CN101123507A - A protection method and storage device for data information in storage device - Google Patents

Publication number: CN101123507A
Application number: CNA2007101641629A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 郭昕
Original Assignee: Hangzhou H3C Technologies Co Ltd
Current Assignee: Hangzhou H3C Technologies Co Ltd
Legal status: Pending
Prior art keywords: storage device, configuration file, boot, authentication procedure, authentication

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention discloses a method for protecting the data information on a storage device, which has four steps. First, the storage device is formatted into a boot partition and at least one system partition, wherein the boot partition holds a boot loader, an authentication program and a startup boot configuration file. Second, applications and service data are stored in the system partition. Third, before the system partition is accessed directly, the authentication program must be run. Finally, after the current user passes identity authentication, the startup boot configuration file is loaded and startup of the corresponding application is completed; otherwise, identity authentication is exited or the storage device is formatted. The embodiment of the present invention can safely, economically and efficiently overcome the shortcomings of existing encryption techniques.

Description

A method for protecting data information in a storage device, and a storage device
Technical field
The present invention relates to the technical field of network equipment, and in particular to a method for protecting data information in a storage device and to a storage device that uses the method.
Background art
With the advance of Internet technology and informatization, data security has received wide attention from government and society; institutions such as government, the military and finance pay particular attention to the security of data. Once a leak occurs, it not only brings huge economic loss but may even affect national security through the disclosure of state secrets.
Data information itself is passive and can flow anywhere, and it has no ability to identify or protect itself. Therefore, if the data is not encrypted in any way, leakage of data information, especially sensitive data information, is always unavoidable and can bring losses that are hard to estimate to the owner of the data information. Figure 1 is a schematic diagram of a typical application of prior-art network devices such as routers or switches in the Internet. With the development of network devices, large-capacity storage devices, especially large-capacity hard disks, are widely used in them. To manage the data on these mass storage devices, a general-purpose file system must be used and the data managed in the form of files, which makes the data on these storage devices recognizable. The data on these storage devices mainly consists of two parts. One part is the company's software products, that is, the applications and configuration files the device runs, whose exposure to a professional reveals a large amount of design information. The other part is information such as buffered network packets or service logs, kept according to the service needs of the product, which contains a large amount of user information. Both parts contain a large amount of information that needs to be kept confidential. If the storage device in a network device manages this information with only a general-purpose file system and takes no encryption measure, this undoubtedly creates a security risk for the rights holders of the information.
To prevent the confidential information in these storage devices from being stolen or lost, the industry has adopted some encryption measures, which in summary amount to two schemes, software encryption and hardware encryption:
1. Software encryption
This scheme implements the encryption/decryption function through encryption software according to a specific method. Software encryption depends on the operating system, and the data conversion and arithmetic operations are performed by the CPU.
However, encrypting data in software has the following drawbacks. Encryption requires the computer's processor to take part throughout, so it consumes a large amount of system resources and occupies considerable processor and memory resources, which inevitably lowers the speed of encryption/decryption. For high-performance network devices in particular, if every piece of data stored on the storage medium has to be encrypted and decrypted, the normal function and performance of the device are seriously affected. In addition, the key for software encryption/decryption is usually stored in the storage device. If the storage device holding the key is lost, the corresponding key is easily found on it, so the data is easily decrypted and data information leaks.
2. Hardware encryption
Compared with software encryption, hardware encryption is completely separate from the system, transparent to the operating system, and does not need the processor to take part. In this scheme the encryption/decryption operations on the data are usually performed by an independent encryption control chip and need essentially no processor support throughout. The principle is to convert the data to be protected into unrecognizable data blocks, so it is better than software encryption in both encryption/decryption speed and security.
Hardware encryption also has its own drawbacks. For example: it is too costly to implement and requires several additional chips; hardware design becomes more difficult and board layout area becomes tight; and the hardware approach relies too heavily on the encryption chip. Once the encryption chip is damaged, even the user can no longer get into the encrypted machine, and the manufacturer of the encryption chip has no way to reproduce the key, so user data is lost.
Therefore, how to provide a safe, efficient and economical encryption technique for storage devices has become one of the urgent problems in the industry.
Summary of the invention
The purpose of the present invention is to solve the above problems by providing a method for protecting data information in a storage device, and a storage device that uses the method, so as to safeguard the data stored in the storage device safely, efficiently and economically.
To achieve the above purpose, an embodiment of the invention proposes, on the one hand, a method for protecting data information in a storage device, comprising the following steps: formatting the storage device into a boot partition and at least one system partition, wherein the boot partition holds an authentication program and a startup boot configuration file and the system partition stores applications and service data; running the authentication program before the system partition is accessed directly; after the current user passes authentication, loading the startup boot configuration file and then completing startup of the corresponding application; otherwise, exiting authentication or formatting the storage device.
Running the authentication program before the system partition is accessed directly specifically comprises: after the system powers on, starting the authentication program on the boot partition and requiring the current user to authenticate.
A boot loader is further provided on the boot partition of the storage device, and the authentication program is booted by this boot loader.
The boot configuration file is encrypted in advance; after authentication succeeds and before the boot configuration file is loaded, the boot configuration file must first be decrypted.
When the storage device powers down, the authentication program is woken up again and applies a certain encryption algorithm to the loaded boot configuration file, and the key and the encrypted file are saved in the boot partition.
The authentication program on the boot partition encrypts the boot configuration file by modifying the partition table information and/or file control information of the corresponding system partition.
When the storage device powers down, the authentication program is woken up again and modifies the loaded startup boot configuration file.
The present invention also proposes a storage device that uses the above method. The storage device comprises a boot partition and at least one system partition, wherein the boot partition holds an authentication program and a startup boot configuration file and the system partition stores applications and service data. It further comprises: an authentication program management module, configured to start the authentication program before the system partition is accessed directly; an authentication judgment module, configured to judge whether the current user passes the authentication program and, after judging that the current user passes, to notify the configuration file loading module to load the startup boot configuration file; the configuration file loading module, configured to load the startup boot configuration file in the boot partition after the authentication judgment module judges that the current user passes the authentication program; and an application startup module, configured to start the corresponding application after the configuration file loading module loads the startup boot configuration file in the boot partition.
The storage device further comprises an authentication exit module or a formatting module, configured to exit authentication or format the storage device when the authentication judgment module judges that the current user has not passed the authentication program.
The configuration file loading module comprises a decryption submodule, configured to decrypt the startup boot configuration file that was encrypted in advance after the authentication judgment module judges that the current user passes the authentication program.
The storage device further comprises a modification module, configured to modify, after the storage device powers down, the startup boot configuration file loaded by the configuration file loading module.
The storage device further comprises an encryption module, configured to, after the storage device powers down, encrypt the loaded startup boot configuration file and save it in the boot partition, and to modify the loaded startup boot configuration file so that the system partition cannot be accessed normally.
The startup boot configuration file comprises partition table information and/or file control information.
Compared with prior-art schemes, the present invention has the following advantages. Because a special boot partition is used in the storage device to protect access to the storage device's data, that is, only the corresponding boot loader can recognize it, there is no need to buy a separate encryption chip as hardware encryption does, nor to occupy large amounts of system resources such as CPU as software encryption does; the shortcomings of existing encryption techniques are thus overcome safely, economically and efficiently. In addition, because the invention encrypts the startup boot configuration file in the storage device, it also solves the problem of the storage device being accessed by attaching it to another device after it is lost or stolen.
Description of the drawings
Fig. 1 is a typical structure diagram of a prior-art network device;
Fig. 2 is a flow chart of a prior-art boot loader;
Fig. 3 is a flow chart of the encryption method for a storage device according to an embodiment of the invention;
Fig. 4 is a flow chart of system power-down according to an embodiment of the invention;
Fig. 5 is a structure diagram of a storage device according to an embodiment of the invention.
Embodiments
In network devices such as routers and switches, the boot loader (BootLoader) is the first code the processor executes after the system powers on. In short, the boot loader is a small program that runs before the operating system kernel or user applications run. This small program initializes the hardware, sets up the memory map, completes the most basic initialization of the hardware system, provides human-machine interaction to the user, loads the main program and starts it. The boot loader is not compiled together with the main program; it is a relatively independent part that performs only necessary basic functions such as system startup and download, leaving the complicated follow-up work to the main program. Figure 2 is a flow chart of a prior-art boot loader. After power-on the system executes the boot loader, which consists of the BIOS together with the boot program in the hard disk's MBR (Master Boot Record). After completing hardware detection and resource allocation, the BIOS reads the boot program in the hard disk MBR into system RAM and then hands control to it. The boot program initializes the hardware on the board and sets up the memory map, bringing the system's hardware environment to a suitable state so that the correct environment is ready for finally calling the operating system; after these preparations the corresponding application is started. As the above description shows, the prior-art boot loader does not protect the storage device in any way.
Illegal access to a storage device usually takes one of two forms. One is to start the network device and use an application on the network device to access the storage device directly. The other is, after the storage device is lost or stolen, to attach it to another device, for example to an ordinary PC as a slave disk, and to identify and access the storage device under the PC's operating system. The prior-art boot loader provides no effective protection against either form of illegal access.
The core idea of the invention is to improve the boot loader and the partitioning of the storage device: after initializing the board, the boot loader automatically starts the corresponding authentication program in the boot partition of the storage device, and only a user who passes this authentication can access the storage device normally. Because the boot partition of the storage device uses a file format defined by the manufacturer, the startup boot program in the boot partition can be recognized and loaded only by the corresponding boot loader used with the storage device; other manufacturers do not know the file format of the boot partition and cannot access it. The invention can therefore encrypt the data efficiently, economically and safely.
Specific embodiments of the invention are described in further detail below with reference to the drawings and embodiments:
Figure 3 is a flow chart of the encryption method for a storage device according to an embodiment of the invention. This embodiment comprises the following steps:
Step S301: format the storage device into a boot partition and at least one system partition. The boot partition holds the boot loader, the authentication program and the corresponding startup boot configuration file; the system partition holds the applications and service data used by the network device. The file system of the boot partition uses a custom format, so other manufacturers, not knowing the file system format the boot partition uses, cannot access it. In the invention, the authentication program in the boot partition has three main functions: authenticating at device startup, providing the storage device with the necessary startup boot configuration file, and booting the application. The boot function of the startup boot program is similar to that of the boot program in the prior-art MBR and is not described again here. Only when the current user of the storage device passes the authentication program can the corresponding startup boot configuration file be loaded into the system partition, allowing the current user to access the system partition of the storage device normally.
As a preferred embodiment of this step, the invention proposes a new file system format for the boot loader on the boot partition, as follows:
Table 1: File system format of the boot loader

| Boot partition Header | Reserved | Startup boot program | Reserved | Startup boot configuration file |
|---|---|---|---|---|

In Table 1, the boot partition Header is used by the startup boot program, after the storage device powers on, to find the start positions of the authentication program and the boot configuration file; the reserved areas are for extending the boot loader. The formats of the boot partition Header and the startup boot configuration file are shown in Table 2 and Table 3 below, respectively:
Table 2: Boot partition Header format

| Field | Byte Length | Description |
|---|---|---|
| Type | 2 | Boot partition type |
| Version | 2 | Version number |
| Flags | 2 | Reserved |
| Length | 2 | Length of the Header |
| Authentication program start position | 4 | Starting head number, sector and cylinder number of the authentication program |
| Authentication program end position | 4 | Ending head number, sector and cylinder number of the authentication program |
| Startup boot configuration file start position | 4 | Starting head number, sector and cylinder number of the startup boot configuration file |
| Startup boot configuration file end position | 4 | Ending head number, sector and cylinder number of the startup boot configuration file |
| Checksum | 4 | Checksum |
Table 3: Startup boot configuration file format

| Field | Byte Length | Description |
|---|---|---|
| Magic | 4 | Configuration file type identifier |
| Version | 4 | Version number |
| Flags | 4 | Reserved |
| Time | 4 | File timestamp |
| Authentication user name | 16 | |
| Authentication user password | 16 | |
| Number of encrypted-information nodes | 16 | |
| Reserved | 16 | |
| Encrypted-information node 1 - type | 4 | 0 = partition table, 1 = file system information |
| Encrypted-information node 1 - type | 4 | System partition file system type |
| Encrypted-information node 1 - position | 4 | Start position of the original information corresponding to the encrypted information |
| Encrypted-information node 1 - position | 4 | End position of the original information corresponding to the encrypted information |
| Encrypted-information node 1 - information | 32 | Node information after encryption |
As Tables 1, 2 and 3 show, after starting, the boot loader first invokes the startup boot program in the Table 1 layout. Once started, the startup boot program reads the start and end positions of the authentication program from the boot partition Header shown in Table 2 and, having obtained this position information, reads the authentication program from the corresponding location in the boot partition and starts it. After starting, the authentication program requires the current user to authenticate, obtains the start and end positions of the startup boot configuration file from the boot partition Header of Table 2, and reads the startup boot configuration file, whose format is shown in Table 3. The startup boot configuration file holds the user name and password used for user verification, and the authentication program uses the stored user name and password to judge whether the current user passes. If the user passes, the startup boot configuration file is read according to the address information stored in this file format (Table 3) and loaded into the system partition. In Table 3, the value 0 or 1 stored in "encrypted-information node 1 - type" indicates whether the stored startup boot configuration information is partition table information or file system information; the reserved area in Table 3 allows the startup boot configuration file to be extended; the number of encrypted-information nodes indicates how many pieces of information have been encrypted, that is, how many locations hold data that must be restored; and the system partition file system type is valid only when the encrypted information is file system information, indicating which general-purpose file system type the encrypted system partition uses, such as FAT16/FAT32.
Step S302: configure the boot loader so that it starts the authentication program in the boot partition of the storage device after the system powers on. Specifically, after power-on the boot loader invokes the startup boot program in the boot partition; once started, the startup boot program starts the authentication program according to the start and end positions stored in the boot partition Header (Table 2) and requires the current user to authenticate, for example by prompting for a user name and password. In the invention the authentication program is invoked by the startup boot program in the boot partition, but it can of course also be started directly by the boot loader. The main point is that after the system powers on, the user currently trying to access the storage device is required to authenticate, and only a user who passes authentication can access the storage device normally.
Step S303: judge whether the current user passes authentication, for example according to the user name and password the current user enters. Judging by user name and password is the preferred implementation of the embodiment of the invention; other recognition methods such as voice or fingerprint can also be used.
Step S304: if the current user is judged to have passed authentication, the authentication program loads the startup boot configuration file stored in the boot partition into the system partition. If the startup boot configuration file was encrypted in advance, it must first be decrypted. By loading the correct startup boot configuration file stored in the boot partition, the current user is allowed normal access to the data on the system partition.
Step S305: start the application.
Step S306: if the current user is judged not to have passed authentication, record the number of times the current user has failed authentication and further judge whether this number exceeds the preset number of failures. If it does not, the current user is allowed to continue authenticating; if it does, authentication is exited or the storage device is formatted automatically.
In general, the startup boot configuration file is indispensable for accessing the system partition. To prevent a malicious person from attaching the storage device externally to another device and then using that device to access the system partition directly, in the invention, before the storage device leaves the factory or each time before the system powers down, the authentication program resident in memory must also be started to encrypt, destroy or modify the boot configuration file of the system partition that holds the data to be protected. Figure 4 is a flow chart of how the system partition to be protected is handled at system power-down in an embodiment of the invention.
Step S401: the system powers down.
Step S402: the system completes all application shutdown operations that precede a normal power-down.
Step S403: the system wakes the authentication program resident in memory.
Step S404: the authentication program encrypts, modifies or destroys the boot configuration file of the storage device's system partition.
Step S405: the system shuts down.
In this way, because the authentication program has encrypted, modified or destroyed the boot configuration file of the system partition before the system powers down, even if the storage device is attached externally to another device, that device cannot find the correct boot configuration file of the system partition and so cannot access the storage device, which protects the data information on the storage device. On the original device, once authentication by the authentication program succeeds, the authentication program reloads the correct startup boot configuration file stored in the boot partition into the system partition, so the system partition can again be accessed correctly.
Specifically, in the embodiment of the invention, the boot configuration file comprises the partition table information and the file control information of the storage device.
The partition table is located in the Boot Sector. The Boot Sector is head 0, track 0, sector 1 of the storage device's hard disk, that is, the first sector of the hard disk. It consists of three parts: the MBR (Master Boot Record), the DPT (Disk Partition Table) and the Boot Record ID. The Boot Sector structure is shown in Table 4 below:
Table 4: Boot Sector structure

| Content | Length |
|---|---|
| Master Boot Record (MBR) | 446 bytes |
| Partition table information 1 | 16 bytes |
| Partition table information 2 | 16 bytes |
| Partition table information 3 | 16 bytes |
| Partition table information 4 | 16 bytes |
| 55 AA | |
As Table 4 shows, the MBR holds general partition table type information; in the prior art the boot loader reads this MBR and thereby obtains the partition table information stored in the storage device's Boot Sector. The 55 and AA in the table are the identification code of the Boot Sector. The primary partition table is divided into four partition entries (partition table information 1, 2, 3 and 4) of 16 bytes each, and the structure of each partition entry is shown in Table 5 below:

| Length | Name | Description |
|---|---|---|
| BYTE | State | Partition state: 0 = inactive, 0x80 = active |
| BYTE | StartHead | Starting head number of the partition |
| WORD | StartSC | Starting sector and cylinder number of the partition: the low 6 bits of the low byte are the sector number, the high 2 bits are bits 9 and 10 of the cylinder number, and the high byte is the low 8 bits of the cylinder number |
| BYTE | Type | Partition type, e.g. 0x0B = FAT32, 0x83 = Linux; 00 means the entry is unused |
| BYTE | EndHead | Ending head number of the partition |
| WORD | EndSC | Ending sector and cylinder number of the partition, defined as above |
| DWORD | Relative | Relative sector address of the partition under linear addressing |
| DWORD | Sectors | Partition size (total number of sectors) |
Table 5 contains the key information needed for the whole storage device to be recognized correctly; only with a correct partition table can the partition information be recognized correctly and the storage device accessed.
File control information is equally indispensable for normal access to the storage device. Files are stored in the storage device according to a certain organization, and a file of any format needs corresponding file control information to manage the stored file. This file control information contains the organization and management information of the files, so it too is necessary for normal access to the storage device.
To prevent the storage device from being recognized when attached externally to another device, the embodiment of the invention processes the system partition table and the file control information described above. Specifically, the invention proposes two approaches:
Mode one: when the system powers down, the started authentication program encrypts the system partition table and file control information of the system partition whose data needs protection.
Mode two: when the system powers down, the started authentication program modifies or destroys the system partition table and file control information corresponding to the system partition.
After being processed in either of these two ways (encrypted, or destroyed or modified), the system partition table and file control information no longer hold the correct boot configuration file information that the system partition had before processing. With the invention, therefore, even if the storage device is attached externally to another manufacturer's equipment, that equipment cannot recognize the storage device's correct partition table and file control information and so cannot access the data information stored in the file system.
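The following C program is an added example, not part of the patent text: it decodes the Boot Sector layout of Table 4 and the partition entry of Table 5, then shows what a general-purpose host finds before power-down, after the mode two step, and after the correct table is loaded back. The function names, the constructed sample sector and the choice of zeroing the table as the "modification" are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define TABLE_OFFSET 446          /* MBR code fills bytes 0..445 (Table 4) */
#define ENTRY_SIZE   16
#define ENTRY_COUNT  4
#define TABLE_BYTES  (ENTRY_SIZE * ENTRY_COUNT)

typedef struct {
    uint8_t  state;                      /* 0x00 inactive, 0x80 active */
    uint8_t  start_head, end_head;
    uint8_t  start_sector, end_sector;   /* 6-bit sector numbers */
    uint16_t start_cyl, end_cyl;         /* 10-bit cylinder numbers */
    uint8_t  type;                       /* 0x0B FAT32, 0x83 Linux, 0x00 unused */
    uint32_t relative;                   /* first sector, linear addressing */
    uint32_t sectors;                    /* partition size in sectors */
} part_entry;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* StartSC/EndSC: low byte bits 0-5 = sector, bits 6-7 = the 9th and 10th
 * cylinder bits; high byte = low 8 bits of the cylinder number. */
static void unpack_sc(const uint8_t *p, uint8_t *sector, uint16_t *cyl) {
    *sector = p[0] & 0x3F;
    *cyl = (uint16_t)(((p[0] & 0xC0) << 2) | p[1]);
}

void decode_entry(const uint8_t *raw, part_entry *e) {
    e->state = raw[0];
    e->start_head = raw[1];
    unpack_sc(raw + 2, &e->start_sector, &e->start_cyl);
    e->type = raw[4];
    e->end_head = raw[5];
    unpack_sc(raw + 6, &e->end_sector, &e->end_cyl);
    e->relative = le32(raw + 8);
    e->sectors = le32(raw + 12);
}

/* Returns -1 when the 55 AA identification code is missing, otherwise the
 * number of entries a general-purpose host would treat as real partitions. */
int usable_partitions(const uint8_t *sector, part_entry out[ENTRY_COUNT]) {
    int n = 0;
    if (sector[510] != 0x55 || sector[511] != 0xAA)
        return -1;
    for (int i = 0; i < ENTRY_COUNT; i++) {
        part_entry e;
        decode_entry(sector + TABLE_OFFSET + i * ENTRY_SIZE, &e);
        if (e.type == 0x00 || e.sectors == 0)
            continue;                       /* unused slot */
        if (e.state != 0x00 && e.state != 0x80)
            continue;                       /* not a valid state byte */
        out[n++] = e;
    }
    return n;
}

/* Power-down, mode two (assumed here to zero the table): keep the correct
 * table for the boot partition's configuration file, wipe the on-disk copy. */
void protect_table(uint8_t *sector, uint8_t saved[TABLE_BYTES]) {
    memcpy(saved, sector + TABLE_OFFSET, TABLE_BYTES);
    memset(sector + TABLE_OFFSET, 0, TABLE_BYTES);
}

/* After authentication succeeds: load the saved table back. */
void restore_table(uint8_t *sector, const uint8_t saved[TABLE_BYTES]) {
    memcpy(sector + TABLE_OFFSET, saved, TABLE_BYTES);
}

/* Constructed sample: one active FAT32 partition of 2097152 sectors. */
void build_sample_sector(uint8_t *sector) {
    static const uint8_t entry[ENTRY_SIZE] = {
        0x80, 0x01, 0x01, 0x00,   /* active, head 1, sector 1, cylinder 0 */
        0x0B, 0xFE, 0xFF, 0xFF,   /* FAT32, head 254, sector 63, cyl 1023 */
        0x3F, 0x00, 0x00, 0x00,   /* Relative = 63 */
        0x00, 0x00, 0x20, 0x00    /* Sectors = 0x00200000 */
    };
    memset(sector, 0, SECTOR_SIZE);
    memcpy(sector + TABLE_OFFSET, entry, ENTRY_SIZE);
    sector[510] = 0x55; sector[511] = 0xAA;
}

int main(void) {
    uint8_t sector[SECTOR_SIZE], saved[TABLE_BYTES];
    part_entry parts[ENTRY_COUNT];
    build_sample_sector(sector);
    int before = usable_partitions(sector, parts);
    protect_table(sector, saved);
    int wiped = usable_partitions(sector, parts);
    restore_table(sector, saved);
    printf("%d %d %d\n", before, wiped, usable_partitions(sector, parts));
    return 0;
}
```

The example changes only the partition table in the Boot Sector; the sectors inside the system partition are left as they were.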
It should be noted that the startup boot configuration file proposed by the embodiment of the invention is not limited to the partition table and file control information described in the above embodiment. Any file necessary for accessing the storage device can be set as the startup boot configuration file of the invention, so all variations of the startup boot configuration file fall within the protection scope of the embodiment of the invention.
Figure 5 is a structural diagram of a storage device that uses the above method. Storage device 2 comprises a boot partition and at least one system partition. The boot partition stores the boot loader, the authentication program and the corresponding startup boot configuration file; the system partition stores the application programs and business data used by the network device. In addition, storage device 2 further comprises:
Authentication program management module 21, used to start the authentication program before the system partition is accessed directly. Specifically, the boot program reads the start and end positions of the authentication program from the boot partition header and thereby invokes the corresponding authentication program, which requires the current user to authenticate.
Authentication judging module 22, used to judge whether the current user passes the authentication program and, after judging that the current user has passed, to notify configuration file loading module 23 to load the startup boot configuration file.
Configuration file loading module 23, used to load the startup boot configuration file of the boot partition after authentication judging module 22 judges that the current user has passed the authentication program, for example by loading the correct partition table or file control information stored in the boot partition into the system partition.
Application start module 24, used to start the corresponding application after configuration file loading module 23 loads the startup boot configuration file of the boot partition.
The storage device further comprises an exit-authentication module 25 or a formatting module 26, used to exit authentication or format the storage device after the authentication judging module judges that the current user has not passed the authentication program. Preferably, a permitted number of authentication failures can be set, for example 10. If the current user fails authentication, the user is still allowed to keep trying to log in; once the number of failures reaches 10, this indicates that the current user may be an unauthorised user, and authentication is exited automatically or the storage device is formatted. As the above description shows, the embodiment of the invention places no restriction on the configured number of authentication failures, so variations in that number also fall within the protection scope of the embodiment of the invention.
Configuration file loading module 23 comprises a decryption submodule 231, used to decrypt the previously encrypted startup boot configuration file after authentication judging module 22 judges that the current user has passed the authentication program.
Storage device 2 further comprises a modification module 27, used, after the storage device powers down, to modify the startup boot configuration file that the configuration file loading module loaded into the system partition; destroying the startup boot configuration file in the system partition makes the system partition impossible to access normally.
Storage device 2 further comprises an encryption module 28, used, after the storage device powers down, to encrypt the loaded startup boot configuration file and save it in the boot partition, and to modify the loaded startup boot configuration file so that the system partition cannot be accessed normally.
The startup boot configuration file comprises partition table information and/or file control information.
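The power-down and power-up behaviour of modules 21 to 28 can be modelled in a few lines of Python; this is an added example, not code from the patent. Assumptions: the class and function names, the constructed `TABLE` sample, PBKDF2 for the password check, and a SHAKE-256 keystream standing in for the unspecified encryption algorithm; the key is derived from the password and held only in memory, whereas claim 5 saves the key in the boot partition.

```python
import hashlib, hmac, os

MAX_FAILURES = 10  # the failure limit this page gives as its example
# Constructed sample standing in for a real partition table.
TABLE = b"p1:boot:0-2047;p2:system:2048-409599"

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the unspecified encryption algorithm: XOR with a
    # SHAKE-256 keystream, so the same call encrypts and decrypts.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def tag(key: bytes) -> bytes:
    return hmac.new(key, b"verify", "sha256").digest()

class StorageDevice:
    def __init__(self, password: str, partition_table: bytes):
        self.salt = os.urandom(16)                  # boot partition
        self.key = derive_key(password, self.salt)  # RAM only, while unlocked
        self.verifier = tag(self.key)               # boot partition
        self.sealed = None                          # boot partition
        self.failures = 0
        self.formatted = False
        self.system_table = partition_table         # system partition

    def power_down(self) -> None:
        """Modules 27 and 28: seal the table, then destroy the live copy."""
        if self.key is None:
            return                                  # already locked
        nonce = os.urandom(16)
        self.sealed = (nonce, xor_stream(self.key, nonce, self.system_table))
        self.system_table = bytes(len(self.system_table))  # zero-filled
        self.key = None

    def power_up(self, password: str) -> str:
        """Modules 21 to 26: authenticate, then restore, refuse or format."""
        if self.formatted:
            return "formatted"
        if self.key is not None:
            return "booted"                         # never powered down
        key = derive_key(password, self.salt)
        if not hmac.compare_digest(tag(key), self.verifier):
            self.failures += 1
            if self.failures >= MAX_FAILURES:       # formatting module 26
                self.sealed, self.formatted = None, True
                return "formatted"
            return "denied"
        nonce, blob = self.sealed                   # decryption submodule 231
        self.system_table = xor_stream(key, nonce, blob)
        self.key, self.failures = key, 0
        return "booted"
```

Between `power_down()` and a successful `power_up()`, `system_table` is what another host attached to the device would read: a zero-filled region with no usable partition information.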
The embodiment of the invention protects access to the storage device by using a special boot partition in the storage device that only the corresponding boot loader can recognise. It therefore does not require buying a separate encryption chip, as hardware encryption does, nor does it consume large amounts of system resources such as CPU, as software encryption does, and it remedies the shortcomings of existing encryption technology safely, economically and efficiently. In addition, the embodiment of the invention can encrypt the startup boot configuration file in the storage device, which addresses the problem of a lost or stolen storage device being attached to other equipment and accessed.
From the above description of the embodiments, those skilled in the art will clearly understand that the invention can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, or purely in the form of a software product. Any variation that those skilled in the art can conceive of falls within the protection scope of the invention.

Claims (13)

1. A method for protecting data information in a storage device, characterised in that it comprises the following steps:
Formatting the storage device into a boot partition and at least one system partition, wherein the boot partition is provided with an authentication program and a startup boot configuration file, and the system partition stores application programs and business data;
Before the system partition is accessed directly, accessing the authentication program;
After the current user passes identity authentication, loading the startup boot configuration file and then completing startup of the corresponding application; otherwise, exiting authentication or formatting the storage device.
2. The method for protecting data information in a storage device as claimed in claim 1, characterised in that accessing the authentication program before the system partition is accessed directly specifically comprises:
After the system powers on, starting the authentication program on the boot partition and requiring the current user to authenticate.
3. The method for protecting data information in a storage device as claimed in claim 1, characterised in that a boot loader is further provided on the boot partition of the storage device, and the boot loader performs boot startup after the authentication program has been passed.
4. The method for protecting data information in a storage device as claimed in claim 1 or 3, characterised in that the startup boot configuration file is encrypted in advance, and after the authentication program has been passed and before the startup boot configuration file is loaded, the startup boot configuration file must first be decrypted.
5. The method for protecting data information in a storage device as claimed in claim 4, characterised in that, when the storage device powers down, the authentication program is woken again and executes a certain encryption algorithm to encrypt the loaded startup boot configuration file, and the key and the encrypted file are saved in the boot partition.
6. The method for protecting data information in a storage device as claimed in claim 5, characterised in that the authentication program encrypts the boot configuration file by modifying the partition table information and/or file control information of the corresponding system partition on the boot partition.
7. The method for protecting data information in a storage device as claimed in claim 4, characterised in that, when the storage device powers down, the loaded startup boot configuration file is modified by waking the authentication program again.
8. A storage device using the above method, characterised in that the storage device comprises a boot partition and at least one system partition, wherein the boot partition is provided with an authentication program and a startup boot configuration file, and the system partition stores application programs and business data; the storage device further comprises:
An authentication program management module, used to start the authentication program before the system partition is accessed directly;
An authentication judging module, used to judge whether the current user passes the authentication program and, after judging that the current user has passed the authentication program, to notify the configuration file loading module to load the startup boot configuration file;
The configuration file loading module, used to load the startup boot configuration file of the boot partition after the authentication judging module judges that the current user has passed the authentication program;
An application start module, used to start the corresponding application after the configuration file loading module loads the startup boot configuration file of the boot partition.
9. The storage device as claimed in claim 8, characterised in that the storage device further comprises an exit-authentication module or a formatting module, used to exit authentication or format the storage device after the authentication judging module judges that the current user has not passed the authentication program.
10. The storage device as claimed in claim 8 or 9, characterised in that the configuration file loading module further comprises a decryption submodule, used to decrypt the previously encrypted startup boot configuration file after the authentication judging module judges that the current user has passed the authentication program.
11. The storage device as claimed in claim 10, characterised in that the storage device further comprises a boot configuration file modification module, used to modify the boot configuration file after the storage device powers down.
12. The storage device as claimed in claim 10, characterised in that the storage device further comprises an encryption module, used to encrypt the boot configuration file when the storage device powers down.
13. The storage device as claimed in claim 8, characterised in that the startup boot configuration file comprises partition table information and/or file control information.
CNA2007101641629A 2007-10-08 2007-10-08 A protection method and storage device for data information in storage device Pending CN101123507A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101641629A CN101123507A (en) 2007-10-08 2007-10-08 A protection method and storage device for data information in storage device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007101641629A CN101123507A (en) 2007-10-08 2007-10-08 A protection method and storage device for data information in storage device

Publications (1)

Publication Number Publication Date
CN101123507A true CN101123507A (en) 2008-02-13

Family

ID=39085696

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101641629A Pending CN101123507A (en) 2007-10-08 2007-10-08 A protection method and storage device for data information in storage device

Country Status (1)

Country Link
CN (1) CN101123507A (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9824226B2 (en) 2012-10-25 2017-11-21 Intel Corporation Anti-theft in firmware
CN104871167A (en) * 2012-10-25 2015-08-26 英特尔公司 Anti-theft in firmware
US10762216B2 (en) 2012-10-25 2020-09-01 Intel Corporation Anti-theft in firmware
CN103294969A (en) * 2013-06-21 2013-09-11 福建伊时代信息科技股份有限公司 File system mounting method and file system mounting device
CN103617209A (en) * 2013-11-19 2014-03-05 华为终端有限公司 File management method and file management device for mobile terminal
CN103679037A (en) * 2013-12-05 2014-03-26 长城信息产业股份有限公司 Asymmetric encryption authentication method and embedded device based on asymmetric encryption authentication
CN104484611A (en) * 2014-11-10 2015-04-01 福建联迪商用设备有限公司 Partition-mounting control method and device of Android system
CN104573421A (en) * 2014-12-30 2015-04-29 北京兆易创新科技股份有限公司 Multi-partition based MCU chip information protection method and device
CN104573421B (en) * 2014-12-30 2017-12-22 北京兆易创新科技股份有限公司 A kind of MCU chip information protecting method and device based on some subregions
US10592644B2 (en) 2014-12-30 2020-03-17 Gigadevice Semiconductor (Beijing) Inc. Information protection method and device based on a plurality of sub-areas for MCU chip
WO2016106933A1 (en) * 2014-12-30 2016-07-07 北京兆易创新科技股份有限公司 Sub-area-based method and device for protecting information of mcu chip
CN108897583A (en) * 2018-06-27 2018-11-27 北京东土军悦科技有限公司 Interchanger starts method, interchanger and storage medium
CN108897583B (en) * 2018-06-27 2022-03-25 北京东土军悦科技有限公司 Switch starting method, switch and storage medium
CN111400700A (en) * 2020-03-10 2020-07-10 深圳市三旺通信股份有限公司 Encryption method, device and equipment of switch and computer readable storage medium
CN111400700B (en) * 2020-03-10 2023-07-21 深圳市三旺通信股份有限公司 Encryption method, device and equipment of switch and computer readable storage medium
CN113553296A (en) * 2020-04-24 2021-10-26 北京全路通信信号研究设计院集团有限公司 Data security transmission system
CN112613011A (en) * 2020-12-29 2021-04-06 北京天融信网络安全技术有限公司 USB flash disk system authentication method and device, electronic equipment and storage medium
CN112613011B (en) * 2020-12-29 2024-01-23 北京天融信网络安全技术有限公司 USB flash disk system authentication method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20080213