CN120316839B - Hard disk data protection and safety transmission system - Google Patents

Hard disk data protection and safety transmission system

Info

Publication number
CN120316839B
CN120316839B
Authority
CN
China
Prior art keywords
file
data
hard disk
storage channel
encryption chip
Legal status
Active
Application number
CN202510759491.6A
Other languages
Chinese (zh)
Other versions
CN120316839A (en)
Inventor
孙玉玺
王静奕
唐保东
谢冉冉
宗成强
宋腾
Current Assignee
Shandong Yisheng Information Technology Co ltd
Shanghai Huayi Microelectronic Material Co Ltd
Original Assignee
Shandong Yisheng Information Technology Co ltd
Shanghai Huayi Microelectronic Material Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of data security, and in particular to a hard disk data protection and secure transmission system. The system comprises a Bluetooth module, a hard disk, and a storage channel security encryption chip. The storage channel security encryption chip wirelessly communicates with mobile phone application software via the Bluetooth module to perform identity authentication, unlocking hard disk access rights and releasing sensitive data based on the authentication result. The storage channel security encryption chip is connected between a host and a hard disk to implement data encryption and decryption transmission and partition control on the hard disk. The hard disk is divided into a public area, a private area, and a hidden area. The public area stores open resources in plain text, the private area stores personal data in ciphertext, and the hidden area stores sensitive data in ciphertext. Sensitive data is accessed through a dedicated tool using a private protocol. The present invention implements hard disk data access control, hierarchical management, virus protection, and secure transmission functions, solving the problem of data leakage caused by lost or stolen storage devices.

Description

Hard disk data protection and safety transmission system
Technical Field
The invention relates to the technical field of computer storage and data security, in particular to a hard disk data protection and security transmission system based on a hard disk encryption chip.
Background
With the rapid growth of data storage demands and the frequent occurrence of data leakage incidents, hard disk data security has become a core problem in the field of computer storage. Traditional hard disk data protection mainly relies on software encryption, operating system permission control or password authentication mechanisms, but these methods have obvious defects; in terms of secure data transmission, data sources are difficult to trace and the security of data in circulation is hard to guarantee.
For example, the prior art mostly adopts software encryption schemes based on the operating system, whose security depends on the integrity of the host driver and the security of the system environment. Such schemes are vulnerable to malicious programs (e.g., EternalBlue, Panda Burning Incense and other ransomware), and suffer from poor driver compatibility and difficult cross-platform adaptation. In addition, software encryption keys are easily stolen by memory sniffing or man-in-the-middle attacks, and interception of the communication link is difficult to resist. Conventional hard disks generally adopt a single encryption strategy and cannot provide differentiated protection for public, private and sensitive data; when the storage device is lost or stolen, an attacker can obtain all data by cracking a single encryption layer, resulting in disclosure of privacy and sensitive information. Existing hard disk antivirus technology mainly relies on real-time scanning or sandbox isolation, but has insufficient active defensive capability against malicious code in hidden areas (such as macro viruses or script Trojans disguised as normal files). Traditional file systems (e.g., NTFS, FAT, EXT4) use standard instructions that are easily hijacked or exploited by malicious programs, resulting in data being tampered with or encrypted. When data is transmitted across devices, traditional methods lack end-to-end hardware-level encryption protection, key management is loose, and data sources cannot be traced; for example, in public cloud storage or shared transmission scenarios, plaintext or weakly encrypted data is vulnerable to interception or tampering.
To address these problems, the prior art has tried to improve security through Hardware Security Modules (HSM) or trusted computing technology, but these have the following defects: the tightly coupled design of the hardware encryption chip and the storage controller causes resource allocation conflicts and makes multi-level security isolation difficult to realize; the lack of an identity authentication mechanism based on wireless communication with a mobile device leaves the problems of system driver dependence and cross-platform compatibility unsolved; and the lack of an active anti-virus mechanism and a private transmission protocol for stored data makes the transmission and execution of malicious code difficult to block. Therefore, there is an urgent need for a comprehensive solution that fuses hardware encryption, hierarchical storage management, active virus protection and secure transmission to address data security challenges in complex environments.
Disclosure of Invention
In view of the defects of the prior art, the invention provides a hard disk data protection and secure transmission system which realizes access control, hierarchical management, virus protection and secure data transmission for a hard disk. It aims to solve the problem of data leakage caused by loss of storage equipment, to resist EternalBlue, Panda Burning Incense and other malicious programs based on data encryption mechanisms, such as ransomware, worms and Trojans, and to realize secure transmission of data.
In order to solve the above technical problems, the technical scheme adopted by the invention is a hard disk data protection and secure transmission system comprising a Bluetooth module, a hard disk and a storage channel security encryption chip, wherein the storage channel security encryption chip performs identity authentication through wireless communication between the Bluetooth module and mobile phone application software, and unlocks hard disk access rights and releases sensitive data according to the identity authentication result;
the storage channel security encryption chip divides the hard disk into a public area, a private area and a hidden area according to the settings of the mobile phone application software. The public area stores open resources in plaintext form; the private area stores personal data in ciphertext form, and the personal data can be accessed only after identity authentication is completed through the mobile phone application software; the hidden area stores sensitive data in ciphertext form, the sensitive data is invisible in the file system and is accessed by a special tool through a private protocol. The special tool comprises a FatFS file system, a virus scanning component and an isolation sandbox: the FatFS file system calls a private instruction protocol stack to create, enumerate, read, modify and delete sensitive data files in the hidden area; the isolation sandbox temporarily stores data to be written to the hidden area; the virus scanning component scans the temporarily stored data for viruses; and the data is written to the hidden area through the private instruction protocol stack only after the virus scan passes;
secure data transmission for the hidden area is realized through the storage channel security encryption chip and the special tool. The storage channel security encryption chip provides cryptographic operation services, and the special tool is responsible for calling the interfaces and managing files. The special tool reconstructs the file structure through the hardware encryption module of the storage channel security encryption chip and a digital envelope mechanism; authentication information and key information are generated according to an identification mark set by the user, and the file contents are encrypted and decrypted, ensuring the security of sensitive data during transmission.
Further, the secure transmission of the data in the hidden area is based on a digital envelope technology, each transmission file comprises a file header and a file body, the file header records functional data of the file body, the functional data comprises a file protection key authentication identifier, version information, a signature certificate, the effective length and format of the file to be transmitted and a file header signature value, and the file body comprises an effective encryption data block and a filling encryption data block.
Further, the encryption process of the transmission file data is as follows:
S11, the data sender sends an identification mark F to the storage channel security encryption chip through the special tool, and the storage channel security encryption chip generates a file protection key authentication identifier K from the identification mark F;
S12, the storage channel security encryption chip performs key derivation based on the version information and the identification mark F to obtain a file protection key Mkey, Mkey being used for encrypting the file body;
S13, the storage channel security encryption chip splices the file protection key authentication identifier K, the version information, the signature certificate and the effective length and format of the file, then signs the spliced result with the signature private key corresponding to the signature certificate to obtain a file header signature value; the file header signature value, the file protection key authentication identifier K, the version information, the signature certificate and the effective length and format of the file form the file header, which the special tool obtains;
S14, the special tool splits the file according to the set grouping and sends the split file to the storage channel security encryption chip, which encrypts the groups in a loop to generate ciphertext and pads the ciphertext according to the set grouping to obtain an effective encrypted data block and a padding encrypted data block; the special tool assembles the encrypted file body and the file header to obtain a digital envelope file that can be transmitted;
S15, the interface used in the transmission file data encryption process is called, the digital envelope file is sent to the storage channel security encryption chip through the private instruction protocol stack, and the storage channel security encryption chip then sends the digital envelope file to the hidden area of the hard disk.
Further, the decryption process of the transmission file data is as follows:
S21, the data receiver acquires the digital envelope file, splits it into a file header and a file body, and sends the file header to the storage channel security encryption chip through the special tool;
S22, the storage channel security encryption chip parses the signature certificate to obtain the signature public key and verifies the signature of the file header to check its validity;
S23, if the file header is valid, the storage channel security encryption chip generates a file protection key authentication identifier K1 from an identification mark F1 input by the data receiver and compares whether K1 is consistent with the K in the file header; if so, the receiver's authority is confirmed;
S24, the storage channel security encryption chip performs key derivation based on the version information and the identification mark F1 input by the receiver to obtain a file protection key Mkey', Mkey' being used for decrypting the file body;
S25, the special tool decrypts the file in a loop according to the set grouping to obtain the plaintext, and obtains the actual file according to the effective length and format of the file.
The process by which the storage channel security encryption chip performs identity authentication through wireless communication between the Bluetooth module and the mobile phone application software is as follows: the Bluetooth module establishes point-to-point communication with the mobile phone application software, authentication data is transmitted in a challenge-response manner, and the storage channel security encryption chip parses the authentication data transmitted by the Bluetooth module; if the data is valid, identity authentication succeeds, otherwise it fails.
Further, the key of the private area is imported from outside, and a key backup and key recovery mechanism is designed for recovering the data of the private area; a hard disk protection key is derived from the identity authentication data, and the private area key is encrypted with the hard disk protection key before being stored.
Further, the key of the hidden area is randomly generated by the storage channel security encryption chip and has no key recovery mechanism; the root key of the hidden area key is generated by a derivation operation from characteristic metadata solidified in the storage channel security encryption chip, and the root key is used to protect the hidden area key.
Further, the hard disk is a SATA interface hard disk, including SATA solid state drives, SATA mechanical hard disks, and M.2 and mSATA interface hard disks.
Further, the storage channel security encryption chip is connected between the host and the hard disk in SATA bridging mode, forming the data channel from the host to the hard disk.
Further, the host accesses the public area and the private area through the SATA standard protocol, and accesses the hidden area through a custom SATA private instruction protocol stack.
The beneficial effects of the invention are that it constructs a hard disk data protection and secure transmission system by integrating the storage channel security encryption chip HX0168, the Bluetooth module, the SATA interface hard disk and the special tool. The hard disk is divided into a public area, a private area and a hidden area, and hierarchical management and control of data are realized by combining a multi-level security mechanism (such as digital envelope technology and a private instruction protocol) with dynamic authentication (Bluetooth challenge-response): the public area is accessed transparently, the private area supports offline authorization and is authenticated through the mobile phone terminal, and the hidden area is read and written only by the special tool through the private protocol, with a key that is randomly generated by the chip and can be neither exported nor recovered. Through the FatFS file system, quarantine sandbox, dynamically loaded virus scanning component and private instruction protocol stack, the special tool effectively blocks the self-starting and spread of ransomware such as EternalBlue and of malicious scripts, while the digital envelope technology ensures secure transmission of data. The design is compatible with various SATA storage devices, resists data leakage and attacks from storage through access to transmission, and is suitable for fields with high security requirements such as government affairs and finance.
Drawings
FIG. 1 is a schematic block diagram of a hard disk data protection and secure transmission system;
FIG. 2 is a logical architecture diagram of the hard disk data protection and secure transmission design;
FIG. 3 is a schematic diagram of the hidden area quarantine sandbox;
FIG. 4 is a schematic diagram of the digital envelope file structure;
FIG. 5 is a flow chart of transmission file data encryption;
FIG. 6 is a flow chart of transmission file data decryption.
Detailed Description
The invention will be further described with reference to the drawings and the specific examples.
Example 1
This embodiment discloses a hard disk data protection and secure transmission system, as shown in FIG. 1, comprising a Bluetooth module, a SATA interface hard disk and a storage channel security encryption chip. The storage channel security encryption chip is the HX0168 storage channel security encryption chip of Shandong Huayi Microelectronics Technology Co., and the SATA interface hard disk comprises SATA solid state drives, SATA mechanical hard disks, M.2 and mSATA interface hard disks and the like, used for storing data; the data content and access rights of the SATA interface hard disk are controlled by the HX0168. In operation, the Bluetooth module is the authentication medium, the SATA interface hard disk is the data storage carrier, and the HX0168 is the security management core.
The Bluetooth module is provided with an SPI/UART interface connected to the corresponding interface of the HX0168, and the HX0168 performs identity authentication with the mobile phone application software through wireless communication via the Bluetooth module. Specifically, the Bluetooth module establishes point-to-point communication with the mobile phone application software, authentication data is transmitted in a challenge-response manner, and the HX0168 parses the authentication data transmitted by the Bluetooth module; if the data is valid, authentication succeeds and mounting of the hard disk's hidden area is controlled according to the authentication result.
The HX0168 chip is responsible for the security management of data. It is connected between the host and the SATA interface hard disk in SATA bridging mode, forms the data path between the host and the SATA interface hard disk, realizes encryption/decryption transmission and partition control of the data on the SATA interface hard disk, and provides the computation functions that the special tool requires for secure data transmission. The HX0168 supports hard disk access control technology, digital envelope technology, a Bluetooth driver interface, an SKF/SDF interface, a standard instruction protocol stack and a private instruction protocol stack. The access control technology manages the hard disk partitions of the SATA storage module; the digital envelope technology packages transmission files to realize secure transmission; the Bluetooth driver interface communicates with the Bluetooth module to acquire and screen the authentication data of the mobile phone application software; the SKF/SDF interface provides cryptographic computation services; the standard instruction protocol stack consists of ATA/SCSI standard instructions used for reading and writing the public and private areas of the hard disk; and the private instruction protocol stack consists of ATA/SCSI private (custom) instructions used for reading and writing hidden area data.
The HX0168 divides the SATA storage module into three areas: public area, private area and hidden area. The public area stores open resources such as operating system components, system tools and public data in plaintext form; this data needs neither encryption protection nor access control, the host accesses the public area through the SATA standard protocol, and the HX0168 passes public area data through transparently. Private area data is stored in ciphertext form; the host accesses the private area through SATA standard reads and writes, and loading of the private area by the host is controlled by the mobile phone application software (it can be loaded and accessed only after identity authentication is completed through the mobile phone application software): the HX0168 acquires and screens the authentication information by means of the Bluetooth module and actively loads or unloads the private area for the host, thereby realizing access control of the private area. The hidden area stores sensitive data, which is not only stored in ciphertext form but also must be read and written by the special tool using the private protocol, and the sensitive data is parsed in combination with the special tool. This design can resist ransomware based on data encryption mechanisms such as EternalBlue and Panda Burning Incense, and prevent the self-starting of worms, Trojans and other malicious programs.
In this embodiment, the key of the private area is imported from outside, and a key backup and key recovery mechanism can be designed for recovering the data of the private area; a hard disk protection key is derived from the identity authentication data and is stored in encrypted form, and is used to protect the private area key from being cracked by sniffing or dumping. The key of the hidden area is generated randomly inside the chip; its root key is generated by a derivation operation from characteristic metadata solidified in the HX0168 chip, and the root key protects the file encryption key of the hidden area. Data recovery is not possible, which ensures the security of the sensitive data.
The special tool is used for managing the sensitive data of the hidden area and for the secure transmission of hidden area data by the digital envelope technology, and relies on the software and hardware resources of the host. As shown in FIG. 2, the special tool consists of a FatFS file system, a virus scanning component and an isolation sandbox. The special tool is installed on the host and communicates with the HX0168 through a host driver-free interface, which uses two types of protocol: a standard protocol and a private protocol. The standard protocol is used for reading and writing public area and private area data; the private protocol is used for reading and writing hidden area data and supports the digital envelope technology and the SKF/SDF cryptographic interface. The HX0168 is the security management core and provides hard disk access control, the Bluetooth driver interface, the digital envelope technology, the SKF/SDF cryptographic interface, the standard instruction protocol stack and the private instruction protocol stack; the Bluetooth driver interface and the Bluetooth module support the hard disk access control technology and control the loading and access of the private area, and the SKF/SDF cryptographic interface supports the digital envelope technology to realize secure data transmission. The HX0168 communicates with the SATA interface hard disk via the standard protocol for accessing the public and private areas and via the private protocol for accessing the hidden area.
In this embodiment, the standard protocol is the SATA standard instruction protocol stack, and the private protocol is a custom SATA private instruction protocol stack.
The FatFS file system calls the private instruction protocol stack to create, enumerate, read, modify and delete sensitive data files in the hidden area, and manages the hidden area partition and its file system. The isolation sandbox is a memory space on the host used to temporarily hold data to be written to the hidden area; the data must pass virus scanning, after which the private instruction protocol stack is converted into the standard protocol stack and the data is stored in the hidden area through the SATA interface. As shown in FIG. 3, the virus scanning component is loaded by the special tool, which invokes an external antivirus plug-in in a dynamic loading mode to identify and scan written data in real time and filter out malicious programs and scripts. Because the hidden area is read through the private instruction protocol stack, data loading is controlled by the special tool, and therefore executable files and scripts cannot start automatically.
The HX0168 chip and the special tool together ensure the secure transmission of data: the HX0168 chip provides the cryptographic operation service, and the special tool is responsible for calling the interface and managing files.
Secure transmission is based on digital envelope technology. As shown in FIG. 4, each transmission file consists of two parts, a file header and a file body. The file header records the description information and cryptographic resources of the transmission file and comprises a file protection key authentication identifier, version information, the sender's signature certificate, the effective length and format of the file, and a file header signature value, generated according to the authentication information set by the user. The file protection key authentication identifier is computed from the identification mark input by the user, and a key derivation computation is performed according to the user-set authentication information to obtain the key for the digital envelope file body. The version information identifies the algorithm protocol of the key derivation computation, providing greater flexibility and security. The signature certificate comes from cryptographic resources built into the sender's HX0168 chip and is matched with a signature private key inside the sender's HX0168 chip, which is used to sign the file header and produce the signature value. The file effective length represents the actual effective data length in the file body, and the file format represents the actual format of the file. The file body is divided into effective encrypted data blocks and padding encrypted data blocks. The length of the effective encrypted data block corresponds to the file effective length in the file header, and the padding encrypted data block fills the body up to the group-computed length.
As shown in fig. 5, the transmission file data encryption process is:
S11, a data sender (encryptor) sends an identification mark F to a storage channel security encryption chip through a special tool, and the HX0168 chip generates a file protection key authentication mark through hash calculation (such as SM3 algorithm) according to the identification mark F, wherein the file protection key authentication mark is used for authenticating the identity of a decryptor.
And S12, the HX0168 chip performs key derivation (hash calculation or symmetric encryption algorithm) based on the version information and the identification mark F to obtain a file protection key Mkey, mkey for encrypting the file body.
S13, the HX0168 chip splices the file protection key authentication identification K, version information, the signature certificate and the effective length and format of the file, then uses a signature private key corresponding to the signature certificate to sign the splicing result to obtain a file header signature value, and the file header signature value, the file protection key authentication identification K, the version information, the signature certificate and the effective length and format of the file form a file header, and a special tool obtains the file header. In this process, the signature private key and the file protection key Mkey only work inside the HX0168 chip, and the special tool cannot obtain the signature private key and the file protection key. The signature value is used for guaranteeing the integrity of the header file, the signature certificate in the header corresponds to the signature private key of the sending end, and the signature public key in the extracted signature certificate can be used for verifying the header signature value.
S14, the special tool splits the file according to one 128KB group and sends the split file to the HX0168 chip, the HX0168 chip carries out loop encryption on the split file to generate ciphertext, and the encryption algorithm can adopt a feedback-free (non-chained) mode (such as ECB, CTR and XTS) of a symmetric algorithm such as SM 4/AES. And filling according to 128KB of one packet to obtain an effective encrypted data block and a filled encrypted data block, and assembling an encrypted file body and a file header by a special tool to obtain a digital envelope file capable of being transmitted.
S15, calling an SKF/SDF interface used in the transmission file data encryption process, sending the digital envelope file to the HX0168 chip through the private instruction protocol stack, and then sending the digital envelope file to the hidden area of the hard disk by the HX0168 chip.
The transmission file data decryption process and the transmission file data encryption process are the inverse processes, as shown in fig. 6, and the transmission file data decryption process is as follows:
S21, the data receiver (decryptor) acquires the digital envelope file, splits it into a file header and a file body, and sends the file header to the HX0168 chip through the special tool.
S22, the HX0168 chip parses the signature certificate to obtain the signature public key and verifies the signature on the file header to confirm that the file header is legal.
S23, if the file header is legal, the HX0168 chip generates a file protection key authentication identifier K1 from the identification mark F1 input by the data receiver and compares K1 with the K in the file header; if they are consistent, the receiver's authority is confirmed.
S24, the HX0168 chip performs key derivation based on the version information and the identification mark F1 input by the receiver to obtain the file protection key Mkey', which is used to decrypt the file body. In this process Mkey' is used only inside the HX0168 chip.
S25, the special tool decrypts the file in a loop over 128KB groups to obtain the plaintext, and recovers the actual file according to the effective length and format of the file.
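The S11 to S25 procedure above, as an added example in Go that is not part of the patent or of any HX0168 software. The chip's key derivation is modelled with HMAC-SHA256 keyed by a chip root secret, the signature certificate with a bare Ed25519 public key (standing in for whatever certificate format the chip actually uses), the body cipher with AES-128-CTR applied to each group independently (one of the non-chained modes the patent allows), and the 128KB group with a 64-byte group so the padding path is exercised on small input. The chip instance, root secret, identification marks and file contents are constructed, and the sender and receiver are assumed to share one chip (or chips with the same root secret), which the patent does not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// groupSize stands in for the patent's 128KB group (64 bytes is a constructed value).
const groupSize = 64
// Header holds the patent's file-header fields; CertPub stands in for the signature certificate (bare key, no trust chain).
type Header struct {
	AuthID, Version, CertPub, Sig []byte // K, version, "certificate", header signature value
	Length                        uint32 // effective length of the file
	Format                        string
}

// Chip models the encryption chip: a root secret for key derivation and a signing key, neither of which leaves it.
type Chip struct {
	root    []byte
	signKey ed25519.PrivateKey
}

// NewChip generates a fresh root secret and signing key (constructed values for the example).
func NewChip() *Chip {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	root := make([]byte, 32)
	if _, err2 := rand.Read(root); err != nil || err2 != nil {
		panic("entropy source unavailable")
	}
	return &Chip{root: root, signKey: k}
}

// splice concatenates inputs with 4-byte length prefixes so the encoding is unambiguous.
func splice(parts ...[]byte) []byte {
	var b []byte
	for _, p := range parts {
		b = append(binary.BigEndian.AppendUint32(b, uint32(len(p))), p...)
	}
	return b
}

// prf is the chip's key-derivation primitive: HMAC-SHA256 over a label and inputs.
func (c *Chip) prf(label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, c.root)
	m.Write(splice(append([][]byte{[]byte(label)}, parts...)...))
	return m.Sum(nil)
}

// AuthID derives K from the identification mark F (S11); the receiver derives K1 from F1 the same way (S23).
func (c *Chip) AuthID(f []byte) []byte { return c.prf("auth", f) }
// fileKey derives the 128-bit Mkey from version and F (S12, S24); it never leaves the chip.
func (c *Chip) fileKey(version, f []byte) []byte { return c.prf("mkey", version, f)[:16] }

// headerBytes is the splice of the fields the header signature covers (S13).
func headerBytes(h *Header) []byte {
	return splice(h.AuthID, h.Version, h.CertPub, []byte(h.Format), binary.BigEndian.AppendUint32(nil, h.Length))
}

// cryptGroups encrypts or decrypts each whole group independently with AES-128-CTR. The group
// index fills the high half of the counter block, so per-block counters of different groups
// never overlap. Callers pass a 16-byte key and a body that is a whole number of groups.
func cryptGroups(key, data []byte) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	for lo := 0; lo < len(data); lo += groupSize {
		iv := append(binary.BigEndian.AppendUint64(nil, uint64(lo/groupSize)), make([]byte, 8)...)
		cipher.NewCTR(blk, iv).XORKeyStream(out[lo:lo+groupSize], data[lo:lo+groupSize])
	}
	return out
}

// Seal runs S11 to S14 on the sender side and returns the file header and the encrypted body.
func Seal(c *Chip, f, version, plain []byte, format string) (*Header, []byte) {
	h := &Header{AuthID: c.AuthID(f), Version: version, Length: uint32(len(plain)), Format: format,
		CertPub: c.signKey.Public().(ed25519.PublicKey)}
	h.Sig = ed25519.Sign(c.signKey, headerBytes(h)) // S13: sign the spliced header
	padded := make([]byte, (len(plain)+groupSize-1)/groupSize*groupSize) // S14 fill; Length strips it
	copy(padded, plain)
	return h, cryptGroups(c.fileKey(version, f), padded)
}

// Open runs S21 to S25 on the receiver side with the receiver's identification mark F1.
func Open(c *Chip, f1 []byte, h *Header, body []byte) ([]byte, error) {
	if len(h.CertPub) != ed25519.PublicKeySize || !ed25519.Verify(h.CertPub, headerBytes(h), h.Sig) {
		return nil, errors.New("file header signature invalid") // S22: verify before trusting any field
	}
	if !hmac.Equal(c.AuthID(f1), h.AuthID) { // S23: constant-time K1 == K comparison
		return nil, errors.New("permission check failed: K1 does not match K")
	}
	if len(body)%groupSize != 0 || int(h.Length) > len(body) {
		return nil, errors.New("body length inconsistent with the header")
	}
	return cryptGroups(c.fileKey(h.Version, f1), body)[:h.Length], nil // S24 Mkey', S25 decrypt
}
```

Two points the procedure leaves to the implementer become visible once it is written down. Because Mkey is derived only from the version and F, and the group index is the only per-group nonce, sealing two different files under the same (version, F) pair reuses CTR keystream; a per-file random value in the signed header, or XTS with a per-file tweak, avoids that. And S22 only establishes that the header was signed by whoever holds the key for the certificate carried in that same header; unless the receiver also validates the certificate against a trusted issuer, the binding of the envelope to an authorised receiver rests on the K1 == K check of S23.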
The invention realizes access control, hierarchical management, virus protection and safe transmission of hard disk data through the software and hardware co-design of the storage channel security encryption chip HX0168. It aims to solve the data leakage caused by loss or theft of storage devices and effectively resists attacks by malicious programs such as ransomware, worms and Trojan horses. The invention is suitable for scenes with high security requirements, such as personal privacy protection, enterprise sensitive data management and government confidential document storage.
The foregoing describes only the basic principles and preferred embodiments of the present invention; modifications and alternatives will occur to those skilled in the art to which the present invention pertains, within the scope defined by the appended claims.

Claims (7)

1. The hard disk data protection and safety transmission system is characterized by comprising a Bluetooth module, a hard disk and a storage channel safety encryption chip, wherein the storage channel safety encryption chip performs identity authentication through wireless communication between the Bluetooth module and mobile phone end application software, and realizes unlocking of hard disk access rights and release of sensitive data according to an identity authentication result;
the storage channel security encryption chip divides the hard disk into a public area, a private area and a hidden area according to the settings of the mobile phone end application software, wherein the public area stores open resources in plaintext form; the private area stores personal data in ciphertext form, and the personal data can be accessed only after identity authentication has been completed through the mobile phone end application software; the hidden area stores sensitive data in ciphertext form, the sensitive data is invisible in the file system and is accessed by a special tool through a private protocol, the special tool comprises a FatFS file system, a virus scanning component and an isolation sandbox, the FatFS file system calls a private instruction protocol stack to realize the creation, enumeration, reading, modification and deletion of sensitive data files in the hidden area, the isolation sandbox is used for temporarily storing data to be written to the hidden area, the virus scanning component is used for carrying out virus scanning on the temporarily stored data, and the data is written to the hidden area through the private instruction protocol stack after the virus scanning is passed;
The data security transmission of the hidden area is realized through a storage channel security encryption chip and a special tool, the storage channel security encryption chip provides a password operation service, and the special tool is responsible for calling an interface and managing files;
the data security transmission of the hidden area is based on a digital envelope technology, each transmission file comprises a file header and a file body, the file header records the functional data of the file body and comprises a file protection key authentication identifier, version information, a signature certificate, the effective length and format of the file to be transmitted and a file header signature value, and the file body comprises an effective encryption data block and a filling encryption data block;
the encryption process of the transmission file data is as follows:
S11, a data sender sends an identification mark F to a storage channel security encryption chip through a special tool, and the storage channel security encryption chip generates a file protection key authentication mark K according to the identification mark F;
S12, the storage channel security encryption chip carries out key derivation based on the version information and the identification mark F to obtain a file protection key Mkey, Mkey being used for encrypting the file body;
S13, the storage channel security encryption chip splices the file protection key authentication identification K, the version information, the signature certificate and the effective length and format of the file, then signs the splicing result with the signature private key corresponding to the signature certificate to obtain a file header signature value; the file header signature value, the file protection key authentication identification K, the version information, the signature certificate and the effective length and format of the file form the file header, and the special tool obtains the file header;
S14, the special tool splits the file according to the set grouping and sends the split file to the storage channel security encryption chip, the storage channel security encryption chip carries out loop encryption on the split file to generate a ciphertext, the ciphertext is filled according to the set grouping to obtain an effective encrypted data block and a filled encrypted data block, and the special tool assembles the encrypted file body and the file header to obtain a digital envelope file capable of being transmitted;
S15, the interface used in the encryption process of the transmission file data is called to send the digital envelope file to the storage channel security encryption chip through the private instruction protocol stack, and the storage channel security encryption chip then sends the digital envelope file to the hidden area of the hard disk;
The decryption process of the transmission file data is as follows:
S21, the data receiver acquires the digital envelope file, splits the digital envelope file into a file header and a file body, and sends the file header to the storage channel security encryption chip through the special tool;
S22, the storage channel security encryption chip analyzes the signature certificate to obtain the signature public key, and performs signature verification on the file header to verify the validity of the file header;
S23, if the file header is legal, the storage channel security encryption chip generates a file protection key authentication identifier K1 according to an identification mark F1 input by the data receiver, compares whether K1 is consistent with K in the file header, and if so, proves that the authority is correct;
S24, the storage channel security encryption chip carries out key derivation based on the version information and the identification mark F1 input by the receiver to obtain a file protection key Mkey', Mkey' being used for decrypting the file body;
S25, the special tool carries out loop decryption on the file according to the set group to obtain a plaintext, and obtains an actual file according to the effective length and the format of the file.
2. The hard disk data protection and safety transmission system according to claim 1, wherein the process of identity authentication by the storage channel safety encryption chip through wireless communication between the Bluetooth module and the mobile phone end application software is that the Bluetooth module establishes point-to-point communication with the mobile phone end application software, authentication data is transmitted in a challenge response mode, the storage channel safety encryption chip analyzes the authentication data transmitted by the Bluetooth module, if the data is legal, the identity authentication is successful, and otherwise, the identity authentication fails.
3. The hard disk data protection and security transmission system according to claim 1, wherein the private area key is imported from outside, a key backup and key recovery mechanism is designed for recovering the private area data, and the hard disk protection key is derived according to the identity authentication data and is stored after being encrypted.
4. The hard disk data protection and secure transmission system according to claim 1, wherein the hidden area key is randomly generated by the storage channel secure encryption chip and has no key recovery mechanism, the root key of the hidden area key is derived from characteristic metadata solidified in the storage channel secure encryption chip, and the root key is used to protect the hidden area key.
5. The system of claim 1, wherein the hard disk is a SATA interface hard disk, including a SATA solid state disk, a SATA mechanical hard disk, an M.2 interface hard disk and an MSATA interface hard disk.
6. The system of claim 5, wherein the secure encryption chip is connected between the host and the hard disk in SATA bridge mode to realize the data channel from the host to the hard disk.
7. The system of claim 6, wherein the host accesses the public and private areas via the SATA standard protocol and accesses the hidden area via a custom SATA proprietary command protocol stack.
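The challenge-response identity authentication of claim 2, as an added Go example that is not part of the patent: the chip issues a random nonce over the Bluetooth link, the phone app answers with an HMAC over the nonce and its device identifier using a secret assumed to have been provisioned to both sides out of band (the patent does not say what the authentication data consists of), and the chip checks the answer in constant time and discards the nonce so that each answer can be used once. The shared secret, the device identifier, the AuthChip type and its Unlocked flag are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// AuthChip is the chip's side of the exchange. It holds the secret shared with the
// enrolled phone app and remembers the challenge it issued so it is answered at most once.
type AuthChip struct {
	shared   []byte
	pending  []byte
	Unlocked bool // hard disk access rights released only after a successful authentication
}

// NewAuthChip takes the shared secret; provisioning it is assumed to happen out of band.
func NewAuthChip(shared []byte) *AuthChip { return &AuthChip{shared: shared} }

// Challenge is the first message over the Bluetooth link: a fresh 32-byte random nonce.
func (c *AuthChip) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	c.pending = n
	return n, nil
}

// Respond is the phone app's side: it proves possession of the shared secret by
// computing HMAC-SHA256 over the nonce and the app's device identifier.
func Respond(shared, nonce []byte, deviceID string) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(nonce)
	m.Write([]byte(deviceID))
	return m.Sum(nil)
}

// Verify is the chip's check of the answer. The outstanding nonce is consumed whether the
// answer is right or wrong, so a captured response cannot be presented a second time, and
// the comparison is constant time so the answer cannot be guessed byte by byte.
func (c *AuthChip) Verify(deviceID string, resp []byte) error {
	if c.pending == nil {
		return errors.New("no outstanding challenge")
	}
	expected := Respond(c.shared, c.pending, deviceID)
	c.pending = nil
	if !hmac.Equal(expected, resp) {
		return errors.New("identity authentication failed")
	}
	c.Unlocked = true
	return nil
}
```

The nonce is what makes the exchange "challenge response" rather than a password sent over the air: the secret never crosses the Bluetooth link, and a transcript of one session does not authenticate a later one.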
CN202510759491.6A 2025-06-09 2025-06-09 Hard disk data protection and safety transmission system Active CN120316839B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510759491.6A CN120316839B (en) 2025-06-09 2025-06-09 Hard disk data protection and safety transmission system

Publications (2)

Publication Number Publication Date
CN120316839A CN120316839A (en) 2025-07-15
CN120316839B true CN120316839B (en) 2025-09-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant