CN101101617A - Cipher processor for avoiding reciphering and method for accessing data using same - Google Patents

Publication number: CN101101617A
Application number: CNA2007100527486A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN100458816C (en)
Inventors: 冯丹, 陈兰香, 张宇, 牛中盈, 庞丽萍, 许蔚
Original and current assignee: Huazhong University of Science and Technology
Legal status: Granted, active
Prior art keywords: key, file, user, algorithm, processor
Classification: Storage Device Security
Abstract

The purpose of the invention is to eliminate re-encryption when a user is revoked, avoiding costly cryptographic operations and thereby improving system performance. The cipher processor consists of SDRAM and its control interface, a Flash chip and its control interface, a DMA controller, an internal processor, and a PCI bus controller. The method of accessing data with the cipher processor consists, in order, of a key generation phase, a data storing phase, and a data fetching phase. In the invention, the user's private key and the file key exist in plaintext form only inside the cipher processor and are not exposed to any user. Thus, when a user is revoked, the file key need not be regenerated, which avoids the large cost of re-encryption. Because it raises both security and performance, the invention is suitable for secure storage systems that involve cryptographic operations.

Description

Cipher processor that avoids re-encryption, and method for accessing data with it
Technical field
The invention belongs to the technical field of computer storage and specifically relates to a cipher processor that avoids re-encryption and a method for accessing data with it. It is used to avoid re-encryption when a user is revoked in an encrypted storage system, and is applicable to any secure storage system that performs cryptographic operations but must not expose key information.
Background
With the rapid development of network technology and the frequent occurrence of security incidents, the security of storage systems has attracted widespread attention. Cryptography is an important means of securing storage systems, and a series of encrypted storage systems has emerged.
When a user is revoked in an encrypted storage system, the file key must be regenerated, the files re-encrypted, and the new key redistributed. Current encrypted storage systems use three re-encryption schemes: (1) Immediate re-encryption: when a user is revoked, all files that user could access are found, the file keys are regenerated, all of those files are re-encrypted, and the new keys are redistributed to the users who were not revoked. If many users are revoked at one time, the re-encryption overhead may prevent the system from working normally. (2) Deferred re-encryption: a file is re-encrypted only when it is next updated. Until that update, the keys of all files the revoked user had access to may be exposed to an attacker, which leaves the data insecure. (3) Periodic re-encryption: this scheme is similar to scheme (2), and at the moment of re-encryption its overhead may also prevent the system from working normally.
All three schemes ultimately require re-encryption and differ only in when it happens; each is either insecure or may prevent the system from working normally. Cryptographic operations themselves have a very large impact on performance. Because their overhead is so high, an application system should avoid them as far as possible.
Summary of the invention
The invention proposes a cipher processor that avoids re-encryption, together with a method for accessing data with it. The aim is that no re-encryption at all is needed when a user is revoked, avoiding costly cryptographic operations as far as possible in order to improve system performance.
The cipher processor of the invention connects to the host through a PCI bus. It consists of a synchronous dynamic random-access memory (SDRAM) and its control interface, a Flash chip and its control interface, a direct memory access (DMA) controller, an internal processor, a Peripheral Component Interconnect (PCI) controller, and a data/control bus. The SDRAM is connected by electrical signal to the data/control bus through the SDRAM control interface, the Flash chip is connected by electrical signal to the data/control bus through the Flash control interface, and the DMA controller, the internal processor and the PCI controller are each connected by electrical signal to the data/control bus.
The Flash chip stores the public/private key-pair generation algorithm, the encryption/decryption algorithm, the signature algorithm and the hash algorithm.
The SDRAM stores the intermediate data handled by the internal processor.
The PCI controller controls the host's operation requests to the cipher processor, which are handled by the internal processor.
The internal processor carries out the operation the user requests, according to the processing request the user sends: the key-pair generation algorithm, encryption/decryption algorithm, signature algorithm or hash algorithm is fetched from the Flash chip into the SDRAM and executed by the internal processor. When the key-pair generation algorithm is executed, the public key is returned to the host and the private key is kept in the Flash chip; the results of the other algorithms are stored in the SDRAM.
The DMA controller accesses the SDRAM directly, without intervention by the internal processor, and returns the internal processor's results to the host.
The method of accessing data with this cipher processor consists, in order, of a key generation phase, a data storing phase and a data fetching phase.
Key generation phase: the user submits a request to the cipher processor through the client host; the cipher processor generates the user's public/private key pair, returns only the user's public key to the host, and keeps the user's private key inside the cipher processor.
Data storing phase, in order:
(1) File encryption step: the user encrypts the file with a randomly generated file key and a selected encryption algorithm, then encrypts the file key with the public key of each user this user authorizes, generating the key file;
(2) Hash step: the user hashes the key file together with the encryption algorithm to obtain their hash value; the hash value, and the key file together with the encryption algorithm, are each submitted to the cipher processor for signing;
(3) Cipher processor signature step: the cipher processor returns to the user the signature S1 of the hash value and the signature S2 of the key file together with the encryption algorithm;
(4) Storing step: the user encrypts the hash signature S1 with the authorized user's public key, obtaining the encrypted hash signature C1; the encrypted hash signature C1 and the signature S2 of the key file together with the encryption algorithm are stored on the host's file server, and the encrypted file is stored on the storage device.
Data fetching phase, in order:
(1) Decryption and hash step: the user uses the file owner's public key to decrypt the signature S2' of the key file together with the encryption algorithm, obtaining the key file together with the encryption algorithm, and hashes it to obtain its hash value H1'. The encrypted hash signature C1', the key file together with the encryption algorithm, and the hash value H1' computed by the client are input to the cipher processor;
(2) Cipher processor decryption and check step: the cipher processor uses this user's private key to decrypt the encrypted hash signature C1', obtaining the hash signature S1'; it decrypts S1' with the file creator's public key and compares the result with the input hash value H1'. If they are identical, processing continues; otherwise it ends;
(3) Cipher processor file decryption step: the cipher processor asks the user to input the encrypted file, uses this user's private key to decrypt the file key that was encrypted with this user's public key, decrypts the encrypted file with the file key, and returns the plaintext file to the host;
(4) The host outputs the plaintext file.
When the system runs for the first time, the host asks the cipher processor to run the key-pair generation program; the internal processor loads the program into the SDRAM and executes it, returns the public key to the host, and keeps the private key only in the Flash chip of the cipher processor. While the system is running, the host sends processing requests; the internal processor loads the encryption/decryption, signature or hash program from the Flash chip into the SDRAM, executes it, and finally returns the result to the host.
The key-pair generation, encryption/decryption, signature and hash programs use publicly available algorithms.
The cipher processor of the invention effectively avoids re-encryption and can further improve the performance of an encrypted storage system. Its inputs are the file key encrypted with the user's public key and the file data encrypted with the file key; its output is the plaintext file data. The user's private key and the file key exist in plaintext only inside the cipher processor and are therefore not exposed to any user. Revoking a user only requires modifying the access control list to remove that user's permission; there is no need to regenerate the file key, re-encrypt the file and redistribute a new key. This avoids costly cryptographic operations, and also avoids the potential insecurity or system failure described above, which suits the increasingly high performance requirements of current secure storage systems.
Description of drawings
Fig. 1 is a structural diagram of the cipher processor of the invention;
Fig. 2 is a schematic of the method of accessing data with the cipher processor;
Fig. 3 is a flow chart of the data storing phase;
Fig. 4 is a flow chart of the data fetching phase.
Embodiment
Fig. 1 is a structural diagram of the cipher processor of the invention. It consists of a synchronous dynamic random-access memory (SDRAM) and its control interface, a Flash chip and its control interface, a direct memory access (DMA) controller, an internal processor, a Peripheral Component Interconnect (PCI) controller, and a data/control bus. The SDRAM is connected by electrical signal to the data/control bus through the SDRAM control interface, the Flash chip is connected by electrical signal to the data/control bus through the Flash control interface, and the DMA controller, the internal processor and the PCI controller are each connected by electrical signal to the data/control bus. The cipher processor connects to the host through a PCI bus. The SDRAM control interface, Flash control interface, DMA controller, internal processor and PCI controller can adopt a system-on-chip architecture, implemented with a field-programmable gate array (FPGA) or an application-specific integrated circuit (ASIC) chip.
When the system-on-chip is implemented with an FPGA, the Flash chip must also store the system-on-chip configuration information. This information describes the system-on-chip circuit in a hardware description language, and each module in it may be a module supplied by the hardware vendor. After power-on, the cipher processor reads the configuration information and generates the system-on-chip circuit. The process is as follows:
(1) The synthesis tool supplied by the hardware vendor converts the system-on-chip configuration information into an actual circuit netlist;
(2) The tool supplied by the hardware vendor generates the system-on-chip circuit from the netlist.
When the system runs for the first time, the host asks the cipher processor to run the key-pair generation program; the cipher processor loads the program into the SDRAM, the internal processor executes it, the public key is returned to the host, and the private key is kept only in the Flash chip of the cipher processor. While the system is running, the host sends processing requests; the internal processor loads the encryption/decryption, signature and hash programs from the Flash chip into the SDRAM, executes them, and finally returns the result to the host. The key-pair generation, encryption/decryption, signature and hash programs use publicly available algorithms.
Fig. 2 is a schematic of the method of accessing data with the cipher processor, in which the cipher processor is added to an existing storage system. Data passes through the cipher processor before it is stored on the storage device, and data the user reads from the storage device also passes through the cipher processor. This guarantees that the file key and the private key exist in plaintext only inside the cipher processor; the user does not know the file key or the private key either, so no re-encryption is needed when a user is revoked.
The method of the invention consists, in order, of a key generation phase, a data storing phase and a data fetching phase. In the key generation phase, the user submits a request to the cipher processor through the client host; the cipher processor generates the user's public/private key pair, returns only the user's public key to the host, and keeps the user's private key inside the cipher processor. The flows of the data storing phase and the data fetching phase are shown in Fig. 3 and Fig. 4 respectively.
Fig. 3 is a flow chart of the data storing phase, which carries out the following steps:
(1) File encryption step: the user randomly generates a file key, selects an encryption algorithm, and encrypts the file with this file key and the selected algorithm; the user then encrypts the file key with the public key of each user this user authorizes, generating the key file;
(2) Hash step: the user hashes the key file together with the encryption algorithm to obtain their hash value H1; the hash value H1, and the key file together with the encryption algorithm, are each submitted to the cipher processor for signing;
(3) Cipher processor signature step: the cipher processor returns to the user the signature S1 of the hash value H1 and the signature S2 of the key file together with the encryption algorithm;
(4) Storing step: the user encrypts the hash signature S1 with the authorized user's public key, obtaining the encrypted hash signature C1; the encrypted hash signature C1 and the signature S2 of the key file together with the encryption algorithm are stored on the host's file server, and the encrypted file is stored on the storage device.
Fig. 4 is a flow chart of the data fetching phase, which carries out the following steps:
(1) Decryption and hash step: the user uses the file owner's public key to decrypt the signature S2' of the key file together with the encryption algorithm, obtaining the key file together with the encryption algorithm, and hashes it to obtain its hash value H1'. The encrypted hash signature C1', the key file together with the encryption algorithm, and the hash value H1' computed by the client are input to the cipher processor;
(2) Cipher processor decryption and check step: the cipher processor uses this user's private key to decrypt the encrypted hash signature C1', obtaining the hash signature S1'; it decrypts S1' with the file creator's public key and compares the result with the input hash value H1'. If they are identical, processing continues; otherwise it ends;
(3) Cipher processor file decryption step: the cipher processor asks the user to input the encrypted file, takes out the file key that was encrypted with this user's public key, and decrypts the file key with this user's private key; it then decrypts the encrypted file with the file key and returns the plaintext file to the host;
(4) The host outputs the plaintext file.
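The three phases above, as an added Python sketch that is not part of the patent: it shows that revoking a user changes only the ACL while the stored key files and ciphertext stay identical. Toy RSA with hybrid wrapping and a SHA-256 keystream stand in for the unspecified public algorithms, S2 is left out (the key file is read straight from the store), and the names `CipherProcessor`, `deposit`, `fetch` and `revoke_demo`, as well as enforcing the ACL inside the processor, are assumptions.

```python
import hashlib
import secrets
E = 65537                 # public exponent shared by all toy RSA keys
ALG = b"toy-sha256-ctr"   # algorithm label hashed together with the key file

def _is_prime(n, rounds=24):           # Miller-Rabin, for large odd candidates only
    r = ((n - 1) & -(n - 1)).bit_length() - 1   # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        for i in range(r):
            if x == n - 1 or (i == 0 and x == 1):
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _prime(bits=264):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % E != 1 and _is_prime(p):   # p % E != 1 keeps E invertible mod p - 1
            return p

def _stream(key, data):
    """Toy cipher: XOR with a SHA-256 counter keystream; one call encrypts or decrypts."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def pk_encrypt(n, data):
    """Hybrid encryption to modulus n: RSA-wrap a random r, stream-encrypt data under r."""
    r = secrets.randbelow(n - 2) + 2
    return pow(r, E, n), _stream(r.to_bytes(80, "big"), data)

def h1_of(key_file):                   # H1: hash of key file plus algorithm label
    blob = key_file[0].to_bytes(80, "big") + key_file[1] + ALG
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

class CipherProcessor:
    """Stands in for the device: private keys are used only inside this object."""
    def __init__(self):
        self._d = {}    # user -> private exponent, never returned
        self.pub = {}   # user -> modulus n, returned to the host
        self.acl = {}   # file id -> users allowed to fetch (assumed to be enforced here)
    def generate_keypair(self, user):
        p, q = _prime(), _prime()
        self.pub[user], self._d[user] = p * q, pow(E, -1, (p - 1) * (q - 1))
        return self.pub[user]
    def sign_hash(self, creator, h1):               # returns S1
        return pow(h1, self._d[creator], self.pub[creator])
    def _unwrap(self, user, ct):
        r = pow(ct[0], self._d[user], self.pub[user])
        return _stream(r.to_bytes(80, "big"), ct[1])
    def fetch(self, user, file_id, creator, c1, key_file, h1, enc_file):
        if user not in self.acl.get(file_id, ()):
            raise PermissionError(f"{user} is not on the ACL for {file_id}")
        s1 = int.from_bytes(self._unwrap(user, c1), "big")
        if pow(s1, E, self.pub[creator]) != h1:     # S1' opened with the creator's public key
            raise ValueError("H1' does not match the creator's signed hash")
        return _stream(self._unwrap(user, key_file), enc_file)

def deposit(cp, store, file_id, creator, readers, plaintext):
    file_key = secrets.token_bytes(32)              # random file key, chosen by the creator
    rec = {"creator": creator, "enc_file": _stream(file_key, plaintext), "users": {}}
    for u in readers:
        key_file = pk_encrypt(cp.pub[u], file_key)
        s1 = cp.sign_hash(creator, h1_of(key_file))
        rec["users"][u] = (key_file, pk_encrypt(cp.pub[u], s1.to_bytes(80, "big")))  # (KF, C1)
    store[file_id], cp.acl[file_id] = rec, set(readers)

def fetch(cp, store, file_id, user):
    rec = store[file_id]
    key_file, c1 = rec["users"][user]
    return cp.fetch(user, file_id, rec["creator"], c1, key_file, h1_of(key_file), rec["enc_file"])

def revoke_demo():
    cp, store = CipherProcessor(), {}
    for u in ("alice", "bob", "carol"):
        cp.generate_keypair(u)
    deposit(cp, store, "report", "alice", ["bob", "carol"], b"constructed sample file")
    before, first = repr(store), fetch(cp, store, "report", "bob")
    cp.acl["report"].discard("bob")                 # revocation touches the ACL only
    try:
        bob_after = fetch(cp, store, "report", "bob")
    except PermissionError:
        bob_after = None
    return first, bob_after, fetch(cp, store, "report", "carol"), repr(store) == before
```

`revoke_demo()` returns bob's plaintext before revocation, `None` for his attempt afterwards, carol's unchanged access, and `True` for the byte-for-byte comparison of the store. How the host proves to the processor which user is asking is outside this sketch.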

Claims (2)

1. A cipher processor that avoids re-encryption, connected to the host through a PCI bus and consisting of a synchronous dynamic random-access memory (SDRAM) and its control interface, a Flash chip and its control interface, a direct memory access (DMA) controller, an internal processor, a Peripheral Component Interconnect (PCI) controller, and a data/control bus, wherein the SDRAM is connected by electrical signal to the data/control bus through the SDRAM control interface, the Flash chip is connected by electrical signal to the data/control bus through the Flash control interface, and the DMA controller, the internal processor and the PCI controller are each connected by electrical signal to the data/control bus;
the Flash chip stores the public/private key-pair generation algorithm, the encryption/decryption algorithm, the signature algorithm and the hash algorithm;
the SDRAM stores the intermediate data handled by the internal processor;
the PCI controller controls the host's operation requests to the cipher processor, which are handled by the internal processor;
the internal processor carries out the operation the user requests, according to the processing request the user sends: the key-pair generation algorithm, encryption/decryption algorithm, signature algorithm or hash algorithm is fetched from the Flash chip into the SDRAM and executed by the internal processor; when the key-pair generation algorithm is executed, the public key is returned to the host and the private key is kept in the Flash chip; the results of the other algorithms are stored in the SDRAM;
the DMA controller accesses the SDRAM directly, without intervention by the internal processor, and returns the internal processor's results to the host.
2. A method of accessing data with the cipher processor of claim 1, consisting, in order, of a key generation phase, a data storing phase and a data fetching phase,
key generation phase: the user submits a request to the cipher processor through the client host; the cipher processor generates the user's public/private key pair, returns only the user's public key to the host, and keeps the user's private key inside the cipher processor;
data storing phase, in order:
(1) file encryption step: the user encrypts the file with a randomly generated file key and a selected encryption algorithm, then encrypts the file key with the public key of each user this user authorizes, generating the key file;
(2) hash step: the user hashes the key file together with the encryption algorithm to obtain their hash value; the hash value, and the key file together with the encryption algorithm, are each submitted to the cipher processor for signing;
(3) cipher processor signature step: the cipher processor returns to the user the signature S1 of the hash value and the signature S2 of the key file together with the encryption algorithm;
(4) storing step: the user encrypts the hash signature S1 with the authorized user's public key, obtaining the encrypted hash signature C1; the encrypted hash signature C1 and the signature S2 of the key file together with the encryption algorithm are stored on the host's file server, and the encrypted file is stored on the storage device;
data fetching phase, in order:
(1) decryption and hash step: the user uses the file owner's public key to decrypt the signature S2' of the key file together with the encryption algorithm, obtaining the key file together with the encryption algorithm, and hashes it to obtain its hash value H1'; the encrypted hash signature C1', the key file together with the encryption algorithm, and the hash value H1' computed by the client are input to the cipher processor;
(2) cipher processor decryption and check step: the cipher processor uses this user's private key to decrypt the encrypted hash signature C1', obtaining the hash signature S1'; it decrypts S1' with the file creator's public key and compares the result with the input hash value H1'; if they are identical, processing continues; otherwise it ends;
(3) cipher processor file decryption step: the cipher processor asks the user to input the encrypted file, uses this user's private key to decrypt the file key that was encrypted with this user's public key, decrypts the encrypted file with the file key, and returns the plaintext file to the host;
(4) the host outputs the plaintext file.

Priority Applications (1)

Application number: CNB2007100527486A
Priority date: 2007-07-13
Filing date: 2007-07-13
Title: Cipher processor for avoiding reciphering and method for accessing data using same

Publications (2)

CN101101617A (en), published 2008-01-09
CN100458816C (en), published 2009-02-04

GR01 Patent grant