Summary of the invention
To ensure the security of data stored and transmitted using iSCSI technology, the invention provides a method and a device for secure data storage and transmission.
The method for secure data storage and transmission provided to achieve the object of the invention comprises the following steps:
the local iSCSI chip encrypts the data written to the local storage disk;
when data needs to be transmitted to a remote iSCSI chip or other compatible device, the local iSCSI chip reads the data to be transmitted from the local storage disk and sends it directly to the remote iSCSI chip or other compatible device without decrypting it;
the local iSCSI chip performs permission verification on each local user and allows authorized local users to read the data in the local storage disk;
when an authorized local user reads data from the local storage disk, the local iSCSI chip reads the data from the local storage disk, decrypts the data read, and sends it to the authorized local user.
Preferably, in one embodiment, the key with which the local iSCSI chip encrypts the data written to the local storage disk is provided by the local storage controller or the local server, or by a third party during the interaction stage.
Preferably, in one embodiment, the local storage disk comprises one or more locally connected storage disks.
Preferably, in one embodiment, the initial value of the key with which the local iSCSI chip encrypts the data written to the local storage disk is a set of random numbers, or is provided by the local storage controller or the local server, or is provided by a third party during the interaction stage.
Preferably, in one embodiment, the security mechanism of the iSCSI chip is a per-flow or per-connection mechanism.
Based on the same inventive concept, a device for secure data storage and transmission comprises an iSCSI chip, and the iSCSI chip comprises a data encryption module, a data transmission module, a permission verification module and a user read module;
wherein:
the data encryption module is used to encrypt the data written to the local storage disk;
the data transmission module is used, when data needs to be transmitted to a remote iSCSI chip or other compatible device, to read the data to be transmitted from the local storage disk and send it directly to the remote iSCSI chip or other compatible device without decrypting it;
the permission verification module is used to perform permission verification on each local user and to allow authorized local users to read the data in the storage disk;
the user read module is used, when an authorized user reads data from the local storage disk, to read the data from the local storage disk, decrypt the data read, and send it to the authorized local user.
Preferably, in one embodiment, the security mechanism of the iSCSI chip is a per-flow or per-connection mechanism;
the local storage disk comprises one or more locally connected storage disks;
and the key with which the local iSCSI chip encrypts the data written to the local storage disk is provided by the local storage controller or the local server, or by a third party during the interaction stage.
Beneficial effects of the invention include:
The method and device for secure data storage and transmission provided by the invention encrypt the data written to the storage disk, thereby ensuring the security of the data on the storage disk, so that even if the storage disk is lost the data is not leaked. When a verified local user reads data from the storage disk, the data is decrypted before being sent to the verified local user; when data is transferred through the local iSCSI chip to a remote iSCSI chip or other mutually compatible device, the data is not decrypted, thereby ensuring the security of the data during transmission.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the method and device for secure data storage and transmission of the embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein serve only to explain the invention and are not intended to limit it.
As shown in Figure 1, the method for secure data storage and transmission of the embodiment of the invention comprises the following steps:
S100, the local iSCSI chip encrypts the data written to the local storage disk;
The local storage disk comprises one or more locally connected storage disks. When data is written through the iSCSI chip to the one or more locally connected storage disks, the local iSCSI chip first encrypts the data to be stored in the local storage disk and then transfers the encrypted data to the local storage disk for storage.
Preferably, in one embodiment, the present embodiment performs the encryption with the international-standard AES (Advanced Encryption Standard) algorithm.
The encryption key with which the iSCSI chip encrypts the data stored to the local storage disk may be provided by the storage controller or the local server, or by a third party during the interaction stage.
The storage controller or the local server sends a pre-generated encryption key to the local iSCSI chip, and the local iSCSI chip uses the received key to encrypt the data to be stored in the storage disk.
During the interaction stage, the encryption key may be provided by a third-party authentication authority server: when a user accesses the local storage disk through the local iSCSI chip to store data, the local iSCSI chip encrypts the data stored locally with the encryption key provided by the third-party authentication authority server.
Preferably, in one embodiment, in the secure data storage method of the present embodiment, the encryption key with which the local iSCSI chip encrypts the data stored to the local storage disk is provided by the local storage controller.
The initial value for the encryption performed by the local iSCSI chip may be a set of random numbers, or may be provided by the local storage controller, by the local server, or by a third-party server during the interaction stage.
The interaction stage refers to the stage in which the user sends access information to the local server and the local server returns information or performs the corresponding operation.
Preferably, in one embodiment, the initial value for the encryption performed by the local iSCSI chip in the secure data storage method of the present embodiment is provided by the local storage controller. The local storage controller sets the encryption initial value for the local iSCSI chip during the initialization process.
After the data written to the storage disk has been encrypted, the data held on the local storage disk is in an encrypted state, and the written data is secure. Even if the hard disk storing the data is lost, the data on it cannot be decrypted and therefore cannot be stolen. This ensures the security of data stored using iSCSI technology.
Preferably, in one embodiment, the security mechanism of the iSCSI chip is a per-flow or per-connection mechanism, so as to maximize security.
S200, when data needs to be transmitted to a remote iSCSI chip or other compatible device, the local iSCSI chip reads the data to be transmitted from the local storage disk and sends it directly to the remote iSCSI chip or other compatible device without decrypting it.
When performing a data backup or another data transfer operation that requires sending data to a remote iSCSI chip or other compatible device, the local iSCSI chip reads the data to be transmitted from the storage disk. As described in step S100, all data in the local storage disk has been encrypted by the local iSCSI chip with the encryption key provided by the local storage controller, by the local server, or by a third-party server during the interaction stage; at this point the local iSCSI chip does not decrypt the data read for transmission and sends it directly to the remote iSCSI chip or other compatible device.
Therefore, when the data on the local storage disk is sent to the remote iSCSI chip or other compatible device, the transmitted data is in an encrypted state; even if the transmitted data is intercepted in transit, it cannot be decrypted and therefore cannot be stolen, which ensures data security during the data transmission process.
It should be noted that the relevant settings of the remote iSCSI chip are identical to those of the local iSCSI chip; the other compatible devices to which data is transmitted also include another local storage disk to which the data in the local storage disk is backed up or dumped.
When the data in the local storage disk is backed up or dumped to another local storage disk, the local iSCSI chip reads the data from the one local storage disk and, likewise without decrypting it, writes the data read directly to the other storage disk, thereby ensuring that the data in the storage disks is always in an encrypted state and that the data remains secure.
S300, the local iSCSI chip performs permission verification on each local user and allows authorized local users to read the data in the local storage disk.
When a local user sends a data read request to the local iSCSI chip, the local iSCSI chip performs permission verification on the user that sent the received data read request. For an authorized user, the local iSCSI chip reads the corresponding data, decrypts it and sends it to the user; for an unauthorized user, it refuses the data read request. This protects the security of the stored data from another angle.
Preferably, in one embodiment of the invention, when an unauthorized user's data read request is refused, an unauthorized access alarm signal is sent and an unauthorized access alarm box is popped up on the display interface.
The permission verification is a mature technology and is not described in detail herein.
S400, when an authorized local user reads data from the local storage disk, the local iSCSI chip reads the data from the local storage disk, decrypts the data read, and sends it to the authorized local user;
Preferably, in one embodiment, step S400 specifically comprises the following steps:
S410, the local iSCSI chip reads the data at the specified address of the local specified storage disk;
When an authorized local user needs to read data on the local storage disk, the user sends a corresponding read command to the local server; the local iSCSI chip receives the read command and reads the data at the specified address of the specified storage disk according to the command information.
S420, the local iSCSI chip decrypts the data read from the specified address of the local specified storage disk;
The local iSCSI chip decrypts the data read.
It should be noted here that, as described in step S100, in the secure data storage method of the present embodiment all input data, that is, all data stored in the storage disk, is encrypted; therefore, when data in the storage disk is to be read, the data read from the storage disk needs to be decrypted, and the decrypted data is sent to the user for use.
S430, the decrypted data is sent to the authorized local user.
The data read in step S410 and decrypted in step S420 is, at this point, the original data stored on the disk; the original data is generally plaintext, but it may also include data that was already encrypted before storage. The decrypted data is sent to the user who performed the data read, so the user receiving the data can use it directly without any further operation.
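The following Python model is an added illustration and is not code from the patent; it walks steps S100 through S430 end to end: encrypt on write, forward ciphertext to a remote chip and to a backup disk without decrypting, refuse and alarm on an unauthorized read, and decrypt only for an authorized user. The AES algorithm named in the embodiment is replaced by a clearly labelled stand-in keystream built from HMAC-SHA256 so the example runs on a bare Python install; the controller key, the user names, the disk address, and the treatment of the "initial value" as a fresh per-write IV are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when permission verification (S300) rejects a read request."""


# Stand-in for the AES named in the embodiment: a CTR-style keystream derived
# from HMAC-SHA256(key, iv || counter) and XORed over the data. It is used only
# so the example runs with the standard library; a real chip would use AES.
def _keystream(key: bytes, iv: bytes, counter: int) -> bytes:
    return hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the XOR operation is symmetric) with the stand-in cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = _keystream(key, iv, offset // 32)
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class StorageDisk:
    """A local or remote storage disk. It only ever holds ciphertext."""
    blocks: dict = field(default_factory=dict)   # address -> (iv, ciphertext)


@dataclass
class ISCSIChip:
    key: bytes                 # encryption key issued by the storage controller (S100)
    authorized: set            # local users that pass permission verification (S300)
    disk: StorageDisk = field(default_factory=StorageDisk)
    alarms: list = field(default_factory=list)   # unauthorized-access alarm signals

    def write(self, address: int, plaintext: bytes) -> None:
        """S100: encrypt before the data reaches the local storage disk."""
        iv = secrets.token_bytes(16)   # assumption: the 'initial value' is a random IV per write
        self.disk.blocks[address] = (iv, crypt(self.key, iv, plaintext))

    def transmit(self, address: int, target: StorageDisk) -> None:
        """S200: copy ciphertext to a remote chip's disk or another local disk, never decrypting."""
        target.blocks[address] = self.disk.blocks[address]

    def read(self, user: str, address: int) -> bytes:
        """S300 then S400: verify the user, then S410 read, S420 decrypt, S430 return."""
        if user not in self.authorized:
            self.alarms.append(f"unauthorized access: user={user} address={address:#x}")
            raise AccessDenied(user)
        iv, ciphertext = self.disk.blocks[address]
        return crypt(self.key, iv, ciphertext)


# Constructed demo value standing in for a key issued by the storage controller.
CONTROLLER_KEY = hashlib.sha256(b"constructed demo key from storage controller").digest()
RECORD = b"constructed payroll record"


def demo() -> dict:
    local = ISCSIChip(key=CONTROLLER_KEY, authorized={"alice"})
    remote = ISCSIChip(key=CONTROLLER_KEY, authorized={"bob"})   # same settings as the local chip
    backup = StorageDisk()                                        # another local disk (backup/dump)

    local.write(0x10, RECORD)
    stored_iv, stored_ct = local.disk.blocks[0x10]   # all a lost disk would reveal

    local.transmit(0x10, remote.disk)
    local.transmit(0x10, backup)

    denied = False
    try:
        local.read("mallory", 0x10)
    except AccessDenied:
        denied = True

    return {
        "on_disk_is_ciphertext": stored_ct != RECORD,
        "remote_got_same_ciphertext": remote.disk.blocks[0x10] == (stored_iv, stored_ct),
        "backup_got_same_ciphertext": backup.blocks[0x10] == (stored_iv, stored_ct),
        "authorized_local_read": local.read("alice", 0x10),
        "authorized_remote_read": remote.read("bob", 0x10),
        "unauthorized_denied": denied,
        "alarm_count": len(local.alarms),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points the model makes visible: the remote chip can only serve its own authorized users because it was configured with the same key as the local chip, which is the "identical settings" requirement stated for the remote chip; and the embodiment specifies confidentiality only, so a practitioner deploying this pattern would pair the cipher with an integrity tag (for example AES-GCM in place of the plain CTR-style stand-in here) so that a modified backup or transmitted block is detected rather than silently decrypted.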
Based on the same inventive concept, an embodiment of the invention also provides a device for secure data storage and transmission. Since the principle by which this device solves the problem is similar to that of the aforementioned method for secure data storage and transmission, the device may be implemented according to the aforementioned method steps, and repeated details are not described again.
The device for secure data storage and transmission provided by the embodiment of the invention comprises an iSCSI chip; as shown in Figure 2, the iSCSI chip comprises a data encryption module 110, a data transmission module 120, a permission verification module 130 and a user read module 140.
The data encryption module 110 is used to encrypt the data written to the local storage disk.
The local storage disk comprises one or more locally connected storage disks. When data is input through the iSCSI chip to the one or more locally connected storage disks, the local iSCSI chip first encrypts the data to be stored in the local storage disk and then transfers the encrypted data to the local storage disk for storage.
Preferably, in one embodiment, the present embodiment encrypts the data to be stored in the local storage disk using the international-standard AES (Advanced Encryption Standard).
The encryption key with which the iSCSI chip encrypts the data stored to the local storage disk may be provided by the storage controller or the local server, or by a third party during the interaction stage.
The storage controller or the local server sends a pre-generated encryption key to the local iSCSI chip, and the local iSCSI chip uses the received key to encrypt the data to be stored in the local storage disk.
During the interaction stage, the encryption key may be provided by a third-party authentication authority server: when a user accesses the local storage disk through the local iSCSI chip to store data, the local iSCSI chip encrypts the data stored locally with the encryption key provided by the third-party authentication authority server.
Preferably, in one embodiment, in the secure data storage of the present embodiment, the encryption key with which the local iSCSI chip encrypts the data stored to the local storage disk is provided by the local storage controller.
The initial value for the encryption performed by the local iSCSI chip may be a set of random numbers, or may be provided by the local storage controller, by the local server, or by a third-party server during the interaction stage.
Preferably, in one embodiment, the initial value for the encryption performed by the local iSCSI chip in the secure data storage method of the present embodiment is provided by the local storage controller. The local storage controller sets the encryption initial value for the local iSCSI chip during the initialization process.
After the data written to the storage disk has been encrypted it is kept on the storage disk, so the data on the hard disk is in an encrypted state and is secure. Even if the hard disk storing the data is lost, the data on it cannot be decrypted and therefore cannot be stolen. This ensures the security of data stored using iSCSI technology.
Preferably, in one embodiment, the security mechanism of the iSCSI chip is a per-flow or per-connection mechanism, so as to maximize security.
The data transmission module 120 is used, when data needs to be transmitted to a remote iSCSI chip or other compatible device, to read the data to be transmitted from the local storage disk and send it directly to the remote iSCSI chip or other compatible device without decrypting it.
When performing a data backup or another data transfer operation that requires sending data to a remote iSCSI chip or other compatible device, the local iSCSI chip reads the data to be transmitted from the storage disk. All data in the local storage disk has been encrypted by the local iSCSI chip with the encryption key provided by the local storage controller, by the local server, or by a third-party server during the interaction stage; at this point the local iSCSI chip does not decrypt the data read for transmission and sends it directly to the remote iSCSI chip or other compatible device.
From the above it can be seen that when the data on the local storage disk is sent to the remote iSCSI chip or other compatible device, the transmitted data is in an encrypted state; even if the transmitted data is intercepted in transit, it cannot be decrypted and therefore cannot be stolen, which ensures data security during the data transmission process.
It should be noted that the relevant settings of the remote iSCSI chip are identical to those of the local iSCSI chip; the other compatible devices to which data is transmitted also include another local storage disk to which the data in the local storage disk is backed up or dumped.
The permission verification module 130 is used to perform permission verification on each local user and to allow authorized local users to read the data in the storage disk.
When a local user sends a data read request to the local iSCSI chip, the local iSCSI chip performs permission verification on the user that sent the received data read request. For an authorized user, the local iSCSI chip reads the corresponding data, decrypts it and sends it to the user; for an unauthorized user, it refuses the data read request. This protects the security of the stored data from another angle.
Preferably, in one embodiment of the invention, when an unauthorized user's data read request is refused, an unauthorized access alarm signal is sent and an unauthorized access alarm box is popped up on the display interface.
The user read module 140 is used, when an authorized local user reads data from the local storage disk, to read the data from the local storage disk, decrypt the data read, and send it to the authorized local user.
Preferably, in one embodiment, the user read module 140 comprises a data reading unit 141, a decryption unit 142 and a data sending unit 143.
The data reading unit 141 is used to read the data at the specified address of the local specified storage disk.
The decryption unit 142 is used to decrypt the data read from the specified address of the local specified storage disk.
The data sending unit 143 is used to send the decrypted data to the authorized local user.
After decryption by the decryption unit 142, the data is the original data stored on the local disk; the original data is generally plaintext, but it may also include data that was already encrypted before storage. The decrypted data is sent to the user who performed the data read, so the user receiving the data can use it directly without any further operation.
The above embodiments express only several implementations of the invention and are described in a relatively specific and detailed manner, but they should not therefore be interpreted as limiting the scope of the claims of the invention. It should be noted that a person of ordinary skill in the art may make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the invention. Therefore, the scope of protection of the patent of the invention shall be determined by the appended claims.