CN106709361B - File content hidden storage access method based on capacity hiding and multi-file system and storage device thereof - Google Patents


Publication number
CN106709361B
Authority
CN
China
Legal status
Active
Application number
CN201611080008.9A
Other languages
Chinese (zh)
Other versions
CN106709361A (en)
Inventor
李清宝
张平
曾光裕
陈志锋
蔡国民
王康
王烨
Current Assignee
PLA Information Engineering University
Original Assignee
PLA Information Engineering University


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention relates to a file content hidden storage access method, and a device thereof, based on capacity hiding and a multi-file system. In the method, a monitoring unit in the slave device monitors the capacity request command sent by the master device, and the slave device parses the master device's access command. If the command is for the normal access storage area, the capacity identification information of the normal access storage area is fed back to the master device. If the command is for a hidden access storage area, identity authentication is required, and after authentication passes the capacity identification information of the corresponding hidden access storage area i is fed back to the master device. A data clearing function is also provided: when an attempt is made to crack the hiding system, the self-destruction module of the mobile storage device is triggered and the secret files in the hidden area are completely cleared. The method and the device effectively address the problems that the stability of hidden files is affected by the operating system and that hidden files can be destroyed by an attacker, and effectively ensure the security of the hidden stored file data.

Description

File content hidden storage access method based on capacity hiding and multi-file system and storage device thereof
Technical Field
The invention belongs to the technical field of mobile storage security, and particularly relates to a file content hidden storage access method based on capacity hiding and a multi-file system, and a storage device thereof.
Background
USB mobile storage devices such as USB flash drives are widely used; they have become a relay point for data transfer and play an important role in data exchange between computers. At the same time, data security problems are increasingly prominent: important personal file information is often stolen or damaged. Hidden storage of file contents is often used as an important method of protecting sensitive data, and research on hidden storage of file contents and on maintaining data security is actively being carried out.
Existing file hiding techniques mainly include the following: (1) modifying the registry so that the user cannot see the hidden file through ordinary file operations; (2) using files such as images and videos as host files and hiding parasitic files inside them, where files can also be hidden in image information through image watermarking; (3) hooking system API functions, in which a user-defined file management function hooks the entry address of the system's original file management function and filters out access information for hidden files, so that the user cannot see them through the resource manager; (4) exploiting the fact that the system does not display volume label files, by changing a file's attribute to the volume label attribute, where the first cluster number of the file in its directory entry can additionally be modified to increase hiding strength; (5) a more recently proposed method that modifies directory entry attributes and reconstructs the FAT table sequence; (6) a method that uses the characteristics of NAND flash memory chips and stores the file in the redundant blocks used for bad block management; (7) a proposed method that hides files in the sector fragments of existing files in a file system.
For file hiding, the most important criteria are the hiding strength, namely the imperceptibility of the hidden file, and the time complexity and technical difficulty required to find the hidden file by cracking. The methods above can all hide files, but their hiding strength differs. Hiding a file inside a host file is susceptible to operations on the host file and has poor robustness; hiding files by using memory chip characteristics gives better hiding strength, but the hiding capacity is small and the chip's bad block management is easily affected; hiding files in the redundant area of a file is strongly concealed, but has poor robustness and small hiding capacity and is easily affected by file operations; the other methods are all host-side techniques, such as filter drivers, modifying file attributes and reconstructing FAT tables. In addition, the existing file hiding methods depend on the operating system and are not suited to mobile storage devices. The above file hiding methods have two main disadvantages: (1) the imperceptibility of the hidden file is not considered, so an attacker can easily learn that a hidden file exists and steal it; (2) hidden files are susceptible to file operations such as formatting the device, so an attacker can destroy the hidden file by formatting the device.
Disclosure of Invention
In view of this, the invention provides a file content hidden storage access method based on capacity hiding and a multi-file system, and a storage device thereof, which isolate the hidden storage area from the common storage area, improve the security and robustness of hidden files, offer a large hiding capacity, and are simple to operate.
According to the design scheme provided by the invention, the file content hidden storage access method based on capacity hiding and a multi-file system is used for accessing hidden storage data on a host peripheral. The storage area of the mobile storage device is divided into a common access storage area and n hidden access storage areas, denoted hidden access storage area 1, hidden access storage area 2, …, hidden access storage area n. Each access storage area of the storage device is identified by a flag byte in the redundant area of the physical blocks, so that logical storage is mapped to physical storage, and a separate file system is established in each access storage area of the mobile storage device (the multi-file system). Access to the hidden storage data specifically comprises the following steps:
Step 1: the host requests the capacity of the mobile storage device. The mobile storage device parses the request command, determines the access storage area currently requested through a lookup-table-based address mapping method, and judges from the file system of that access storage area whether the request is for the common access storage area. If it is, the capacity information of the common access storage area is fed back to the host. Otherwise identity authentication is performed: if authentication passes, the capacity information of the requested hidden access storage area is fed back to the host, and if it does not pass, the capacity information of the common access storage area is fed back to the host.
Step 2: set the access-limit count threshold and initialize the hidden access storage area counter.
Step 3: perform identity authentication according to the write operation received by the mobile storage device.
Step 4: if authentication passes, the host obtains access authority to the hidden access storage area of the mobile storage device, and execution returns to step 3. If authentication does not pass, the host obtains access authority to the common access storage area of the mobile storage device, and the hidden access storage area counter is incremented by 1.
Step 5: judge whether the counter value has reached the access-limit count threshold. If it has, perform the self-destruction operation on the hidden access storage area data, clearing that data, and return to step 3; if not, return directly to step 3.
Above, the host obtaining access authority to the hidden access storage area of the mobile storage device means that the host switches freely between the ordinary access storage area and the n hidden access storage areas as its access requests require.
Above, the host obtaining access authority to the ordinary access storage area of the mobile storage device means that the host is restricted to requesting access only in the normal access storage area.
The identity authentication specifically comprises the following: after the mobile storage device is connected to the host, the host enumerates and identifies the mobile storage device, and once the mobile storage device driver is installed successfully the host directly obtains access authority to the common access storage area. The host initiates storage area switching by performing a write operation on the mobile storage device, that is, by sending a CBW command packet to it; the mobile storage device parses the command packet and judges whether the host has the authority to switch storage areas.
Preferably, the mobile storage device parsing the command packet and judging whether to give the host storage area switching authority is specifically: the mobile storage device parses the command packet, reads the authority variable of the file system corresponding to the currently accessed storage area, and judges from that variable whether to grant the host the requested access authority.
Above, the self-destruction operation on the hidden access storage area data is specifically: the data of the current hidden access storage area is cleared using a data clearing method based on key page overwriting.
A file content hidden storage device based on capacity hiding and a multi-file system is arranged in a mobile storage device and is used for storage access of common data and hidden data. It comprises a storage access module, an identity authentication module and a data cleaning module. The storage access module comprises a storage access monitoring unit, a common storage access unit and a plurality of hidden storage access units. The common storage access unit has a file system for common data established in it and is used for storage access of common data; each hidden storage access unit has its own file system for hidden data established in it and is used for storage access of hidden data; and the storage access monitoring unit judges, according to the host access request and the identity authentication module, whether to grant storage access authority to the corresponding hidden storage access unit, and judges, according to the authentication information fed back by the identity authentication module, whether to trigger the data cleaning module.
The identity authentication module performs host identity authentication according to host write operations and comprises a counter unit and an identity authentication unit. The identity authentication unit parses, in the mobile storage device, the data packet of the host's access request, obtains the information of the storage access unit requested, and judges from the file system authority state corresponding to that storage access unit whether identity authentication passes. If it passes, the result is fed back to the storage access monitoring unit; if it does not pass, the counter counts and the result is fed back to the storage access monitoring unit.
The storage access monitoring unit acts on the result fed back by the identity authentication module. If identity authentication passes, it grants the host access authority to the corresponding storage access unit; if identity authentication does not pass, it grants the host access authority to the common storage access unit only and judges whether the counter value has reached the preset access-limit count threshold. If so, the data cleaning module is triggered; otherwise identity authentication continues according to host write operations.
The data cleaning module performs the data cleaning operation on the storage access module according to the trigger signal from the storage access monitoring unit.
The beneficial effects of the invention are as follows:
Compared with the prior art, in the invention a monitoring unit in the slave device first monitors the capacity request command sent by the master device, and the slave device parses the master device's access command. If it is a command for the normal access storage area, the capacity identification information of the normal access storage area is fed back to the master device. If a command for a hidden access storage area is received, identity authentication is required, and after it passes the capacity identification information of the corresponding hidden access storage area i, that is, the capacity of the current storage area, is fed back to the master device. With this mechanism, files that need protection are stored in a hidden storage area, the identity authentication mechanism controls authorized access to the hidden area, and access to the hidden area is transparent to the operating system; this is the main difference from other file hiding methods. In addition, the invention provides a data clearing function: when an attempt is made to crack the hiding system, the self-destruction module of the mobile storage device is triggered and the secret files in the hidden area are thoroughly cleared. The method and the device effectively address the problems that the stability of hidden files is affected by the operating system and that hidden files can be destroyed by an attacker, and effectively ensure the security of the hidden stored file data.
Description of the drawings:
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a schematic view of the apparatus of the present invention;
FIG. 3 is a flow chart of an embodiment of the present invention;
FIG. 4 is a diagram illustrating identity authentication according to the present invention.
The specific implementation mode is as follows:
The present invention is described in further detail below with reference to the accompanying drawings and technical solutions, and its embodiments are described in detail by way of preferred examples, but the embodiments of the present invention are not limited thereto.
In a first embodiment, referring to FIG. 1, a file content hidden storage access method based on capacity hiding and a multi-file system is used for accessing hidden storage data on a host peripheral. The storage area of the mobile storage device is divided into a normal access storage area and n hidden access storage areas, denoted hidden access storage area 1, hidden access storage area 2, …, hidden access storage area n. Each access storage area of the storage device is identified by a flag byte in the redundant area of the physical blocks, so that logical storage is mapped to physical storage, and a file system is established in each corresponding access storage area of the mobile storage device. Access to the hidden storage data specifically comprises the following steps:
Step 1: the host requests the capacity of the mobile storage device. The mobile storage device parses the request command, determines the access storage area currently requested through a lookup-table-based address mapping method, and judges from the file system of that access storage area whether the request is for the common access storage area. If it is, the capacity information of the common access storage area is fed back to the host. Otherwise identity authentication is performed: if authentication passes, the capacity information of the requested hidden access storage area is fed back to the host, and if it does not pass, the capacity information of the common access storage area is fed back to the host.
Step 2: set the access-limit count threshold and initialize the hidden access storage area counter.
Step 3: perform identity authentication according to the write operation received by the mobile storage device.
Step 4: if authentication passes, the host obtains access authority to the hidden access storage area of the mobile storage device, and execution returns to step 3. If authentication does not pass, the host obtains access authority to the common access storage area of the mobile storage device, and the hidden access storage area counter is incremented by 1.
Step 5: judge whether the counter value has reached the access-limit count threshold. If it has, perform the self-destruction operation on the hidden access storage area data, clearing that data, and return to step 3; if not, return directly to step 3.
Above, the host obtaining access authority to the hidden access storage area of the mobile storage device means that the host switches freely between the ordinary access storage area and the n hidden access storage areas as its access requests require.
Above, the host obtaining access authority to the ordinary access storage area of the mobile storage device means that the host is restricted to requesting access only in the normal access storage area.
The identity authentication specifically comprises the following: after the mobile storage device is connected to the host, the host enumerates and identifies the mobile storage device, and once the mobile storage device driver is installed successfully the host directly obtains access authority to the common access storage area. The host initiates storage area switching by performing a write operation on the mobile storage device, that is, by sending a CBW command packet to it; the mobile storage device parses the command packet and judges whether the host has the authority to switch storage areas.
Preferably, the mobile storage device parsing the command packet and judging whether to give the host storage area switching authority is specifically: the mobile storage device parses the command packet, reads the authority variable of the file system corresponding to the currently accessed storage area, and judges from that variable whether to grant the host the requested access authority.
Above, the self-destruction operation on the hidden access storage area data is specifically: the data of the current hidden access storage area is cleared using a data clearing method based on key page overwriting.
In a second embodiment, referring to FIG. 1, a file content hidden storage access method based on capacity hiding and a multi-file system is used for accessing hidden storage data on a host peripheral. The storage area of the mobile storage device is divided into a normal access storage area and n hidden access storage areas, denoted hidden access storage area 1, hidden access storage area 2, …, hidden access storage area n. Each access storage area of the storage device is identified by a flag byte in the redundant area of the physical blocks, so that logical storage is mapped to physical storage, and a separate file system is established in each access storage area of the mobile storage device (the multi-file system). Access to the hidden storage data specifically comprises the following steps:
Step 1: the host requests the capacity of the mobile storage device. The mobile storage device parses the request command, determines the access storage area currently requested through address mapping based on the lookup table gLog2Phy[], and judges from the file system of that access storage area whether the request is for the common access storage area. If it is, the capacity information of the common access storage area is fed back to the host. Otherwise identity authentication is performed: if authentication passes, the capacity information of the requested hidden access storage area is fed back to the host, and if it does not pass, the capacity information of the common access storage area is fed back to the host.
Step 2: set the access-limit count threshold and initialize the hidden access storage area counter.
Step 3: perform identity authentication according to the write operation received by the mobile storage device.
Step 4: if authentication passes, the host obtains access authority to the hidden access storage area of the mobile storage device, that is, the host switches freely between the common access storage area and the n hidden access storage areas as its access requests require, and execution returns to step 3. If authentication does not pass, the host obtains access authority to the common access storage area of the mobile storage device, that is, the host is restricted to requesting access only in the common access storage area, and the hidden access storage area counter is incremented by 1.
Step 5: judge whether the counter value has reached the access-limit count threshold. If it has, perform the data self-destruction operation on the hidden access storage area, using a data clearing method based on key page overwriting to clear the data of the current hidden access storage area, and return to step 3; otherwise return directly to step 3.
The identity authentication specifically comprises the following: after the mobile storage device is connected to the host, the host enumerates and identifies the mobile storage device, and once the mobile storage device driver is installed successfully the host directly obtains access authority to the common access storage area. The host initiates storage area switching by performing a write operation on the mobile storage device, that is, by sending a CBW command packet to it; the mobile storage device parses the command packet, reads the authority variable of the file system corresponding to the currently accessed storage area, and judges from that variable whether to grant the host the requested access authority.
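The five steps and the write-triggered authentication described above, modelled as device-side C (an added example, not code from the patent). The `HSW1` frame marker, the per-area secrets, the capacities, the threshold of 3 and the `key_page` stand-in for key page overwriting are assumptions made for illustration; the patent does not specify the credential format or whether a successful authentication resets the counter, so the counter is left unchanged here.

```c
/* Device-side model of steps 1-5; frame layout, secrets and sizes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N_HIDDEN     2   /* n hidden access storage areas (assumed n = 2) */
#define FAIL_LIMIT   3   /* access-limit threshold set in step 2 (assumed) */
#define MAGIC_LEN    4
#define SECRET_LEN   8
#define FRAME_LEN    (MAGIC_LEN + 1 + SECRET_LEN)
#define KEY_PAGE_LEN 16
#define AREA_NORMAL  0   /* areas 1..N_HIDDEN are hidden */

enum write_result { WR_DATA, WR_SWITCHED, WR_DENIED, WR_WIPED };

struct area {
    uint32_t capacity_blocks;         /* capacity fed back to the host */
    uint8_t  secret[SECRET_LEN];      /* per-area credential (assumption) */
    uint8_t  key_page[KEY_PAGE_LEN];  /* stand-in for the pages a wipe overwrites */
};
struct device {
    struct area areas[N_HIDDEN + 1];
    int         active;      /* area the host currently sees */
    unsigned    fail_count;  /* hidden access storage area counter */
};

/* Hypothetical marker that distinguishes a switch request from a data write. */
static const uint8_t MAGIC[MAGIC_LEN] = { 'H', 'S', 'W', '1' };

void dev_init(struct device *d)
{
    memset(d, 0, sizeof *d);          /* step 2: counter starts at 0, area = normal */
    d->areas[0].capacity_blocks = 4096;
    d->areas[1].capacity_blocks = 1024;
    d->areas[2].capacity_blocks = 512;
    memcpy(d->areas[1].secret, "area1key", SECRET_LEN);
    memcpy(d->areas[2].secret, "area2key", SECRET_LEN);
    for (int i = 1; i <= N_HIDDEN; i++)
        memset(d->areas[i].key_page, 0xA5, KEY_PAGE_LEN);
}

/* Step 1: the capacity reply depends only on the area currently granted. */
uint32_t dev_read_capacity(const struct device *d)
{
    return d->areas[d->active].capacity_blocks;
}

/* Constant-time comparison so reply timing does not reveal matching bytes. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Step 5 action: overwrite the key pages of every hidden area. */
static void wipe_hidden(struct device *d)
{
    for (int i = 1; i <= N_HIDDEN; i++)
        memset(d->areas[i].key_page, 0x00, KEY_PAGE_LEN);
}

/* Steps 3-5: every host write is inspected; only switch requests are counted.
 * Frame layout (assumed): MAGIC | area index | 8-byte secret. */
enum write_result dev_write(struct device *d, const uint8_t *buf, size_t len)
{
    if (len != FRAME_LEN || memcmp(buf, MAGIC, MAGIC_LEN) != 0)
        return WR_DATA;                    /* ordinary write, not an auth attempt */
    int target = buf[MAGIC_LEN];
    if (target == AREA_NORMAL) {           /* switching back needs no secret */
        d->active = AREA_NORMAL;
        return WR_SWITCHED;
    }
    if (target <= N_HIDDEN &&
        ct_equal(buf + MAGIC_LEN + 1, d->areas[target].secret, SECRET_LEN)) {
        d->active = target;                /* step 4: authentication passed */
        return WR_SWITCHED;
    }
    d->active = AREA_NORMAL;               /* step 4: fall back and count the failure */
    if (++d->fail_count >= FAIL_LIMIT) {   /* step 5: threshold reached */
        wipe_hidden(d);
        return WR_WIPED;
    }
    return WR_DENIED;
}

int main(void)
{
    struct device d;
    uint8_t f[FRAME_LEN] = { 'H','S','W','1', 1, 'a','r','e','a','1','k','e','y' };
    dev_init(&d);
    printf("before=%u ", (unsigned)dev_read_capacity(&d));
    printf("result=%d ", (int)dev_write(&d, f, sizeof f));
    printf("after=%u\n", (unsigned)dev_read_capacity(&d));
    return 0;
}
```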
In a third embodiment, referring to FIG. 2, a file content hidden storage device based on capacity hiding and a multi-file system is arranged in a mobile storage device and is used for storage access of common data and hidden data. It comprises a storage access module, an identity authentication module and a data cleaning module. The storage access module comprises a storage access monitoring unit, a common storage access unit and a plurality of hidden storage access units. The common storage access unit has a file system for common data established in it and is used for storage access of common data; each hidden storage access unit has its own file system for hidden data established in it and is used for storage access of hidden data; and the storage access monitoring unit judges, according to the host access request and the identity authentication module, whether to grant storage access authority to the corresponding hidden storage access unit, and judges, according to the authentication information fed back by the identity authentication module, whether to trigger the data cleaning module.
In a fourth embodiment, referring to FIG. 2, a file content hidden storage device based on capacity hiding and a multi-file system is arranged in a mobile storage device and is used for storage access of common data and hidden data. It comprises a storage access module, an identity authentication module and a data cleaning module. The storage access module comprises a storage access monitoring unit, a common storage access unit and a plurality of hidden storage access units. The common storage access unit has a file system for common data established in it and is used for storage access of common data; each hidden storage access unit has its own file system for hidden data established in it and is used for storage access of hidden data; the storage access monitoring unit judges, according to the host access request and the identity authentication module, whether to grant storage access authority to the corresponding hidden storage access unit, and judges, according to the authentication information fed back by the identity authentication module, whether to trigger the data cleaning module. The identity authentication module performs host identity authentication according to host write operations and comprises a counter unit and an identity authentication unit. The identity authentication unit parses, in the mobile storage device, the data packet of the host's access request, obtains the information of the storage access unit requested, and judges from the file system authority state corresponding to that storage access unit whether identity authentication passes. If it passes, the result is fed back to the storage access monitoring unit; if it does not pass, the counter counts and the result is fed back to the storage access monitoring unit.
The storage access monitoring unit manages the storage areas in the mobile storage device, completes the mapping from host logical addresses to mobile storage device physical addresses, and makes file system access management transparent to the operating system. The storage access monitoring unit acts on the result fed back by the identity authentication module. If identity authentication passes, it grants the host access authority to the corresponding storage access unit; if identity authentication does not pass, it grants the host access authority to the common storage access unit only and judges whether the counter value has reached the preset access-limit count threshold. If so, the data cleaning module is triggered; otherwise identity authentication continues according to host write operations.
The data cleaning module performs the data cleaning operation on the storage access module according to the trigger signal from the storage access monitoring unit.
The present invention divides the storage area of a storage device into several parts: a normal access storage area, hidden access storage area 1, hidden access storage area 2, ……, hidden access storage area n. That is, the physical storage blocks of the storage device are logically divided into several storage areas. When a logical storage area is mapped to a physical storage area, it is identified by a flag byte stored in advance in the redundant area of the physical block; when the flag byte is written with different values, the logical storage area is mapped to different physical storage block areas.
When the master device sends a command requesting the slave device's capacity, the slave device parses the access command. If it is a command for the normal access storage area, the capacity identification information of the normal access storage area is fed back to the master device. If it is a command for a hidden access storage area, identity authentication is required, and after it passes the capacity identification information of the corresponding hidden access storage area i, that is, the capacity of the current storage area, is fed back to the master device. The master device establishes a separate file system in the normal access storage area and in each hidden access storage area by formatting; the formatted capacity depends on the storage area capacity given by the capacity flag byte.
An identity authentication mechanism is established, with an interrupt checking mechanism on the master device side. When a slave device is connected to the master device system, the slave device generates an interrupt request, and the master device interrupts its normal processing and checks the connected device. After the slave device is connected normally, the master device sends identity authentication information and the intelligent processor in the slave device performs identity authentication. If authentication does not pass, the master device can access the slave device's storage only in the normal access storage area; if it passes, the master device can switch freely between the normal access storage area and the configured hidden access storage areas.
Under normal conditions, when the slave device is connected to the master device system the master device enumerates and identifies it, and after the slave device driver is installed successfully the master device accesses the normal access storage area directly. On the master device side the user sends operation commands to the slave device by way of write operations. When the intelligent processor in the slave device receives a command to perform identity authentication, it authenticates the user; after authentication passes, the slave device opens access to the hidden access storage areas to the user, who can then switch freely between the normal access storage area and the hidden access storage areas. Otherwise the command is processed as a normal write operation command. Once the user has obtained super-access authority to the slave device, the file content to be hidden can be stored in a specified hidden access storage area, and after the store operation is complete the storage area is switched back to the normal access storage area.
The mobile storage device in the invention refers to a USB mobile storage device with an intelligent processor. Capacity hiding of the storage device means intercepting the master device's command requesting the device capacity and, when the request is answered, feeding back the capacity value of the corresponding area, which is not the real physical block storage capacity of the slave device. The multi-file system is based on capacity hiding: the storage area is divided into a normal access storage area and a plurality of hidden access storage areas (hidden access storage area 1, hidden access storage area 2, …, hidden access storage area n). When a logical storage area is mapped to a physical storage area, it is identified by a mark byte stored in advance in the redundant area of the physical block, and when different values are written to the mark byte, the logical storage area is mapped to different physical storage block areas. The identity authentication mechanism restricts unauthorized users' access to the hidden access storage areas and protects the security of those areas.
Referring to FIG. 3 and FIG. 4, a file system is established in each access storage area of the mobile storage device, and the file systems are in one-to-one correspondence with the storage areas. After the mobile storage device divides the storage areas, file system parameters corresponding to the storage area capacity are written to the corresponding positions in the storage areas, so that each storage area has an independent file system. Switching of the multi-file system uses the change flag as the trigger for file system switching: when change = 0, the file system does not need to be switched; when change > 0, the current file system is switched to the target file system. The multi-file system uses status as the identifier of the currently accessible file system: when status = 0, the storage area where the current file system is located is the normal access storage area; when status > 0, the storage area where the current file system is located is a hidden access storage area.
The slave device intercepts the master device's command requesting the storage capacity of the slave device. A plurality of independent hidden storage areas are divided from the original storage area, and the master device's accesses to the slave device's storage area are mapped to the individual hidden areas, so that when the master device requests the device capacity, the return value of the command is intercepted and a set capacity value is fed back to the master device. When the slave device is connected to the master device, the slave device monitors the read and write commands sent by the master device. When a user needs to access a hidden storage area, an identity authentication request must be sent to the slave device; a large amount of user authentication data is mixed into a mass of common data, and identity authentication is performed when the intelligent processor in the slave device detects the characteristic data used for identification. After authentication passes, the slave device switches to the file system of the corresponding hidden storage area and maps the physical address space of the hidden area to the logical address space, so that the physical address space of the current file system, to which the host's logical address space is mapped, is replaced by the physical address space of the hidden area. Security protection of the hidden area: when the number of user authentication failures exceeds a preset threshold, the device starts the data clearing module, which clears all data stored on the physical blocks without destroying the file system.
The present invention is not limited to the above-described embodiments, and various changes may be made therein by those skilled in the art, but any changes equivalent or similar to the present invention are intended to be included within the scope of the claims of the present invention.
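As an added illustration that is not part of the patent text, the following C model shows the slave-device behaviour described above: mark-byte mapping, capacity reporting per mounted area, the status identifier, authentication carried in write data, and clearing once the failure threshold is reached. The block layout, the AUTH marker, the credentials, the threshold value and all function names are assumptions; whole-block zeroing stands in for the key-page overwrite, and returning to the normal area without a credential is also an assumption.

```c
/* Added model of the slave-device logic; all values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { PHYS_BLOCKS = 8, BLOCK_SIZE = 16, N_AREAS = 3, CRED_LEN = 8, MAX_FAILS = 3 };

/* Mark byte per physical block (redundant area): 0 = normal, 1..2 = hidden. */
static const uint8_t MARK[PHYS_BLOCKS] = {0, 1, 0, 2, 0, 1, 0, 2};
static const uint8_t MAGIC[4] = {'A', 'U', 'T', 'H'};  /* assumed feature data */
static const uint8_t CRED[N_AREAS][CRED_LEN] = {"", "key-one", "key-two"};

typedef struct {
    uint8_t  flash[PHYS_BLOCKS][BLOCK_SIZE];
    int      log2phy[PHYS_BLOCKS];  /* lookup table for the mounted area */
    uint32_t cap;                   /* blocks in the mounted area */
    int      status;                /* 0 = normal area, >0 = hidden area i */
    int      fails;                 /* failed-authentication counter */
} dev_t;

/* Mount `area`: rebuild the logical-to-physical table from the mark bytes. */
static void remap(dev_t *d, int area) {
    d->cap = 0;
    for (int p = 0; p < PHYS_BLOCKS; p++)
        if (MARK[p] == area) d->log2phy[d->cap++] = p;
    d->status = area;
}
void dev_init(dev_t *d) { memset(d, 0, sizeof *d); remap(d, 0); }
/* Capacity request: only the mounted area's size is ever reported. */
uint32_t dev_capacity(const dev_t *d) { return d->cap; }

static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;               /* constant-time credential comparison */
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Threshold reached: zero every hidden block but keep the mark bytes. */
static void wipe_hidden(dev_t *d) {
    for (int p = 0; p < PHYS_BLOCKS; p++)
        if (MARK[p] != 0) memset(d->flash[p], 0, BLOCK_SIZE);
}

/* Every write is inspected. Returns 0 = written, 1 = area switched,
 * -1 = auth failed, -2 = failed and hidden data cleared, -3 = bad address. */
int dev_write(dev_t *d, uint32_t lba, const uint8_t buf[BLOCK_SIZE]) {
    if (memcmp(buf, MAGIC, sizeof MAGIC) == 0) {
        int target = buf[4];
        /* Assumption: returning to the normal area needs no credential. */
        int ok = target == 0 || (target < N_AREAS &&
                                 ct_equal(buf + 5, CRED[target], CRED_LEN));
        if (ok) { remap(d, target); return 1; }
        remap(d, 0);                /* failure: normal area only */
        if (++d->fails >= MAX_FAILS) { wipe_hidden(d); return -2; }
        return -1;
    }
    if (lba >= d->cap) return -3;
    memcpy(d->flash[d->log2phy[lba]], buf, BLOCK_SIZE);
    return 0;
}

/* Read path uses the same table, so area 0 cannot reach hidden blocks. */
const uint8_t *dev_read(const dev_t *d, uint32_t lba) {
    return lba < d->cap ? d->flash[d->log2phy[lba]] : NULL;
}

int main(void) {
    dev_t d;
    dev_init(&d);
    printf("reported %u of %d blocks\n", (unsigned)dev_capacity(&d), PHYS_BLOCKS);
    return 0;
}
```

Because the marker is matched against ordinary write payloads, host data that happens to begin with the marker is treated as an authentication attempt and counts toward the threshold in this model, which is worth covering in tests of any real implementation.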

Claims (9)

1. A file content hidden storage access method based on capacity hiding and a multi-file system, used for accessing hidden storage data on a peripheral of a host, characterized in that: the storage area of the mobile storage device is divided into a common access storage area and n hidden access storage areas, the n hidden access storage areas being denoted hidden access storage area 1, hidden access storage area 2, …, hidden access storage area n; each access storage area of the storage device is identified by a mark byte in the redundant area of a physical block of the storage device, and mapping from logical storage to physical storage is performed; a file system is established in each access storage area of the mobile storage device, the file systems being in one-to-one correspondence with the storage areas; after the mobile storage device divides the storage areas, file system parameters corresponding to the storage area capacity are written to the corresponding positions in the storage areas, so that each storage area has an independent file system; the master device establishes respective file systems in the common access storage area and the hidden access storage areas by formatting, the formatted capacity depending on the storage area capacity given by the capacity mark byte; the slave device intercepts the master device's command requesting the storage capacity of the slave device, a plurality of independent hidden storage areas are divided from the original storage area, and the master device's accesses to the slave device's storage area are mapped to the individual hidden areas; when the master device requests the device capacity, the return value of the command is intercepted and a set capacity value is fed back to the master device; when the slave device is connected to the master device, the slave device monitors the read and write commands sent by the master device; when a user needs to access a hidden storage area, an identity authentication request is sent to the slave device, the user authentication data being mixed in a pile of common data, and identity authentication is performed when the intelligent processor in the slave device detects the characteristic data used for identification; after authentication passes, the slave device switches to the file system of the corresponding hidden storage area, the physical address space of the hidden area is mapped to the logical address space, and the physical address space of the current file system mapped by the host's logical address space is replaced by the physical address space of the hidden area; the access of the hidden storage data specifically comprises the following steps:
step 1, the host requests the capacity of the mobile storage device; the mobile storage device parses the access request command, determines the access storage area currently requested through address mapping based on the lookup table gLog2Phy[], and judges from the file system of that access storage area whether the requested area is the common access storage area; if it is, the capacity information of the common access storage area is fed back to the host; otherwise, identity authentication is performed: if authentication passes, the capacity information of the requested hidden access storage area is fed back to the host, and if authentication does not pass, the capacity information of the common access storage area is fed back to the host;
step 2, setting a threshold for the access-limit count and initializing the hidden access storage area counter;
step 3, performing identity authentication according to the write operation received by the mobile storage device;
step 4, if authentication passes, the host acquires access authority to the hidden access storage area of the mobile storage device, and execution returns to step 3; if authentication does not pass, the host acquires access authority to the common access storage area of the mobile storage device, and the hidden access storage area counter is incremented by 1;
step 5, judging whether the counter value has reached the threshold for the access-limit count; if so, performing the data self-destruction operation of the hidden access storage area, clearing the data of the current hidden access storage area using a data clearing method based on key page overwriting, and returning to step 3; otherwise, returning directly to step 3.
2. The file content hidden storage access method based on capacity hiding and a multi-file system as claimed in claim 1, wherein: the host in step 3 acquiring access authority to the hidden access storage area of the mobile storage device specifically means that the host switches freely between the common access storage area and the n hidden access storage areas according to its access requests.
3. The file content hidden storage access method based on capacity hiding and a multi-file system as claimed in claim 1, wherein: the host in step 3 acquiring access authority to the common access storage area of the mobile storage device specifically means that the host is restricted to requesting access only in the common access storage area.
4. The file content hidden storage access method based on capacity hiding and a multi-file system as claimed in any one of claims 1 to 3, wherein: the identity authentication specifically comprises the following: after the mobile storage device is connected to the host, the host enumerates and identifies the mobile storage device, and after the mobile storage device driver is successfully installed, the host directly obtains access authority to the common access storage area; the host initiates storage area switching by performing a write operation that sends a CBW instruction packet to the mobile storage device, and the mobile storage device parses the instruction packet and judges whether to give the host storage area switching authority.
5. The file content hidden storage access method based on capacity hiding and a multi-file system as claimed in claim 4, wherein: the mobile storage device parsing the instruction packet and judging whether to give the host storage area switching authority specifically means that the mobile storage device parses the instruction packet, reads the authority variable of the file system corresponding to the currently accessed storage area, and judges according to the authority variable whether to give the host the requested access authority.
6. A file content hidden storage device based on capacity hiding and a multi-file system, located in a mobile storage device and used for storage access of common data and hidden data, comprising a storage access module, an identity authentication module and a data cleaning module, characterized in that: it is implemented according to the file content hidden storage access method of claim 1, wherein the storage access module comprises a storage access monitoring unit, a common storage access unit and a plurality of hidden storage access units; the common storage access unit has a file system for common data established in it and is used for storage access of the common data; the hidden storage access units each have a file system for hidden data established in them and are used for storage access of the hidden data; and the storage access monitoring unit judges, according to the host access request and the identity authentication module, whether to give storage access authority to the corresponding hidden storage access unit, and judges, according to the authentication information fed back by the identity authentication module, whether to trigger the data cleaning module.
7. The file content hidden storage device based on capacity hiding and a multi-file system as claimed in claim 6, wherein: the identity authentication module performs host identity authentication according to host write operations and comprises a counter unit and an identity authentication unit; the identity authentication unit parses, through the mobile storage device, the data packet of the host's access request, acquires the information of the storage access unit requested, and judges whether identity authentication passes according to the file system authority state corresponding to that storage access unit; if identity authentication passes, the result is fed back to the storage access monitoring unit; if identity authentication does not pass, the counter counts and the result is fed back to the storage access monitoring unit.
8. The file content hidden storage device based on capacity hiding and a multi-file system as claimed in claim 7, wherein: the storage access monitoring unit acts on the result fed back by the identity authentication module: if identity authentication passes, the storage access monitoring unit gives the host access authority to the corresponding storage access unit; if identity authentication does not pass, the storage access monitoring unit gives the host access authority to the common storage access unit only, and judges whether the counter value has reached the preset access-limit count threshold; if so, the data cleaning module is triggered, otherwise identity authentication continues according to host write operations.
9. The file content hidden storage device based on capacity hiding and a multi-file system as claimed in claim 6, wherein: the data cleaning module performs a data cleaning operation on the storage access module in response to the trigger signal of the storage access monitoring unit.
CN201611080008.9A 2016-11-30 2016-11-30 File content hidden storage access method based on capacity hiding and multi-file system and storage device thereof Active CN106709361B (en)

Publications (2)

Publication Number Publication Date
CN106709361A 2017-05-24
CN106709361B 2020-03-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant