
Other languages
Chinese (zh)
Other versions
CN118862193B (en
Inventor
姜萌
苗功勋
高成南
马连忠
韩建鹏
张雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongfu Information Co Ltd
Original Assignee
Zhongfu Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongfu Information Co Ltd filed Critical Zhongfu Information Co Ltd
Priority to CN202411365197.9A priority Critical patent/CN118862193B/en
Publication of CN118862193A publication Critical patent/CN118862193A/en
Application granted granted Critical
Publication of CN118862193B publication Critical patent/CN118862193B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

本发明提出的一种安全存储设备的数据读写方法、系统、装置及介质,属于数据安全技术领域。所述方法包括:为安全存储设备分配根密钥,并将其设置为只读设备;通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥;安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件;通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥;利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据;安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。

The present invention proposes a data reading and writing method, system, device and medium for a secure storage device, which belongs to the field of data security technology. The method includes: allocating a root key to the secure storage device and setting it as a read-only device; sending a CBW command for reading data to the secure storage device through the host computer management software, and generating a data reading key; after the secure storage device receives the CBW command for reading data, it uses the data reading key to encrypt the returned data and sends it to the host computer management software; generates a CBW command for writing data through the host computer management software, and generates a data writing key; configures a check bit for the CBW command for writing data using the data writing key, and encrypts the written data; after the secure storage device receives the CBW command for writing data, it performs a command duplicate check and performs command verification according to the data writing key and the check bit, and after the verification is successful, decrypts the encrypted written data and performs a write operation.

Description

一种安全存储设备的数据读写方法、系统、装置及介质A data reading and writing method, system, device and medium of a secure storage device

技术领域Technical Field

本发明涉及数据安全技术领域,更具体的说是涉及一种安全存储设备的数据读写方法、系统、装置及介质。The present invention relates to the field of data security technology, and more specifically to a data reading and writing method, system, device and medium of a secure storage device.

背景技术Background Art

随着互联网的普及和数字化进程的加速,企业和个人产生的数据量呈爆炸式增长。这些数据中包含了大量的敏感信息,一旦泄露将带来严重的后果。因此,对数据安全的需求日益迫切。传统的存储设备,如普通硬盘、U盘等,在数据安全方面存在诸多隐患。它们往往缺乏有效的加密机制和访问控制手段,容易被未经授权的用户访问和篡改。此外,这些设备在物理安全方面也较为脆弱,容易受到损坏或丢失。With the popularization of the Internet and the acceleration of the digitalization process, the amount of data generated by enterprises and individuals has exploded. These data contain a large amount of sensitive information, which will have serious consequences once leaked. Therefore, the demand for data security is becoming increasingly urgent. Traditional storage devices, such as ordinary hard disks, USB flash drives, etc., have many hidden dangers in data security. They often lack effective encryption mechanisms and access control methods, and are easily accessed and tampered by unauthorized users. In addition, these devices are also relatively fragile in terms of physical security and are easily damaged or lost.

随着数据安全需求的进一步提升,市场上出现了专门用于安全存储的设备。这些设备通常集成了多种安全技术,如数据加密、身份验证、访问控制等,以提供更高级别的数据保护。安全存储设备是一种专门用于存储加密数据的硬件设备,其核心目的是保护数据的机密性、完整性和可用性。这类设备通常集成了多种安全技术,以确保存储的数据免受未经授权的访问、篡改或破坏。As the demand for data security continues to increase, devices dedicated to secure storage have emerged on the market. These devices usually integrate multiple security technologies, such as data encryption, identity authentication, access control, etc., to provide a higher level of data protection. A secure storage device is a hardware device dedicated to storing encrypted data. Its core purpose is to protect the confidentiality, integrity, and availability of data. Such devices usually integrate multiple security technologies to ensure that the stored data is protected from unauthorized access, tampering, or destruction.

目前,大多数安全存储设备在认证完成后,即安全环境下,系统内所有存储介质使用者均可操作该存储介质,可对存储介质读取或修改等。若安全环境内出现恶意攻击者,可窃取存储设备内容或改写存储设备,即在安全存储设备认证通过以后,攻击者可通过抓包方式,通过分析协议包对传输的数据进行窥探,或模拟合法用户对存储设备采用的标准SCSI协议对存储设备进行读写操作,读取安全存储设备的数据或者篡改安全存储设备的数据。At present, after most secure storage devices are authenticated, that is, in a secure environment, all storage media users in the system can operate the storage media, read or modify the storage media, etc. If a malicious attacker appears in the secure environment, the storage device content can be stolen or rewritten. That is, after the secure storage device is authenticated, the attacker can snoop on the transmitted data by capturing packets and analyzing protocol packets, or simulate the standard SCSI protocol used by legitimate users to read and write storage devices, read the data of the secure storage device, or tamper with the data of the secure storage device.

具体来说,通用安全存储设备允许标准SCSI指令操作后,操作系统内的所有应用均可通过标准SCSI指令操作该设备。此时若有恶意攻击者,则可以读取数据以及恶意破坏存储设备数据。Specifically, after the universal secure storage device allows standard SCSI command operations, all applications in the operating system can operate the device through standard SCSI commands. At this time, if there is a malicious attacker, the data can be read and the storage device data can be maliciously destroyed.

发明内容Summary of the invention

针对以上问题,本发明的目的在于提供一种安全存储设备的数据读写方法、系统、装置及介质,通过注册认证、加密传输和哈希验证等手段控制安全存储设备数据传输流程,有效的防范了恶意攻击者的在各个环节窃密的可能,并保护了安全存储设备中保存数据不被恶意篡改。In response to the above problems, the purpose of the present invention is to provide a data reading and writing method, system, device and medium for a secure storage device, which controls the data transmission process of the secure storage device by means of registration authentication, encrypted transmission and hash verification, effectively prevents the possibility of malicious attackers stealing secrets at various links, and protects the data stored in the secure storage device from being maliciously tampered with.

本发明为实现上述目的,通过以下技术方案实现:In order to achieve the above object, the present invention is implemented through the following technical solutions:

第一方面,本发明公开了一种安全存储设备的数据读写方法,包括:In a first aspect, the present invention discloses a method for reading and writing data of a secure storage device, comprising:

通过上位机管理软件注册安全存储设备,注册成功后为安全存储设备分配一个根密钥,并将安全存储设备设置为只读设备;Register the secure storage device through the upper computer management software. After successful registration, assign a root key to the secure storage device and set the secure storage device as a read-only device.

当从安全存储设备读取数据时,通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥;When reading data from a secure storage device, a CBW command for reading data is sent to the secure storage device through the host computer management software, and a data reading key is generated;

安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件;After receiving the CBW command to read data, the secure storage device uses the data reading key to encrypt the returned data and sends it to the upper computer management software;

当向安全存储设备写入数据时,通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥;When writing data to the secure storage device, the host computer management software generates a CBW command for writing data and generates a data writing key;

利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备;Using the data write key to configure the check bit for the CBW command for writing data, encrypting the write data, and sending the CBW command for writing data and the encrypted write data to the secure storage device in sequence;

安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。After receiving the CBW command to write data, the secure storage device performs a command duplicate check and verifies the command based on the data write key and the check bit. After the verification is successful, the encrypted write data is decrypted and the write operation is performed.

进一步,所述通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥,包括:Further, the sending of a CBW command for reading data to the secure storage device through the host computer management software and generating a data reading key includes:

通过上位机管理软件生成含有READ命令的CBW命令,作为读取数据的CBW命令,并发送至安全存储设备;Generate a CBW command containing a READ command through the host computer management software as a CBW command for reading data and send it to the secure storage device;

通过对称加密算法利用根密钥对读取数据的CBW命令的dCBWTag字段进行加密,将加密后的dCBWTag字段作为数据读取密钥。The dCBWTag field of the CBW command for reading data is encrypted using a root key through a symmetric encryption algorithm, and the encrypted dCBWTag field is used as a data reading key.

进一步,所述安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件,包括:Further, after receiving the CBW command for reading data, the secure storage device encrypts the returned data using the data reading key and sends it to the upper computer management software, including:

安全存储设备收到读取数据的CBW命令后,提取出相应的返回数据;After receiving the CBW command for reading data, the secure storage device extracts the corresponding returned data;

通过对称加密算法利用根密钥对读取数据的CBW命令的dCBWTag字段进行加密,以计算出数据读取密钥;The dCBWTag field of the CBW command for reading data is encrypted using the root key through a symmetric encryption algorithm to calculate the data reading key;

通过对称加密算法利用数据读取密钥对返回数据进行加密;Encrypt the returned data using the data reading key through a symmetric encryption algorithm;

依次将加密后的返回数据和读取成功CSW发送至上位机管理软件。The encrypted return data and the read success CSW are sent to the upper computer management software in turn.

进一步,所述通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥,包括:Further, the generating of the CBW command for writing data by the host computer management software and generating the data writing key includes:

通过上位机管理软件生成含有自定义命令0Xfa的CBW命令,作为写入数据的CBW命令;Generate a CBW command containing a custom command 0Xfa through the host computer management software as the CBW command for writing data;

通过对称加密算法利用根密钥对写入数据的CBW命令的dCBWTag字段进行加密,将加密后的dCBWTag字段作为数据写入密钥。The dCBWTag field of the CBW command for writing data is encrypted using a root key through a symmetric encryption algorithm, and the encrypted dCBWTag field is used as the data writing key.

进一步,所述利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备,包括:Further, the method of configuring a check bit for a CBW command for writing data using a data writing key, encrypting the written data, and sequentially sending the CBW command for writing data and the encrypted written data to a secure storage device includes:

计算数据写入密钥的哈希值;在写入数据的CBW命令中,用所述哈希值的前4个字节替换CBWC字段的最后4个字节,以更新写入数据的CBW命令;Calculate a hash value of the data write key; in a CBW command for writing data, replace the last 4 bytes of the CBWC field with the first 4 bytes of the hash value to update the CBW command for writing data;

通过对称加密算法利用数据写入密钥对写入数据进行加密;Encrypt the written data using the data writing key through a symmetric encryption algorithm;

先将写入数据的CBW命令发送至安全存储设备,再将加密后的写入数据发送至安全存储设备。The CBW command for writing data is first sent to the secure storage device, and then the encrypted write data is sent to the secure storage device.

进一步,所述安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作,包括:Further, after receiving the CBW command for writing data, the secure storage device performs a command duplicate check and performs command verification according to the data writing key and the check bit. After the verification is successful, the encrypted write data is decrypted and a write operation is performed, including:

安全存储设备收到写入数据的CBW命令后,提取写入数据的CBW命令的dCBWTag字段,识别dCBWTag字段是否重复出现;After receiving the CBW command for writing data, the secure storage device extracts the dCBWTag field of the CBW command for writing data and identifies whether the dCBWTag field appears repeatedly;

若是,则直接结束操作;If yes, then end the operation directly;

若否,则通过对称加密算法利用根密钥对dCBWTag字段进行加密,以计算出数据写入密钥;计算数据写入密钥的哈希值,并提取哈希值的4个字节,作为校验码;If not, encrypt the dCBWTag field using the root key through a symmetric encryption algorithm to calculate the data write key; calculate the hash value of the data write key, and extract 4 bytes of the hash value as a check code;

提取出写入数据的CBW命令的CBWC字段的最后4个字节,并其判断是否与校验码相同;Extract the last 4 bytes of the CBWC field of the CBW command for writing data, and determine whether they are the same as the check code;

如果相同,则校验成功,利用数据写入密钥对加密后的写入数据进行解密操作,生成原始的写入数据,将原始的写入数据写入安全存储设备的预设空间中,并向上位机管理软件返回写入成功CSW;If they are the same, the verification is successful, and the encrypted write data is decrypted using the data write key to generate the original write data, which is written into the preset space of the secure storage device, and a write success CSW is returned to the upper computer management software;

如果不相同,则校验失败,直接结束操作。If they are not the same, the verification fails and the operation ends directly.

进一步,所述对称加密算法采用SM4算法或AES算法。Furthermore, the symmetric encryption algorithm adopts SM4 algorithm or AES algorithm.

第二方面,本发明还公开了一种安全存储设备的数据读写系统,包括:In a second aspect, the present invention further discloses a data reading and writing system of a secure storage device, comprising:

注册模块,用于通过上位机管理软件注册安全存储设备,注册成功后为安全存储设备分配一个根密钥,并将安全存储设备设置为只读设备;A registration module is used to register the secure storage device through the upper computer management software. After successful registration, a root key is assigned to the secure storage device and the secure storage device is set as a read-only device.

读取命令发送模块,用于当从安全存储设备读取数据时,通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥;A read command sending module is used to send a CBW command for reading data to the secure storage device through the upper computer management software when reading data from the secure storage device, and generate a data reading key;

读取执行模块,用于当安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件;The read execution module is used to encrypt the returned data with the data read key and send it to the upper computer management software after the secure storage device receives the CBW command to read the data;

写入命令生成模块,用于当向安全存储设备写入数据时,通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥;A write command generation module is used to generate a CBW command for writing data and a data writing key through the upper computer management software when writing data to the secure storage device;

写入命令发送模块,用于利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备;A write command sending module, used to configure a check bit for a CBW command for writing data using a data write key, encrypt the write data, and sequentially send the CBW command for writing data and the encrypted write data to a secure storage device;

写入执行模块,用于当安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。The write execution module is used to perform command duplication check and command verification based on the data write key and check bit when the secure storage device receives the CBW command to write data. After the verification is successful, the encrypted write data is decrypted and the write operation is performed.

第三方面,本发明还公开了一种安全存储设备的数据读写装置,包括:In a third aspect, the present invention further discloses a data reading and writing device of a secure storage device, comprising:

存储器,用于存储安全存储设备的数据读写程序;A memory, used for storing a data reading and writing program of a secure storage device;

处理器,用于执行所述安全存储设备的数据读写程序时实现如上文任一项所述安全存储设备的数据读写方法的步骤。A processor is used to implement the steps of the data reading and writing method of the secure storage device as described in any one of the above items when executing the data reading and writing program of the secure storage device.

第四方面,本发明还公开了一种可读存储介质,所述可读存储介质上存储有安全存储设备的数据读写程序,所述安全存储设备的数据读写程序被处理器执行时实现如上文任一项所述安全存储设备的数据读写方法的步骤。In a fourth aspect, the present invention further discloses a readable storage medium, on which a data reading and writing program for a secure storage device is stored. When the data reading and writing program for the secure storage device is executed by a processor, the steps of the data reading and writing method for the secure storage device as described in any of the above items are implemented.

对比现有技术,本发明有益效果在于:Compared with the prior art, the present invention has the following beneficial effects:

1、本发明通过上位机管理软件为安全存储设备分配唯一的根密钥,并在数据读写过程中动态生成专用的数据读取密钥和数据写入密钥。这种机制确保了数据传输过程中的加密性,有效防止了数据在传输过程中被截获或篡改,从而显著增强了数据的安全性。1. The present invention allocates a unique root key to the secure storage device through the host computer management software, and dynamically generates a dedicated data reading key and data writing key during the data reading and writing process. This mechanism ensures the encryption during data transmission, effectively prevents data from being intercepted or tampered with during transmission, and thus significantly enhances data security.

2.本发明在写入数据过程中引入了命令查重和校验机制。实现了安全存储设备在收到写入命令后,会进行命令的唯一性检查和基于数据写入密钥的校验,确保只有合法且未重复的命令才会被执行。这一流程有效避免了因重复写入或非法命令导致的数据错误或系统崩溃,极大地提升了系统的可靠性和稳定性。2. The present invention introduces a command duplication check and verification mechanism in the process of writing data. After receiving the write command, the secure storage device will perform a command uniqueness check and verification based on the data write key to ensure that only legal and non-duplicate commands are executed. This process effectively avoids data errors or system crashes caused by duplicate writing or illegal commands, greatly improving the reliability and stability of the system.

3、本发明通过上位机管理软件对安全存储设备进行统一注册和管理,用户可以方便地实现设备的初始化、密钥分配和数据读写等操作,无需复杂的配置和调试过程。同时,加密和校验机制的自动化处理也减少了人为错误的可能性,提高了整体操作效率和用户体验。此外,只读模式的设置还防止了用户误操作导致的数据丢失或损坏,进一步保障了用户数据的安全和完整。3. The present invention uniformly registers and manages secure storage devices through the host computer management software, and users can easily implement operations such as device initialization, key distribution, and data reading and writing without complicated configuration and debugging processes. At the same time, the automated processing of encryption and verification mechanisms also reduces the possibility of human errors, improves overall operating efficiency and user experience. In addition, the setting of read-only mode also prevents data loss or damage caused by user misoperation, further ensuring the security and integrity of user data.

4、本发明可有效地防范恶意攻击者的威胁,可防范攻击者读取到安全存储设备的真实内容,防范攻击者篡改安全存储设备内容。即使攻击者获取到交互的数据包,以及获取到了加密算法,由于密钥为一次一变,仍然无法还原真实数据,从而确保存储设备的数据安全。4. The present invention can effectively prevent the threat of malicious attackers, prevent attackers from reading the real content of the secure storage device, and prevent attackers from tampering with the content of the secure storage device. Even if the attacker obtains the interactive data packet and the encryption algorithm, the real data cannot be restored because the key changes once, thereby ensuring the data security of the storage device.

由此可见,本发明与现有技术相比,具有突出的实质性特点和显著的进步,其实施的有益效果也是显而易见的。It can be seen that compared with the prior art, the present invention has outstanding substantive features and significant progress, and the beneficial effects of its implementation are also obvious.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings required for use in the embodiments or the description of the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For ordinary technicians in this field, other drawings can be obtained based on the provided drawings without paying creative work.

图1是本发明具体实施方式的方法流程图。FIG1 is a method flow chart of a specific embodiment of the present invention.

图2是本发明具体实施方式的系统结构图。FIG. 2 is a system structure diagram of a specific implementation mode of the present invention.

图中,1、注册模块;2、读取命令发送模块;3、读取执行模块;4、写入命令生成模块;5、写入命令发送模块;6、写入执行模块。In the figure, 1. Registration module; 2. Read command sending module; 3. Read execution module; 4. Write command generation module; 5. Write command sending module; 6. Write execution module.

具体实施方式DETAILED DESCRIPTION

为了使本技术领域的人员更好地理解本发明方案,下面结合附图和具体实施方式对本发明作进一步的详细说明。显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to enable those skilled in the art to better understand the scheme of the present invention, the present invention is further described in detail below in conjunction with the accompanying drawings and specific implementation methods. Obviously, the described embodiments are only part of the embodiments of the present invention, rather than all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without making creative work are within the scope of protection of the present invention.

参见图1所示,本实施例提供了一种安全存储设备的数据读写方法,包括如下步骤:As shown in FIG1 , this embodiment provides a data reading and writing method of a secure storage device, comprising the following steps:

S1:通过上位机管理软件注册安全存储设备,注册成功后为安全存储设备分配一个根密钥,并将安全存储设备设置为只读设备。S1: Register the secure storage device through the host computer management software. After successful registration, assign a root key to the secure storage device and set the secure storage device as a read-only device.

在具体实施方式中,安全存储设备通过上位机管理软件进行注册,在注册时会产生一个根密钥,此密钥将存储到该安全存储设备以及上位机管理软件中;用户在使用时,接入主机通过安全认证以后,该安全存储设备将呈现为一个只读存储设备,攻击者无法通过标准的SCSI协议进行写操作。In a specific implementation method, the secure storage device is registered through the host computer management software. A root key is generated during the registration, and this key will be stored in the secure storage device and the host computer management software. When the user uses it, after the access host passes the security authentication, the secure storage device will appear as a read-only storage device, and attackers will not be able to perform write operations through the standard SCSI protocol.

S2:当从安全存储设备读取数据时,通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥。S2: When reading data from the secure storage device, a CBW command for reading data is sent to the secure storage device through the host computer management software, and a data reading key is generated.

在具体实施方式中,当从安全存储设备读取数据时,首先通过上位机管理软件生成含有READ命令的CBW命令,作为读取数据的CBW命令,并发送至安全存储设备。然后,通过对称加密算法利用根密钥对读取数据的CBW命令的dCBWTag字段进行加密,将加密后的dCBWTag字段作为数据读取密钥。In a specific implementation, when reading data from a secure storage device, a CBW command containing a READ command is first generated by the host computer management software as a CBW command for reading data, and sent to the secure storage device. Then, the dCBWTag field of the CBW command for reading data is encrypted using a root key through a symmetric encryption algorithm, and the encrypted dCBWTag field is used as a data reading key.

其中,在本方法中,所有的加密算法采用对称加密算法即可,例如SM4、AES等加密算法。Among them, in this method, all encryption algorithms can adopt symmetric encryption algorithms, such as SM4, AES and other encryption algorithms.

需要特别说明的是,在本发明中,所采用的CBW命令的结构如下表1所示。It should be noted that, in the present invention, the structure of the CBW command used is shown in Table 1 below.

表1:CBW命令结构表。Table 1: CBW command structure table.

在表1所示的CBW命令中,dCBWTag字段在每次发送命令时均发生改变,因此,在本步骤中通过注册时生成的根密钥对本次命令中的dCBWTag字段进行加密,将加密后dCBWTag作为本次传输数据解密的密钥。In the CBW command shown in Table 1, the dCBWTag field changes each time the command is sent. Therefore, in this step, the dCBWTag field in this command is encrypted by the root key generated during registration, and the encrypted dCBWTag is used as the key for decrypting the data transmitted this time.

S3:安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件。S3: After receiving the CBW command to read data, the secure storage device uses the data reading key to encrypt the returned data and sends it to the upper computer management software.

在具体实施方式中,安全存储设备收到读取数据的CBW命令后,首先提取出相应的返回数据;然后,通过对称加密算法利用根密钥对读取数据的CBW命令的dCBWTag字段进行加密,以计算出数据读取密钥。此时,通过对称加密算法利用数据读取密钥对返回数据进行加密;并依次将加密后的返回数据和读取成功CSW发送至上位机管理软件。In a specific implementation, after receiving the CBW command for reading data, the secure storage device first extracts the corresponding return data; then, the dCBWTag field of the CBW command for reading data is encrypted using the root key through a symmetric encryption algorithm to calculate the data reading key. At this time, the return data is encrypted using the data reading key through a symmetric encryption algorithm; and the encrypted return data and the read success CSW are sent to the upper computer management software in turn.

上位机管理软件收到加密后的返回数据后,根据本次的数据读取密钥解密即可完成数据的读取。After receiving the encrypted return data, the upper computer management software can complete the data reading by decrypting it according to the data reading key.

S4:当向安全存储设备写入数据时,通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥。S4: When writing data to the secure storage device, a CBW command for writing data is generated through the host computer management software, and a data writing key is generated.

在具体实施方式中,首先通过上位机管理软件生成含有自定义命令0Xfa的CBW命令,作为写入数据的CBW命令;然后通过对称加密算法利用根密钥对写入数据的CBW命令的dCBWTag字段进行加密,将加密后的dCBWTag字段作为数据写入密钥。In a specific implementation, a CBW command containing a custom command 0Xfa is first generated by the host computer management software as a CBW command for writing data; then the dCBWTag field of the CBW command for writing data is encrypted using a root key through a symmetric encryption algorithm, and the encrypted dCBWTag field is used as the data writing key.

需要特别说明的是,向安全存储设备写入数据时,由于该设备为只读设备,不会响应标准的WRITE命令(0x2a), 因此采取自定义命令(0Xfa)进行写入。上位机管理软件在发起写命令时,对CBW中的dCBWTag字段利用根密钥进行加密计算,加密后的dCBWTag作为本次传输数据的数据写入密钥,并利用该密钥对所要写入的数据进行加密并发送给安全存储设备。It should be noted that when writing data to the secure storage device, since the device is a read-only device and will not respond to the standard WRITE command (0x2a), a custom command (0Xfa) is used for writing. When the host management software initiates a write command, the dCBWTag field in the CBW is encrypted using the root key. The encrypted dCBWTag is used as the data write key for the data being transmitted this time, and the key is used to encrypt the data to be written and sent to the secure storage device.

S5:利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备。S5: Use the data write key to configure a check bit for the CBW command for writing data, encrypt the write data, and send the CBW command for writing data and the encrypted write data to the secure storage device in sequence.

在具体实施方式中,首先计算数据写入密钥的哈希值;然后在写入数据的CBW命令中,用所述哈希值的前4个字节替换CBWC字段的最后4个字节,以更新写入数据的CBW命令。此时,通过对称加密算法利用数据写入密钥对写入数据进行加密。最后,先将写入数据的CBW命令发送至安全存储设备,再将加密后的写入数据发送至安全存储设备。In a specific implementation, the hash value of the data write key is first calculated; then, in the CBW command for writing data, the first 4 bytes of the hash value are used to replace the last 4 bytes of the CBWC field to update the CBW command for writing data. At this time, the write data is encrypted using the data write key through a symmetric encryption algorithm. Finally, the CBW command for writing data is first sent to the secure storage device, and then the encrypted write data is sent to the secure storage device.

作为示例的,为防止攻击者在抓取写入数据的CBW后,复制该命令对存储设备内数据进行篡改,本步骤在写入数据的CBW 命令中,将加密后的dCBWTag字段计算哈希值,并将哈希值的前4个字节放到CBWC字段的最后4个字节,用于后续进行dCBWTag数据认证比对。As an example, to prevent an attacker from copying the command to tamper with the data in the storage device after capturing the CBW for writing data, this step calculates the hash value of the encrypted dCBWTag field in the CBW command for writing data, and puts the first 4 bytes of the hash value into the last 4 bytes of the CBWC field for subsequent dCBWTag data authentication and comparison.

S6:安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。S6: After receiving the CBW command for writing data, the secure storage device performs a command duplicate check and verifies the command according to the data writing key and the check bit. After the verification is successful, the encrypted write data is decrypted and the write operation is performed.

