CN117113370A - Data security operation method, device and storage medium - Google Patents

Info

Publication number
CN117113370A
Authority
CN
China
Prior art keywords
service data
key
data
expansion card
storage unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310920641.8A
Other languages
Chinese (zh)
Inventor
Name withheld on request
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Moore Threads Technology Co Ltd
Original Assignee
Moore Threads Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Moore Threads Technology Co Ltd
Priority to CN202310920641.8A
Publication of CN117113370A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/40 Bus structure
    • G06F13/4063 Device-to-bus coupling
    • G06F13/4068 Electrical coupling
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00 General purpose image data processing
    • G06T1/20 Processor architectures; Processor configuration, e.g. pipelining
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00 General purpose image data processing
    • G06T1/60 Memory management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to a data security operation method, apparatus and storage medium. The method comprises the following steps: the host encrypts the service data to obtain encrypted service data and sends the encrypted service data to an expansion card of the host through a bus; the expansion card acquires the encrypted service data sent by the host through the bus, stores the encrypted service data to a first storage unit on the expansion card, and, in response to a computing task, decrypts the encrypted service data acquired from the first storage unit so as to execute the computing task using the decrypted service data. According to the embodiment of the application, data security can be ensured while the data is transmitted on the bus. In addition, when the service data content is mapped to the host, the host obtains ciphertext rather than plaintext, which further ensures the integrity, confidentiality and reliability of the data. The encryption and decryption method in this process is simple and direct, requires no complex operation, and can take the performance and response time of the system into account.

Description

Data security operation method, device and storage medium
Technical Field
The present disclosure relates to the field of data processing, and in particular, to a data security operation method, apparatus, and storage medium.
Background
With the continued development of computer technology, the number of expansion cards (e.g., graphics processor GPUs, etc.) used in modern computer systems has increased. These expansion cards may provide additional storage, processing, networking, or other functionality to meet the needs of different users. However, as the number and functionality of expansion cards increases, data security becomes an increasingly important issue. During transmission, data transmitted between the host and the expansion card may be at risk of being stolen, tampered with, or maliciously accessed. For some critical applications, such as financial transactions, network communications, etc., data security is particularly important.
There are some encryption methods and techniques for improving the security of data; however, the prior art has some problems. For example, in some situations (such as when the host sends data to the video memory on the GPU for storage), the data can still be obtained through PCIe BAR mapping or with a link protocol analysis apparatus, so the data remains at risk. In addition, because some encryption methods are too complex, delays and performance losses may be introduced during data transmission, thereby affecting the response time and throughput of the system. Therefore, a new data security operation method is needed that can ensure the integrity, confidentiality and reliability of data transmission while taking the performance and response time of the system into account.
Disclosure of Invention
In view of this, the present disclosure proposes a data security operation method, apparatus, and storage medium.
According to one aspect of the present disclosure, a data security operation method is provided. The method may be used for an expansion card of a host, and the method may include: acquiring encrypted service data sent by a host through a bus, wherein the encrypted service data is obtained after the host encrypts the service data; storing the encrypted service data to a first storage unit on the expansion card; in response to the computing task, the encrypted service data acquired from the first storage unit is decrypted to perform the computing task using the decrypted service data.
In one possible implementation, the encrypted service data is obtained by the host encrypting the service data with a key; decrypting the encrypted service data acquired from the first storage unit in response to the computing task, to perform the computing task using the decrypted service data, comprises: in response to the computing task, decrypting the encrypted service data acquired from the first storage unit using the key, to perform the computing task using the decrypted service data.
In one possible implementation, the key may be an updated key, and the method may further include: receiving a key change request sent by the host once every preset period, wherein the key change request may include a key that the host has encrypted with a public key; and in response to the key change request, decrypting that key with the private key to obtain the updated key.
In one possible implementation, the key may be stored in a second storage unit connected to the bus on the expansion card, and in response to the computing task, decrypting the encrypted service data obtained from the first storage unit using the key to perform the computing task using the decrypted service data may include: decrypting the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data; the method may further comprise: and writing the updated key into the second storage unit.
In one possible implementation, the expansion card may include a system management unit and an encryption/decryption unit, where the system management unit is configured to write a key to the second storage unit, and the encryption/decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt the data, and the second storage unit may reject write access from outside the system management unit and reject read access from outside the encryption/decryption unit.
In one possible implementation, the method may further include: under the condition that the processed data is to be transmitted through the bus, the processed data is encrypted and then transmitted through the bus, and the processed data is obtained after the calculation task is executed by using the decrypted service data.
In one possible implementation, the case where the processed data is to be transmitted through the bus may include that the processed data is to be sent to a display engine of the expansion card for display, and that the processed data is to be sent to the first storage unit for storage.
In one possible implementation, the encrypted service data and the processed data are obtained by encrypting with a symmetric encryption algorithm.
In one possible implementation, the expansion card may be a graphics processor GPU and the first memory unit may be a video memory of the GPU.
According to another aspect of the present disclosure, a data security operation method is provided. The method may be used for a host, and the method may include: encrypting the service data to obtain encrypted service data; and sending the encrypted service data to an expansion card of the host through a bus, wherein the encrypted service data may be stored by the expansion card to a first storage unit on the expansion card, so that the expansion card, in response to a computing task, decrypts the encrypted service data acquired from the first storage unit and executes the computing task using the decrypted service data.
In one possible implementation manner, encrypting the service data to obtain encrypted service data may include: encrypting the service data by the key to obtain encrypted service data; the expansion card decrypts the encrypted service data acquired from the first storage unit in response to the computing task to perform the computing task using the decrypted service data, and may include: the expansion card decrypts the encrypted service data acquired from the first storage unit using the key in response to the calculation task to perform the calculation task using the decrypted service data.
In one possible implementation, the key may be an updated key, and the method may further include: sending a key change request to the expansion card once every preset period, wherein the key change request may include a key encrypted with a public key, and the key change request is used by the expansion card, in response to the key change request, to decrypt that key with a private key so as to obtain the updated key.
In one possible implementation, the key may be stored in a second storage unit connected to the bus on the expansion card, the updated key may be written to the second storage unit by the expansion card, the expansion card decrypting the encrypted service data obtained from the first storage unit using the key in response to the computing task to perform the computing task using the decrypted service data, and may include: the expansion card decrypts the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data.
In one possible implementation, the expansion card may include a system management unit and an encryption and decryption unit, where the system management unit may be configured to write a key to the second storage unit, and the encryption and decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt data, where the second storage unit may deny write access from outside the system management unit, and deny read access from outside the encryption and decryption unit.
In one possible implementation manner, in the case that the processed data is to be transmitted through the bus, the processed data is encrypted by the expansion card and then transmitted through the bus, and the processed data is obtained after the expansion card performs a calculation task by using the decrypted service data.
In one possible implementation, the case where the processed data is to be transmitted through the bus may include that the processed data is to be sent to a display engine of the expansion card for display, and that the processed data is to be sent to the first storage unit for storage.
In one possible implementation, the encrypted service data and the processed data may be obtained by encrypting using a symmetric encryption algorithm.
In one possible implementation, the expansion card may be a graphics processor GPU and the first memory unit may be a video memory of the GPU.
According to the embodiment of the application, the service data acquired by the expansion card of the host through the bus is encrypted service data sent by the host, so data security can be ensured while the data is transmitted on the bus. Because the data stored on the storage unit of the expansion card is also encrypted service data, the host obtains ciphertext rather than plaintext when the service data content is mapped to the host, which further ensures the integrity, confidentiality and reliability of the data. When there is a computing task, the expansion card, in response to the computing task, decrypts the encrypted service data acquired from the storage unit for subsequent operations; the encryption and decryption method in this process is simple and direct, requires no complex operation, and can take the performance and response time of the system into account.
According to another aspect of the present disclosure, a data security operation apparatus is provided. The device may be used for an expansion card of a host, and the device may include: the acquisition module is used for acquiring encrypted service data sent by the host through the bus, wherein the encrypted service data is obtained after the host encrypts the service data; the storage module is used for storing the encrypted service data to a first storage unit on the expansion card; and the first decryption module is used for decrypting the encrypted service data acquired from the first storage unit in response to the calculation task so as to execute the calculation task by utilizing the decrypted service data.
In one possible implementation, the encrypted service data is obtained by the host encrypting the service data with a key; the first decryption module is operable to: in response to the computing task, decrypt the encrypted service data acquired from the first storage unit using the key, to perform the computing task using the decrypted service data.
In one possible implementation, the key may be an updated key, and the apparatus may further include: a receiving module, configured to receive a key change request sent by the host once every preset period, wherein the key change request may include a key that the host has encrypted with a public key; and a second decryption module, configured to decrypt that key with the private key in response to the key change request, to obtain the updated key.
In one possible implementation, the key may be stored in a second storage unit on the expansion card connected to the bus, and the first decryption module may be configured to: decrypting the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data; the apparatus may further include: and the writing module is used for writing the updated secret key into the second storage unit.
In one possible implementation, the expansion card may include a system management unit and an encryption/decryption unit, where the system management unit is configured to write a key to the second storage unit, and the encryption/decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt the data, and the second storage unit may reject write access from outside the system management unit and reject read access from outside the encryption/decryption unit.
In one possible implementation, the apparatus may further include: the second encryption module is used for encrypting the processed data and transmitting the encrypted data through the bus under the condition that the processed data is to be transmitted through the bus, and the processed data is obtained after the calculation task is executed by using the decrypted service data.
In one possible implementation, the case where the processed data is to be transmitted through the bus may include that the processed data is to be sent to a display engine of the expansion card for display, and that the processed data is to be sent to the first storage unit for storage.
In one possible implementation, the encrypted service data and the processed data may be obtained by encrypting using a symmetric encryption algorithm.
In one possible implementation, the expansion card may be a graphics processor GPU and the first memory unit may be a video memory of the GPU.
According to another aspect of the present disclosure, a data security operation apparatus is provided. The apparatus may be used for a host, and the apparatus may include: a first encryption module, configured to encrypt the service data to obtain encrypted service data; and a first sending module, configured to send the encrypted service data to the expansion card of the host through the bus, wherein the encrypted service data may be stored by the expansion card to the first storage unit on the expansion card, so that the expansion card, in response to a computing task, decrypts the encrypted service data acquired from the first storage unit and executes the computing task using the decrypted service data.
In one possible implementation, the first encryption module may be configured to: encrypting the service data by the key to obtain encrypted service data; the expansion card decrypts the encrypted service data acquired from the first storage unit in response to the computing task to perform the computing task using the decrypted service data, and may include: the expansion card decrypts the encrypted service data acquired from the first storage unit using the key in response to the calculation task to perform the calculation task using the decrypted service data.
In one possible implementation, the key may be an updated key, and the apparatus may further include: a second sending module, configured to send a key change request to the expansion card once every preset period, wherein the key change request may include a key encrypted with a public key, and the key change request is used by the expansion card, in response to the key change request, to decrypt that key with a private key to obtain the updated key.
In one possible implementation, the key may be stored in a second storage unit connected to the bus on the expansion card, the updated key may be written to the second storage unit by the expansion card, the expansion card decrypting the encrypted service data obtained from the first storage unit using the key in response to the computing task to perform the computing task using the decrypted service data, and may include: the expansion card decrypts the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data.
In one possible implementation, the expansion card may include a system management unit and an encryption and decryption unit, where the system management unit may be configured to write a key to the second storage unit, and the encryption and decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt data, where the second storage unit may deny write access from outside the system management unit, and deny read access from outside the encryption and decryption unit.
In one possible implementation manner, in the case that the processed data is to be transmitted through the bus, the processed data is encrypted by the expansion card and then transmitted through the bus, and the processed data is obtained after the expansion card performs a calculation task by using the decrypted service data.
In one possible implementation, the case where the processed data is to be transmitted through the bus may include that the processed data is to be sent to a display engine of the expansion card for display, and that the processed data is to be sent to the first storage unit for storage.
In one possible implementation, the encrypted service data and the processed data may be obtained by encrypting using a symmetric encryption algorithm.
In one possible implementation, the expansion card may be a graphics processor GPU and the first memory unit may be a video memory of the GPU.
According to another aspect of the present disclosure, there is provided a data security operation apparatus including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the above-described method when executing the instructions stored in the memory.
According to another aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon computer program instructions, wherein the computer program instructions, when executed by a processor, implement the above-described method.
According to another aspect of the present disclosure, there is provided a computer program product comprising a computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, which when run in a processor of an electronic device, performs the above method.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features and aspects of the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 shows a schematic view of an application scenario according to an embodiment of the application.
FIG. 2 illustrates a schematic architecture of a data security operating system according to an embodiment of the present application.
Fig. 3 shows a flow chart of a data security operation method according to an embodiment of the present application.
Fig. 4 shows a flow chart of a data security operation method according to an embodiment of the present application.
FIG. 5 shows a schematic diagram of a data security operation flow according to an embodiment of the application.
Fig. 6 shows a block diagram of a data security operation device according to an embodiment of the present application.
Fig. 7 shows a block diagram of a data security operation device according to an embodiment of the present application.
FIG. 8 is a block diagram illustrating an apparatus 1900 for secure operation of data, according to an example embodiment.
Detailed Description
Various exemplary embodiments, features and aspects of the disclosure will be described in detail below with reference to the drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements, and circuits well known to those skilled in the art have not been described in detail in order not to obscure the present disclosure.
With the continued development of computer technology, the number of expansion cards (e.g., graphics processor GPUs, etc.) used in modern computer systems has increased. These expansion cards may provide additional storage, processing, networking, or other functionality to meet the needs of different users. However, as the number and functionality of expansion cards increases, data security becomes an increasingly important issue. During transmission, data transmitted between the host and the expansion card may be at risk of being stolen, tampered with, or maliciously accessed. For some critical applications, such as financial transactions, network communications, etc., data security is particularly important. There are some encryption methods and techniques for improving the security of data; however, the prior art has some problems. For example, in some situations (such as when the host sends data to the video memory on the GPU for storage), the data can still be obtained through PCIe BAR mapping or with a link protocol analysis apparatus, so the data remains at risk. In addition, because some encryption methods are too complex, delays and performance losses may be introduced during data transmission, thereby affecting the response time and throughput of the system. Therefore, a new data security operation method is needed that can ensure the integrity, confidentiality and reliability of data transmission while taking the performance and response time of the system into account.
In view of this, the application proposes a data security operation method. In the method of the embodiment of the application, the service data obtained by the expansion card of the host through the bus is encrypted service data sent by the host, so data security can be ensured while the data is transmitted on the bus. Because the data stored on the storage unit of the expansion card is also encrypted, the host obtains ciphertext rather than plaintext when the service data content is mapped to the host, which further ensures the integrity, confidentiality and reliability of the data. When there is a computing task, the expansion card decrypts the encrypted service data in response to the computing task; the encryption and decryption method in this process is simple and direct, requires no complex operation, and can take the performance and response time of the system into account.
Fig. 1 shows a schematic view of an application scenario according to an embodiment of the application. The data security operation method of the embodiment of the application can be applied to a scenario of data transmission between a host and an expansion card. As shown in fig. 1, data on the host can be derived from software on the host, network equipment, storage equipment of the host or other equipment; the expansion card can be a graphics processor (graphics processing unit, GPU), PCIe (peripheral component interconnect express) card, network card (inter-process communication, IPC) or solid state disk (solid state drive, SSD) card; and the host and the expansion card can be connected through a bus. According to the method of the embodiment of the application, when the service data is transmitted between the host and the expansion card, the host transmits the encrypted service data to the expansion card, and the expansion card can store the encrypted service data into a storage unit of the expansion card. When a computing task is subsequently carried out, the data is acquired from the storage unit and decrypted, so that the security of the data transmission is ensured.
The architecture of the data security operation system according to the embodiment of the present application is described below using a GPU as an expansion card. Referring to FIG. 2, a schematic diagram of the architecture of a data security operating system according to an embodiment of the application is shown. As shown in FIG. 2, the data security operation system according to the embodiment of the present application may include a host and a GPU, where the host and the GPU are connected by a bus, and the GPU may include a video memory, a GPU system management unit, a key storage unit, an encryption/decryption unit, a rendering calculation unit, a display unit, and other units.
The video memory can be used for storing encrypted service data sent by the host; the GPU system management unit can be used for realizing the functions of GPU power consumption management, key negotiation with a host, communication with the host and the like; the key storage unit can be connected with the bus and is a storage unit independent of the video memory, and is used for storing the key obtained by key negotiation and sent by the GPU system management unit and providing the key for the encryption and decryption unit; the encryption and decryption unit can be connected with the bus and arranged between the bus and the rendering calculation unit (namely the GPU engine) and can be used for decrypting the encrypted service data by utilizing the secret key; the rendering calculation unit can be used for performing corresponding rendering and calculation on the decrypted service data; the display unit can be used for displaying the data processed by the rendering calculation unit.
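The data path described above (the host encrypts, the video memory holds only ciphertext, the encryption and decryption unit decrypts for a computing task, and the key storage unit accepts writes only from the system management unit and reads only from the encryption and decryption unit) can be modelled as follows. This is an added example, not code from the patent: all class and function names are hypothetical, a SHA-256 counter-mode keystream stands in for the symmetric algorithm, the per-transfer nonce is an assumption, and textbook RSA over two Mersenne primes stands in for the public-key wrapping used in the key change request.

```python
import hashlib
import secrets

BLOCK = 32  # bytes handled per block (one SHA-256 output)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 counter-mode keystream, applied block
    by block. The same call encrypts and decrypts. The nonce is an assumption."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        pad = hashlib.sha256(key + nonce + (i // BLOCK).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], pad))
    return bytes(out)


# Toy textbook RSA over two Mersenne primes: it only models "wrap with the public
# key, unwrap with the private key". Unpadded RSA of this size is not secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the card


class KeyStore:
    """Second storage unit. `initiator` models the on-card unit issuing the access."""

    def __init__(self):
        self._key = None

    def write(self, initiator: str, key: bytes) -> None:
        if initiator != "system_management_unit":
            raise PermissionError(f"key store write rejected for {initiator}")
        self._key = key

    def read(self, initiator: str) -> bytes:
        if initiator != "crypto_unit":
            raise PermissionError(f"key store read rejected for {initiator}")
        return self._key


class ExpansionCard:
    def __init__(self):
        self.key_store = KeyStore()
        self.vram = {}  # first storage unit: address -> (nonce, ciphertext)

    def public_key(self):
        return N, E

    def handle_key_change(self, wrapped_key: int) -> None:
        """System management unit: unwrap the new key and write it to the key store."""
        key = pow(wrapped_key, D, N).to_bytes(32, "big")
        self.key_store.write("system_management_unit", key)

    def bus_write(self, addr: int, nonce: bytes, ciphertext: bytes) -> None:
        self.vram[addr] = (nonce, ciphertext)  # stored as received, not decrypted here

    def bus_read(self, addr: int):
        """What a BAR mapping of video memory exposes to the host: ciphertext."""
        return self.vram[addr]

    def run_task(self, src: int, dst: int, task) -> None:
        """Crypto unit decrypts for the compute engine, then re-encrypts the result
        before it goes back over the bus to video memory."""
        key = self.key_store.read("crypto_unit")
        nonce, ciphertext = self.vram[src]
        result = task(stream_xor(key, nonce, ciphertext))
        out_nonce = secrets.token_bytes(12)
        self.vram[dst] = (out_nonce, stream_xor(key, out_nonce, result))


class Host:
    def __init__(self, card: ExpansionCard):
        self.card, self.key = card, None

    def rotate_key(self) -> None:
        """Key change request: fresh key, wrapped with the card's public key."""
        self.key = secrets.token_bytes(32)
        n, e = self.card.public_key()
        self.card.handle_key_change(pow(int.from_bytes(self.key, "big"), e, n))

    def send(self, addr: int, data: bytes) -> None:
        nonce = secrets.token_bytes(12)
        self.card.bus_write(addr, nonce, stream_xor(self.key, nonce, data))

    def fetch(self, addr: int) -> bytes:
        nonce, ciphertext = self.card.bus_read(addr)
        return stream_xor(self.key, nonce, ciphertext)


def demo():
    card = ExpansionCard()
    host = Host(card)
    host.rotate_key()
    record = b"account=0042;amount=1500.00;" * 3  # constructed sample service data
    host.send(0x1000, record)
    mapped = card.bus_read(0x1000)[1]           # host-side view of video memory
    card.run_task(0x1000, 0x2000, bytes.upper)  # constructed "computing task"
    return record, mapped, host.fetch(0x2000)


if __name__ == "__main__":
    record, mapped, result = demo()
    print("mapped view is ciphertext:", mapped != record)
    print("task result after host decrypts:", result[:28])
```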
The following describes a data security operation method according to an embodiment of the present application based on fig. 1 and fig. 2 through fig. 3 to fig. 5.
Fig. 3 shows a flow chart of a data security operation method according to an embodiment of the present application. The method can be used in the data security operation system, as shown in fig. 3, and the method can include:
In step S301, the host encrypts the service data to obtain encrypted service data.
The service data of the host may be data waiting for processing by an expansion card (such as GPU), may be generated by software of the host itself, may be received by the host through a network device, or may be data stored in a storage device of the host.
Optionally, the step S301 includes:
the host encrypts the service data by using the key to obtain encrypted service data.
The encryption mode may be a symmetric encryption algorithm, an asymmetric encryption algorithm or other customized algorithms, and in order to improve efficiency, optionally, the encrypted service data may be obtained by encrypting by using the symmetric encryption algorithm by the host. The symmetric encryption algorithm may be AES (Advanced Encryption Standard), DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), etc., which is not limited in this regard. The key may be a key of a symmetric encryption algorithm, and the key used in encrypting the data and the key used in decrypting the data later may be the same.
In the encryption process, the service data can be encrypted in blocks so as to rapidly process a large amount of service data. Each block of service data can be encrypted by using a preset encryption function and the like by utilizing a secret key, and finally the encrypted data of each block are spliced to obtain the encrypted service data, and the process can be realized based on the prior art.
In step S302, the host sends the encrypted service data to the expansion card of the host through the bus.
The bus may be PCIe (Peripheral Component Interconnect Express) bus or DMA (Direct Memory Access) bus, and communication between the host and the expansion card may be implemented by a P2P (Peer-to-Peer) communication technology.
The expansion card of the host can refer to fig. 1, including GPU, PCIe card, network card IPC, SSD card, etc.
In step S303, the expansion card obtains the encrypted service data sent by the host through the bus.
The encrypted service data is obtained by encrypting the service data by the host.
In step S304, the expansion card stores the encrypted service data to a first storage unit on the expansion card.
Optionally, the expansion card may be a GPU, and the first storage unit may be a video memory of the GPU. In this case, the expansion card can store the encrypted service data directly into the first storage unit without any modification, so that the first storage unit holds the encrypted service data and read-write performance is improved.
Therefore, when the expansion card is a GPU, the service data stored in the video memory of the GPU is the encrypted service data. Devices other than the GPU cannot obtain the original data through PCIe BAR mapping or with link-protocol analysis instruments.
In step S305, the expansion card decrypts the encrypted service data acquired from the first storage unit in response to the calculation task to perform the calculation task using the decrypted service data.
The computing tasks may include tasks such as rendering and computing on the service data. For example, in the case that the expansion card is a GPU, the GPU may decrypt the encrypted service data by using the encryption and decryption unit shown in fig. 2, and execute the corresponding computing task on the decrypted service data through the rendering calculation unit, that is, the engine (engines) of the GPU. That is, in the present application, both the data transmitted between the host and the GPU and the data stored in the first storage unit (i.e., the video memory) are encrypted data, which is safe. The data is decrypted only when it is loaded into the engine of the GPU for processing, thereby ensuring that the data is safe in transmission and storage, and no leakage risk exists.
The expansion card may decrypt the encrypted service data by using the key in the encryption and decryption unit shown in fig. 2, to obtain decrypted service data. Optionally, the step S305 includes:
the expansion card decrypts the encrypted service data acquired from the first storage unit using the key in response to the calculation task to perform the calculation task using the decrypted service data.
The expansion card may include a system management unit (i.e., the GPU system management unit in fig. 2) and an encryption/decryption unit.
The system management unit may be configured to write the key to the second storage unit (i.e., the key storage unit in fig. 2), and the encryption/decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt the data. The data may include business data and GPU processed data.
The second storage unit may be a secure storage unit independent of the first storage unit. The second storage unit denies write access from outside the system management unit and denies read access from outside the encryption and decryption unit, thereby ensuring the security of the key.
Thus, the encryption and decryption unit can obtain the key from the second storage unit and decrypt the encrypted service data based on the key.
According to the embodiment of the application, the service data acquired by the expansion card of the host through the bus is encrypted service data sent by the host, so that data security during transmission on the bus can be ensured. Because the data stored on the storage unit of the expansion card is also encrypted service data, when the content of the storage unit is mapped to the host, the host obtains ciphertext rather than plaintext, thereby further ensuring the integrity, confidentiality and reliability of the data. When a calculation task exists, the expansion card, in response to the calculation task, decrypts the encrypted service data acquired from the storage unit for subsequent operation. The encryption and decryption in this process are simple and direct, without complex operations, so that the performance and response time of the system are also taken into account.
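The data path of steps S301 to S305, as an added example that is not part of the patent: the host splits the service data into blocks, encrypts each block and splices the results, and the card decrypts only at the point of use. The patent names AES but no mode of operation; AES-GCM, the 4096-byte block size, the record layout and the function names `SealChunks` and `OpenChunks` are assumptions of this example, chosen so that a modified, reordered or dropped block is rejected at decryption time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// chunkSize is the plaintext size of one block. The patent gives no size;
// 4096 is an assumption of this example.
const chunkSize = 4096

func newAEAD(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// chunkAAD binds a chunk to its position and to the total chunk count, so a
// swapped, dropped or appended record fails authentication.
func chunkAAD(index, total uint64) []byte {
	aad := make([]byte, 16)
	binary.BigEndian.PutUint64(aad[:8], index)
	binary.BigEndian.PutUint64(aad[8:], total)
	return aad
}

// SealChunks is the host side (S301): split the service data into chunks,
// encrypt each one and splice the records (nonce || ciphertext || tag).
func SealChunks(key, data []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	total := uint64((len(data) + chunkSize - 1) / chunkSize)
	var out []byte
	for i := uint64(0); i < total; i++ {
		end := int(i+1) * chunkSize
		if end > len(data) {
			end = len(data)
		}
		nonce := make([]byte, aead.NonceSize()) // fresh random nonce per chunk
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = append(out, nonce...)
		out = aead.Seal(out, nonce, data[int(i)*chunkSize:end], chunkAAD(i, total))
	}
	return out, nil
}

// OpenChunks is the card side (S305): read the records back from the first
// storage unit and decrypt them only when a computing task needs them.
func OpenChunks(key, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	minRec := aead.NonceSize() + aead.Overhead()
	rec := minRec + chunkSize
	total := uint64((len(stored) + rec - 1) / rec)
	var plain []byte
	for i := uint64(0); i < total; i++ {
		end := int(i+1) * rec
		if end > len(stored) {
			end = len(stored)
		}
		r := stored[int(i)*rec : end]
		if len(r) < minRec {
			return nil, errors.New("truncated record")
		}
		n := aead.NonceSize()
		pt, err := aead.Open(nil, r[:n], r[n:], chunkAAD(i, total))
		if err != nil {
			return nil, fmt.Errorf("chunk %d rejected: %w", i, err)
		}
		plain = append(plain, pt...)
	}
	return plain, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	data := make([]byte, 3*chunkSize+100) // constructed sample service data
	vram, err := SealChunks(key, data)    // what the bus and the video memory hold
	if err != nil {
		panic(err)
	}
	plain, err := OpenChunks(key, vram)
	fmt.Println(len(vram), len(plain), err)
	vram[20] ^= 1 // one flipped bit in the stored ciphertext
	_, err = OpenChunks(key, vram)
	fmt.Println(err)
}
```

Each record is 28 bytes longer than its plaintext block (12-byte nonce plus 16-byte tag), so the spliced ciphertext no longer lines up with the plaintext offsets.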
After the expansion card executes the calculation task using the decrypted service data, processed data is obtained. Because data transmitted through the bus is exposed to risks such as leakage and tampering, in order to ensure the data security of the processed data, the method may optionally further include:
in the case that the processed data is to be transmitted through the bus, the expansion card encrypts the processed data and transmits the encrypted data through the bus. The encryption and decryption hardware logic (such as the encryption and decryption unit above) is placed in front of the engine (i.e. the rendering calculation unit) of the GPU to encrypt the processed data, so that the data transmitted on the bus is encrypted data and the data subsequently stored in the first storage unit (i.e. the video memory) is also encrypted data. When the video memory is mapped to a system memory address, the mapped data is likewise encrypted data, which is safe.
The processed data is obtained by executing a calculation task by using the decrypted service data by the expansion card. The bus may be a bus internal to the expansion card, which may be the PCIe bus described above. Under the condition that the processed data is not transmitted through the bus inside the expansion card, encryption of the processed data is not needed, so that the data transmission efficiency is improved.
Optionally, the processed data may be encrypted by the expansion card using a symmetric encryption algorithm. The process of encrypting the processed data by the expansion card may be performed in the encryption/decryption unit shown in fig. 2. The processed data may be encrypted by a symmetric encryption algorithm using the key.
Optionally, the case that the processed data is to be transmitted through the bus includes that the processed data is to be sent to a display engine of the expansion card for display, and the processed data is to be sent to the first storage unit for storage.
The display engine may refer to the display unit in fig. 2, where the processed data may be content to be displayed, and the display engine may decrypt the encrypted data to display the decrypted content.
The processed data to be sent to the first storage unit for storage may be subjected to subsequent processing by the host.
In order to improve encryption and decryption efficiency, the host and the expansion card can share the same key when encrypting and decrypting data. In this scenario only one key needs to be maintained, and the key can be stored in the second storage unit. If the key never changes, it risks being reverse-analyzed and attacked, and the encrypted data may be cracked. To ensure the security of the key, key negotiation may therefore be performed periodically between the expansion card and the host to update the key, as described below.
Optionally, the key may be an updated key. FIG. 4 shows a flowchart of a data security operation method according to an embodiment of the present application. As shown in fig. 4, the method further includes:
In step S401, the host sends a key change request to the expansion card at intervals of a predetermined period.
The period may be a task period, such as running a key session program once every time the host performs a task, and sending a key change request to the expansion card.
The key change request may include a key that the host has encrypted using a public key. The public key may be pre-generated. The private key corresponding to the public key is stored by the expansion card. The process of encrypting a key with a public key may be implemented based on prior art techniques.
In step S402, the expansion card receives a key change request sent by the host at intervals of a predetermined period.
This step may be performed by the GPU system management unit in fig. 2.
In step S403, in response to the key change request, the expansion card uses the private key to decrypt the key that the host encrypted with the public key, to obtain the updated key.
The private key may be pre-generated. The process of decrypting the encrypted key using the private key may be implemented based on prior art techniques. Step S403 may be performed, for example, by the GPU system management unit in fig. 2.
Optionally, the key may be stored in a second storage unit on the expansion card that is connected to the bus, and the updated key may also be written to the second storage unit. The method may further comprise:
the expansion card writes the updated key to the second storage unit.
The updated key may be written to the second storage unit by the system management unit. The updated key replaces the original key as the key used when the host and the expansion card subsequently encrypt or decrypt data; that is, the encryption/decryption unit can subsequently read the updated key from the second storage unit to decrypt or encrypt the data.
The step S305 may include:
the expansion card decrypts the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data.
According to the embodiment of the application, a second storage unit independent of the first storage unit is used, so that the expansion card can only write the updated key into the second storage unit and read the key from it to decrypt the encrypted service data in response to the calculation task. The security of the key can thus be ensured, which in turn ensures the security of the encrypted data.
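The key change flow of steps S401 to S403 together with the access rule of the second storage unit, as an added example that is not the patent's own code. RSA-OAEP with SHA-256, the 2048-bit key pair, the 32-byte symmetric key, the OAEP label and all type and function names (`KeyStore`, `Card`, `HostKeyChangeRequest`, `HandleKeyChange`) are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Unit names the agent issuing an access to the key storage unit.
type Unit int

const (
	HostBus    Unit = iota // anything arriving from the host over the bus
	SysMgmt                // system management unit: the only permitted writer
	CryptoUnit             // encryption/decryption unit: the only permitted reader
)

var ErrDenied = errors.New("key store: access denied")

// KeyStore models the second storage unit, separate from the video memory.
type KeyStore struct{ key []byte }

// Write is refused unless the access comes from the system management unit.
func (s *KeyStore) Write(from Unit, key []byte) error {
	if from != SysMgmt {
		return ErrDenied
	}
	s.key = append([]byte(nil), key...)
	return nil
}

// Read is refused unless the access comes from the encryption/decryption unit.
func (s *KeyStore) Read(from Unit) ([]byte, error) {
	if from != CryptoUnit {
		return nil, ErrDenied
	}
	if s.key == nil {
		return nil, errors.New("key store: no key provisioned")
	}
	return append([]byte(nil), s.key...), nil
}

// Card holds the private key, which stays on the expansion card.
type Card struct {
	priv  *rsa.PrivateKey
	Store KeyStore
}

func NewCard() (*Card, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

func (c *Card) Public() *rsa.PublicKey { return &c.priv.PublicKey }

// oaepLabel ties the wrapped key to this purpose (assumed value).
var oaepLabel = []byte("key-change-request")

const keyLen = 32 // AES-256 key length, an assumption of this example

// HostKeyChangeRequest is S401: the host draws a fresh symmetric key and
// encrypts it with the card's public key. Only confidentiality of the new key
// is covered; the page describes no authentication of the request, and none
// is added here.
func HostKeyChangeRequest(pub *rsa.PublicKey) (newKey, wrapped []byte, err error) {
	newKey = make([]byte, keyLen)
	if _, err = rand.Read(newKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, newKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return newKey, wrapped, nil
}

// HandleKeyChange is S402 and S403 plus the write to the second storage unit.
// A request that fails to decrypt leaves the current key in place.
func (c *Card) HandleKeyChange(wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, wrapped, oaepLabel)
	if err != nil {
		return fmt.Errorf("key change rejected: %w", err)
	}
	if len(key) != keyLen {
		return errors.New("key change rejected: unexpected key length")
	}
	return c.Store.Write(SysMgmt, key)
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	_, wrapped, err := HostKeyChangeRequest(card.Public())
	if err != nil {
		panic(err)
	}
	fmt.Println("key change:", card.HandleKeyChange(wrapped))
	_, err = card.Store.Read(HostBus)
	fmt.Println("read from host bus:", err)
}
```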
Taking a GPU as an example of the expansion card, the above data security operation flow is summarized in fig. 5, which shows a schematic diagram of the data security operation flow according to an embodiment of the present application. As shown in fig. 5, the host may encrypt the service data with the key, and distribute the encrypted service data to the corresponding GPU. The GPU can write the encrypted service data into the video memory, and the host triggers the GPU to execute the corresponding task. When the service data is processed, the GPU can acquire the encrypted service data from the video memory, decrypt it and execute the corresponding task. The data obtained after the GPU performs the task can be encrypted again by using the key and written into the video memory of the GPU.
In this process, the key may be updated periodically. The host and the GPU may run a key session program to perform key exchange, so that both sides obtain the updated key.
Fig. 6 shows a block diagram of a data security operation device according to an embodiment of the present application. The device may be used for an expansion card of a host, as shown in fig. 6, and may include:
an acquiring module 601, configured to acquire encrypted service data sent by a host through a bus, where the encrypted service data is obtained by encrypting the service data by the host;
a storage module 602, configured to store the encrypted service data to a first storage unit on the expansion card; and
a first decryption module 603, configured to decrypt the encrypted service data acquired from the first storage unit in response to the calculation task, so as to perform the calculation task using the decrypted service data.
In one possible implementation manner, the encrypted service data is obtained by encrypting the service data by using a key by a host; the first decryption module 603 is operable to: in response to the computing task, the encrypted service data acquired from the first storage unit is decrypted using the key to perform the computing task using the decrypted service data.
In one possible implementation, the key may be an updated key, and the apparatus may further include: a receiving module, configured to receive a key change request sent by the host at intervals of a predetermined period, where the key change request may include a key that the host has encrypted using a public key; and a second decryption module, configured to, in response to the key change request, use a private key to decrypt the key that the host encrypted with the public key, to obtain the updated key.
In one possible implementation, the key may be stored in a second storage unit on the expansion card connected to the bus, and the first decryption module 603 may be configured to: decrypting the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data; the apparatus may further include: and the writing module is used for writing the updated secret key into the second storage unit.
In one possible implementation, the expansion card may include a system management unit and an encryption/decryption unit, where the system management unit is configured to write a key to the second storage unit, and the encryption/decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt the data, and the second storage unit may reject write access from outside the system management unit and reject read access from outside the encryption/decryption unit.
In one possible implementation, the apparatus may further include: the second encryption module is used for encrypting the processed data and transmitting the encrypted data through the bus under the condition that the processed data is to be transmitted through the bus, and the processed data is obtained after the calculation task is executed by using the decrypted service data.
In one possible implementation, the case where the processed data is to be transmitted through the bus may include that the processed data is to be sent to a display engine of the expansion card for display, and that the processed data is to be sent to the first storage unit for storage.
In one possible implementation, the encrypted service data and the processed data may be obtained by encrypting using a symmetric encryption algorithm.
In one possible implementation, the expansion card may be a graphics processing unit (GPU) and the first storage unit may be a video memory of the GPU.
Fig. 7 shows a block diagram of a data security operation device according to an embodiment of the present application. The apparatus may be used with a host, as shown in fig. 7, and may include:
a first encryption module 701, configured to encrypt service data to obtain encrypted service data;
the first sending module 702 is configured to send the encrypted service data to an expansion card of the host through the bus, where the encrypted service data may be used to be stored by the expansion card to a first storage unit on the expansion card, so that the expansion card decrypts, in response to the computing task, the encrypted service data obtained from the first storage unit, and performs the computing task using the decrypted service data.
In one possible implementation, the first encryption module 701 may be configured to: encrypt the service data using a key to obtain the encrypted service data. The expansion card decrypting, in response to the computing task, the encrypted service data acquired from the first storage unit to perform the computing task using the decrypted service data may include: the expansion card decrypts the encrypted service data acquired from the first storage unit using the key in response to the calculation task to perform the calculation task using the decrypted service data.
In one possible implementation, the key may be an updated key, and the apparatus may further include: a second sending module, configured to send a key change request to the expansion card at intervals of a predetermined period, where the key change request may include a key encrypted using a public key, and the key change request is used by the expansion card to, in response to the key change request, decrypt with a private key the key encrypted using the public key, to obtain the updated key.
In one possible implementation, the key may be stored in a second storage unit on the expansion card that is connected to the bus, and the updated key may be written to the second storage unit by the expansion card. The expansion card decrypting, in response to the computing task, the encrypted service data acquired from the first storage unit using the key to perform the computing task using the decrypted service data may include: the expansion card decrypts the encrypted service data acquired from the first storage unit using the key read out from the second storage unit in response to the calculation task to perform the calculation task using the decrypted service data.
In one possible implementation, the expansion card may include a system management unit and an encryption and decryption unit, where the system management unit may be configured to write a key to the second storage unit, and the encryption and decryption unit may be configured to read the key stored in the second storage unit to decrypt or encrypt data, where the second storage unit may deny write access from outside the system management unit, and deny read access from outside the encryption and decryption unit.
In one possible implementation manner, in the case that the processed data is to be transmitted through the bus, the processed data is encrypted by the expansion card and then transmitted through the bus, and the processed data is obtained after the expansion card performs a calculation task by using the decrypted service data.
In one possible implementation, the case where the processed data is to be transmitted through the bus may include that the processed data is to be sent to a display engine of the expansion card for display, and that the processed data is to be sent to the first storage unit for storage.
In one possible implementation, the encrypted service data and the processed data may be obtained by encrypting using a symmetric encryption algorithm.
In one possible implementation, the expansion card may be a graphics processing unit (GPU) and the first storage unit may be a video memory of the GPU.
According to the embodiment of the application, the service data acquired by the expansion card of the host through the bus is encrypted service data sent by the host, so that data security during transmission on the bus can be ensured. Because the data stored on the storage unit of the expansion card is also encrypted service data, when the content of the storage unit is mapped to the host, the host obtains ciphertext rather than plaintext, thereby further ensuring the integrity, confidentiality and reliability of the data. When a calculation task exists, the expansion card, in response to the calculation task, decrypts the encrypted service data acquired from the storage unit for subsequent operation. The encryption and decryption in this process are simple and direct, without complex operations, so that the performance and response time of the system are also taken into account.
In some embodiments, functions or modules included in an apparatus provided by the embodiments of the present disclosure may be used to perform a method described in the foregoing method embodiments, and specific implementations thereof may refer to descriptions of the foregoing method embodiments, which are not repeated herein for brevity.
The embodiment of the disclosure also provides a data security operation device, which comprises: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the above-described method when executing the instructions stored in the memory.
The disclosed embodiments also provide a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the above-described method. The computer readable storage medium may be a volatile or nonvolatile computer readable storage medium.
The embodiment of the disclosure also provides an electronic device, which comprises: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the above-described method when executing the instructions stored by the memory.
Embodiments of the present disclosure also provide a computer program product comprising computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, which when run in a processor of an electronic device, performs the above method.
FIG. 8 is a block diagram illustrating an apparatus 1900 for secure operation of data, according to an example embodiment. For example, the apparatus 1900 may be provided as a server or terminal device. Referring to fig. 8, the apparatus 1900 includes a processing component 1922 that further includes one or more processors and memory resources represented by memory 1932 for storing instructions, such as application programs, that are executable by the processing component 1922. The application programs stored in memory 1932 may include one or more modules each corresponding to a set of instructions. Further, processing component 1922 is configured to execute instructions to perform the methods described above.
The apparatus 1900 may further comprise a power component 1926 configured to perform power management of the apparatus 1900, a wired or wireless network interface 1950 configured to connect the apparatus 1900 to a network, and an input/output interface 1958 (I/O interface). The apparatus 1900 may operate based on an operating system stored in the memory 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as memory 1932, including computer program instructions executable by processing component 1922 of apparatus 1900 to perform the above-described methods.
The present disclosure may be a system, method, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for causing a processor to implement aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include the following: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disk read-only memory (CD-ROM), digital versatile disks (DVD), memory sticks, floppy disks, mechanically encoded devices such as punch cards or raised structures in a groove having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer program instructions for performing the operations of the present disclosure can be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present disclosure are implemented by using state information of the computer readable program instructions to personalize electronic circuitry, such as programmable logic circuitry, field-programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), which can then execute the computer readable program instructions.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The foregoing description of the embodiments of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the technical improvements in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (16)

1. A data security operation method, applied to an expansion card of a host, the method comprising:
obtaining encrypted service data sent by the host through a bus, wherein the encrypted service data is obtained by the host encrypting service data;
storing the encrypted service data in a first storage unit on the expansion card;
and, in response to a computing task, decrypting the encrypted service data acquired from the first storage unit, so as to perform the computing task using the decrypted service data.
2. The method of claim 1, wherein the encrypted service data is obtained by encrypting the service data by the host using a key;
the decrypting, in response to a computing task, the encrypted service data acquired from the first storage unit to perform the computing task using the decrypted service data, includes:
in response to a computing task, the encrypted service data acquired from the first storage unit is decrypted using the key to perform the computing task using the decrypted service data.
3. The method of claim 2, wherein the key is an updated key, the method further comprising:
receiving a key change request sent by the host at intervals of a preset period, wherein the key change request comprises a key encrypted by the host using a public key;
and, in response to the key change request, using a private key to decrypt the key that the host encrypted using the public key, to obtain the updated key.
4. The method of claim 3, wherein the key is stored in a second storage unit on the expansion card connected to the bus, and wherein the decrypting, in response to a computing task, the encrypted service data acquired from the first storage unit using the key to perform the computing task using the decrypted service data comprises:
in response to a computing task, decrypting the encrypted service data acquired from the first storage unit using the key read out from the second storage unit, so as to perform the computing task using the decrypted service data;
the method further comprises:
writing the updated key into the second storage unit.
5. The method of claim 2, wherein the expansion card includes a system management unit and an encryption/decryption unit, the system management unit is configured to write the key to a second storage unit, the encryption/decryption unit is configured to read the key stored in the second storage unit to decrypt or encrypt data, and the second storage unit is configured to reject write access from outside the system management unit and reject read access from outside the encryption/decryption unit.
6. The method of claim 1, further comprising:
in a case where processed data is to be transmitted through the bus, encrypting the processed data and transmitting the encrypted data through the bus, wherein the processed data is obtained by executing the computing task using the decrypted service data.
7. The method of claim 6, wherein the case where the processed data is to be transmitted through the bus includes: the processed data is to be sent to a display engine of the expansion card for display, and the processed data is to be sent to the first storage unit for storage.
8. The method of claim 6, wherein the encrypted service data and the encrypted processed data are obtained by encryption using a symmetric encryption algorithm.
9. The method of claim 1, wherein the expansion card is a graphics processor (GPU) and the first storage unit is a video memory of the GPU.
10. A method of secure operation of data, the method for use with a host, the method comprising:
encrypting the service data to obtain encrypted service data;
and sending the encrypted service data to an expansion card of the host through a bus, wherein the encrypted service data is to be stored by the expansion card in a first storage unit on the expansion card, so that the expansion card, in response to a computing task, decrypts the encrypted service data acquired from the first storage unit and performs the computing task using the decrypted service data.
11. The method of claim 10, wherein encrypting the service data to obtain encrypted service data comprises:
encrypting the service data using a key to obtain the encrypted service data;
the expansion card decrypting, in response to a computing task, the encrypted service data acquired from the first storage unit to perform the computing task using the decrypted service data comprises:
the expansion card, in response to a computing task, decrypting the encrypted service data acquired from the first storage unit using the key, so as to perform the computing task using the decrypted service data.
12. The method of claim 11, wherein the key is an updated key, the method further comprising:
sending a key change request to the expansion card at intervals of a preset period, wherein the key change request comprises a key encrypted using a public key, and the key change request is used by the expansion card, in response to the key change request, to decrypt with a private key the key encrypted using the public key, to obtain the updated key.
13. A data security operation device, wherein the device is applied to an expansion card of a host, the device comprising:
an acquisition module, configured to obtain encrypted service data sent by the host through a bus, wherein the encrypted service data is obtained by the host encrypting service data;
a storage module, configured to store the encrypted service data in a first storage unit on the expansion card;
and a first decryption module, configured to decrypt, in response to a computing task, the encrypted service data acquired from the first storage unit, so as to perform the computing task using the decrypted service data.
14. A data security operation device, wherein the device is applied to a host, the device comprising:
a first encryption module, configured to encrypt service data to obtain encrypted service data;
a first sending module, configured to send the encrypted service data to an expansion card of the host through a bus, wherein the encrypted service data is to be stored by the expansion card in a first storage unit on the expansion card, so that the expansion card, in response to a computing task, decrypts the encrypted service data acquired from the first storage unit and performs the computing task using the decrypted service data.
15. A data security operation device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 1 to 9, or to implement the method of any one of claims 10 to 12, when executing the instructions stored by the memory.
16. A non-transitory computer readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method of any of claims 1 to 9 or the method of any of claims 10 to 12.
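A small model of the data path in claims 1 to 6 and 10 to 12, added here as an illustration; it is not taken from the patent or from any vendor implementation. The SHA-256 counter keystream, the textbook RSA over two Mersenne primes, the caller labels `"smu"` and `"crypto"`, the buffer name and the upper-casing compute task are all assumed stand-ins (the claims name no algorithms) and are not production cryptography.

```python
import hashlib
import os

# Assumed stand-ins: the claims name no algorithms. Not production crypto.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537       # toy textbook RSA (Mersenne primes)
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))    # (N, E) public; D stays on the card

def stream_xor(key, nonce, data):
    """SHA-256 counter keystream XOR; the same call encrypts and decrypts."""
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

class KeySlot:
    """Second storage unit (claim 5): SMU-only writes, crypto-unit-only reads."""
    def __init__(self):
        self._key = None
    def write(self, caller, key):
        if caller != "smu":
            raise PermissionError(f"write rejected for {caller}")
        self._key = key
    def read(self, caller):
        if caller != "crypto":
            raise PermissionError(f"read rejected for {caller}")
        return self._key

class ExpansionCard:
    def __init__(self):
        self.slot, self.vram = KeySlot(), {}
    def key_change(self, wrapped):               # claim 3: unwrap with the private key
        self.slot.write("smu", pow(wrapped, D, N).to_bytes(32, "big"))
    def store(self, name, nonce, blob):          # claim 1: ciphertext rests in VRAM
        self.vram[name] = (nonce, blob)
    def compute(self, name):                     # decrypt only when a task runs
        nonce, blob = self.vram[name]
        key = self.slot.read("crypto")
        result = stream_xor(key, nonce, blob).upper()   # placeholder compute task
        out_nonce = os.urandom(12)               # claim 6: re-encrypt before the bus
        return out_nonce, stream_xor(key, out_nonce, result)

def host_round_trip(card, data):
    """Host side (claims 10-12): wrap a fresh key, send ciphertext, read result."""
    key, nonce = os.urandom(32), os.urandom(12)
    card.key_change(pow(int.from_bytes(key, "big"), E, N))
    card.store("buf0", nonce, stream_xor(key, nonce, data))
    out_nonce, out = card.compute("buf0")
    return stream_xor(key, out_nonce, out)
```

Each call to `host_round_trip` on the same card models one key change period: the slot is overwritten with the newly unwrapped key before any data is sent.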
CN202310920641.8A 2023-07-25 2023-07-25 Data security operation method, device and storage medium Pending CN117113370A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310920641.8A CN117113370A (en) 2023-07-25 2023-07-25 Data security operation method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310920641.8A CN117113370A (en) 2023-07-25 2023-07-25 Data security operation method, device and storage medium

Publications (1)

Publication Number Publication Date
CN117113370A true CN117113370A (en) 2023-11-24

Family

ID=88799217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310920641.8A Pending CN117113370A (en) 2023-07-25 2023-07-25 Data security operation method, device and storage medium

Country Status (1)

Country Link
CN (1) CN117113370A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination