CN115834694A - Data storage method, device, storage chip and computer readable storage medium - Google Patents


Publication number
CN115834694A
Authority
CN
China
Prior art keywords
security level
data
key
storage
plaintext data
Legal status
Pending
Application number
CN202211423824.0A
Other languages
Chinese (zh)
Inventor
陈法妙
骆韶聪
Current Assignee
Guangzhou Zhono Electronic Technology Co ltd
Original Assignee
Guangzhou Zhono Electronic Technology Co ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data storage method, a data storage device, a storage chip and a computer-readable storage medium, wherein the storage chip comprises a calculation unit and a storage unit which are in communication connection, the storage unit comprises a plurality of storage areas, and different storage areas correspond to different security levels. When receiving the plaintext data, the computing unit determines a target security level corresponding to the plaintext data, and then judges whether the plaintext data needs to be encrypted or not based on the target security level; if the plaintext data needs to be encrypted, acquiring an encryption key corresponding to the plaintext data according to the target security level; and finally, encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the target security level. Therefore, the storage unit is divided into a plurality of storage areas, and different storage areas store ciphertext data corresponding to different security levels, so that partitioned management of the data is realized, and data confusion caused by unified management is avoided.

Description

Data storage method, device, storage chip and computer readable storage medium
Technical Field
The invention relates to the field of data storage, in particular to a data storage method, a data storage device, a storage chip and a computer readable storage medium.
Background
With the coming of the information explosion age, the modern information technology runs through our lives all the time, such as shopping through internet, chatting or browsing web pages through mobile phones. In the information interaction process, information data is inevitably intercepted, copied and even tampered and utilized, so in order to cope with the situation, a security chip with encryption countermeasures and security authentication functions is usually adopted in the prior art to encrypt the information, but the prior art uniformly manages the encrypted data, and management confusion is easily caused.
Disclosure of Invention
The present invention is directed to a data storage method, device, storage chip and computer readable storage medium, so as to solve the problems of the prior art.
Embodiments of the invention may be implemented as follows:
in a first aspect, the present invention provides a data storage method, which is applied to a computing unit of a memory chip, wherein the memory chip further includes a memory unit in communication connection with the computing unit, the memory unit includes a plurality of memory areas, and different memory areas correspond to different security levels; the method comprises the following steps:
receiving plaintext data and determining a target security level corresponding to the plaintext data;
judging whether the plaintext data needs to be encrypted or not based on the target security level;
if the plaintext data needs to be encrypted, acquiring an encryption key corresponding to the plaintext data according to the target security level;
and encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the target security level.
In an optional embodiment, the target security level is one of a first security level, a second security level, a third security level and a fourth security level, and the data encryption requirements corresponding to the first security level, the second security level, the third security level and the fourth security level decrease in sequence;
the step of determining whether the plaintext data needs to be encrypted based on the target security level includes:
if the target security level is the first security level, the second security level or the third security level, confirming that the plaintext data needs to be encrypted;
and if the target security level is the fourth security level, confirming that the plaintext data does not need to be encrypted.
In an alternative embodiment, the method further comprises:
and if the plaintext data does not need to be encrypted, performing out-of-order processing on the plaintext data to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the fourth security level.
In an optional embodiment, the target security level is one of a first security level, a second security level, a third security level and a fourth security level, and data encryption requirements corresponding to the first security level, the second security level, the third security level and the fourth security level are sequentially reduced;
the step of obtaining the encryption key corresponding to the plaintext data according to the target security level includes:
when the target security level is the first security level, acquiring a first key and a second key corresponding to the plaintext data;
when the target security level is the second security level, acquiring a first key corresponding to the plaintext data;
when the target security level is the third security level, acquiring a second key corresponding to the plaintext data;
wherein the first key and the second key are generated by the computing unit in real time based on the plaintext data; or, the storage unit further includes a temporary storage area for storing a plurality of keys, and the first key and the second key are obtained by the calculation unit by searching from the temporary storage area.
In an optional embodiment, the plurality of storage areas include a first area, a second area, a third area, and a fourth area corresponding to the first security level, the second security level, the third security level, and the fourth security level one to one;
the step of encrypting the plaintext data by using the encryption key to obtain ciphertext data and storing the ciphertext data in a storage area corresponding to the target security level includes:
randomly inserting the first key and the second key into the plaintext data to obtain ciphertext data, and storing the ciphertext data into the first area; or,
randomly inserting the first key into the plaintext data to obtain ciphertext data, and storing the ciphertext data to the second area; or,
and randomly inserting the second key into the plaintext data to obtain the ciphertext data, and storing the ciphertext data to the third area.
In an alternative embodiment, the computing unit comprises one of a central processing unit CPU, a network processor NP, a microprocessor DSP, a field programmable gate array FPGA.
In an optional embodiment, the computing unit includes a processing module, and a first encryption and decryption module and a second encryption and decryption module electrically connected to the processing module, and the processing module, the first encryption and decryption module, and the second encryption and decryption module are all in communication connection with the storage unit;
the first encryption and decryption module is used for generating the first key;
the second encryption and decryption module is used for generating the second key; the first key is more complex than the second key;
the first encryption and decryption module and the second encryption and decryption module are all programmable logic devices.
In a second aspect, the present invention provides a data storage device, which is applied to a computing unit of a memory chip, wherein the memory chip further includes a memory unit communicatively connected to the computing unit, the memory unit includes a plurality of memory areas, and different memory areas correspond to different security levels; the device comprises:
the data receiving module is used for receiving plaintext data and determining a target security level corresponding to the plaintext data;
the data receiving module is further configured to determine whether the plaintext data needs to be encrypted based on the target security level;
the key acquisition module is used for acquiring an encryption key corresponding to the plaintext data according to the target security level when the plaintext data needs to be encrypted;
and the data encryption module is used for encrypting the plaintext data by using the encryption key to obtain ciphertext data and storing the ciphertext data into a storage area corresponding to the target security level.
In a third aspect, the present invention provides a memory chip, including a computing unit and a memory unit communicatively connected to the computing unit, where the memory unit includes a plurality of memory areas; the computing unit is used for realizing the data storage method in any one of the previous embodiments.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the data storage method of any one of the preceding embodiments.
Compared with the prior art, the embodiment of the invention provides a data storage method, a data storage device, a storage chip and a computer-readable storage medium, wherein the storage chip comprises a computing unit and a storage unit in communication connection with the computing unit, the storage unit comprises a plurality of storage areas, and different storage areas correspond to different security levels. When receiving the plaintext data, the computing unit determines a target security level corresponding to the plaintext data, and then judges whether the plaintext data needs to be encrypted or not based on the target security level; if the plaintext data needs to be encrypted, acquiring an encryption key corresponding to the plaintext data according to the target security level; and finally, encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the target security level. Therefore, the storage unit is divided into a plurality of storage areas, and different storage areas store ciphertext data corresponding to different security levels, so that partitioned management of the data is realized, and data confusion caused by unified management is avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a memory chip according to an embodiment of the present invention.
Fig. 2 is a second schematic structural diagram of a memory chip according to an embodiment of the invention.
Fig. 3 is a schematic flowchart of a data storage method according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a data storage device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Furthermore, the appearances of the terms "first," "second," and the like, if any, are only used to distinguish one description from another and are not to be construed as indicating or implying relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
In the prior art, a security chip having encryption countermeasures and security authentication functions is generally used to encrypt information. Therefore, on the premise of ensuring the integrity of data, the decryption difficulty of the information data can be greatly improved by using the data encryption and data storage or reading authentication functions, and even if the information data is intercepted or copied, the information data cannot be decrypted easily.
However, in current security chips, data is encrypted and then stored in the in-chip storage area, and data can be stored in the in-chip storage area only after identity authentication is passed. When the security chip receives a large number of read-write requests, a correspondingly large number of identity authentication processes are required, which can overload the processing module of the security chip, reduce the read-write speed of the security chip, and seriously slow down the other modules in the chip.
In view of this, embodiments of the present invention provide a data storage method, which can divide a storage unit into multiple storage areas, where different storage areas store ciphertext data corresponding to different security levels, so as to implement partition management on data and avoid data confusion caused by unified management. The following detailed description is made by way of examples, with reference to the accompanying drawings.
Here, an application scenario of the present solution is introduced first.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a memory chip 100 according to an embodiment of the present invention. The memory chip 100 includes a computing unit 110 and a memory unit 120 communicatively connected to the computing unit 110, where the memory unit 120 includes a plurality of memory areas, and different memory areas correspond to different security levels. The computing unit 110 is used to implement the data storage method of the following embodiments.
In an alternative example, the plurality of storage areas may include a first area, a second area, a third area, a fourth area, and a temporary storage area. Correspondingly, the security levels corresponding to the first area, the second area, the third area, and the fourth area may be: a first security level, a second security level, a third security level, and a fourth security level.
The security level may represent an encryption requirement for the data, and correspondingly, the encryption requirements for the data of the first security level, the second security level, the third security level, and the fourth security level may be sequentially decreased. The temporary storage area may be used to store a plurality of keys generated by the computing unit 110 in advance and key positions of some keys in the data.
The memory chip 100 may be any chip including the memory unit 120, and the memory unit 120 may be, but is not limited to: Random Access Memory (RAM), Flash memory (Flash), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
It will be appreciated that the structure shown in fig. 1 is merely illustrative, and that the memory chip 100 may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
In an alternative embodiment, the computing unit 110 includes one of a central processing unit CPU, a Network Processor (NP), a microprocessor (DSP), and a Field Programmable Gate Array (FPGA).
In another alternative embodiment, referring to fig. 2 in combination with fig. 1, the computing unit 110 may include a processing module, and a first encryption/decryption module and a second encryption/decryption module electrically connected to the processing module, and the processing module, the first encryption/decryption module, and the second encryption/decryption module are all communicatively connected to the storage unit 120.
The first encryption and decryption module and the second encryption and decryption module can be programmable logic devices. The first encryption and decryption module is used for generating a first key, and the second encryption and decryption module is used for generating a second key; the first key is more complex than the second key.
It can be understood that the first key and the second key may be generated in real time, or may be generated in advance by the first encryption and decryption module and the second encryption and decryption module respectively and stored in the temporary storage area.
Referring to fig. 3, fig. 3 is a schematic flow chart of a data storage method according to an embodiment of the present invention, where an execution subject of the method is a computing unit of the memory chip. The data storage method comprises the following steps:
S110, receiving the plaintext data and determining a target security level corresponding to the plaintext data.
In an alternative example, the computing unit may be preset with a security policy corresponding to each security level, for example, the security policy may be in the form of a regular expression. Therefore, after the computing unit receives the plaintext data, the content of the plaintext data obtained by analysis can be matched with a plurality of security policies, and when one security policy is matched, the security level corresponding to the security policy is the target security level corresponding to the plaintext data.
In another alternative example, the plaintext data may include a security level flag, and the target security level may be determined based on the security level flag.
In this embodiment, the security level may characterize the encryption requirements for the data, i.e., the target security level may characterize the encryption requirements for the plaintext data.
S120, judging whether the plaintext data needs to be encrypted or not based on the target security level.
It will be appreciated that not all data stored in the storage unit needs to be encrypted: data with high encryption requirements needs to be encrypted, while data with lower encryption requirements does not. Since the security level indicates the encryption requirement for the data, whether the plaintext data needs to be encrypted can be determined based on the target security level; if so, the following steps S130 to S140 are performed.
S130, acquiring an encryption key corresponding to the plaintext data according to the target security level.
It is understood that the encryption key corresponding to the plaintext data may be generated by the computing unit in real time, or may be obtained by looking it up in the temporary storage area.
S140, encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the target security level.
For example, if the plaintext data consists of the bytes abc, the byte positions can first be swapped to give bac, and the result is then encrypted by using the encryption key.
Optionally, in order to further improve the security of the information data, the data may undergo this position replacement before being encrypted by using the encryption key.
According to the data storage method provided by the embodiment of the invention, the storage unit is divided into a plurality of storage areas, and different storage areas correspond to different security levels. When receiving the plaintext data, the computing unit determines a target security level corresponding to the plaintext data, and then judges whether the plaintext data needs to be encrypted based on the target security level; if the plaintext data needs to be encrypted, acquiring an encryption key corresponding to the plaintext data according to the target security level; and finally, encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the target security level. Therefore, the storage unit is divided into a plurality of storage areas, and different storage areas store ciphertext data corresponding to different security levels, so that partitioned management of the data is realized, and data confusion caused by unified management is avoided.
In an optional embodiment, the target security level is one of a first security level, a second security level, a third security level and a fourth security level, and the data encryption requirements corresponding to the first security level, the second security level, the third security level and the fourth security level may be sequentially decreased. Correspondingly, the sub-step of the step S120 may include:
S121, if the target security level is the first security level, the second security level or the third security level, confirming that the plaintext data needs to be encrypted.
S122, if the target security level is the fourth security level, confirming that the plaintext data does not need to be encrypted.
In an alternative embodiment, the plurality of storage areas divided by the storage unit may include a first area, a second area, a third area, and a fourth area, which correspond to the first security level, the second security level, the third security level, and the fourth security level in a one-to-one manner. Correspondingly, with reference to fig. 2, if it is confirmed that the plaintext data does not need to be encrypted, the computing unit may execute the following step S150.
S150, carrying out out-of-order processing on the plaintext data to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the fourth security level.
That is, if the target security level of the plaintext data is the fourth security level, the plaintext data may be directly subjected to the out-of-order processing to obtain ciphertext data, and the ciphertext data may be stored in the fourth region. Alternatively, if the plaintext data can be disclosed, the plaintext data may be directly stored in the fourth area.
It should be noted that, for data to be stored in the first area, the second area, or the third area, keys used for encryption processing may be different. For example, the key may include a first key and a second key, and the first key may have a higher complexity than the second key.
The following describes how the encryption key is obtained and how encryption is performed for each target security level.
The substep of S130 includes three steps S131 to S133:
S131, when the target security level is the first security level, acquiring a first key and a second key corresponding to the plaintext data.
Therefore, when the target security level is the first security level, the encryption key required by the plaintext data is the first key and the second key, and at this time, the sub-step of S140 includes S141, randomly inserting the first key and the second key into the plaintext data to obtain ciphertext data, and storing the ciphertext data in the first region.
S132, when the target security level is the second security level, acquiring a first key corresponding to the plaintext data.
Therefore, when the target security level is the second security level, the encryption key required by the plaintext data is only the first key, and in this case, the sub-step of S140 includes S142, randomly inserting the first key into the plaintext data to obtain ciphertext data, and storing the ciphertext data in the second region.
S133, when the target security level is the third security level, acquiring a second key corresponding to the plaintext data.
Therefore, when the target security level is the third security level, the encryption key required by the plaintext data is only the second key, and in this case, the sub-step of S140 includes S143, randomly inserting the second key into the plaintext data to obtain ciphertext data, and storing the ciphertext data in the third area.
It should be noted that, with reference to fig. 1, the first secret key and the second secret key may be generated by the computing unit in real time based on plaintext data, or may be obtained by the computing unit by searching from a temporary storage area.
With reference to fig. 1, the processing module may request the first key and/or the second key from the first encryption/decryption module and/or the second encryption/decryption module based on the target security level; the first encryption/decryption module and the second encryption/decryption module then generate the first key and the second key in real time, respectively, and feed them back to the processing module. Alternatively, the first encryption and decryption module and the second encryption and decryption module may respectively generate a plurality of first keys and a plurality of second keys in advance and store them in the temporary storage area. The processing module then only needs to look up the required first key and/or second key in the temporary storage area, use it to encrypt the plaintext data to obtain ciphertext data, and store the ciphertext data in the corresponding storage area. In this way the first encryption and decryption module and the second encryption and decryption module do not need to generate the first key and the second key in real time, which reduces their calculation load.
For ease of understanding, a simple example of processing plaintext data is shown below.
It is assumed that the first key is ① and the second key is ②, and that ① and ② are each composed of different fields. It is assumed that the plaintext data received by the calculation unit is abc (a/b/c each represents a byte consisting of N bits).
(1) When the target security level of abc is determined as the first security level, ① and ② are needed, and randomly inserting ① and ② into abc yields ciphertext data, which may be, but is not limited to, one of the following:
①②abc、①a②bc、①ab②c、①abc②、abc②①、②①abc、②a①bc、②ab①c、②abc①、abc①②。
Assuming that the resulting ciphertext data is ①ab②c, then ①ab②c is stored in the first region.
(2) When the target security level of abc is determined as the second security level, ① is needed, and ① is randomly inserted into abc to obtain ciphertext data, which has four possibilities: ①abc, a①bc, ab①c and abc①.
Assuming that the resulting ciphertext data is a①bc.
(3) When the target security level of abc is determined as the third security level, ② is needed, and ② is randomly inserted into abc to obtain ciphertext data, which has four possibilities: ②abc, a②bc, ab②c and abc②.
Assuming that the resulting ciphertext data is ab②c, ab②c is stored in the third region.
(4) When the target security level of abc is determined to be the fourth security level, abc is directly subjected to out-of-order processing without a key to obtain ciphertext data, which has five possibilities: acb, bac, bca, cab and cba.
Assuming that the resulting ciphertext data is cba, cba is stored to the fourth area. If abc can be directly disclosed, it may be stored directly in the fourth area.
It should be noted that the above example is only an example for understanding, and in practical applications, the form of plaintext data and the form of encryption key are subject to practical application conditions.
Three different ways of generating the key are described below.
1) Addition encryption algorithm: K = x + a; corresponding subtraction decryption algorithm: x = K - a;
2) XOR encryption algorithm: K = x ^ b; corresponding XOR decryption algorithm: x = K ^ b;
3) Displacement (shift) encryption algorithm: K = x << c; corresponding displacement decryption algorithm: x = K >> c;
wherein K represents the generated key; x represents a variable value, and can be an encryption flag bit in plaintext data or a receiving timestamp corresponding to the plaintext data; a, b, c represent different fixed values.
With reference to the above example, when the target security level of the plaintext data is the first security level, the first key ① may be generated by using a displacement encryption algorithm, and the second key ② may be generated by using an exclusive-or encryption algorithm; when the target security level of the plaintext data is the second security level, a second key ② can be generated by using an exclusive-or encryption algorithm; when the target security level of the plaintext data is the third security level, the second key ② may be generated using an addition encryption algorithm. It is to be understood that this is only an example; the manner of generating the key used in practical applications depends on the actual situation and is not limited herein.
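The S110 to S150 flow and the three key formulas above can be sketched as follows; this is an added example in Python, not code from the patent. The one-byte level flag, the constants a, b, c, the 4-byte key width, deriving the first key by shift and the second by XOR, and recording the level-four permutation in the temporary storage area are all assumptions. The `in_order_within` check shows a property of insertion as described: every plaintext byte stays in the stored record, unchanged and in order.

```python
import random

# Constructed constants: the page only says a, b, c are "different fixed values".
A, B, C = 0x1234, 0xBEEF, 4
KEY_BYTES = 4  # assumed key width; x is kept to 16 bits so the shift loses nothing


def key_add(x):    # 1) K = x + a   (inverse: x = K - a)
    return x + A


def key_xor(x):    # 2) K = x ^ b   (inverse: x = K ^ b)
    return x ^ B


def key_shift(x):  # 3) K = x << c  (inverse: x = K >> c)
    return x << C


def keys_for_level(level, x):
    """S131-S133: level 1 -> first and second key, 2 -> first key, 3 -> second key.
    Assumption: first key from the shift formula, second key from XOR."""
    first = key_shift(x).to_bytes(KEY_BYTES, "big")
    second = key_xor(x).to_bytes(KEY_BYTES, "big")
    return {1: [first, second], 2: [first], 3: [second]}[level]


def insert_keys(payload, keys, rng):
    """S141-S143: insert each key, as one unit, at a random gap in the payload.
    Returns the stored bytes and the (offset, length) of every key in them."""
    tokens = [(bytes([b]), False) for b in payload]
    for k in keys:
        tokens.insert(rng.randrange(len(tokens) + 1), (k, True))
    stored, spans = bytearray(), []
    for chunk, is_key in tokens:
        if is_key:
            spans.append((len(stored), len(chunk)))
        stored += chunk
    return bytes(stored), spans


def in_order_within(payload, stored):
    """True if every payload byte occurs in stored, in the original order."""
    it = iter(stored)
    return all(b in it for b in payload)


class MemoryChip:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.regions = {1: [], 2: [], 3: [], 4: []}  # first..fourth area
        self.temp = {}  # temporary storage area: (level, index) -> positions

    def store(self, record, x):
        """record = 1-byte security level flag + payload (constructed layout);
        x = variable value for key generation, e.g. a receive timestamp."""
        level, payload = record[0], record[1:]            # S110
        if level not in self.regions:
            raise ValueError("unknown security level")
        if level == 4:                                    # S122 + S150: no key
            order = list(range(len(payload)))
            self.rng.shuffle(order)
            stored, meta = bytes(payload[i] for i in order), order
        else:                                             # S121, S130, S140
            stored, meta = insert_keys(payload, keys_for_level(level, x), self.rng)
        self.regions[level].append(stored)
        index = len(self.regions[level]) - 1
        self.temp[(level, index)] = meta
        return level, index

    def load(self, level, index):
        stored, meta = self.regions[level][index], self.temp[(level, index)]
        if level == 4:                                    # undo the permutation
            out = bytearray(len(stored))
            for pos, src in enumerate(meta):
                out[src] = stored[pos]
            return bytes(out)
        buf = bytearray(stored)
        for off, n in sorted(meta, reverse=True):         # strip keys, last first
            del buf[off:off + n]
        return bytes(buf)


def demo():
    """Store the page's sample plaintext abc at each level and read it back."""
    chip, x = MemoryChip(), 0x0BEE  # x: constructed 16-bit timestamp value
    results = {}
    for level in (1, 2, 3, 4):
        lvl, idx = chip.store(bytes([level]) + b"abc", x)
        stored = chip.regions[lvl][idx]
        results[level] = (stored, chip.load(lvl, idx), in_order_within(b"abc", stored))
    return results


if __name__ == "__main__":
    for level, (stored, recovered, exposed) in demo().items():
        print(level, stored.hex(), recovered, exposed)
```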
In an optional embodiment, in order to increase the difficulty of cracking the data, the data in any storage area in the storage unit may be reordered once every preset period. In an optional example, the storage unit may reorder each piece of ciphertext data once every preset period on the basis of the timestamp of that ciphertext data; or, for a given piece of ciphertext data in any storage area, the computing unit controls the storage unit to reorder that ciphertext data once every preset period.
For example, assuming that the preset period is T = 2 h, for a piece of ciphertext data in the first area, the byte orderings obtained by reordering the ciphertext data in different preset periods (e.g., T1 to T8) may be as shown in Table (1) below:
Table (1)
T/hour | A-zone information data byte ordering
T1 | ①abc②
T2 | ①ab②c
T3 | ①a②bc
T4 | ①②abc
T5 | ②①abc
T6 | ②a①bc
T7 | ②ab①c
T8 | ②abc①
Therefore, the byte segments of the ciphertext data in the storage unit are ordered differently in different preset periods, which increases the difficulty of cracking the information data of the storage chip. The second area, the third area and the fourth area are processed similarly, and details are not repeated here.
For the approach in which keys are stored in the temporary storage area in advance, a given key may be marked as a flag bit among the keys, and by default a key marked as a flag bit always remains unchanged; that is, once a key is locked as the flag bit, the key is locked (it may be understood that the position of the key in the encryption result obtained by encrypting with that key is fixed, does not change with the time period, and cannot move within that field segment). For example, for the ciphertext data (1) abc (2), when (1) is locked as the flag bit in advance, the ciphertext data obtained by reordering every preset period can only be: (1) abc (2), (1) ab (2), (1) a (2).
Therefore, the actual content of the key (1) and the key position of the key (1) in the encrypted data can be bound and stored in the temporary storage area. Correspondingly, when encryption/decryption is needed, the actual key content and the corresponding key position are directly taken out from the temporary storage area to be subjected to encryption processing or decryption processing, so that the calculation load of the calculation unit is reduced.
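The reordering schedule of Table (1) and the use of stored key positions for decryption, as an added C example that is not part of the patent text. The single-byte markers '1' and '2' stand in for keys ① and ②, the extension of the table's pattern to n plaintext bytes is an assumption, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build the stored byte sequence for period t (1-based) from n plaintext
 * bytes and two one-byte key markers. Periods 1..n+1 keep k1 first while k2
 * walks from the end toward the front; periods n+2..2(n+1) keep k2 first
 * while k1 walks toward the end, as in Table (1). out must hold n + 3 bytes.
 * The key positions are returned so they can be stored next to the keys. */
int layout_for_period(size_t t, const char *plain, char k1, char k2,
                      char *out, size_t *pos1, size_t *pos2)
{
    size_t n = strlen(plain), half = n + 1, src = 0;
    if (t < 1 || t > 2 * half) return -1;
    if (t <= half) { *pos1 = 0; *pos2 = half - (t - 1); }
    else           { *pos2 = 0; *pos1 = t - half; }
    for (size_t i = 0; i < n + 2; i++) {
        if (i == *pos1)      out[i] = k1;
        else if (i == *pos2) out[i] = k2;
        else                 out[i] = plain[src++];
    }
    out[n + 2] = '\0';
    return 0;
}

/* Recover the plaintext from the stored bytes using the recorded key
 * positions; rejects positions that are out of range or identical. */
int strip_keys(const char *stored, size_t pos1, size_t pos2, char *plain_out)
{
    size_t len = strlen(stored), dst = 0;
    if (len < 2 || pos1 >= len || pos2 >= len || pos1 == pos2) return -1;
    for (size_t i = 0; i < len; i++)
        if (i != pos1 && i != pos2) plain_out[dst++] = stored[i];
    plain_out[dst] = '\0';
    return 0;
}

int main(void)
{
    char stored[16], plain[16];
    size_t p1, p2;
    for (size_t t = 1; t <= 8; t++) {           /* T1..T8 for plaintext "abc" */
        layout_for_period(t, "abc", '1', '2', stored, &p1, &p2);
        strip_keys(stored, p1, p2, plain);
        printf("T%zu %s -> %s\n", t, stored, plain);
    }
    return 0;
}
```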
It should be noted that, the execution sequence of each step in the foregoing method embodiments is not limited to that shown in the drawings, and the execution sequence of each step is subject to the practical application.
In order to carry out the corresponding steps in the above-described method embodiments and in the various possible embodiments, an implementation of a data storage device is given below.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a data storage device 200 according to an embodiment of the present invention. The data storage device 200 is applied to a computing unit of a memory chip, and the memory chip further comprises a storage unit which is in communication connection with the computing unit, wherein the storage unit comprises a plurality of storage areas, and different storage areas correspond to different security levels. The data storage device 200 includes: a data receiving module 210, a key obtaining module 220 and a data encrypting module 230.
The data receiving module 210 is configured to receive plaintext data and determine a target security level corresponding to the plaintext data.
The data receiving module 210 is further configured to determine whether the plaintext data needs to be encrypted based on the target security level.
The key obtaining module 220 is configured to obtain an encryption key corresponding to the plaintext data according to the target security level when the plaintext data needs to be encrypted.
The data encryption module 230 is configured to encrypt plaintext data by using an encryption key to obtain ciphertext data, and store the ciphertext data in a storage area corresponding to the target security level.
In an optional embodiment, the target security level is one of a first security level, a second security level, a third security level, and a fourth security level, and the data encryption requirements corresponding to the first security level, the second security level, the third security level, and the fourth security level decrease in sequence. The data receiving module 210 may specifically be configured to: if the target security level is the first security level, the second security level or the third security level, confirm that the plaintext data needs to be encrypted; and if the target security level is the fourth security level, confirm that the plaintext data does not need to be encrypted.
In an alternative embodiment, the key obtaining module 220 is further configured to: and if the plaintext data does not need to be encrypted, performing out-of-order processing on the plaintext data to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the fourth security level.
In an alternative embodiment, the data encryption module 230 may specifically be configured to: when the target security level is the first security level, acquiring a first key and a second key corresponding to the plaintext data; when the target security level is the second security level, acquiring a first key corresponding to the plaintext data; when the target security level is the third security level, acquiring a second key corresponding to the plaintext data; wherein the first key and the second key are generated by the computing unit in real time based on the plaintext data; or, the storage unit further includes a temporary storage area for storing a plurality of keys, and the first key and the second key are obtained by the calculation unit by searching from the temporary storage area.
In an optional embodiment, the plurality of storage areas include a first area, a second area, a third area, and a fourth area corresponding to the first security level, the second security level, the third security level, and the fourth security level in a one-to-one manner. The data encryption module 230 may be specifically configured to: randomly inserting the first key and the second key into the plaintext data to obtain ciphertext data, and storing the ciphertext data into the first area; or, the first key is randomly inserted into the plaintext data to obtain the ciphertext data, and the ciphertext data is stored in the second area; or, the second key is randomly inserted into the plaintext data to obtain the ciphertext data, and the ciphertext data is stored in the third area.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the data storage device 200 described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the data storage method disclosed in the above embodiment. The readable storage medium may be, but is not limited to: various media capable of storing program code, such as a U disk, a removable hard disk, a ROM, a RAM, a PROM, an EPROM, an EEPROM, a FLASH disk, or an optical disk.
To sum up, the embodiment of the present invention provides a data storage method, an apparatus, a storage chip and a computer-readable storage medium, where the storage chip includes a computing unit and a storage unit in communication connection with the computing unit, the storage unit includes a plurality of storage areas, and different storage areas correspond to different security levels. When receiving the plaintext data, the computing unit determines a target security level corresponding to the plaintext data, and then judges whether the plaintext data needs to be encrypted or not based on the target security level; if the plaintext data needs to be encrypted, acquiring an encryption key corresponding to the plaintext data according to the target security level; and finally, encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the target security level. Therefore, the storage unit is divided into a plurality of storage areas, and different storage areas store ciphertext data corresponding to different security levels, so that partitioned management of the data is realized, and data confusion caused by unified management is avoided.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. The data storage method is characterized in that the data storage method is applied to a computing unit of a storage chip, the storage chip further comprises a storage unit which is in communication connection with the computing unit, the storage unit comprises a plurality of storage areas, and different storage areas correspond to different security levels; the method comprises the following steps:
receiving plaintext data and determining a target security level corresponding to the plaintext data;
judging whether the plaintext data needs to be encrypted or not based on the target security level;
if the plaintext data needs to be encrypted, acquiring an encryption key corresponding to the plaintext data according to the target security level;
and encrypting the plaintext data by using the encryption key to obtain ciphertext data, and storing the ciphertext data to a storage area corresponding to the target security level.
2. The method according to claim 1, wherein the target security level is one of a first security level, a second security level, a third security level and a fourth security level, and data encryption requirements corresponding to the first security level, the second security level, the third security level and the fourth security level are sequentially decreased;
the step of determining whether the plaintext data needs to be encrypted based on the target security level includes:
if the target security level is the first security level, the second security level or the third security level, confirming that the plaintext data needs to be encrypted;
and if the target security level is the fourth security level, confirming that the plaintext data does not need to be encrypted.
3. The method of claim 2, further comprising:
and if the plaintext data does not need to be encrypted, performing out-of-order processing on the plaintext data to obtain ciphertext data, and storing the ciphertext data into a storage area corresponding to the fourth security level.
4. The method according to claim 1, wherein the target security level is one of a first security level, a second security level, a third security level and a fourth security level, and data encryption requirements corresponding to the first security level, the second security level, the third security level and the fourth security level are sequentially reduced;
the step of obtaining the encryption key corresponding to the plaintext data according to the target security level comprises:
when the target security level is the first security level, acquiring a first key and a second key corresponding to the plaintext data;
when the target security level is the second security level, acquiring a first key corresponding to the plaintext data;
when the target security level is the third security level, acquiring a second key corresponding to the plaintext data;
wherein the first key and the second key are generated by the computing unit in real time based on the plaintext data; or, the storage unit further includes a temporary storage area for storing a plurality of keys, and the first key and the second key are obtained by the calculation unit by searching from the temporary storage area.
5. The method of claim 4, wherein the plurality of storage regions comprises a first region, a second region, a third region, and a fourth region in one-to-one correspondence with the first security level, the second security level, the third security level, and the fourth security level;
the step of encrypting the plaintext data by using the encryption key to obtain ciphertext data and storing the ciphertext data in a storage area corresponding to the target security level includes:
randomly inserting the first key and the second key into the plaintext data to obtain ciphertext data, and storing the ciphertext data into the first area; or,
randomly inserting the first key into the plaintext data to obtain ciphertext data, and storing the ciphertext data to the second area; or,
and randomly inserting the second key into the plaintext data to obtain the ciphertext data, and storing the ciphertext data to the third area.
6. The method according to claim 1, wherein the computing unit comprises one of a central processing unit CPU, a network processor NP, a microprocessor DSP, a field programmable gate array FPGA.
7. The method according to claim 4, wherein the computing unit comprises a processing module, and a first encryption/decryption module and a second encryption/decryption module electrically connected to the processing module, and the processing module, the first encryption/decryption module and the second encryption/decryption module are all communicatively connected to the storage unit;
the first encryption and decryption module is used for generating the first key;
the second encryption and decryption module is used for generating the second key; the first key is more complex than the second key;
the first encryption and decryption module and the second encryption and decryption module are all programmable logic devices.
8. The data storage device is characterized by being applied to a computing unit of a storage chip, wherein the storage chip further comprises a storage unit which is in communication connection with the computing unit, the storage unit comprises a plurality of storage areas, and different storage areas correspond to different security levels; the device comprises:
the data receiving module is used for receiving plaintext data and determining a target security level corresponding to the plaintext data;
the data receiving module is further configured to determine whether the plaintext data needs to be encrypted based on the target security level;
the key acquisition module is used for acquiring an encryption key corresponding to the plaintext data according to the target security level when the plaintext data needs to be encrypted;
and the data encryption module is used for encrypting the plaintext data by using the encryption key to obtain ciphertext data and storing the ciphertext data into a storage area corresponding to the target security level.
9. A memory chip is characterized by comprising a computing unit and a memory unit which is in communication connection with the computing unit, wherein the memory unit comprises a plurality of memory areas; the computing unit is adapted to implement the data storage method of any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the data storage method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211423824.0A CN115834694A (en) 2022-11-14 2022-11-14 Data storage method, device, storage chip and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN115834694A true CN115834694A (en) 2023-03-21

Family

ID=85528078

Country Status (1)

Country Link
CN (1) CN115834694A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116502251A (en) * 2023-06-21 2023-07-28 东方空间技术(山东)有限公司 Data encryption storage method, device, equipment and storage medium
CN116502251B (en) * 2023-06-21 2024-04-16 东方空间技术(山东)有限公司 Data encryption storage method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination