JP4480513B2 - Information leakage prevention device for HDD - Google Patents

Description

  The present invention relates to an information leakage prevention apparatus for an HDD that can reliably prevent information leakage of an HDD (hard disk drive) in which user data is recorded during maintenance work in an information processing apparatus such as a computer.

  In a contractor who performs maintenance work on information processing apparatuses scattered in various places such as personal computers (hereinafter abbreviated as PCs), user data remains recorded for replacement or investigation of HDDs installed in the apparatus. There are many cases of transportation and storage in the state. In this way, if the HDD in which user data is recorded is transported or stored, if information is leaked due to theft or the like, not only will the user be damaged significantly, but the person in charge will be seriously damaged. .

  Therefore, the conventional HDD information leakage prevention apparatus overwrites the recorded data with a well-known symbol character, for example, the numeral symbol “0”, for erasing data when the data recorded in the HDD is not required. The recorded data is hidden so that it cannot be read out.

  In such overwriting of data, the execution time is proportional to the capacity of the HDD or the amount of data recorded. Therefore, in modern HDDs with a large capacity, it takes a very long time to complete, which is not realistic. In addition, since the original data that has been recorded is substantially erased, the internal data cannot be restored and reused. Therefore, it is impossible to collect data for investigating soft faults.

  JP-A-2001-84174 (Patent Document 1) is disclosed as a conventional information leakage prevention device that solves such problems. This information leakage prevention apparatus makes it possible to protect information stored in the information storage means against unauthorized actors who decipher or steal other people's content.

  That is, in the information leakage prevention apparatus, when information is stored in the information storage means, the information is encrypted based on the encryption algorithm and stored in the information storage means. When reading information from the information storage means, a control means for decoding the read information based on a decoding algorithm is provided in an electronic apparatus provided with the information storage means. Further, an external device for supplying the encryption key for encryption and the decryption key for decryption to the control means is provided outside the electronic device, and the external device is connected to the control means via the communication means. On the other hand, the encryption key and the decryption key are supplied.

  When data is recorded in the HDD, such an information leakage prevention device converts the internal data using, for example, a secret key encryption “RC5 (registered trademark)” disclosed by the algorithm, and decrypts it even if the data is read. I can't do it. However, encryption is very difficult to decrypt, but the data itself can be taken out. Therefore, there is a great risk that it will be easily decrypted due to recent rapid advances in decryption technology.

  In order to solve these problems, for example, Japanese Patent Application Laid-Open No. 7-44330 (Patent Document 2) cannot prevent easy access from a connected host system and can prevent theft of recorded data. A disk device is disclosed.

  This magnetic disk device reads / writes data from / to a magnetic disk by an access command received from a connected host system, and is a writable nonvolatile memory that stores and sets identification information input from the host system. It has a sex memory. When the power is turned on, the access command for the magnetic disk input from the host system is not executed unless the same identification information as that set in the nonvolatile memory is input from the host system.

  Such a function has been proposed to prevent theft of recorded data when a magnetic recording device such as an HDD is connected to a portable PC (personal computer) using an expansion card, a so-called PC card. The identification information input to the magnetic disk device is input from a host system that is always connected. The connection specification between the portable PC and the HDD is based on a unified standard jointly established by PCMCIA (Personal Computer Memory Card International Association) in the United States and JEIDA (Japan Electronics Industry Promotion Association) in Japan.

  Therefore, since the passwords that can be unlocked are usually different for each of the scattered PCs, it is necessary for the contractor performing the maintenance work to have an information leakage device.

  In addition, when a supplier who performs maintenance work on information processing apparatuses scattered in various places replaces an HDD mounted on the apparatus, the function of inputting identification information using a PC card as described above is provided on the HDD mounting apparatus. It is not equipped. Further, even if the identification information input function is provided, the record information cannot be read unless the set identification information is input in the host system of the supplier. Therefore, for example, it is very bad from the viewpoint of information leakage that the contractor moves the identification information input to each HDD accommodated in the information processing apparatus in each place for maintenance work together with the HDD secretly to, for example, a factory. It may be impossible.

JP 2001-084174 A Japanese Patent Application Laid-Open No. 07-044330

  The problem to be solved is that in order to prevent leakage of data information recorded in the HDD when the HDD that is fixedly connected to the information processing apparatus without being connected to the PC card is transported or stored for maintenance work, for example. However, it is difficult to decrypt the code, and it is difficult to handle the identification information on the HDD, which does not help prevent information leakage.

  It is an object of the present invention to provide an information leakage prevention device for HDD that locks stored data by inputting identification information and a password to a target HDD by a vendor while inputting the release information of the same vendor. It is aimed.

  The present invention relates to an ATA / ATAPI (AT Attachment / AT Attachment Packet) standardized in the United States as a data transfer method between an information processing device such as a PC and a device such as an HDD connected to the target HDD. Interface) standard is applied. In the present invention, as the identification information, a “SECURITY SET PASSWORD” command (hereinafter abbreviated as “SSP command”) in the ATA / ATAPI standard is used, and the lock PW (password) up to 32 bytes is obtained by this SSP command. Is set. Therefore, the HDD information leakage prevention apparatus according to the present invention receives a predetermined lock PW setting from the PC in advance.

  In the HDD information leakage prevention apparatus according to the present invention, when a target HDD is connected and the security lock function is selected, an SSP command and a lock PW are sent to the HDD to shift the target HDD to the locked state. Thus, access to the target HDD storage data thereafter is denied. Therefore, the “SECURITY DISABLE PASSWORD” command (hereinafter referred to as the SDP command) that disables the PW (password) even if the HDD is unlocked with the “SECURITY UNLOCK” command (hereinafter referred to as SUL command) as the unlock command. And the lock PW, the recorded data in the HDD cannot be accessed. In other words, the HDD internal data cannot be read unless it returns to the normal state after unlocking.

  Therefore, it is desirable that the HDD information leakage prevention device for unlocking be installed only in a safe workplace or survey department that cannot be taken outside.

  Also, when taking out an HDD that is not normally locked, for example, as data for investigation, the data from the investigation target HDD is moved and stored in an HDD that is not subject to investigation and can be normally locked. Good.

  The erasing method is, for example, overwriting the head area 1MB and the tail area 1MB of the HDD with erasing data, for example, the numerical symbol “0 (zero)”, and then using a random LBA (Logical Block) using a random number for the remaining portion. 20,000 Addressing) are generated, and the LBA is overwritten with erasure data or the like. As a result, the disk management area of the HDD is completely erased, the data portion becomes worm-eaten, and it becomes very difficult to collect meaningful data even if file restoration software is used. In this method, the execution time is constant regardless of the difference in HDD capacity.

  It is preferable that the HDD information leakage prevention device for setting the lock PW in the HDD and the HDD information leakage prevention device for releasing the lock PW from the HDD are separate products. As a result, even if the HDD information leakage prevention device and the HDD are stolen together, the possibility of information leakage is kept low. Further, by making the difference between the two products different between the internal firmware, the function can be selected by downloading the firmware. In this case, operational flexibility is improved.

  Once the HDD information leakage prevention apparatus of the present invention sets the lock PW set from the PC in the HDD, access to the HDD is prohibited unless the same password is used, and the HDD is virtually unusable. It becomes a state. This state cannot be released even by the HDD manufacturer, so the security level is very high, and sufficient security can be ensured during transportation or storage. Further, the execution time for locking is the setting time of the locking PW and does not depend on the storage capacity of the HDD, so that the locking process can be performed in the same time for either 30 GB or 300 GB. For this reason, the burden on the worker is minimized.

  Since data is stored in the locked HDD, when investigating a failure, the investigation department can release the lock and perform an accurate investigation using the failure data. In addition, when the HDD does not have the PW lock function or when the HDD cannot be locked for some reason, the HDD information leakage prevention apparatus uses the HDD recording data as erasure data, for example, a numeric symbol “ It has a data erasure function for overwriting with "0". A security guard can be realized using this erasing function.

  The purpose of preventing data leakage by making it impossible to read the data stored in the HDD with a simple operation is that of the ATA / ATAPI (AT Attachment / AT Attachment Packet Interface) standardized for HD (hard disk) connection. By using the “SECURITY SET PASSWORD” command (SSP command) to set a predetermined lock PW (password) in the HDD, this was realized without losing the conventional configuration. When the lock PW is released, the “SECURITY DISABLE PASSWORD” command (SDP command) and the lock PW are used.

  First, an outline of the information leakage prevention apparatus 1 for HDD will be described with reference to FIG.

  As shown in the figure, the information leakage prevention apparatus 1 connects a PC (personal computer) 2 for PW setting via a connection cable 20 on the one hand, and connects the HDD 3 via a connection cable 30 on the other hand. The information leakage prevention apparatus 1 is written with a PW of 32 or less alphanumeric characters preset by the PC 2. The written PW is held in the HDD 3 and valid until it is reset.

  The information leakage prevention apparatus 1 includes a function selection switch 4, a function display 5, a start switch 6, and a determination display 7 on the surface. The function selection switch 4 is pushed by the user when selecting a function such as data lock, lock release, and data erasure of the HDD 3, and the selected function is switched every time the function is pushed, and characters are displayed on the function display 5, for example. The start switch 6 is pushed by the user after a function is selected, and starts execution of the function. The determination display 7 displays the function execution result in color by, for example, lighting of a lamp. “Green” is lit when the function is completed, and “Red” is lit when execution fails due to a malfunction.

  Next, with reference to FIG. 2, the configuration of the information leakage prevention apparatus 1 for HDD and the related apparatuses PC2 and HDD3 will be described.

  In addition to the function selection switch 4, the function display 5, the start switch 6, and the determination display 7, the information leakage prevention apparatus 1 includes a key switch I / F (interface) 11, a connection connector 12, an HDD controller 13, and a PW ( Password) memory 14, display I / F 15, and system controller 16.

  The key switch I / F 11 receives the operation information of the function selection switch 4 and the start switch 6 and notifies the system controller 16 of the operation information. The connection connector 12 connects the HDD controller 13 to the HDD 3.

  The HDD controller 13 is connected to the HDD 3 via the connection connector 12, converts a command sent from the system controller 16 into a signal to be sent to the HDD 3, and controls the functional operation of the HDD 3, while the signal sent from the HDD 3 is It has a function to send to the controller 16. The connection method between the information leakage prevention apparatus 1 and the HDD 3 is based on the ATA / ATAPI standard standardized for HD connection. Furthermore, the HDD controller 13 has an overwriting operation function in the HDD 3.

  The PW memory 14 stores and stores a password received from the PC 2 via the system controller 16. The display I / F 15 notifies the display data received from the system controller 16 to the function display 5 and the determination display 7 and displays them.

  The system controller 16 interprets the switch information received from the key switch I / F 11, generates the function and determination at the time of function processing into display data, and displays the function display 5 and the determination display via the display I / F 15. 7 and further generates an ATA command based on the ATA (AT Attachment) standard to be sent to the HDD controller 13. Details will be described with reference to a flowchart.

  The PC 2 has software that is connected using, for example, a USB (Universal Serial Bus) interface and sets a password in the information leakage prevention apparatus 1. Also, it is assumed that the PC 2 has previously set a password in the PW memory 14 via the system controller 16 of the information leakage prevention apparatus 1 before controlling the HDD 3.

  The HDD 3 includes an HD drive unit 31, an HDD information memory 32, and an HD 33. The HD drive unit 31 is driven by the information leakage prevention apparatus 1 to turn on the power and start operation. The information leakage prevention procedure at the start time will be described later with reference to a flowchart. The HDD information memory 32 is controlled by the HD drive unit 31, stores predetermined HDD information, and includes a password storage area. An HD (hard disk) 33 is a hard disk recording medium that records data information received from an operating information processing apparatus under the control of the HD drive unit 31 when mounted on an information processing apparatus such as a PC.

  Next, the main operation procedure of the information leakage prevention apparatus 1 will be described with reference to FIGS.

  First, as shown in FIG. 3, the function selection switch 4 performs function selection (procedure S1). The function selection includes security lock (procedure S2), information deletion (procedure S20), and security unlock (procedure S40).

  When step S2 is “YES” and the security lock is selected, the system controller 16 receives this via the key switch I / F 11 and drives the HDD controller 13. The HDD controller 13 drives the HD drive unit 31 of the HDD 3 to issue the “IDENTIFY” command (confirmation command) to the HD drive unit 31 with the HDD 3 powered “ON” (step S3). Information is acquired (step S4).

  When the system controller 16 receives the HDD information acquired by the HDD controller 13 and determines that the security lock is possible from the “Security Supported” state in the HDD information (YES in step S5), the system controller 16 passes the HDD information through the HDD controller 13. An SSP command is issued to the drive unit 31, and a password composed of an arbitrary character string of 32 bytes or less is acquired from the PW memory 14 and transmitted (step S6). The HD drive unit 31 stores the received password in a predetermined area of the HDD information memory 32.

  Next, the HDD controller 13 issues a reset command to the HD drive unit 31 (procedure S7) to shift the HDD 3 to the locked state, and subsequently issues a “READ DATA” command (read command) (procedure S8). As a result, when the HDD controller 13 cannot perform normal reading (step S9 is NO), the HDD controller 13 is normally locked, so the HDD controller 13 turns off the power of the HD drive unit 31 (step S10). The system controller 16 is notified of “normal lock end”. The system controller 16 turns on the determination display 7 via the display I / F 15 to display “green”, displays “normal end of lock” (step S11), and ends the procedure.

  After this state, even if the HDD 3 is accessed and the power is turned on, if there is no password that matches the password set in the HDD 3, the access command is not accepted, so the internal data is not stored. It cannot be read.

  When the procedure S5 is “NO” and the acquired HDD information does not correspond to the lock, or when the procedure S9 is “YES” and the lock is abnormal because it is readable, the HDD controller 13 The power source of the HD drive unit 31 is turned off (step S12), and “abnormal lock end” is notified to the system controller 16. The system controller 16 turns on the determination display 7 through the display I / F 15 to display “red”, displays “lock abnormal end” (step S13), and ends the procedure.

  Next, when “YES” is selected in the step S20 and “deletion of recorded information” is selected by overwriting data, for example, when the security lock is selected, the HDD is not selected for the security lock, and is selected again. .

  In FIG. 4, when “information deletion” is selected in the function selection, the system controller 16 receives this selection information from the key switch I / F 11 and drives the HDD controller 13. The HDD controller 13 drives the HD drive unit 31 to turn on the HDD 3 (step S21), and overwrites the first 1 MB area of the HD 33 with data preset for data deletion, for example, the number “0” ( In step S22), after the overwriting is completed, the overwriting state is determined (step S23).

  If this procedure S23 is “YES” and the overwrite is normally completed, the HDD controller 13 overwrites the last 1 MB area of the HD 33 with data set in advance for data deletion, for example, the number “0” (procedure S24). When this overwriting is completed, the overwriting state is determined (step S25).

  When this procedure S25 is “YES” and the overwriting is completed normally, the HDD controller 13 generates 20,000 random LBA (Logical Block Addressing) areas using random numbers in the remaining part of the HD 33, and the LBA area Is erased (step S26). When the writing of 20,000 times is completed, the HDD controller 13 determines the overwriting writing state in the LBA area (step S27).

  When this step S27 is “YES” and the overwriting to the LBA area is normally completed, the HDD controller 13 turns off the power of the HD drive unit 31 (step S28), and “successfully erased” is sent to the system controller 16. Notice. The system controller 16 lights the determination display 7 “green” through the display I / F 15, displays “normal end of erasure” (step S 29), and ends the procedure.

  With this procedure, the disk management area of the HDD is completely erased, the data portion becomes worm-eaten, and it becomes very difficult to collect meaningful data even if file restoration software is used. In this method, the execution time is constant regardless of the difference in HDD capacity.

  If step S23 is “NO” and the overwrite of the top area is abnormal, step S25 is “NO” and the overwrite of the trailing area is abnormal, or if step S27 is “NO” and the overwrite of all LBA areas is abnormal, The HDD controller 13 turns off the power of the HD drive unit 31 (step S31), and notifies the system controller 16 of “abnormal end of overwriting”. The system controller 16 turns on the determination display 7 “red” via the display I / F 15, displays “abnormal end of overwriting” (step S 32), and ends the procedure.

  Next, when “YES” is selected in step S40 and “security unlock” is selected, the system controller 16 receives this via the key switch I / F 11 and drives the HDD controller 13.

  In FIG. 5, the HDD controller 13 drives the HD drive unit 31, issues the “IDENTIFY” command (confirmation command) to the HD drive unit 31 with the HDD 3 powered “ON” (step S <b> 41), and the HDD information memory 32. HDD information is acquired from (step S42).

When the HDD controller 13 determines that the security lock can be released from the “Security Supported” state in the acquired HDD information (YES in step S43), the HDD controller 13 sends the SUL (unlock) as a reset command to the HD drive unit 31. A command is issued (step S44) to release the HDD 3 from the locked state, and then an SDP (password invalid) command is issued to the HD drive unit 31 and a password using a character string that is already set up to 32 bytes ( Step S45). The HD drive unit 31 compares the received password with the password stored in a predetermined area of the HDD information memory 32 and returns “match information” to the HDD controller 13. The SDP command can invalidate the lock password by matching this password.

  Since the HDD controller 13 accepts the password match from the HD drive unit 31 (YES in step S46), it issues a “READ DATA” command (read command) to the HD drive unit 31 (step S47). As a result, when the HDD controller 13 can perform normal reading (YES in step S48), the lock has been normally released, so the HDD controller 13 instructs the HD drive unit 31 to turn off the power (step S49). ) To notify the system controller 16 of “end of normal lock release”. The system controller 16 lights the determination display 7 “green” via the display I / F 15, displays “end of normal unlocking” (step S 50), and ends the procedure.

  On the other hand, if the procedure S43 is “NO” and the security lock cannot be released, the procedure S46 is “NO” and the password does not match, or if the procedure S48 is “NO” and the reading is impossible, the HDD controller 13 does not read the HD. The power source of the drive unit 31 is turned off (step S51), and “abnormal termination of unlocking” is notified to the system controller 16. The system controller 16 turns on the determination indicator 7 through the display I / F 15 to display “red”, displays “abnormal end of unlocking” (step S52), and ends the procedure.

For such that above configuration, by the information leak-preventing apparatus for releasing the security apparatus and HDD password from the HDD to set a HDD password in the HDD with another product, even if there each security apparatus theft The possibility of information leakage is kept low. By making the difference between the two products different between the internal firmware, the function can be selected by downloading the firmware, so that the degree of freedom of operation is improved. It is desirable that the information leakage prevention device with the HDD password release be installed only in a factory or a research department where security is ensured and not taken outside.

  Next, the driving procedure of the HDD 3 will be described with reference to FIG.

  The HD drive unit 31 is initially set (procedure S62) when it is driven from the connected information processing apparatus and powered on (procedure S61). Next, since the HD drive unit 31 accepts the confirmation command, it sends out the HDD information in the HDD information memory 32 (step S63). If there is a password setting in HDD information memory 32 (YES in step S64), HD drive unit 31 should subsequently accept the password (YES in step S65), and the received password is stored and set. There is a match determination (step S66) with the existing password. When this step S66 is determined as “YES”, or when the above-mentioned step S64 is “NO” and the password is not set in the HDD information memory 32, the access command to the HD 33 can be received and the command waits ( The procedure enters step S67).

  If step 65 is “NO” and no password is accepted, or if step 66 is “NO” and the password is accepted but the passwords do not match, the HDD 3 cannot accept the access command and can read and write. Can not.

  As described above, in this embodiment, when a HDD in which user data is recorded in maintenance work is transported, for example, for failure analysis, the password or identification information set by the user is canceled, and then the present invention is applied to the HDD. Information leakage is prevented by setting a password from the information leakage prevention device. This password can also be changed in settings, which is very useful for a vendor to prevent user information leakage at their own risk.

  Applying the ATA standard standardized in the United States, one of the methods for connecting PC (personal computer) and HD (hard disk), it is easy to prevent leakage of information data recorded on HDD (hard disk drive). In addition, since data can be erased by a sufficient overwrite process, it can be applied to applications where it is essential to prevent information leakage for HDDs.

It is explanatory drawing which showed one Embodiment of the external appearance of the information leakage prevention apparatus for HDD by this invention, and the external appearance of the apparatus connected to it, and its connection state. It is explanatory drawing which showed one Embodiment of the block structure in the apparatus shown by FIG. It is the flowchart which showed one Embodiment of the main operation | movement procedure which concerns on the security lock selection of the information leakage prevention apparatus shown by FIG. 3 is a flowchart showing an embodiment of a main operation procedure related to information erasure selection of the information leakage prevention apparatus shown in FIG. 1. It is the flowchart which showed one Embodiment of the main operation | movement procedure which concerns on the security unlock selection of the information leakage prevention apparatus shown by FIG. It is the flowchart which showed an example of the drive initial operation procedure in HDD which has a security lock function.

Explanation of symbols

1 Information leakage prevention device 2 PC (personal computer)
3 HDD (Hard Disk Drive Device)
4 Function selection switch 5 Function indicator 6 Start switch 7 Judgment indicator 11 Key switch I / F (interface)
12 Connector 13 HDD controller 14 PW memory (password memory)
15 Display I / F
16 System Controller 20, 30 Connection Cable 31 HD Drive Unit 32 HDD Information Memory 33 HD (Recording Medium)

Claims (3)

  In an information leakage prevention apparatus for HDD that conforms to the ATA (AT Attachment) standard and prevents information leakage of an HDD (Hard Disk Drive Device) in which information data is recorded, between the HDD and a connection destination of the HDD A device for receiving a lock password from the connection destination and storing it in advance in a memory, and applying the standard between the HDD and connecting the HDD subject to information leakage prevention And a means for setting the lock password in the HDD by using a lock setting (SSP) command defined in the standard and setting the HDD in a locked state. apparatus.   2. The HDD information leakage prevention apparatus according to claim 1, wherein when the lock password is set by the lock setting (SSP) command, the lock release (SUL) command defined in the standard and the lock An information leakage prevention apparatus for HDD, comprising means for releasing a lock state set in the HDD using a password.   2. The HDD information leakage prevention apparatus according to claim 1, wherein after the HDD is unlocked using an unlock (SUL) command defined in the standard, an invalid password (SDP) command and the lock password are changed. An HDD information leakage prevention apparatus, comprising: means for invalidating the lock password set in the HDD.

Images