在本步骤中,安全存储设备在收到包含私有指令0xfa的CBW命令后,首先验证该命令的dCBWTag字段是否为重复发送,再根据根密钥计算出本次传输的数据写入密钥,并与收到的CBW的最后4个字节进行比对,比对成功后响应相对应的写操作,这样即使攻击者复制该命令或更改命令中的dCBWTag设备均不会响应该操作。随后,安全存储设备在收到正确加密数据后根据本次传输的数据写入密钥,对本次传输的数据进行解密并完成写操作。In this step, after receiving the CBW command containing the private instruction 0xfa, the secure storage device first verifies whether the dCBWTag field of the command is sent repeatedly, and then calculates the data write key for this transmission based on the root key, and compares it with the last 4 bytes of the received CBW. After the comparison is successful, it responds to the corresponding write operation, so that even if the attacker copies the command or changes the dCBWTag in the command, the device will not respond to the operation. Subsequently, after receiving the correctly encrypted data, the secure storage device writes the key according to the data transmitted this time, decrypts the data transmitted this time and completes the write operation.

在具体实施方式中,安全存储设备收到写入数据的CBW命令后,首先提取写入数据的CBW命令的dCBWTag字段,识别dCBWTag字段是否重复出现。In a specific implementation, after receiving a CBW command for writing data, the secure storage device first extracts the dCBWTag field of the CBW command for writing data, and identifies whether the dCBWTag field appears repeatedly.

如果dCBWTag字段重复出现,则直接结束操作。If the dCBWTag field appears repeatedly, the operation ends directly.

如果dCBWTag字段是首次出现,则通过对称加密算法利用根密钥对dCBWTag字段进行加密,以计算出数据写入密钥;随后计算数据写入密钥的哈希值,并提取哈希值的4个字节,作为校验码。If the dCBWTag field appears for the first time, the dCBWTag field is encrypted using a root key through a symmetric encryption algorithm to calculate a data write key; then a hash value of the data write key is calculated, and 4 bytes of the hash value are extracted as a check code.

此时,提取出写入数据的CBW命令的CBWC字段的最后4个字节,并其判断是否与校验码相同。At this time, the last 4 bytes of the CBWC field of the CBW command for writing data are extracted, and it is determined whether they are the same as the check code.

如果相同,则校验成功,利用数据写入密钥对加密后的写入数据进行解密操作,生成原始的写入数据,将原始的写入数据写入安全存储设备的预设空间中,并向上位机管理软件返回写入成功CSW。If they are the same, the verification is successful, and the encrypted write data is decrypted using the data write key to generate the original write data, which is written into the preset space of the secure storage device, and a write success CSW is returned to the upper computer management software.

如果不相同,则校验失败,直接结束操作。If they are not the same, the verification fails and the operation ends directly.

本发明提供了一种安全存储设备的数据读写方法,通过注册认证、加密传输和哈希验证等手段控制安全存储设备数据传输流程,有效的防范了恶意攻击者的在各个环节窃密的可能,并保护了安全存储设备中保存数据不被恶意篡改。The present invention provides a data reading and writing method for a secure storage device, which controls the data transmission process of the secure storage device by means of registration authentication, encrypted transmission and hash verification, effectively prevents the possibility of malicious attackers stealing secrets at various links, and protects the data stored in the secure storage device from being maliciously tampered with.

参见图2所示,本发明还公开了一种安全存储设备的数据读写系统,包括:注册模块1、读取命令发送模块2、读取执行模块3、写入命令生成模块4、写入命令发送模块5和写入执行模块6。As shown in Figure 2, the present invention also discloses a data reading and writing system for a secure storage device, including: a registration module 1, a read command sending module 2, a read execution module 3, a write command generation module 4, a write command sending module 5 and a write execution module 6.

注册模块1,用于通过上位机管理软件注册安全存储设备,注册成功后为安全存储设备分配一个根密钥,并将安全存储设备设置为只读设备。The registration module 1 is used to register the secure storage device through the upper computer management software. After successful registration, a root key is allocated to the secure storage device and the secure storage device is set as a read-only device.

读取命令发送模块2,用于当从安全存储设备读取数据时,通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥。The read command sending module 2 is used to send a CBW command for reading data to the secure storage device through the upper computer management software when reading data from the secure storage device, and generate a data reading key.

读取执行模块3,用于当安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件。The read execution module 3 is used to encrypt the returned data with the data read key and send it to the upper computer management software after the secure storage device receives the CBW command for reading data.

写入命令生成模块4,用于当向安全存储设备写入数据时,通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥。The write command generation module 4 is used to generate a CBW command for writing data and a data writing key through the upper computer management software when writing data to the secure storage device.

写入命令发送模块5,用于利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备。The write command sending module 5 is used to configure a check bit for the CBW command for writing data using the data write key, encrypt the write data, and send the CBW command for writing data and the encrypted write data to the secure storage device in sequence.

写入执行模块6,用于当安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。The write execution module 6 is used to perform command duplication check and command verification based on the data write key and check bit when the secure storage device receives the CBW command for writing data. After the verification is successful, the encrypted write data is decrypted and the write operation is performed.

本实施例的安全存储设备的数据读写系统的具体实施方式与上述安全存储设备的数据读写方法的具体实施方式基本一致,在此不再赘述。The specific implementation of the data reading and writing system of the secure storage device of this embodiment is basically the same as the specific implementation of the data reading and writing method of the secure storage device described above, and will not be described in detail here.

本发明还公开了一种安全存储设备的数据读写装置,包括处理器和存储器;其中,所述处理器执行所述存储器中保安全存储设备的数据读写程序时实现如上文任一项所述安全存储设备的数据读写方法的步骤。The present invention also discloses a data reading and writing device for a secure storage device, comprising a processor and a memory; wherein the processor implements the steps of the data reading and writing method for the secure storage device as described in any one of the above items when executing the data reading and writing program for the secure storage device in the memory.

进一步的,本实施例中的安全存储设备的数据读写装置,还可以包括:Furthermore, the data reading and writing device of the secure storage device in this embodiment may also include:

输入接口,用于获取外界导入的安全存储设备的数据读写程序,并将获取到的安全存储设备的数据读写程序保存至所述存储器中,还可以用于获取外界终端设备传输的各种指令和参数,并传输至处理器中,以便处理器利用上述各种指令和参数展开相应的处理。本实施例中,所述输入接口具体可以包括但不限于USB接口、串行接口、语音输入接口、指纹输入接口、硬盘读取接口等。The input interface is used to obtain the data reading and writing program of the secure storage device imported from the outside, and save the obtained data reading and writing program of the secure storage device to the memory, and can also be used to obtain various instructions and parameters transmitted by the external terminal device, and transmit them to the processor, so that the processor can use the above various instructions and parameters to carry out corresponding processing. In this embodiment, the input interface can specifically include but is not limited to a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard disk reading interface, etc.

输出接口,用于将处理器产生的各种数据输出至与其相连的终端设备,以便于与输出接口相连的其他终端设备能够获取到处理器产生的各种数据。本实施例中,所述输出接口具体可以包括但不限于USB接口、串行接口等。The output interface is used to output various data generated by the processor to the terminal device connected thereto, so that other terminal devices connected to the output interface can obtain various data generated by the processor. In this embodiment, the output interface may specifically include but is not limited to a USB interface, a serial interface, etc.

通讯单元,用于在安全存储设备的数据读写装置和外部服务器之间建立远程通讯连接,以便于安全存储设备的数据读写装置能够将镜像文件挂载到外部服务器中。本实施例中,通讯单元具体可以包括但不限于基于无线通讯技术或有线通讯技术的远程通讯单元。The communication unit is used to establish a remote communication connection between the data reading and writing device of the secure storage device and the external server so that the data reading and writing device of the secure storage device can mount the image file to the external server. In this embodiment, the communication unit may specifically include but is not limited to a remote communication unit based on wireless communication technology or wired communication technology.

键盘,用于获取用户通过实时敲击键帽而输入的各种参数数据或指令。The keyboard is used to obtain various parameter data or instructions input by the user by tapping the keycaps in real time.

显示器,用于运行安全存储设备的数据读写过程的相关信息进行实时显示。The display is used to display relevant information of the data reading and writing process of the running secure storage device in real time.

鼠标,可以用于协助用户输入数据并简化用户的操作。The mouse can be used to assist users in inputting data and simplify user operations.

本发明还公开了一种可读存储介质,这里所说的可读存储介质包括随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动硬盘、CD-ROM或技术领域内所公知的任意其他形式的存储介质。可读存储介质中存储有安全存储设备的数据读写程序,所述安全存储设备的数据读写程序被处理器执行时实现如上文任一项所述安全存储设备的数据读写方法的步骤。The present invention also discloses a readable storage medium, wherein the readable storage medium includes a random access memory (RAM), a memory, a read-only memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable hard disk, a CD-ROM or any other form of storage medium known in the technical field. The readable storage medium stores a data reading and writing program of a secure storage device, and when the data reading and writing program of the secure storage device is executed by a processor, the steps of the data reading and writing method of the secure storage device described in any one of the above items are implemented.

综上所述,本发明通过注册认证、加密传输和哈希验证等手段控制安全存储设备数据传输流程,有效的防范了恶意攻击者的在各个环节窃密的可能,并保护了安全存储设备中保存数据不被恶意篡改。In summary, the present invention controls the data transmission process of the secure storage device through registration authentication, encrypted transmission and hash verification, effectively preventing the possibility of malicious attackers stealing secrets at various links, and protecting the data stored in the secure storage device from being maliciously tampered with.

本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其它实施例的不同之处,各个实施例之间相同或相似部分互相参见即可。对于实施例公开的方法而言,由于其与实施例公开的系统相对应,所以描述的比较简单,相关之处参见方法部分说明即可。In this specification, each embodiment is described in a progressive manner, and each embodiment focuses on the differences from other embodiments. The same or similar parts between the embodiments can be referred to each other. As for the method disclosed in the embodiment, since it corresponds to the system disclosed in the embodiment, the description is relatively simple, and the relevant parts can be referred to the method part description.

专业人员还可以进一步意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。Professionals may further appreciate that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been generally described in the above description according to function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Professionals and technicians may use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of the present invention.

在本发明所提供的几个实施例中,应该理解到,所揭露的系统、系统和方法,可以通过其它的方式实现。例如,以上所描述的系统实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,系统或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided by the present invention, it should be understood that the disclosed systems, systems and methods can be implemented in other ways. For example, the system embodiments described above are only schematic. For example, the division of the units is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of systems or units, which can be electrical, mechanical or other forms.

所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

另外,在本发明各个实施例中的各功能模块可以集成在一个处理单元中,也可以是各个模块单独物理存在,也可以两个或两个以上模块集成在一个单元中。In addition, each functional module in each embodiment of the present invention may be integrated into one processing unit, or each module may exist physically separately, or two or more modules may be integrated into one unit.

同理,在本发明各个实施例中的各处理单元可以集成在一个功能模块中,也可以是各个处理单元物理存在,也可以两个或两个以上处理单元集成在一个功能模块中。Similarly, each processing unit in each embodiment of the present invention may be integrated into one functional module, or each processing unit may exist physically, or two or more processing units may be integrated into one functional module.

结合本文中所公开的实施例描述的方法或算法的步骤可以直接用硬件、处理器执行的软件模块,或者二者的结合来实施。软件模块可以置于随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的存储介质中。The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented directly using hardware, a software module executed by a processor, or a combination of the two. The software module may be placed in a random access memory (RAM), a memory, a read-only memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。Finally, it should be noted that, in this article, relational terms such as first and second, etc. are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, article or device. In the absence of further restrictions, the elements defined by the sentence "comprise a ..." do not exclude the presence of other identical elements in the process, method, article or device including the elements.

以上对本发明所提供的安全存储设备的数据读写方法、系统、装置及可读存储介质进行了详细介绍。本文中应用了具体个例对本发明的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本发明的方法及其核心思想。应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理的前提下,还可以对本发明进行若干改进和修饰,这些改进和修饰也落入本发明的保护范围内。The data reading and writing method, system, device and readable storage medium of the secure storage device provided by the present invention are introduced in detail above. Specific examples are used herein to illustrate the principles and implementation methods of the present invention. The description of the above embodiments is only used to help understand the method of the present invention and its core idea. It should be pointed out that for ordinary technicians in this technical field, without departing from the principles of the present invention, several improvements and modifications can be made to the present invention, and these improvements and modifications also fall within the scope of protection of the present invention.

Claims (10)

1.一种安全存储设备的数据读写方法,其特征在于,包括:1. A method for reading and writing data of a secure storage device, comprising: 通过上位机管理软件注册安全存储设备,注册成功后为安全存储设备分配一个根密钥,并将安全存储设备设置为只读设备;Register the secure storage device through the upper computer management software. After successful registration, assign a root key to the secure storage device and set the secure storage device as a read-only device. 当从安全存储设备读取数据时,通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥;When reading data from a secure storage device, a CBW command for reading data is sent to the secure storage device through the host computer management software, and a data reading key is generated; 安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件;After receiving the CBW command to read data, the secure storage device uses the data reading key to encrypt the returned data and sends it to the upper computer management software; 当向安全存储设备写入数据时,通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥;When writing data to the secure storage device, the host computer management software generates a CBW command for writing data and generates a data writing key; 利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备;Using the data write key to configure the check bit for the CBW command for writing data, encrypting the write data, and sending the CBW command for writing data and the encrypted write data to the secure storage device in sequence; 安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。After receiving the CBW command to write data, the secure storage device performs a command duplicate check and verifies the command based on the data write key and the check bit. After the verification is successful, the encrypted write data is decrypted and the write operation is performed. 2.根据权利要求1所述的安全存储设备的数据读写方法,其特征在于,所述通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥,包括:2. The data reading and writing method of the secure storage device according to claim 1, characterized in that the sending of a CBW command for reading data to the secure storage device through the host computer management software and generating a data reading key comprises: 通过上位机管理软件生成含有READ命令的CBW命令,作为读取数据的CBW命令,并发送至安全存储设备;Generate a CBW command containing a READ command through the host computer management software as a CBW command for reading data and send it to the secure storage device; 通过对称加密算法利用根密钥对读取数据的CBW命令的dCBWTag字段进行加密,将加密后的dCBWTag字段作为数据读取密钥。The dCBWTag field of the CBW command for reading data is encrypted using a root key through a symmetric encryption algorithm, and the encrypted dCBWTag field is used as a data reading key. 3.根据权利要求2所述的安全存储设备的数据读写方法,其特征在于,所述安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件,包括:3. The data reading and writing method of the secure storage device according to claim 2 is characterized in that after the secure storage device receives the CBW command for reading data, it uses the data reading key to encrypt the returned data and sends it to the upper computer management software, including: 安全存储设备收到读取数据的CBW命令后,提取出相应的返回数据;After receiving the CBW command for reading data, the secure storage device extracts the corresponding returned data; 通过对称加密算法利用根密钥对读取数据的CBW命令的dCBWTag字段进行加密,以计算出数据读取密钥;The dCBWTag field of the CBW command for reading data is encrypted using the root key through a symmetric encryption algorithm to calculate the data reading key; 通过对称加密算法利用数据读取密钥对返回数据进行加密;Encrypt the returned data using the data reading key through a symmetric encryption algorithm; 依次将加密后的返回数据和读取成功CSW发送至上位机管理软件。The encrypted return data and the read success CSW are sent to the upper computer management software in turn. 4.根据权利要求3所述的安全存储设备的数据读写方法,其特征在于,所述通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥,包括:4. The data reading and writing method of the secure storage device according to claim 3, characterized in that the generating of the CBW command for writing data and the generating of the data writing key by the host computer management software comprises: 通过上位机管理软件生成含有自定义命令0Xfa的CBW命令,作为写入数据的CBW命令;Generate a CBW command containing a custom command 0Xfa through the host computer management software as the CBW command for writing data; 通过对称加密算法利用根密钥对写入数据的CBW命令的dCBWTag字段进行加密,将加密后的dCBWTag字段作为数据写入密钥。The dCBWTag field of the CBW command for writing data is encrypted using a root key through a symmetric encryption algorithm, and the encrypted dCBWTag field is used as the data writing key. 5.根据权利要求4所述的安全存储设备的数据读写方法,其特征在于,所述利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备,包括:5. The data reading and writing method of the secure storage device according to claim 4, characterized in that the step of configuring a check bit for a CBW command for writing data using a data writing key, encrypting the written data, and sequentially sending the CBW command for writing data and the encrypted written data to the secure storage device comprises: 计算数据写入密钥的哈希值;在写入数据的CBW命令中,用所述哈希值的前4个字节替换CBWC字段的最后4个字节,以更新写入数据的CBW命令;Calculate a hash value of the data write key; in a CBW command for writing data, replace the last 4 bytes of the CBWC field with the first 4 bytes of the hash value to update the CBW command for writing data; 通过对称加密算法利用数据写入密钥对写入数据进行加密;Encrypt the written data using the data writing key through a symmetric encryption algorithm; 先将写入数据的CBW命令发送至安全存储设备,再将加密后的写入数据发送至安全存储设备。The CBW command for writing data is first sent to the secure storage device, and then the encrypted write data is sent to the secure storage device. 6.根据权利要求5所述的安全存储设备的数据读写方法,其特征在于,所述安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作,包括:6. The data reading and writing method of the secure storage device according to claim 5, characterized in that after receiving the CBW command for writing data, the secure storage device performs command duplication check and command verification according to the data writing key and the check bit, and after the verification is successful, decrypts the encrypted write data and performs a write operation, including: 安全存储设备收到写入数据的CBW命令后,提取写入数据的CBW命令的dCBWTag字段,识别dCBWTag字段是否重复出现;After receiving the CBW command for writing data, the secure storage device extracts the dCBWTag field of the CBW command for writing data and identifies whether the dCBWTag field appears repeatedly; 若是,则直接结束操作;If yes, then end the operation directly; 若否,则通过对称加密算法利用根密钥对dCBWTag字段进行加密,以计算出数据写入密钥;计算数据写入密钥的哈希值,并提取哈希值的4个字节,作为校验码;If not, encrypt the dCBWTag field using the root key through a symmetric encryption algorithm to calculate the data write key; calculate the hash value of the data write key, and extract 4 bytes of the hash value as a check code; 提取出写入数据的CBW命令的CBWC字段的最后4个字节,并其判断是否与校验码相同;Extract the last 4 bytes of the CBWC field of the CBW command for writing data, and determine whether they are the same as the check code; 如果相同,则校验成功,利用数据写入密钥对加密后的写入数据进行解密操作,生成原始的写入数据,将原始的写入数据写入安全存储设备的预设空间中,并向上位机管理软件返回写入成功CSW;If they are the same, the verification is successful, and the encrypted write data is decrypted using the data write key to generate the original write data, which is written into the preset space of the secure storage device, and a write success CSW is returned to the upper computer management software; 如果不相同,则校验失败,直接结束操作。If they are not the same, the verification fails and the operation ends directly. 7.根据权利要求2所述的安全存储设备的数据读写方法,其特征在于,所述对称加密算法采用SM4算法或AES算法。7. The data reading and writing method of the secure storage device according to claim 2, characterized in that the symmetric encryption algorithm adopts the SM4 algorithm or the AES algorithm. 8.一种安全存储设备的数据读写系统,其特征在于,包括:8. A data reading and writing system for a secure storage device, comprising: 注册模块,用于通过上位机管理软件注册安全存储设备,注册成功后为安全存储设备分配一个根密钥,并将安全存储设备设置为只读设备;A registration module is used to register the secure storage device through the upper computer management software. After successful registration, a root key is assigned to the secure storage device and the secure storage device is set as a read-only device. 读取命令发送模块,用于当从安全存储设备读取数据时,通过上位机管理软件向安全存储设备发送读取数据的CBW命令,并生成数据读取密钥;A read command sending module is used to send a CBW command for reading data to the secure storage device through the upper computer management software when reading data from the secure storage device, and generate a data reading key; 读取执行模块,用于当安全存储设备收到读取数据的CBW命令后,利用数据读取密钥加密返回数据,并发送至上位机管理软件;The read execution module is used to encrypt the returned data with the data read key and send it to the upper computer management software after the secure storage device receives the CBW command to read the data; 写入命令生成模块,用于当向安全存储设备写入数据时,通过上位机管理软件生成写入数据的CBW命令,并生成数据写入密钥;A write command generation module is used to generate a CBW command for writing data and a data writing key through the upper computer management software when writing data to the secure storage device; 写入命令发送模块,用于利用数据写入密钥为写入数据的CBW命令配置校验位,并加密写入数据,依次将写入数据的CBW命令和加密后的写入数据发送至安全存储设备;A write command sending module, used to configure a check bit for a CBW command for writing data using a data write key, encrypt the write data, and sequentially send the CBW command for writing data and the encrypted write data to a secure storage device; 写入执行模块,用于当安全存储设备收到写入数据的CBW命令后,进行命令查重并根据数据写入密钥和校验位进行命令校验,校验成功后,对加密后的写入数据进行解密,并进行写入操作。The write execution module is used to perform command duplication check and command verification based on the data write key and check bit when the secure storage device receives the CBW command to write data. After the verification is successful, the encrypted write data is decrypted and the write operation is performed. 9.一种安全存储设备的数据读写装置,其特征在于,包括:9. A data reading and writing device for a secure storage device, comprising: 存储器,用于存储安全存储设备的数据读写程序;A memory, used for storing a data reading and writing program of a secure storage device; 处理器,用于执行所述安全存储设备的数据读写程序时实现如权利要求1至7任一项所述的安全存储设备的数据读写方法的步骤。A processor, configured to implement the steps of the data reading and writing method for a secure storage device as claimed in any one of claims 1 to 7 when executing the data reading and writing program of the secure storage device. 10.一种可读存储介质,其特征在于:所述可读存储介质上存储有安全存储设备的数据读写程序,所述安全存储设备的数据读写程序被处理器执行时实现如权利要求1至7任一项所述的安全存储设备的数据读写方法的步骤。10. A readable storage medium, characterized in that: a data reading and writing program of a secure storage device is stored on the readable storage medium, and when the data reading and writing program of the secure storage device is executed by a processor, the steps of the data reading and writing method of the secure storage device as described in any one of claims 1 to 7 are implemented.
CN202411365197.9A 2024-09-29 2024-09-29 Data read-write method, system, device and medium for secure storage equipment Active CN118862193B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411365197.9A CN118862193B (en) 2024-09-29 2024-09-29 Data read-write method, system, device and medium for secure storage equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411365197.9A CN118862193B (en) 2024-09-29 2024-09-29 Data read-write method, system, device and medium for secure storage equipment

Publications (2)

Publication Number Publication Date
CN118862193A true CN118862193A (en) 2024-10-29
CN118862193B CN118862193B (en) 2025-04-25

Family

ID=93172276

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411365197.9A Active CN118862193B (en) 2024-09-29 2024-09-29 Data read-write method, system, device and medium for secure storage equipment

Country Status (1)

Country Link
CN (1) CN118862193B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101493866A (en) * 2008-01-23 2009-07-29 杨筑平 Controlled storage device and access operation software
US9432298B1 (en) * 2011-12-09 2016-08-30 P4tents1, LLC System, method, and computer program product for improving memory systems
US20170061145A1 (en) * 2015-08-28 2017-03-02 Dell Products L.P. System and method to redirect and unlock software secure disk devices in a high latency environment
CN109840434A (en) * 2019-01-24 2019-06-04 山东华芯半导体有限公司 A kind of method for secure storing based on the close chip of state
CN111159720A (en) * 2020-03-27 2020-05-15 深圳市芯天下技术有限公司 System for testing RPMC
CN118152306A (en) * 2024-02-28 2024-06-07 杭州华澜微电子股份有限公司 Hard disk data protection method, device, equipment and storage medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101493866A (en) * 2008-01-23 2009-07-29 杨筑平 Controlled storage device and access operation software
US9432298B1 (en) * 2011-12-09 2016-08-30 P4tents1, LLC System, method, and computer program product for improving memory systems
US20170061145A1 (en) * 2015-08-28 2017-03-02 Dell Products L.P. System and method to redirect and unlock software secure disk devices in a high latency environment
CN109840434A (en) * 2019-01-24 2019-06-04 山东华芯半导体有限公司 A kind of method for secure storing based on the close chip of state
CN111159720A (en) * 2020-03-27 2020-05-15 深圳市芯天下技术有限公司 System for testing RPMC
CN118152306A (en) * 2024-02-28 2024-06-07 杭州华澜微电子股份有限公司 Hard disk data protection method, device, equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
何为;于洋;晁志超;: "基于隐藏分区的安全优盘系统设计", 微电子学与计算机, no. 02, 5 February 2017 (2017-02-05) *

Also Published As

Publication number Publication date
CN118862193B (en) 2025-04-25

Similar Documents

Publication Publication Date Title
KR102254256B1 (en) Anti-rollback version upgrade in secured memory chip
CN1535411B (en) Method and system for increasing security in computer systems using attached storage devices
US11368299B2 (en) Self-encryption drive (SED)
JP4668619B2 (en) Device key
CN103106372B (en) For lightweight privacy data encryption method and the system of android system
US8839001B2 (en) Infinite key memory transaction unit
TWI514187B (en) Systems and methods for providing anti-malware protection on storage devices
JP7309261B2 (en) Authentication method for biometric payment device, authentication device for biometric payment device, computer device, and computer program
CN109558340B (en) Secure solid-state disk encryption system and method based on trusted authentication
US20020141588A1 (en) Data security for digital data storage
WO2020192406A1 (en) Method and apparatus for data storage and verification
JPH10247905A (en) Access qualification authentication device and its method
CN102084373A (en) Backing up digital content that is stored in a secured storage device
JP2007510201A (en) Data security
CN104484628B (en) It is a kind of that there is the multi-application smart card of encrypting and decrypting
JP2021090151A (en) Storage system and data protection method thereof
WO2017137481A1 (en) A removable security device and a method to prevent unauthorized exploitation and control access to files
WO2019118031A1 (en) Virus immune computer system and method
KR101043255B1 (en) USB hub security device and data security method using the same
JP3905170B2 (en) Processing system and client device
CN118862193A (en) A data reading and writing method, system, device and medium of a secure storage device
CN107317925B (en) Mobile terminal
CN118592007A (en) Information processing device and information processing system
CN115618306A (en) A software protection method, device, system, CPU chip and electronic equipment
CN108985079B (en) Data verification method and verification system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant