JP2009025812A - Digital information protecting method and apparatus, and computer accessible recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a digital information protecting method so that protected digital information cannot be easily reconstructed or recovered. <P>SOLUTION: The method for protecting digital information comprises: converting a protected address range into a plurality of address blocks on the basis of a preset conversion unit, and generating an address block rearranging rule using the address blocks as a parameter; and, when it is desired to load data into an address batch of the protected address range, converting the address batch into a plurality address blocks on the basis of the conversion unit; locating rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loading the data into the rearranged addresses. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a method and apparatus for data protection, and more particularly to a method and apparatus for protecting digital information and preventing unauthorized access to digital information.

  With the development of computer technology, almost all government agencies, laboratories, academic organizations and companies use computers to create documents and files. Furthermore, with the rapid development of computer peripheral storage devices, these storage devices are used to store important documents, file data, technical data, confidential data and their backup data. Using a storage device to store documents and files not only reduces the time to create and retrieve data, but also reduces paper usage and extends the life of stored data. . In addition, since the portable storage device is easy to store and is convenient for transportation and small in size, users frequently use the portable storage device for storing data and backup data. However, the convenience of a portable storage device increases the risk of leakage of data stored in the computer. In order to overcome such drawbacks, various data protection methods using encryption have been proposed. Nevertheless, encrypted data can be decrypted using a large number of computers and a large amount of computation, so how to improve data security so that protected data cannot be recovered after theft. Has become the biggest concern.

  Accordingly, it is an object of the present invention to provide a digital information protection method in which protected digital information is not easily reconstructed or recovered.

In one aspect of the present invention, a digital information protection method includes:
(A) converting a protected address region into a plurality of address blocks based on a preset translation unit, and generating an address block reordering rule using the address block as a parameter;
(B) when loading data into an address batch of the protected address area, converting the address batch into a plurality of address blocks based on the translation composition unit;
(C) searching for a rearranged address of an address block in the protected address area according to an address block rearrangement rule, and loading the data into the rearranged address;
including.

According to another aspect of the present invention, a digital information protection method includes:
(A) dividing the protected address area into a plurality of first translation batches; converting the address area of each first translation batch into a plurality of first address blocks based on the first translation composition unit; And generating a first address block reordering rule to reorder the first address block using the first address block as a parameter;
(B) dividing the protected address area into a plurality of second conversion batches, converting the address area of each second conversion batch into a plurality of second address blocks based on a preset second conversion configuration unit. Generating a second address block reordering rule to reorder the second address block using the second address block as a parameter; and
(C) dividing the protected address area into at least one third translation batch, based on a preset third translation composition unit, the address area of the at least one third translation batch is a plurality of third address blocks And generating a third address block reordering rule to reorder the third address block using this third address block as a parameter;
(D) when loading data into an address batch of the protected address area, determining a first translation batch to which the address batch belongs, based on the first translation composition unit, Converting the batch into a plurality of address blocks; searching for the rearranged addresses of the address blocks in the protected address area according to the first, second, third address block reordering rules; And loading the data into the rearranged addresses thus retrieved,
including.

Further features and advantages of the present invention will become apparent from the following detailed description of the preferred embodiments with reference to the drawings.
FIG. 1 is a diagram showing main functional blocks in one embodiment of the present invention.
FIG. 2 is a diagram showing main functional blocks in another preferred embodiment of the present invention.
FIG. 3 is a diagram showing main functional blocks in still another preferred embodiment of the present invention.
FIG. 4 shows a protected area address mapping table constructed using predetermined address translation rules in a preferred embodiment of the present invention.
FIG. 5 illustrates a protected area address mapping table constructed using another address translation rule in a preferred embodiment of the present invention.
FIG. 6 schematically illustrates an example in which source data is encrypted using an encryption algorithm, and the encrypted data is decrypted into source data using a decryption algorithm.
FIG. 7 schematically illustrates how a system-specified access area initial address sequence is converted to an access area custom address sequence in a preferred embodiment of the present invention.
FIG. 8 is a flowchart of a preparatory operation in another embodiment of the digital information protection method according to the present invention.
FIG. 9 is a flow diagram of the actual access operation in the preferred embodiment.
FIG. 10 is a schematic diagram for explaining the first address conversion in the preferred embodiment.
FIG. 11 is a schematic diagram illustrating the second address conversion in the preferred embodiment.
FIG. 12 is a schematic diagram for explaining the third address conversion in the preferred embodiment.
FIG. 13 is a flowchart in still another embodiment of the digital information protection method according to the present invention.
FIG. 14 is a schematic diagram for explaining address conversion in the present preferred embodiment.

  Before elaborating the present invention, it should be noted that like elements are designated by like reference numbers throughout the present disclosure.

  FIG. 1 is a block diagram showing the main functions of a preferred first embodiment of the present invention. A hardware system 10 in the figure includes a data encryption / decryption module 20 and a storage space address translation module 25. A computer 11 and a peripheral storage device 12 including a storage device 30 are provided. FIG. 2 is a block diagram showing the main functions of the second preferred embodiment of the present invention. The hardware system 10 in FIG. 2 includes a computer 11 including a data encryption / decryption module 20, and a storage space address. A peripheral storage device 12 including a conversion module 25 and a storage device 30 is provided. FIG. 3 is a block diagram showing the main functions of the third preferred embodiment of the present invention. The hardware system 10 in FIG. 3 includes a computer 11, a data encryption / decryption module 20, and a storage space address conversion. A peripheral storage device 12 including a module and a storage device 30 is provided.

  The function of the storage space address conversion module 25 is as follows. (1) An address translation rule 60 is set in accordance with the address translation key 95 and the protection area initial address sequence 70, and a protection area address mapping table 65 is constructed using the address translation rule 60, whereby a protection area initial address is created. Convert sequence 70 to protected area custom address sequence 75. (2) Use the protected area address mapping table 65 to obtain the access area custom address sequence 85 corresponding to the access area initial address sequence 80, or perform the calculation according to the address conversion rule 60 to obtain the access area initial address An access area custom address sequence 85 corresponding to the sequence 80 is acquired.

The function of the data encryption / decryption module 20 is as follows.
(1) Encrypt the encrypted source data 50 into the encrypted data 55 according to the encryption code 90 and the encryption algorithm 40. (2) Decrypt the encrypted data 55 into the source data 50 according to the decryption code 92 and the decryption algorithm 45.

  If data is to be stored in a protected area of the storage device 30, the data encryption / decryption module 20 is used to encrypt the source data 50 into encrypted data 55, and then a storage space address translation. Module 25 is used to obtain an access area custom address sequence 85 corresponding to the system specified access area initial address sequence 80. Thereafter, the encrypted data 55 is stored in a storage location corresponding to the access area custom address sequence 85. On the other hand, when reading data, the storage space address translation module 25 is used to obtain an access area custom address sequence 85 corresponding to the system specified access area initial address sequence 80, and then the access area custom address. The encrypted data 55 is read from the storage position corresponding to the sequence 85. Thereafter, the encryption / decryption module 20 is used to decrypt the encrypted data 55 into the source data 50.

  The above is the outline of the main functions of the present invention. An initialization process using the digital information protection apparatus of the present invention will be described below.

  The storage space address conversion module 25 sets the address conversion rule 60 in accordance with the address conversion key 95 and the protected area initial address sequence 70 (Pi, i = 0, 1,..., N) of the area to be protected of the storage device 30. Used to determine. The address translation rule 60 is used to construct the protection area address mapping table 65, and the protection area initial address sequence 70 (Pi, i = 0, 1,..., N) is the protection area custom address sequence (Si. , I = 0, 1,..., N). The address translation rule 60 can be executed by using a function having the address translation key 95 and the protected area initial address sequence 70 (Pi, i = 0, 1,..., N) as parameters. A one-to-one correspondence between the range (Pi, i = 0, 1,..., N) and the range (Si, i = 0, 1,..., N) must be satisfied. Hereinafter, for the purpose of explanation, several methods for generating the function will be described.

(A) Only the protected area address area is used as a parameter. As shown in FIG. 4, the protected area initial address sequence 70 is (0, 1,..., 1000), and therefore the address area in it is 0-1000. The address translation rule 60 can be set as follows.
f (x) = 1000−x

  Therefore, according to the address conversion rule 60, the protected area initial address sequence 70 (0, 1,..., 1000) is converted into a protected area custom address sequence 75 (1000, 999,..., 0).

(B) The address conversion key 95 and the protected area address area are used as parameters. As shown in FIG. 5, since the protected area initial address sequence 70 is (0, 1,..., 499) and the address conversion key 95 is “a1K9”, the address conversion ASCII character code is 97-49- 75-57. This character code is extended using unused 128, resulting in a character code of 97-49-75-57-128-128-128-128. As a result, the address translation rule 60 is
f (x) = 96−x (when 0 ≦ x <97)
f (x) = 145−x + 97 (when 97 ≦ x <146)
f (x) = 220−x + 146 (when 146 ≦ x <221)
f (x) = 277−x + 221 (when 221 ≦ x <278)
f (x) = 405−x + 278 (when 278 ≦ x <406)
f (x) = 499−x + 406 (when 406 ≦ x <500)
It becomes.

  Therefore, this address translation rule 60 converts the protected area initial address sequence 70 (0, 1,..., 96..., 145..., 220..., 499) into the protected area custom address sequence 75 (96, 95). , ..., 0 ..., 97 ..., 146, ..., 221, ..., 406).

  The following are the procedures and methods that the information protection device takes when storing data in the protected area of the storage device 30.

  1. The data encryption / decryption module 20 encrypts the source data 50 (Di, i = 0, 1,..., M) into encrypted data 55 (Ri, i = 0, 1,..., K). used. The total length of the source data 50 is equal to or longer than the total length of the encrypted data 55. Because the stored data does not have a clear continuity, it can prevent accurate and complete reading of stored data that does not have a clear continuity, thereby enhancing the protection of the stored data Can do. This point will be described using the following encryption algorithm.

The encryption code 90 is set to “SSun”, and the encrypted ASCII character code is 0x53-0x53-0x75-0x6E. If a symmetric algorithm is used, the encryption algorithm 40 is as follows.
Xi = Xi to Xi _-1 (when i.noteq.0)
Xi to 0x5353756E (when i = 0)
Here, i is 8 to 0, “˜” indicates “exclusive OR” operation, and the length unit of Xi is 32 bits.

  In FIG. 6, the encryption algorithm 40 is used to encrypt the source data 50 (0x645BCF98, 0x6839274D, 0x4B652188, ..., 0x7890123E) into the encrypted data 55 (0x3708BAF6, 0x0C62E8D5, 0x235C06C5, ..., 0x5EA5B9CC). .

  2. The storage space address translation module 25 is used to follow the protected area address mapping table 65 or to directly use the address translation rule 60, and the system specified access area initial address sequence 80 (Ui, i = 0, 1,... , X) is converted into an access area custom address sequence 85 (Vi, i = 0, 1,..., X), which is stored in order. The address translation rule 60 and the protected area address mapping table 65 in FIG. 7 are the same as those shown in FIG. The system specified access area initial address sequence 80 (1, 2, 4, 6, 7, 996) is converted into an access area custom address sequence 85 (999, 998, 996, 994, 993, 4). Therefore, the encrypted data 55 (Ri, i = 0, 1, 2,..., K) is stored in the storage location corresponding to the access area custom address sequence 85 (999, 998, 996, 994, 993, 4). Is done.

  The procedures and methods necessary for reading data in the protected area of the storage device 30 are as follows.

  1. Either the storage space address translation module 25 is used to follow the protected area address mapping table 65 or the address translation rule 60 is used directly, and the system specified access area initial address sequence 80 (Ui, i = 0, 1, .., X) are converted into an access area custom address sequence 85 (Vi, i = 0, 1,..., X). The address translation rule 60 and the protected area address mapping table 65 in FIG. 7 are the same as those shown in FIG. 4, and the access area initial address sequence 80 (1, 2, 4, 6, 7,996) is converted to an access area custom address sequence (999,998,996,994,993,4). Therefore, the encrypted data 55 (Ri, i = 0, 1, 2,..., K) is read from the storage location corresponding to the access area custom address sequence 85 (999, 998, 996, 994, 993, 4). It is done.

  2. After reading the encrypted data (Ri, i = 0, 1, 2,..., K) according to the access area custom address sequence 85 (Vi, i = 0, 1,..., X), the data encryption / Using the decryption module 20, according to the decryption code 92 and the decryption algorithm 45, the encrypted data 55 (Ri, i = 0, 1, 2,..., K) is converted into the source data (Di, i = 0, 1, ..., m). This will be described using the following decoding algorithm.

The decryption code 92 is set to “SSun”, and the decrypted ASCII character code is 0x53-0x53-0x75-0x6E. When a symmetric algorithm is used, the decoding algorithm 45 is as follows.
Xi = Xi to 0x5353756E (when i = 0)
Xi to Xi _-1 (when i ≠ 0)
Here, i is 8 to 0, “˜” indicates “exclusive OR” operation, and the length unit of Xi is 32 bits.

  6, encrypted data 55 (0x3708baf6, 0x0c62e8d5, 0x235c06c5,..., 0x5ea5b9cc) is decrypted into source data 50 (0x645bcf98, 0x6839274d, 0x4b652188,..., 0x7890123e) using the decryption algorithm 45.

  8 and 9 show another preferred embodiment of the digital information protection method according to the present invention. The present embodiment is for protecting digital information stored in a storage device such as a hard disk by computer software stored in a computer-accessible storage medium in a digital information protection device such as a computer system. A procedure and method for executing digital information protection using the computer software program of the present embodiment will be described below with reference to FIGS.

  First, the size of each storage address is 1 byte, and the basic storage configuration unit of the storage device is 512 bytes (that is, 1 sector). The protected address area of the storage device is a total of 20971520 bytes from the 2048th byte to the 2097568th byte.

In this embodiment, the program is divided into a preparation operation shown in FIG. 8 and an actual access operation shown in FIG. In the preparatory operation shown in FIG. 8, three address translation rules are first generated according to three different translation units. In accordance with the three address conversion rules generated in this way, address conversion is performed on the address accessed by the subsequent actual access operation (as shown in FIG. 9).
Preparation operation (see Fig. 8)
1. First address translation

  In step 11 of FIG. 8, the program uses a conversion batch of 1024 bytes (hereinafter, referred to as “first conversion batch”), and the 20971520 bytes of the protected address are 20480 (20971520 bytes / 1024 bytes) first. It is divided into conversion batches, that is, 0-1023, 1024-2047, 2048-3071,. Next, as shown in FIG. 3, the address area of each first conversion batch is 2048 (1024 bytes / 4 bits) with 4 bits as one conversion configuration unit (hereinafter referred to as “first conversion configuration unit”). Number of address blocks (hereinafter referred to as “first address block”). As an example, taking the first first conversion batch 0 to 1023, the first address block can be represented as an address sequence [0, 1, 2, 3,..., 2047]. Thereafter, step 12 is executed, and an address block reordering rule (hereinafter referred to as a first address block reordering rule) is generated using the address area [0, 1, 2, 3,..., 2047] as parameters. Is done. For example, a non-reproducible random number sequence arrangement scheme is used. A random number sequence is generated based on information such as a computer operating rate, a hard disk access speed, and a network access data amount within a certain time, and the range of this random number sequence is 0 to 2047, for example, [231, 1038, 3, 49, 26, 322,...]. Then, the address of the i-th position of this random number sequence is exchanged with the i-th address of the address sequence. For example, the 0th address of the address sequence, that is, “0” is exchanged with the address of the 0th position of the random number sequence, that is, “231”. Also, the first address of the address sequence, that is, “1” is exchanged with the address of the first position of the random number sequence, that is, “1038”. In this way, an address block conversion table (hereinafter referred to as a first address block conversion table) [231, 1038, 73, 27,...] As shown in FIG.

  The first address / block conversion table of the second first conversion batch is obtained by converting (adding) the numerical values of the first first address / block conversion table by 2048, or the like. In this way, the first address block conversion table is obtained for all the first conversion batches (20480 batches).

  Since the random number sequence described above cannot be reproduced, the program needs to store this random number sequence or the first address block conversion table so that they can be easily used for address conversion in future data access. .

2. In the second address conversion step 13, as shown in FIG. 11, 81920 bytes are regarded as one conversion batch (hereinafter referred to as a second conversion batch), and the program sets 256 protected addresses of 20971520 bytes (20997120 bytes / 81920 bytes). ), Ie, 0 to 81919, 81920 to 163839, 163840 to 245759, and so on. Next, as shown in FIG. 11, using 640 bytes as one conversion composition unit (hereinafter referred to as “second conversion composition unit”), the address area of each second conversion batch is 128 (81920 bytes / 640 bytes) address blocks (hereinafter “second address blocks”). For example, in the case of 0 to 81919 which is the first second conversion batch, the converted second address block can be expressed as an address sequence [0, 1, 2, 3,... 127]. Thereafter, step 14 is executed, and an address block [0, 1, 2, 3,..., 127] is used as a parameter to generate an address block reordering rule (hereinafter, second address block reordering rule). Is done. For example, an encryption sequence arrangement scheme using a data encryption standard (hereinafter referred to as DES, data encryption standard) is used to rearrange the address sequence [0, 1, 2, 3,... 127]. First, the address sequence [0, 1, 2, 3,...] Is represented by a binary number sequence [0000000, 00000001, 0000010, 0000011,. Then, using a DES calculation process, this binary number sequence [0000000,0000001,0000010,0000011, ...], for example, using a code such as “1h% j9˜ & f” [0101000,1000100,1100000 , 001000, ...] (this is [40,68,96,24, ...] in decimal). Then, the address of the i-th position of this number sequence is exchanged with the i-th address of the address sequence. For example, the 0th address of the address sequence, that is, “0” is exchanged with the 0th address of the number sequence, that is, “40”. Also, the first address in the address sequence, that is, “1” replaces the address in the first position in the number sequence, that is, “68”. In this way, the address block conversion table (hereinafter referred to as second address block conversion table) [40, 68, 101, 8,...] Shown in FIG. The second address / block conversion table of the second second conversion batch is obtained by converting (adding) the numerical values of the first second address / block conversion table by 128, and the like. In this way, the second address block conversion table is obtained for all the second conversion batches (256 batches).

  In addition, because the number sequence described above is generated using an encryption process, the program must store the encryption code so that they can be used for the same address translation for future data access. There is.

3. In the third address conversion step 15, the program sets the conversion batch for the third conversion (hereinafter referred to as the third conversion batch) to 20971520 bytes (ie, corresponding to the size of the protected address area), 81920 A byte is one conversion structural unit (hereinafter referred to as a third conversion structural unit), and the third conversion batch of 20971520 bytes is 256 (20997120 bytes / 81920 bytes) address blocks (hereinafter referred to as third address blocks). Is converted to Therefore, the converted third address block is represented as an address sequence [0, 1, 2, 3,..., 255]. Thereafter, step 16 is executed to generate an address block reordering rule (hereinafter, third address block reordering rule) using the address region [0, 1, 2, 3,..., 255] as a parameter. Is done. For example, using a reproducible random number sequence arrangement scheme using a computer Rand function with a seed of 27498, a random number sequence in the range of 0 to 255, for example, [12,187,3,49,26,244,. Can be adjusted. Thereafter, the i th address in the address sequence is exchanged with the i th address in the random number sequence. For example, the 0th address of the address sequence, that is, “0” is exchanged with the 0th address of the random number sequence, that is, “12”. Also, the first address of the address sequence is exchanged with the address of the first position of the random number sequence, that is, “187”. In this way, the address conversion table (hereinafter, third address conversion table) [12, 187, 36, 28,...] Shown in FIG.

  Furthermore, since the random number sequence described above is generated using a reproducible random number sequence array scheme, the program stores the seed value of the computer's Rand function and uses the same address translation table for future data access. It needs to be easy to use.

  Accordingly, consider the case where the program receives a computer request from the computer operating system to write data on the storage device in step 21 of FIG. For example, if data is to be written to the 2043 to 2057th byte addresses of the storage device 30, some of the addresses to which the data is written contain unprotected areas, ie, the 2043 to 2047th bytes. The program first allows data to be written to the unprotected area (by directly executing the data write operation), and then allows data to be written to the protected area, ie, the 2048th to 2057th bytes. To.

Furthermore, since the data in this embodiment is encrypted before saving and the amount of data processed in each process of decryption / encryption is 8 bytes, the program sets the write range from the 2048th to the 2063th. There is a need to adjust to bytes (ie, an integer multiple of 8 bytes) and this data encryption and writing is performed in two operations. Further, since the area where data is written for the first time, that is, the 2048th to 2055th bytes is a data area that needs to be updated over the entire area, the program does not have to execute data reading first. The write operation may be performed directly after data encryption.
For example, the data to be written is
0x75, 0x52, 0x21, 0x67, 0x45, 0x9A, 0xB5, 0xC3
Suppose that In this case, the encrypted data generated as a result of digital data encryption (DES) using the encryption code [9dY2aB] is:
0x9D, 0xC5, 0xF7, 0x11, 0x0A, 0x83, 0x17, 0x44
It is.

  Therefore, in order to protect the encrypted data before the data is written to the storage device 30, the program of the present invention can perform three conversions on this address area. That is, in the address area of the 2048th to 2055th bytes in which data is first written, three address conversions according to the first, second, and third address block reordering rules generated above are performed, The write address of the encrypted data is found.

Actual access operation (see Fig. 9)
1. First Address Translation First, in step 22, the program determines the first translation batch to which the address batch 2048-2055 belongs, and the address batch 2048-2055 is one of the first translation batches described above, i.e., 0- Recognizing that it belongs to 1023. Therefore, the write address area, that is, the 2048th to 2055th bytes (total length: 8 bytes) is converted into 16 address blocks based on the first conversion structural unit (that is, 4 bits), and this is converted into the address sequence [0. , 1, 2, ..., 15]. Thereafter, the step 23 performs a rearranged address sequence [231, 1038, 73, 23,...] (Hereinafter referred to as a first address sequence) corresponding to the address sequence [0, 1, 2,. Is executed to search. This correspondence is based on the first address block conversion table generated according to the address block reordering rule.

2. Second Address Translation First, at step 24, the program determines the second translation batch to which the value of the first address sequence belongs. Assuming that all the values of the converted first address sequence [231, 1038, 73, 23,...] Are 0 to 1280 (1280 = 640 bytes / 4 bits), 0 to 1280 addresses. The batch belongs to the first batch of the second translation batch of the second address translation and is the first address area of the second address block, ie the second block address sequence [0, 1, 2,..., 128]. Positioned within [0]. In step 24, the program calculates the value of the second address block conversion table [40, 68, 101, 8,...] From the second address block conversion table generated based on the second address block reordering rule. , Find that the value corresponding to the first value [0] of the second address block is [40]. Therefore, the address in the first address sequence is converted into the address area of the 40th second address block. That is, 51200 (40 × 1280 bytes) is added to each value of the first address sequence [231, 1038, 73, 23,...], And the address area of each second block is 1280 bytes. In this way, the second address sequence [51431, 52238, 51203, 51202,...] Can be obtained.

3. Third Address Translation Similarly, in step 25, the program first determines the third translation batch to which the second address sequence [51431, 52238, 51203, 51202, ...] belongs, and then determines the second address sequence [51431, 52238. , 51203, 51202,...] Within the range of 0 to 163840 (163840 = 81920 bytes / 4 bits), that is, the first area of the third address block, that is, the first number of the third conversion batch. Verify that it is at the first value [0] in the 3-address block sequence [0, 1, 2, 3,..., 256]. Further, from the third address block conversion table [12, 187, 36, 28,...] Generated based on the third address block reordering rule, the third address block conversion table [12, 187, 36,. ..]], The first value of the third address block, that is, the value corresponding to [0] is found to be [12]. Therefore, the address of the second address sequence is translated into the 12th address area in the third address block of the third translation batch. That is, 1966080 (12 × 163840 bytes) is added to each value of the second address sequence [231, 1038, 73, 23,...], And the address area of each third address block becomes 163840 bytes. In this way, the third address sequence [20157511, 2014318, 2017283, 2017282,...] Can be obtained.

  Finally, in step 26, the program converts the address of the third address sequence into an address where the data is actually written to the storage device 30 based on the storage unit of the storage device. For example, assuming that the storage unit of the storage device 30 is 512 bytes (one sector), the addresses in the third address sequence corresponding to the write address of the storage device are [1970. xx, 1971. xx, 1970. xx, 1970. xx, ...], where 1970. xx means 2015111/1024 (512 bytes / 4 bits) = 1970... 231 (remainder), that is, the 231st address of the 1970 sector.

  Thereafter, the encrypted 8-byte data is divided into 16 data blocks represented by a 4-bit write unit, and this data is stored in the write address [1970. xx, 1971. xx, 1970. xx, 1970. xx,...]. That is, each data block is recorded in the first 4 bits or the last 4 bits of each write address.

  After completing the first data write, the program performs a second data write process. Of the 2056th to 2063th bytes in the second data write area, the data of the 2058th to 2063th bytes are not updated. Therefore, the program first reads the data of the 2056-2063 bytes, decodes this data, It is necessary to encrypt all data again after updating the data of the 2056th to 2057th bytes. Thereafter, the rearranged address (that is, the third address) of the addresses of the 2056th to 2063rd bytes after the address conversion is found by the above-described method, and this is converted into an actual write address on the storage device 30. Subsequently, the encrypted data is written into the storage device 30.

  As is clear from the above description, the protected address area of the storage device in the digital information protection apparatus of the present embodiment has a plurality of conversions (3 in this embodiment) using different conversion rules that are remapped to different addresses. Two translations or one basic translation), so that data written to the protected address area can be distributed and distributed to discontinuous addresses in the protected address area To do. In this way, even if the data stored in the storage device is stolen, the distributed data is not reconstructed into the original encrypted data, thereby making the data stored in this storage device sufficiently and powerful. Can be protected.

  FIG. 13 shows another embodiment of the digital information protection method according to the present invention, which is applied to a server end or a client end that transmits data through a wired or wireless network, and is transmitted from a transmission end (server end or client end). It is intended to protect the segment of data that is being processed. Therefore, the digital information protection method of the present embodiment is in the form of a computer software program in a recording medium that can be accessed by a computer of a digital information protection device (such as a computer system) disposed at a server end and / or a client end. The digital information transmitted from the client end to the server end and / or the digital information transmitted from the server end to the client end is intended to be protected.

  Using the case where the preset data configuration unit is 1 byte and the transmitted unit data amount is 8 bytes as an example, when the server end and the client end transmit data to each other, a communication connection is first established. After the communication connection is established, identification authentication, protected area start / end communication, storage space address conversion rule and code communication, data encryption / decryption, and code communication are performed. Hereinafter, the identification and authentication procedure will be briefly described using a conventional authentication method.

  During identification and authentication, each of the server end and the client end has its own public key infrastructure (PKI). First, the client end generates a random sequence signal as an identification authentication value. For example, the current CPU operating rate is obtained as a seed value, 8 consecutive bytes such as [32,145,204,9,158,3,222,68] are obtained by the Rand function, and two types of 16 consecutive bytes are obtained. One is a protected area start signal, for example, [129, 33, 56, 188, 7, 8, 251, 2, 139, 193, 6, 88, 27, 18, 201, 12], and the other is protected. Obtained as a region end signal, for example, [42, 111, 2, 38, 107, 248, 51, 72, 10, 31, 176, 238, 9, 45, 35, 142] using the Rand function . In addition, the address translation rules are set using a preset translation scheme (details below), and the address translation code is a value of 4 consecutive bytes obtained using the Rand function, eg [13, 213, 6, 88]. And so on. A preset DES (digital encryption standard) is used for encryption / decryption. The encryption code is a value of 8 consecutive bytes obtained by using the Rand function, for example, [6, 23, 145, 231, 255, 9, 83, 121].

  Therefore, when the client end establishes and sets communication start and end signals, address conversion rules and conversion codes, such data is obtained from the certificate authority or stored in advance at the client end and transmitted to the server end. Encrypted based on the key.

  After the server end receives the above data, the server end uses the private key to decrypt the received data. Also, the server end encrypts the identification authentication value (random sequence signal) obtained from the decryption using the public key of the client end obtained from the certificate authority or stored in advance at the server end, and transmits this to the client end To do.

  After the client end receives the confirmation data from the server end, the client end decrypts the received data using the private key, and the identification authentication value (random sequence signal) obtained from the decryption is generated previously. Compare the server end to confirm the identity.

  The same verification procedure is initiated and verified at the server end in the opposite direction, ie from the server end to the client end. Thereafter, the client end and the server end can send respective protected area start signals, and protect data using encryption and data encryption according to address translation rules before transmission. When the server end or the client end receives a protected area start signal from the other party, it must convert the received data using the scheme defined in the communication procedure and decode this data to obtain the correct data.

  Furthermore, when transmitting a protected data character string, the number of bytes of valid data to be transmitted must be recorded in the character string start field, and the amount of data to be transmitted must be an integral multiple of the unit data amount of 8 bytes. However, the defect is compensated by a random number or any other number. For example, when sending 59 bytes of data, the first 2 bytes of this data string are used to record the number 59, and 3 bytes of blank data are added after the data string (ie 59 + 2 + 3 = 64). , 8 sets of 8-byte data need to be configured.

  The encryption procedure is the same as described above, and re-description is omitted here for simplicity. These eight sets of data are encrypted to [0x23, 0x43, 0xF6, 0xA8, 0x07, 0x8D, 0x51, 0x92] [...] [...] [...] [...] [...] [...] [...] Shall.

  The digital information protection method of this embodiment is shown in step 61 of FIG. First, as shown in FIG. 14, the program permits the conversion of the protected address area to be protected. That is, the 8-byte address area of each data set of this embodiment is divided into 32 (8 bytes / 2 bits) address blocks by, for example, a 2-bit preset conversion unit. Subsequently, in step 62, the program uses the address block to generate an address block reordering rule as a parameter, which in this embodiment is a modified congruential method (DE Knuth, The Art of of. (Computer Programming, Vol. 2: Seminal Algorithms, Chapter 3, Addison-Wesley, 1969) is adopted as a random sequence generation method. In this generation method, in accordance with the preset address conversion code [13, 213, 6, 88], the prime number Prm1 is the thirteenth prime number selected from 373, that is, 443 (where 373 was randomly selected). The number should not be too large, because this is a prime number calculation formula {Rm [i + 1] = MOD (Mult ...) determined after sequentially selecting prime numbers [443,1871,401,947]. } So that the calculated value does not exceed the numerical value range of the processor. The prime number Prm2 is the 213th prime number 1871 from 373. Pls is the sixth prime number 401 from 373. The initial value Rm [0] of the random number sequence is the 88th prime number 947 from 373.

The random sequence value is calculated by:
Multit = Prm1 × Prm2 + 1 = 165240
Div = Prm1 × Prm2 × Prm2 = 61634147
Rm [i + 1] = MOD (Mult × Rm [i] + Pls, Div) = Mod (165240 × Rm [i] +401,61634147)
Rm = [947,33214387,9420372,51887196,37334665,274432626,221145379,21484824,25450961,34043790,4726311,3475377,25948282, ...]. A total of 32 values are obtained.

  The value of Rm is divided by 32 to obtain a total of 32 remainder values Rma: [19, 19, 20, 28, 5, 18, 3, 24, 17, 14, 15, 17, 26,.

  Next, the numerical value of the Rma [i] th address is sequentially stored in the [i] th address. If the value of Rma [i] is already used, the increment value of Rma [i] (the value obtained by dividing by 32 and increasing to a value that has not been used so far) , [I] th address. In this way, the address block conversion table RM [19, 20, 21, 28, 5, 18, 3, 24, 17, 14, 15, 22, 26...] Shown in FIG. 14 can be obtained.

  Therefore, if the first set of encrypted data is to be loaded into an address batch (ie, an 8-byte protected address area) after the address translation rules and address block translation table RM are configured as described above, In step 63, an 8-byte address space is first converted to 32 address blocks using 2 bits as a translation building block. Thereafter, the addresses of the address blocks in the address batch are rearranged based on the address block conversion table RM. The first set of encrypted data is then divided into 32 data blocks using 2 bits as a storage unit. This is in decimal notation [0, 2, 0, 3, 1, 0, 0, 3, 3, 3, 1, 2, 2, 2, 2, 0, 0, 0, 3, 3, 2, 0, 3, 1, 2, 2, 0, 1, 2, 1, 0, 2]. In step 65, the 32 data blocks are sequentially stored in the reordered 32 address blocks. Thus, as shown in FIG. 14, the first set of encrypted data after being sequentially stored in the 32 rearranged address blocks is [3, 2, 0, 2, 0, 3, 3, 2 , 0, 2, 0, 3, 0 ...]. Similarly, the second through eighth sets of encrypted data are rearranged using the conversion scheme described above, after which these data are transmitted in the manner described above.

  As is apparent from the above, in the present embodiment, the address batch occupied by the unit data amount transmitted to a plurality of address blocks based on the translation composition unit (that is, the above-described protected data) is transmitted before data transmission. A digital information protection device for converting the address area) is provided at the transmitting end, and based on this address block, an address conversion rule is generated, and an address conversion table is generated from this rule, thereby being occupied by the data. The address batch is converted into a plurality of address blocks based on the translation building unit, and the addresses of the address blocks are rearranged according to a previously generated address translation rule or address translation table. The data is then loaded sequentially into the rearranged address blocks to form a data sequence and then transmitted. In this way, the data is sufficiently distributed before transmission, so even if there is an interruption in the middle of the transmission process, the encrypted data cannot be reconstructed into the original encrypted data. Provides complete and strong protection during the transmission process.

  Further, although the digital information protection method is implemented as computer program software configured to be stored in a computer system, the method of the present invention is an integrated circuit, electronic circuit, electronic circuit that can be controlled once by a program ( Or a programmable logic circuit) that includes or does not include a central processing circuit, and one that has a logical computing capability.

  Furthermore, in order to prevent unauthorized access to the address translation scheme leading to cracking of the encrypted data, multiple (three) translation procedures performed in the first preferred embodiment are executed and controlled on different devices. You can also. For example, a code input by a user is used as a conversion code for first address conversion, a conversion table read from a chip card inserted into a computer system by a user is used for execution of second address conversion, and a network server However, the third address translation can be controlled and executed. Such a control scheme can be applied to the above-described preparation operation and actual access operation.

  Furthermore, the address conversion rule, the address conversion table, or the conversion code generated in the above embodiment is a magnetic property such as a magnetic card, CD, DVD, smart card, RAM disk, chip card, RF device, infrared light emitting diode device, etc. , Optical, integrated circuit, electronic circuit, or a storage medium for reading (or writing) using electromagnetic waves. In addition, easy access to the address translation scheme can be further prevented by inputting the above-described conversion code through a keyboard or by obtaining from the biological characteristics of the user.

  While the invention has been described in connection with the most practical and preferred embodiments, the invention is not limited to the disclosed embodiments and is intended to fall within the broadest spirit and scope of interpretation. It is intended to include configurations and is understood to encompass all configurations equivalent to such improvements.

It is a figure which shows the main functional block in one Embodiment of this invention. It is a figure which shows the main functional block in another preferable embodiment of this invention. It is a figure which shows the main functional block in another preferable embodiment of this invention. Fig. 4 shows a protected area address mapping table constructed using predetermined address translation rules in a preferred embodiment of the present invention. FIG. 6 illustrates a protected area address mapping table configured using another address translation rule in a preferred embodiment of the present invention. FIG. An example of encrypting source data using an encryption algorithm and decrypting encrypted data into source data using a decryption algorithm will be schematically shown. In the preferred embodiment of the present invention, it schematically illustrates how a system-specified access area initial address sequence is converted to an access area custom address sequence. It is a preparation operation | movement flowchart in another embodiment of the digital information protection method by this invention. FIG. 6 is a flow diagram of an actual access operation in a preferred embodiment. It is a mimetic diagram explaining the 1st address translation in a suitable embodiment. It is a mimetic diagram explaining the 2nd address translation in a suitable embodiment. It is a schematic diagram explaining the 3rd address translation in suitable embodiment. It is a flowchart in further another embodiment of the digital information protection method by this invention. It is a schematic diagram explaining the address conversion in this suitable embodiment.

Claims (26)

A method of protecting digital information,
(A) converting a protected address region based on a preset translation unit into a plurality of address blocks, and generating address block reordering rules using the address blocks as parameters;
(B) when loading data into address batches of the protected address area, converting the address batches into a plurality of address blocks based on the translation composition unit;
(C) searching for a rearranged address of the address block in the protected address area according to the address block rearrangement rules, and loading the data into the rearranged address. A method for protecting digital information, characterized in that: The protected address area is a storage address space of the storage device (30);
In step (C), before loading the data into the reordered address, each of the reordered addresses is stored in the storage device (30) according to the storage unit of the storage device (30). The method of protecting digital information according to claim 1, wherein the digital information is converted into an actual write address.   The method of protecting digital information according to claim 1, wherein the conversion unit is one of 1 byte, 4 bits, and 2 bits. In step (A), a scheme for arranging a non-reproducible random sequence is used as the address block reordering rule, and a computer for generating a random number array from 0 to the number of address blocks Using the internal hardware operation information of (11),
Exchanging the i-th address block with an i-th address block in the random number array by generating an address translation table;
The digital information according to claim 1, wherein in step (C), the rearranged addresses of the address blocks in the protected address area are retrieved based on the address translation table. How to protect.   In step (A), an externally entered address translation key (95) is accepted and the address block reordering rule uses a number of the address blocks and the address translation key (95). The method of protecting digital information according to claim 1, comprising: In step (A), the address block reordering rule uses an encrypted ordering scheme that includes utilizing a data encryption standard that uses the address exchange key (95) as an encryption code (90);
Encrypting a numerical order that is a binary representation of an address sequence constituted by the address blocks; representing a decimal encrypted binary number order to form an address block sequence;
6. The method of claim 5, further comprising exchanging an i-th address block with an i-th address block in the address block sequence by generating an address translation table. To protect your digital information.   7. Protect digital information according to claim 6, characterized in that, in step (C), the rearranged addresses of the address blocks in the protected address area are searched according to the address translation table. how to.   In step (A), the address block reordering rule comprises utilizing a Rand function of a seeded computer to generate a random number array from 0 to the number of address blocks. -Using the sequence array scheme and generating an address translation table, including replacing the i-th address block with an address block having the i-th position in the random number array. The method of protecting digital information according to claim 5.   9. Protect digital information according to claim 8, characterized in that, in step (C), the rearranged addresses of the address blocks in the protected address area are searched according to the address translation table. how to.   Digital information according to claim 1, characterized in that in step (B) the data is encrypted data encrypted using an encryption algorithm and an encryption code (90). How to protect. A method of protecting digital information,
(A) dividing the protected address area into a plurality of first conversion batches, converting the address area of each of the first conversion batches into a plurality of first address blocks based on a first conversion composition unit; Generating the first address block reordering rule to reorder the first address block using the first address block as a parameter;
(B) dividing the protected address area into a plurality of second conversion batches, and converting the address areas of each of the second conversion batches into a plurality of second address blocks based on a preset second conversion composition unit. Translating and generating the second address block reordering rule to reorder the second address block using the second address block as a parameter;
(C) dividing the protected address area into at least one third translation batch, the address area of the at least one third translation batch based on a preset third translation composition unit being a plurality of third address blocks And generating the third address block reordering rule to reorder the third address block using the third address block as a parameter;
(D) when loading data into an address batch of the protected address area, determining the first translation batch to which the address batch belongs; based on the first translation composition unit; Converting a batch into a plurality of address blocks, searching for a rearranged address of the address block in the protected address area according to the first, second and third address block rearrangement rules. And loading the data into the thus rearranged addresses thus retrieved, a method for protecting digital information. Step (D)
(D1) retrieving the rearranged first address of each of the address blocks in the first translation batch according to the first address block reordering rule;
(D2) determining the second translation batch to which each of the rearranged first addresses belongs, and according to the second address block reordering rule, to which the respective rearranged first address belongs. Retrieving the rearranged second address of each of the rearranged first addresses in a second translation batch;
(D3) determining the third translation batch to which each of the reordered second addresses belongs, and according to the third address block reordering rule, to which the respective reordered second addresses belong Retrieving a rearranged third address of each of the rearranged second addresses in a third translation batch; and loading the data into the rearranged third address. 12. A method for protecting digital information according to claim 11 characterized in that: The protected address area is a storage address space of a storage device (30);
Step (D3)
Before loading the data into the rearranged third address, each of the rearranged third addresses is stored in the actual storage device (30) according to the storage unit of the storage device (30). The method of protecting digital information according to claim 12, characterized in that it is converted to a write address and the data is stored at the actual write address thus converted.   The first address block reordering rule uses operation information of internal hardware of the computer to generate a random number array within a range of the number of the first address blocks of each of the first conversion batches. A first address block having an i th position in the random number array by using a non-reproducible random sequence array scheme that includes and generating a first address block translation table 13. A method for protecting digital information according to claim 12, comprising the step of exchanging for address blocks.   15. In step (D1), the rearranged first addresses of each of the address blocks in the first translation batch are searched based on the first address translation table. How to protect the digital information described in.   The second address block reordering rule uses a data encryption standard and an address translation key (95) to generate a random number array within the second address block of each second translation batch And exchanging the i-th second address block with the second address block having the i-th position in the random number array by generating a second address block conversion table. 13. A method for protecting digital information according to claim 12, characterized in that:   In step (D2), the rearranged second address of each of the rearranged first addresses in the second translation batch is searched based on the second address translation table. The method of protecting digital information according to claim 16.   The third address block reordering rule utilizes a seeded computer Rand function to generate a random number array within the third address block of the at least one third translation batch; An address block having an i th position in the random number array by using a reproducible random sequence array scheme including and generating a third address block translation table The method of protecting digital information according to claim 12, comprising the step of:   In step (D3), the rearranged third address of each of the rearranged second addresses in the third translation batch is retrieved based on the third address block translation table. The method of protecting digital information according to claim 18.   The method for protecting digital information according to claim 16, characterized in that the address translation key (95) is input externally.   The method of claim 18, wherein the seed value is input externally.   The method for protecting digital information according to claim 11, characterized in that the data is encrypted data encrypted using an encryption algorithm and an encryption code (90). A computer-accessible recording medium storing a program for protecting digital information,
In order to carry out the steps of the method for protecting digital information, the program is readable and executable to run a computer (11),
The method
(A) converting a protected address region based on a preset translation unit into a plurality of address blocks, and generating address block reordering rules using the address blocks as parameters;
(B) when loading data into address batches of the protected address area, converting the address batches into a plurality of address blocks based on the translation composition unit;
(C) searching for a rearranged address of the address block in the protected address area according to the address block rearrangement rules, and loading the data into the rearranged address. The computer-accessible recording medium which recorded the program which protects digital information characterized by the above-mentioned. A computer-accessible recording medium storing a program for protecting digital information,
In order to carry out the steps of the method for protecting digital information, the program is readable and executable for executing a computer (11),
The method
(A) dividing the protected address area into a plurality of first conversion batches; converting the address area of each of the first conversion batches into a plurality of first address blocks based on a first conversion composition unit; And generating a first address block reordering rule to reorder the first address block using the first address block as a parameter;
(B) dividing the protected address area into a plurality of second conversion batches, converting the address area of each of the second conversion batches into a plurality of second address blocks based on a preset second conversion configuration unit; And generating a second address block reordering rule to reorder the second address block using the second address block as a parameter;
(C) dividing the protected address area into at least one third conversion batch, the address area of the at least one third conversion batch based on a preset third conversion composition unit having a plurality of third addresses; Converting to a block; and generating the third address block reordering rule to reorder the third address block using the third address block as a parameter;
(D) when loading data into an address batch of the protected address area, determining the first translation batch to which the address batch belongs; based on the first translation composition unit; Converting a batch into a plurality of address blocks, searching for a rearranged address of the address block in the protected address area according to the first, second and third address block rearrangement rules. And a computer-accessible recording medium recording a program for protecting digital information, comprising loading the data into the thus rearranged addresses thus retrieved. A device for protecting digital information loaded with a program for protecting digital information,
The apparatus for protecting digital information has the ability to read and execute a program for protecting the digital information so as to perform the steps of the method for protecting digital information;
The method
(A) converting a protected address region based on a preset translation unit into a plurality of address blocks, and generating address block reordering rules using the address blocks as parameters;
(B) when loading data into address batches of the protected address area, converting the address batches into a plurality of address blocks based on the translation composition unit;
(C) searching for a rearranged address of the address block in the protected address area according to the address block rearrangement rules, and loading the data into the rearranged address. A device that protects digital information. A device for protecting digital information loaded with a program for protecting digital information,
The apparatus for protecting digital information has the ability to read and execute a program for protecting the digital information so as to perform the steps of the method for protecting digital information;
The method
(A) dividing the protected address area into a plurality of first conversion batches; converting the address area of each of the first conversion batches into a plurality of first address blocks based on a first conversion composition unit; And generating the first address block reordering rule to reorder the first address block using the first address block as a parameter;
(B) dividing the protected address area into a plurality of second conversion batches, and converting the address areas of each of the second conversion batches into a plurality of second address blocks based on a preset second conversion composition unit. Translating and generating the second address block reordering rule to reorder the second address block using the second address block as a parameter;
(C) dividing the protected address area into at least one third translation batch, the address area of the at least one third translation batch based on a preset third translation composition unit being a plurality of third address blocks And generating the third address block reordering rule to reorder the third address block using the third address block as a parameter;
(D) when loading data into an address batch of the protected address area, determining the first translation batch to which the address batch belongs, based on the first translation composition unit, Converting a batch into a plurality of address blocks, searching for a rearranged address of the address block in the protected address area according to the first, second and third address block reordering rules. And a device for protecting digital information, comprising loading the data into the thus rearranged addresses thus retrieved.

Images