CN110378137A - Hardware bottom layer encryption storage method, system and readable storage medium - Google Patents
Hardware bottom layer encryption storage method, system and readable storage medium
- Publication number: CN110378137A (application CN201910656860.3A)
- Authority: CN (China)
- Prior art keywords: data, external data, bottom layer, component, encryption
- Legal status: Pending (the legal status shown by Google is an assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/60—Protecting data > G06F21/602—Providing cryptographic facilities or services
  - G06F21/60—Protecting data > G06F21/606—Protecting data by securing the transmission between two devices or processes
  - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
Abstract
The invention discloses a hardware bottom layer encryption storage method that can be applied to a hardware bottom layer encryption storage system. In the method, a security audit component performs a security audit on external data, an encryption control component encrypts the external data, and when the data is stored it is written only to a legitimate storage device, forming a three-layer hardware firewall of data audit, data encryption and data storage. In other words, the method protects data at the hardware bottom layer, fills the current gap of having no data protection at that layer, and addresses the problem that software-level (upper-layer) data encryption alone is hard to rely on for data security. The invention also discloses a corresponding hardware bottom layer encryption storage system and a readable storage medium, which have the same technical effects.
Description
Technical field
The present invention relates to the technical field of storage, and more particularly to a hardware bottom layer encryption storage method, system and readable storage medium.
Background art
At present, most enterprises and organizations manage the security of cloud server storage systems by installing system software that filters and encrypts the information in the server database; this software-level protection is effective to a degree.
Take software management of server database information security as an example. The security management software is installed in the database system, and the security audit function is embedded into the existing database through a system plug-in or by modifying the source code of the database storage module; the embedded security audit software then filters and screens the data being transmitted, so as to process and protect the data securely. In short, this practice configures a security management system in software to protect the data on the server; it is an upper-layer, system-software data protection scheme. Once an intruder bypasses the firewall of the system software layer, the whole server system faces the uncontrollable risk of data theft, information leakage and system destruction. Software installed in the system is therefore hard to rely on to guarantee data security.
In summary, how to solve the problem of data security effectively is a technical problem that those skilled in the art urgently need to address.
Summary of the invention
The object of the present invention is to provide a hardware bottom layer encryption storage method, system and readable storage medium that encrypt and store data at the hardware level in order to ensure data security.
To solve the above technical problem, the invention provides the following technical scheme:
A hardware bottom layer encryption storage method, applied to a hardware bottom layer encryption storage system that includes a host, a security audit component, an encryption control component and a storage device; the method comprises:
receiving external data with the host and transferring the external data to the security audit component;
judging with the security audit component whether the external data is safe and, once the data is determined to be safe, transferring the external data to the encryption control component;
encrypting the external data with the encryption control component;
storing the encrypted external data in a legitimate storage device with the encryption control component.
Preferably, judging with the security audit component whether the external data is safe comprises:
the security audit component extracting at least one of the keywords, the header identifier and the information content of the external data and comparing it with a preset blacklist/whitelist to determine whether the external data is safe.
Preferably, transferring the external data to the encryption control component once the data is determined to be safe comprises:
the security audit component transmitting the external data to the encryption control component over the PCIe or SAS protocol once the data is determined to be safe.
Preferably, encrypting the external data with the encryption control component comprises:
the encryption control component encrypting the external data according to an encryption rule.
Preferably, after the encryption control component has encrypted the external data according to the encryption rule, and before the external data is transferred onward, the method further comprises:
performing pseudo-code (dummy-data) generation on the encrypted external data.
Preferably, storing the encrypted external data in a legitimate storage device with the encryption control component comprises:
the encryption control component determining by key matching whether the candidate storage device is legitimate;
if it is legitimate, storing the encrypted external data in that legitimate storage device.
A hardware bottom layer encryption storage system, comprising:
a host, a security audit component, an encryption control component and a storage device;
wherein the host receives external data and transfers it to the security audit component;
the security audit component judges whether the external data is safe and, once the data is determined to be safe, transfers it to the encryption control component;
the encryption control component encrypts the external data and transfers the encrypted external data to a legitimate storage device;
the storage device stores the encrypted external data.
Preferably, the security audit component comprises an integrated controller, an LPC parser, an I2C parser, a memory controller and an SPI parser.
Preferably, the encryption control component comprises an encryption master controller, an SPI parser and an LPC parser.
A readable storage medium, on which a computer program is stored; when executed by a processor, the computer program carries out the steps of the hardware bottom layer encryption storage method described above.
The hardware bottom layer encryption storage method can be applied to a hardware bottom layer encryption storage system that includes a host, a security audit component, an encryption control component and a storage device. The method comprises: receiving external data with the host and transferring it to the security audit component; judging with the security audit component whether the external data is safe and, once it is determined to be safe, transferring it to the encryption control component; encrypting the external data with the encryption control component; and storing the encrypted external data in a legitimate storage device with the encryption control component.
In this method the security audit component audits the external data, the encryption control component encrypts it, and at storage time it is written only to a legitimate storage device, forming a three-layer hardware firewall of data audit, data encryption and data storage. Before the external data finally reaches the storage device, the security audit component isolates risky data and implanted viruses; the encryption control component ensures that the data finally stored is encrypted, which prevents data leakage; and writing the legitimate, encrypted external data only to a legitimate storage device further prevents the data from being stolen. The method therefore ensures the safety and reliability of the data transfer process. In other words, it protects data at the hardware bottom layer, fills the current gap of having no data protection at that layer, and addresses the problem that software-level data encryption alone is hard to rely on for data security.
Correspondingly, embodiments of the invention also provide a hardware bottom layer encryption storage system and a readable storage medium corresponding to the above method, which have the same technical effects; they are not described again here.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a hardware bottom layer encryption storage method in an embodiment of the invention;
Fig. 2 is a structural diagram of a hardware bottom layer encryption storage system in an embodiment of the invention;
Fig. 3 is a flow chart of a specific implementation of the hardware bottom layer encryption storage method in an embodiment of the invention;
Fig. 4 is an internal diagram of a hardware bottom layer encryption storage system in an embodiment of the invention;
Fig. 5 is a detailed structural diagram of a security audit component in an embodiment of the invention;
Fig. 6 is a detailed structural diagram of an encryption control component in an embodiment of the invention.
Detailed description of the embodiments
To help those skilled in the art understand the solution of the invention better, the invention is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Embodiment one:
Referring to Fig. 1, a flow chart of a hardware bottom layer encryption storage method in an embodiment of the invention: the method can be applied to the hardware bottom layer encryption storage system shown in Fig. 2, the structural diagram of a hardware bottom layer encryption storage system in an embodiment of the invention. As can be seen, the system includes a host, a security audit component, an encryption control component and a storage device. The method comprises:
S101: receive external data with the host and transfer it to the security audit component.
It should be noted that in embodiments of the invention the components are assembled inside an electronic device (a computer such as a server, a data storage device, a PC or an industrial control computer, i.e. computer equipment that has a storage system) to form one set of parts making up a functional unit. That is, the security audit component and the encryption control component of the embodiment are not software modules but combined functional bodies built from hardware elements. The hardware bottom layer encryption storage system can accordingly be installed in such computer equipment, and the method provided by the embodiment can be applied to a computer that includes the system.
In the embodiment, the host receives the external data and then transfers it to the security audit component. External data is data that is not generated inside the hardware bottom layer encryption storage system; it may be ordinary data to be stored, such as audio, video, text and images. The host and the security audit component exchange the data to be stored over an I2C bus, a PCIe/SAS bus and an LPC bus.
S102: judge with the security audit component whether the external data is safe and, once it is determined to be safe, transfer it to the encryption control component.
After the security audit component receives the external data, it first determines whether the data is safe, i.e. whether it is risky data or virus data.
Specifically, the external data can be verified by configuring a blacklist and a whitelist: the security audit component extracts at least one of the keywords, the header identifier and the information content of the external data and compares it with the preset blacklist/whitelist to determine whether the data is safe. The comparison is a one-by-one matching check; the preset lists can be derived from the rules of a software-level data encryption protection mechanism and are not described here. After the external data has been compared with the lists, the result decides whether the data is safe. For example, if a keyword of the external data matches an entry in the blacklist, the data is determined to be unsafe; if it matches an entry in the whitelist, the data is determined to be safe.
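As an added illustration, not code from the patent, the following Go program models the audit step described here and in functional step (1) of embodiment two below: the host loads a blacklist/whitelist into the audit component, which then compares the header identifier, the keywords and the content of each data item one by one. The file-type magic numbers, the constructed sample inputs, the choice to keep banned keywords only as SHA-256 digests, and the default-deny policy for data that matches neither list are all assumptions of this example; the patent does not fix them.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strings"
	"unicode"
)

// Verdict is what the audit component reports back to the host.
type Verdict struct {
	Safe   bool
	Kind   string // recognised content type when the header check passes
	Reason string // why the data was rejected
}

// AuditRules models the black/white lists loaded into the audit component's
// rule memory. Whitelisted header identifiers are the magic bytes of the
// permitted file types; blacklisted keywords are kept only as SHA-256 digests.
type AuditRules struct {
	AllowedHeaders map[string][]byte
	BannedKeywords map[[32]byte]bool
}

func keywordDigest(k string) [32]byte {
	return sha256.Sum256([]byte(strings.ToLower(k)))
}

// NewAuditRules builds a rule set from plaintext keywords; only their
// digests are retained, so the rule memory never holds the words themselves.
func NewAuditRules(allowed map[string][]byte, banned []string) AuditRules {
	r := AuditRules{AllowedHeaders: allowed, BannedKeywords: map[[32]byte]bool{}}
	for _, k := range banned {
		r.BannedKeywords[keywordDigest(k)] = true
	}
	return r
}

// isPlainText accepts printable ASCII plus tab/CR/LF; this is how the
// example recognises the "text" category, which has no magic number.
func isPlainText(data []byte) bool {
	for _, b := range data {
		if b != '\t' && b != '\n' && b != '\r' && (b < 0x20 || b > 0x7E) {
			return false
		}
	}
	return len(data) > 0
}

// Audit checks the header identifier against the whitelist, then the
// keywords in the content against the blacklist. Data matching neither
// list is rejected (default deny), which is stricter than the patent text.
func (r AuditRules) Audit(data []byte) Verdict {
	kind := ""
	for name, magic := range r.AllowedHeaders {
		if bytes.HasPrefix(data, magic) {
			kind = name
			break
		}
	}
	if kind == "" && isPlainText(data) {
		kind = "text"
	}
	if kind == "" {
		return Verdict{Reason: "header identifier not in whitelist"}
	}
	tokens := strings.FieldsFunc(string(data), func(c rune) bool {
		return !unicode.IsLetter(c) && !unicode.IsDigit(c)
	})
	for _, tok := range tokens {
		if r.BannedKeywords[keywordDigest(tok)] {
			return Verdict{Kind: kind, Reason: "blacklisted keyword present"}
		}
	}
	return Verdict{Safe: true, Kind: kind}
}

func main() {
	pngMagic := []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'}
	rules := NewAuditRules(map[string][]byte{
		"png":  pngMagic,
		"jpeg": {0xFF, 0xD8, 0xFF},
		"pdf":  []byte("%PDF-"),
	}, []string{"payroll", "restricted"})
	// Constructed sample inputs, not real files.
	samples := []struct {
		name string
		data []byte
	}{
		{"png", append(pngMagic, 0, 0, 0, 13)},
		{"memo", []byte("quarterly Payroll export, do not forward")},
		{"notes", []byte("meeting notes: storage rollout on Monday")},
		{"exe", []byte("MZ\x90\x00\x03\x00")},
	}
	for _, s := range samples {
		fmt.Printf("%-6s -> %+v\n", s.name, rules.Audit(s.data))
	}
}
```

The default-deny branch is the check a practitioner would add: the patent only states what happens when a keyword matches the blacklist or the whitelist, and leaving the neither-matches case unspecified would let an executable or an unknown format through the audit stage. Keyword screening is also no substitute for malware scanning; the constructed "MZ" sample is rejected only because its header is not whitelisted, not because anything recognised it as malicious.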
Once the external data is determined to be safe, it can be transferred to the encryption control component; specifically, the security audit component transmits it over the PCIe or SAS protocol. That is, the security audit component and the encryption control component can likewise exchange data over an I2C bus, a PCIe/SAS bus or an LPC bus.
The security audit component may in particular include an integrated controller, an LPC parser, an I2C parser, a memory controller and an SPI parser, each with a clearly defined role. The integrated controller is responsible for the security audit, screening and filtering of the data and may be a CPLD, an FPGA or an ARM hard-core logic device. The LPC parser parses the LPC signals sent by the host that carry the data security audit rules and passes them on to the integrated controller; it also forwards the encryption rule information and the encryption pseudo-code codebook to the downstream encryption control component. The I2C parser parses the control information the host sends to the downstream storage device, for example the presence-detect PRESENT signal, the restart/reset RESET signal and the storage device POWER_BUTTON power on/off signal. The memory controller is mainly used to cache the audit data while the security audit component is working; together with DDR RAM and the internal registers it can hold the data that satisfies the security audit rules. The SPI parser stores the data security audit blacklist/whitelist, the data filtering and screening conditions and related information in Flash ROM, so that the key computation rules of the security audit are kept sealed. For the details of the security audit component, see also the description of the hardware bottom layer encryption storage system provided by the embodiment of the invention.
S103: encrypt the external data with the encryption control component.
After the encryption control component receives the external data, it can encrypt it; specifically, it encrypts the external data according to an encryption rule. Preferably the encryption includes re-encoding, data camouflage and similar processing; that is, after the encryption control component has encrypted the external data according to the encryption rule, and before the encrypted data is transferred onward, it can additionally perform pseudo-code (dummy-data) generation on the encrypted external data.
The encryption control component may include an encryption master controller, an SPI parser and an LPC parser, and is mainly responsible for encrypting the data and transmitting it. The encryption master controller encrypts and generates pseudo-code for the data that arrived from upstream over PCIe/SAS or similar protocol signals and satisfied the security audit rules; it applies the rule set by the host to the encryption work and sends the result to the storage device over PCIe/SAS or similar protocol signals. It is also responsible for verifying the trustworthiness of the downstream storage device, carrying out key pairing and authorization verification with it. The LPC parser mainly parses the control information sent by the upstream host, which may include the encryption rule, the pseudo-code generation mode and the storage device authentication key. The SPI parser mainly parses the data signals that carry the encryption rule and stores them in Flash ROM; the encryption master controller encrypts the data according to the encryption rule and pseudo-code generation rule held inside it. For the details of the encryption control component, see also the description of the hardware bottom layer encryption storage system provided by the embodiment of the invention.
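As an added example, not the patent's own design, here is one concrete way to implement the encrypt-then-camouflage step that S103 and the corresponding claim describe, in Go: the "encryption rule" is taken to be an AES-256-GCM key plus the identifier of the target storage device, and "pseudo-code generation / data camouflage" is rendered as padding to a fixed bucket size with random filler behind a hidden length prefix. The AES-GCM choice, the 64-byte bucket, the record layout and the constructed sample input are all assumptions of this example; the patent does not specify an algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// bucket is the camouflage granularity: stored records are always a multiple of it (assumption).
const bucket = 64

// EncryptionRule stands in for the rule the host pushes to the encryption control
// component: a 32-byte AES-256 key and the identifier of the destination device.
type EncryptionRule struct {
	Key      []byte
	DeviceID string
}

// camouflage prefixes the true length and pads to a bucket boundary with random
// filler (the example's reading of "pseudo-code generation / data camouflage").
func camouflage(plain []byte) ([]byte, error) {
	total := 4 + len(plain)
	out := make([]byte, (total+bucket-1)/bucket*bucket)
	binary.BigEndian.PutUint32(out, uint32(len(plain)))
	copy(out[4:], plain)
	if _, err := rand.Read(out[total:]); err != nil {
		return nil, err
	}
	return out, nil
}

func uncamouflage(padded []byte) ([]byte, error) {
	if len(padded) < 4 || int(binary.BigEndian.Uint32(padded)) > len(padded)-4 {
		return nil, errors.New("malformed camouflaged record")
	}
	n := int(binary.BigEndian.Uint32(padded))
	return padded[4 : 4+n], nil
}

func (r EncryptionRule) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(r.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal camouflages, then encrypts with AES-256-GCM, binding the device identifier
// as associated data so a record copied to another device fails to authenticate.
func (r EncryptionRule) Seal(plain []byte) ([]byte, error) {
	gcm, err := r.aead()
	if err != nil {
		return nil, err
	}
	padded, err := camouflage(plain)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, padded, []byte(r.DeviceID)), nil // nonce || ct || tag
}

// Open reverses Seal; tampering or a device-identifier mismatch fails here.
func (r EncryptionRule) Open(record []byte) ([]byte, error) {
	gcm, err := r.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < ns {
		return nil, errors.New("record too short")
	}
	padded, err := gcm.Open(nil, record[:ns], record[ns:], []byte(r.DeviceID))
	if err != nil {
		return nil, err
	}
	return uncamouflage(padded)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, never reuse
	rule := EncryptionRule{Key: key, DeviceID: "SSD-0001"}
	plain := []byte("constructed sample record") // constructed input
	record, err := rule.Seal(plain)
	if err != nil {
		panic(err)
	}
	back, err := rule.Open(record)
	fmt.Printf("%d plaintext bytes -> %d stored bytes, round trip ok: %v\n",
		len(plain), len(record), err == nil && string(back) == string(plain))
	_, err = EncryptionRule{Key: key, DeviceID: "SSD-0002"}.Open(record)
	fmt.Println("read under a different device id:", err)
}
```

Binding the device identifier as associated data ties the record to the device the controller authorized, which is the property the key-matching step in S104 relies on. One caveat a practitioner would add: random 96-bit GCM nonces are acceptable for modest record counts, but a hardware module writing very large numbers of records under one key should use a counter-based nonce or rotate the key, since a repeated nonce under GCM breaks both confidentiality and the authentication tag.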
S104: store the encrypted external data in a legitimate storage device with the encryption control component.
Once the data has been encrypted, a party that steals it cannot recover the external data. So that the external data can still be confirmed and read normally when it is needed, the embodiment also verifies the legitimacy of the storage device: the encryption control component determines by key matching whether the candidate storage device is legitimate and stores the encrypted external data only in a legitimate device. In this way, even if an unauthorized person reaches the storage bay of the hardware and tampers with or swaps the storage device, the attempt to steal the data does not succeed.
To summarize, the hardware bottom layer encryption storage method provided by the embodiment of the invention is applied to a system consisting of a host, a security audit component, an encryption control component and a storage device: the host receives external data and passes it to the security audit component; the security audit component judges whether the data is safe and, if so, passes it to the encryption control component; the encryption control component encrypts it and stores the encrypted data in a legitimate storage device. Data audit, data encryption and data storage thus form a three-layer hardware firewall: the security audit component isolates risky data and implanted viruses before the data reaches the storage device, the encryption control component ensures that what is stored is encrypted, which prevents leakage, and writing legitimate, encrypted data only to a legitimate storage device further prevents theft. The method therefore ensures the safety and reliability of the data transfer process, protects data at the hardware bottom layer, fills the current gap of having no data protection at that layer, and addresses the problem that software-level data encryption alone is hard to rely on for data security.
To help those skilled in the art understand the method better, it is described in detail below using the secure data storage of a cloud server as the application scenario.
Referring to Fig. 3, a flow chart of a specific implementation of the hardware bottom layer encryption storage method in an embodiment of the invention.
Staff first configure the data audit blacklist/whitelist of the security audit component through the host, thereby establishing the data security audit rules. When an external data stream (the external data) arrives at the host, the security audit component analyzes whether the data in the signals transmitted by the host meets the security audit specification, comparing the keywords, header identifier, information content and so on of the data stream against the lists. If the data does not meet the security design specification laid down by the audit component, the component feeds an error message back to the host, which displays it so that the operator can check the trustworthiness of the external data stream and take appropriate action. If the data meets the specification, the component feeds a success message back to the host; the host then issues a power-on command to the storage device through the security audit component, and at the same time the security audit component sends the data that passed the audit to the next-stage encryption control component over PCIe/SAS or similar protocol signals. The encryption control component re-encodes and camouflages the received data and simultaneously checks whether the storage device is a matching one, for example by detecting its key and pairing the public key with the private key. If the key matching succeeds, the encryption control component transfers the encrypted data to the back-end storage device; if the key matching fails, the security audit component feeds an error message back to the host, which prompts the operator to check the problematic storage device or the data transmitted from the front end and take appropriate action. The cloud server's data thus passes through three layers of hardware bottom layer firewall protection, which ensures that the data stored in the server is secure and reliable.
In addition, the cloud server secure storage based on the hardware implementation of data security processing provided by the embodiment is accomplished jointly by the front end and the back end of the data transmission path and consists of four main units: the host, the security audit component, the encryption control component and the storage device. Corresponding to these units, the method can be divided into the following four parts:
Part one: the host is mainly responsible for receiving the external data stream and transferring it over PCIe/SAS or similar protocol signals to the security audit component. It also uses LPC protocol signals to transmit the data security audit blacklist/whitelist needed by the security audit component and the key information needed by the encryption control module, and uses I2C signals to transmit some of the back-end control signals, such as the presence-detect PRESENT signal, the restart RESET signal and the power on/off signals for the storage device.
Part two: the security audit component connects upstream to the host and downstream to the encryption control component and the storage device. It audits the data sent by the host in real time, audits, filters and screens it internally, transmits the data that meets the data security audit rules downstream to the encryption control component over PCIe/SAS or similar protocol signals, and reports data that does not meet the rules to the upstream host. After the data audit is complete it also transmits the presence-detect PRESENT, restart RESET and power on/off POWER_BUTTON_N signals to the downstream storage device so that the device performs the corresponding actions. The I2C and LPC signals mainly carry the control signals and related information such as the data encryption rule and the pairing key.
Part three: the main work of the encryption control component is to encrypt the data that satisfied the upstream security audit rules and then send it to the back-end storage device. In addition it is responsible for the authorization verification of the back-end storage device, including public/private key pairing. Only when the back-end storage device is verified to be a genuine, trusted device does the encryption control component write the encrypted data to it. If the storage device is illegitimate or untrusted, the encryption control component reports the error to the security audit component, and the security unit takes the corresponding action, such as powering off the back-end storage device or shutting off the data.
Part four: the storage device stores the data of the server system and must be a trusted device that has passed authorization. A legitimate, trusted storage device generally holds key pair information inside it, storing in its storage unit the public key information needed for pairing and the device's unique identifier.
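The key-matching check of S104, the "key detection and public/private key pairing" of the Fig. 3 walk-through, and Parts three and four above all describe the same step: before releasing any data, the encryption control component must verify that the storage device holds the private key paired with the public key and unique identifier it was provisioned with. The Go program below is an added example of that step, not code from the patent, using an Ed25519 challenge-response; the message format, the device identifiers, the pairing-table structure and the swapped-device and replay scenarios are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Responder is the storage-side half of the pairing check: the device
// reports its unique identifier and answers the controller's challenge.
type Responder interface {
	ID() string
	Respond(challenge []byte) []byte
}

// StorageDevice holds the private half of its key pair; the public half
// and the identifier are what the host provisions into the controller.
type StorageDevice struct {
	id      string
	priv    ed25519.PrivateKey
	records [][]byte
}

func NewStorageDevice(id string) (*StorageDevice, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &StorageDevice{id: id, priv: priv}, pub, nil
}

func (d *StorageDevice) ID() string { return d.id }

// Respond signs the identifier together with the fresh challenge, so a
// response captured in one session proves nothing in the next.
func (d *StorageDevice) Respond(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challengeMessage(d.id, challenge))
}

func challengeMessage(id string, nonce []byte) []byte {
	return append([]byte("storage-pairing-v1:"+id+":"), nonce...)
}

// EncryptionController keeps the pairing table (device id -> public key)
// that the host delivers over LPC in the patent's description.
type EncryptionController struct {
	trusted map[string]ed25519.PublicKey
}

// Authorize is the key-matching step: unknown identifiers, unpaired keys
// and replayed responses all fail.
func (c *EncryptionController) Authorize(dev Responder) error {
	pub, ok := c.trusted[dev.ID()]
	if !ok {
		return fmt.Errorf("device %q is not in the pairing table", dev.ID())
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(pub, challengeMessage(dev.ID(), nonce), dev.Respond(nonce)) {
		return fmt.Errorf("device %q failed key pairing verification", dev.ID())
	}
	return nil
}

// Store releases an (already encrypted) record only after Authorize passes;
// the returned error is what the controller reports to the audit component.
func (c *EncryptionController) Store(dev *StorageDevice, record []byte) error {
	if err := c.Authorize(dev); err != nil {
		return err
	}
	dev.records = append(dev.records, record)
	return nil
}

// replayingDevice models a swapped-in device that knows the legitimate
// identifier and holds one captured response but not the private key.
type replayingDevice struct {
	id  string
	sig []byte
}

func (r *replayingDevice) ID() string              { return r.id }
func (r *replayingDevice) Respond(_ []byte) []byte { return r.sig }

func main() {
	genuine, pub, err := NewStorageDevice("SSD-0001")
	if err != nil {
		panic(err)
	}
	ctrl := &EncryptionController{trusted: map[string]ed25519.PublicKey{"SSD-0001": pub}}
	fmt.Println("genuine device:", ctrl.Store(genuine, []byte("encrypted record")))
	swapped, _, _ := NewStorageDevice("SSD-0001") // same id, unpaired key pair
	fmt.Println("swapped device:", ctrl.Store(swapped, []byte("encrypted record")))
	replay := &replayingDevice{id: "SSD-0001", sig: genuine.Respond([]byte("earlier challenge"))}
	fmt.Println("replayed response:", ctrl.Authorize(replay))
}
```

Challenge-response rather than a plain key comparison is the detail a practitioner would insist on: if the controller merely compared a key value the device sends, a swapped device could replay that value. Here the device must sign a fresh random nonce, so the captured response in the last scenario fails even though the identifier is the legitimate one. The error returned by Store is the point at which the patent's failure path begins: it is what the controller would report to the security audit component so that the host can power the device down.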
For the details of each component, see also the hardware bottom layer encryption storage system provided by the embodiment of the invention.
Embodiment two:
Corresponding to the method embodiment above, the embodiment of the invention also provides a hardware bottom layer encryption storage system; the system described below and the method described above can be referred to each other.
Referring to Fig. 2 and Fig. 4, where Fig. 4 is an internal diagram of a hardware bottom layer encryption storage system in an embodiment of the invention, the system includes:
a host, a security audit component, an encryption control component and a storage device;
wherein the host receives external data and transfers it to the security audit component;
the security audit component judges whether the external data is safe and, once it is determined to be safe, transfers it to the encryption control component;
the encryption control component encrypts the external data and transfers the encrypted external data to a legitimate storage device;
the storage device stores the encrypted external data.
Preferably, the security audit component comprises an integrated controller, an LPC parser, an I2C parser, a memory controller and an SPI parser.
Specifically, the security audit component can be as shown in Fig. 5, the detailed structural diagram of a security audit component in an embodiment of the invention; the labels (1) to (7) in the figure mark the main functional steps of the parts of the security audit component, which are explained below:
(1) The host sends the audit rules to the security audit hardware unit over LPC protocol signals; on receiving them, the internal LPC parser chip converts them into digital logic values that serve as the blacklist/whitelist audit rules. These rules may cover the auditing of data such as video, documents and audio, and may audit the hash codes of markers such as character fields, version numbers and file names (including but not limited to these); the data is audited, screened and filtered according to the audit rules.
(2) The integrated controller (a CPLD, FPGA or ARM hard-core module, etc.) stores the audit rules in digital logic form in the audit rule memory; the audit rule memory here is a partial address range of a Flash ROM chip accessed via SPI signals. The audit rule register and the audit instruction register may be mapped onto the built-in registers of the integrated controller.
(3) When the data information stream is transferred from the mainboard to the integrated controller of the security audit component via protocol signals such as PCIe/SAS, the integrated controller calls the audit instruction set from the external audit instruction memory according to the audit rules set earlier; its internal audit instruction decoder then decodes/selects the instructions and maps the audit instruction addresses into the internal audit instruction register.
(4) The integrated controller contains multiple PCIe/SAS controllers, which decode the PCIe/SAS signals, process the data and map the data memory addresses, completing the conversion from PCIe/SAS protocol signals into logic values. The integrated controller assigns and maps addresses for these data streams; the logic values may first be temporarily cached in the internal primary buffer area of the integrated controller (here, the internal primary data memory), where the data streams wait to be called by the integrated controller.
(5) The integrated controller may move the data stream temporarily stored in the internal primary buffer area to the external data memory cache area (here, an external DDR RAM chip). This operating step improves the audit efficiency of the data stream.
(6) The data processing unit of the integrated controller calls the logical data stream from the external DDR RAM chip, performs selection/routing operations on it and transfers it to the ALU data computation unit; the audit instruction set is then called to control the ALU data computation unit, which, together with the PCIe/SAS controller, carries out the audit of the data security rules and screens and filters out the data that do not meet the audit rules.
(7) The data stream that meets the security audit rules is sent by the PCIe/SAS controller to the next-stage encryption control module.
It should be noted that Fig. 5 is only one specific implementation structure of the embodiment of the present invention; the security audit component may also be implemented with other structures.
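A software model of the screen-and-filter logic of steps (1), (6) and (7), added here as an illustration and not code from the patent: the host-set black/white list rules are keyed on the markers the text names (keywords, version number and a hash of the file name), and a constructed data stream is audited against them. The record fields, the use of SHA-256 for the file-name hash and the sample values are all assumptions.

```python
"""Model of the security audit component's black/white list screening (added example).
Rules and records are constructed; field names and the hash choice are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRules:
    """Black/white list audit rules as the host would provision them (step 1)."""
    blocked_keywords: frozenset      # black list of keywords
    blocked_name_hashes: frozenset   # black list of SHA-256 hex digests of file names
    allowed_versions: frozenset      # white list; empty means any version is acceptable
    allowed_types: frozenset         # white list of data types (video, document, audio)


@dataclass(frozen=True)
class DataRecord:
    """One unit of the incoming data information stream (constructed)."""
    data_type: str
    file_name: str
    version: str
    keywords: tuple
    content: bytes


def file_name_hash(name: str) -> str:
    # The rules store a hash of the file-name marker rather than the name itself.
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def audit_record(rules: AuditRules, rec: DataRecord) -> list:
    """Return the list of rule violations; an empty list means the record passes."""
    violations = []
    if rec.data_type not in rules.allowed_types:
        violations.append(f"type {rec.data_type!r} not in white list")
    if rules.allowed_versions and rec.version not in rules.allowed_versions:
        violations.append(f"version {rec.version!r} not in white list")
    if file_name_hash(rec.file_name) in rules.blocked_name_hashes:
        violations.append("file name hash is black-listed")
    hits = sorted(set(rec.keywords) & rules.blocked_keywords)
    if hits:
        violations.append(f"black-listed keywords: {hits}")
    return violations


def screen_and_filter(rules: AuditRules, stream):
    """Steps (6)/(7): keep records that meet the rules, drop the rest with reasons."""
    passed, rejected = [], {}
    for rec in stream:
        violations = audit_record(rules, rec)
        if violations:
            rejected[rec.file_name] = violations
        else:
            passed.append(rec)
    return passed, rejected


# Constructed rules and a constructed three-record stream.
RULES = AuditRules(
    blocked_keywords=frozenset({"macro-autorun", "dropper"}),
    blocked_name_hashes=frozenset({file_name_hash("invoice.pdf.exe")}),
    allowed_versions=frozenset({"1.0", "1.1"}),
    allowed_types=frozenset({"video", "document", "audio"}),
)
STREAM = [
    DataRecord("document", "report.docx", "1.1", ("quarterly", "finance"), b"..."),
    DataRecord("document", "invoice.pdf.exe", "1.1", ("invoice",), b"MZ..."),
    DataRecord("video", "intro.mp4", "2.0", ("macro-autorun",), b"\x00\x00\x00"),
]

if __name__ == "__main__":
    ok, bad = screen_and_filter(RULES, STREAM)
    print([r.file_name for r in ok], bad)
```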
Preferably, the control extension component comprises: an encryption controller, an SPI parser and an LPC parser. The control extension component may be as shown in Fig. 6, which is a schematic diagram of a concrete structure of a control extension component in an embodiment of the present invention; the marks (1), (2), (3), (4), (5) and (6) in the figure denote the main functional steps corresponding to each component part of the control extension component. Each component part of the control extension component and its corresponding functional steps are as follows:
(1) The host sends the data encryption rules and the device matching key to the control extension hardware module via LPC protocol signals; after receiving the data encryption rules and the device matching key, the internal LPC parsing chip converts them into digital logic values. The data encryption rules may be encryption means such as inverting or shifting the digital logic values or generating pseudo-code from them, so that the data can be encrypted in a concealed manner and its safety ensured.
(2) The encryption hard-core unit (a CPLD, FPGA or ARM hard-core module, etc.) stores the data encryption rules and the device matching key in digital logic form in the data encryption rule memory and the key memory; the data encryption rule memory and the key memory here are partial address ranges of a Flash ROM chip accessed via SPI signals.
(3) When the data information stream is transferred from the security audit component to the digital logic compiler of the control extension module via protocol signals such as PCIe/SAS, the encryption hard-core unit calls the encryption instruction set from the external encryption rule memory according to the encryption rules set earlier; its internal encryption rule decoder then decodes/selects the instructions and maps the encryption instruction addresses into the internal encryption rule register. At the same time, the encryption hard-core unit issues a decoding command to the data logic decoder.
(4) The digital logic decoder sends the logical data into the encryption converter for data transmission and processing. At the same time, the encryption hard-core unit calls the encryption instruction set to control the encryption converter so that it encrypts the logical data according to the previously set encryption rules; the encryption rules include, but are not limited to, digital logic pseudo-code encryption, digital logic inversion encryption and digital logic shift encryption.
(5) The encryption converter transfers the encrypted data to the digital logic encoder, where the digital logic values are compiled again. The compiled logical data is then handed to the PCIe/SAS controller, which decodes the PCIe/SAS signals, processes the data and maps the data memory addresses, completing the conversion from PCIe/SAS protocol signals into logic values. The encryption hard-core unit assigns and maps addresses for these data streams; the logic values may first be temporarily cached in the internal primary buffer area of the encryption hard-core unit, where the data streams wait to be called by the PCIe/SAS controller.
(6) At this point the key comparator performs key matching between the transmitted private key identifier and the public key stored in the key management unit of the device; if the key match succeeds, trusted authorization is granted to the storage device. Only then does the PCIe/SAS controller transfer the data information to the storage device.
It should be noted that Fig. 6 is only one specific implementation structure of the embodiment of the present invention; the control extension component may also be implemented with other structures.
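A software model of steps (4) and (6), added here as an illustration and not code from the patent: the three encryption rules the text names (digital logic inversion, shift and pseudo-code) are applied in a host-set order and undone in reverse, and the key comparator releases a write to the storage device only after the device key matches the provisioned matching key. Since the text does not define how pseudo-code is generated, it is modelled as an HMAC-SHA256 keyed byte stream, and the key identifier derivation, rule encoding and sample values are likewise assumptions.

```python
"""Model of the control extension component's encryption rules and key comparator
(added example). Pseudo-code generation and the identifier derivation are assumptions."""
import hashlib
import hmac


def _pseudo_code(key: bytes, length: int) -> bytes:
    """Pseudo-code stream derived from the device matching key (assumed construction)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _rotl(b: int, n: int) -> int:
    n %= 8  # a negative n becomes the equivalent right rotation
    return ((b << n) | (b >> (8 - n))) & 0xFF


def apply_rule(rule: tuple, data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Apply one rule. Inversion and the pseudo-code XOR are their own inverse;
    the shift is undone by rotating the other way."""
    kind = rule[0]
    if kind == "invert":   # digital logic inversion: every bit flipped
        return bytes(b ^ 0xFF for b in data)
    if kind == "shift":    # digital logic shift, modelled as a per-byte rotation
        n = -rule[1] if decrypt else rule[1]
        return bytes(_rotl(b, n) for b in data)
    if kind == "pseudo":   # the only rule that depends on a secret
        return bytes(a ^ b for a, b in zip(data, _pseudo_code(key, len(data))))
    raise ValueError(f"unknown encryption rule {kind!r}")


def encrypt(rules: list, data: bytes, key: bytes) -> bytes:
    for rule in rules:
        data = apply_rule(rule, data, key)
    return data


def decrypt(rules: list, data: bytes, key: bytes) -> bytes:
    for rule in reversed(rules):
        data = apply_rule(rule, data, key, decrypt=True)
    return data


def key_identifier(matching_key: bytes) -> bytes:
    """Public identifier a storage device derives from its matching key (assumed)."""
    return hashlib.sha256(b"device-id" + matching_key).digest()


def authorize_and_store(stored_key: bytes, device_key: bytes, ciphertext: bytes, device: dict) -> bool:
    """Step (6): write only when the device's identifier matches the provisioned key."""
    expected = key_identifier(stored_key)
    if not hmac.compare_digest(expected, key_identifier(device_key)):
        return False  # not a legal storage device: nothing is written
    device["blocks"].append(ciphertext)
    return True


# Constructed host-set rules, device matching key and sample data.
# Note: inversion and shift are fixed permutations anyone who knows the rule can undo;
# only the keyed pseudo-code rule gives confidentiality that rests on a secret.
RULES = [("invert",), ("shift", 3), ("pseudo",)]
MATCHING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SAMPLE = b"quarterly report v1.1"

if __name__ == "__main__":
    device = {"blocks": []}
    ct = encrypt(RULES, SAMPLE, MATCHING_KEY)
    print(authorize_and_store(MATCHING_KEY, MATCHING_KEY, ct, device), ct.hex())
    print(decrypt(RULES, ct, MATCHING_KEY))
```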
The hardware bottom layer encryption system provided by the embodiment of the present invention includes a host, a security audit component, a control extension component and a storage device. In this system the security audit component performs a security audit on the external data, the control extension component encrypts the external data, and when the data is stored it is stored in a legal storage device, forming a three-layer hardware firewall prevention mechanism comprising data audit, data encryption and data storage. Before the external data is finally stored in the storage device, risk data and virus implantation can be isolated in the security audit component; the control extension component ensures that the data finally stored is encrypted, which also prevents data leakage; legal and encrypted external data is stored in a legal storage device, which further prevents the data from being stolen. As can be seen, the method ensures the safety and reliability of the data information transfer process. That is, the hardware bottom layer encryption storage system realizes security protection of data at the hardware bottom layer, fills the current gap of having no data protection at the hardware bottom layer, and solves the problem that upper-layer software data encryption finds it difficult to ensure data safety.
Embodiment three:
Corresponding to the above method embodiment, the embodiment of the present invention also provides a readable storage medium; the readable storage medium described below and the hardware bottom layer encryption storage method described above may be referred to each other.
A readable storage medium has a computer program stored on it, and when the computer program is executed by a processor, the steps of the hardware bottom layer encryption storage method of the above method embodiment are realized.
The readable storage medium may specifically be a USB flash disk, a mobile hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their function. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to achieve the described function for each specific application, but such an implementation should not be considered to go beyond the scope of the present invention.
Claims (10)
1. A hardware bottom layer encryption storage method, characterized in that it is applied to a hardware bottom layer encryption system, the hardware bottom layer encryption system comprising a host, a security audit component, a control extension component and a storage device; the hardware bottom layer encryption storage method comprising:
receiving external data using the host, and transferring the external data to the security audit component;
judging whether the external data is safe using the security audit component, and after determining that the data is safe, transferring the external data to the control extension component;
encrypting the external data using the control extension component;
storing the encrypted external data in a legal storage device using the control extension component.
2. The hardware bottom layer encryption storage method according to claim 1, characterized in that judging whether the external data is safe using the security audit component comprises:
the security audit component extracting at least one of the keywords, the initial clear identification and the information content of the external data, and comparing it with a preset black/white list to determine whether the external data is safe.
3. The hardware bottom layer encryption storage method according to claim 1, characterized in that, after determining that the data is safe, transferring the external data to the control extension component comprises:
the security audit component, after determining that the data is safe, transferring the external data to the control extension component using the PCIe or SAS protocol.
4. The hardware bottom layer encryption storage method according to claim 1, characterized in that encrypting the external data using the control extension component comprises:
the control extension component encrypting the external data using an encryption rule.
5. The hardware bottom layer encryption storage method according to claim 4, characterized in that, after the control extension component encrypts the external data using the encryption rule and before the external data is transferred to the control extension component, the method further comprises:
performing pseudo-code generation processing on the encrypted external data.
6. The hardware bottom layer encryption storage method according to any one of claims 1 to 5, characterized in that storing the encrypted external data in a legal storage device using the control extension component comprises:
the control extension component determining, using key matching, whether the storage device to be selected is legal;
if it is legal, storing the encrypted external data in the legal storage device.
7. A hardware bottom layer encryption system, characterized by comprising:
a host, a security audit component, a control extension component and a storage device;
wherein: the host is configured to receive external data and to transfer the external data to the security audit component;
the security audit component is configured to judge whether the external data is safe and, after determining that the data is safe, to transfer the external data to the control extension component;
the control extension component is configured to encrypt the external data and to transfer the encrypted external data to the legal storage device;
the storage device is configured to store the encrypted external data.
8. The hardware bottom layer encryption storage system according to claim 7, characterized in that the security audit component comprises: an integrated controller, an LPC parser, an I2C parser, a memory controller and an SPI parser.
9. The hardware bottom layer encryption storage system according to claim 7, characterized in that the control extension component comprises: an encryption controller, an SPI parser and an LPC parser.
10. A readable storage medium, characterized in that a computer program is stored on the readable storage medium, and when the computer program is executed by a processor, the steps of the hardware bottom layer encryption storage method according to any one of claims 1 to 6 are realized.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910656860.3A CN110378137A (en) | 2019-07-19 | 2019-07-19 | A kind of hardware bottom layer encryption storage method, system and readable storage medium storing program for executing |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110378137A true CN110378137A (en) | 2019-10-25 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 2019-10-25 | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2019-10-25