CN107563228A - Memory data encryption and decryption method - Google Patents

Publication number
CN107563228A
Authority
CN
China
Prior art keywords
key
decryption
module
encryption
encrypting module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710657407.5A
Other languages
Chinese (zh)
Other versions
CN107563228B (en)
Inventor
许海波
应志伟
杜朝晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Analog Microelectronics (shanghai) Co Ltd
Application filed by Analog Microelectronics (shanghai) Co Ltd
Priority to CN201710657407.5A
Publication of CN107563228A
Application granted
Publication of CN107563228B
Legal status: Active

Abstract

The present invention provides a memory data encryption and decryption method, belonging to the technical field of data encryption processing. The method comprises: S1, a processor module sends a key update request to an encryption module, and the encryption module generates a new key after receiving the request; S2, for each encrypted memory page in memory, the encryption module decrypts the corresponding memory page data with the old key and re-encrypts each decrypted memory page's data with the new key. The method provided by the present invention not only effectively reduces the malicious attacks made possible by the encryption key of SME technology staying constant, thereby significantly improving the security of memory encryption, but also adds flexibility to the security scheme: the user and the system can dynamically update the encryption and decryption key as needed.

Description

Memory data encryption and decryption method
Technical field
The present invention relates to the field of data encryption technology, and in particular to a memory data encryption and decryption method.
Background
As modern computer systems grow ever more complex, and as emerging technologies of recent years such as cloud computing and big data raise the security requirements on the computing environment, the industry has generally recognized the need to support data encryption fully from the underlying hardware of the computer system. To this end, the U.S. CPU design and manufacturing company Advanced Micro Devices proposed Secure Memory Encryption (SME) technology (see [1] AMD Memory Encryption White Paper; [2] Cryptographic protection of information in a processing system (patent CN106062768A)). This technology adds a memory encryption module to the existing CPU hardware, so that data is encrypted before it is written to memory; when the CPU needs to read the data, the encryption module automatically decrypts the encrypted data, and the whole process is fully transparent to upper-layer software. This method effectively resists data leakage caused by physical attacks on memory, isolation failures caused by software defects, and similar problems. However, because the encryption key stays constant for as long as the system runs, a malicious attacker can easily mount cryptographic attacks against weaknesses of the encryption method and crack it. Because SME is the basis of the SEV scheme ([1] AMD Memory Encryption White Paper), this security risk of SME is especially pronounced in SEV usage scenarios.
Fig. 1 shows the structure of the traditional SME scheme, which isolates secure information by placing a hardware encryption module 2 on the memory module access path. The encryption module 2 is located in the memory controller module 3 and provides the processor module 1 with an indication of whether each access is a secure access. The encryption key in the figure is generated automatically at system power-on and stays constant throughout system operation, which makes it easy for a malicious attacker to mount cryptographic attacks against weaknesses of the encryption method and crack it.
Summary of the invention
The present invention provides a memory data encryption and decryption method that solves the problem of malicious attacks made possible by an encryption key that stays constant.
The present invention provides a memory data encryption and decryption method, the method comprising:
S1, a processor module sends a key update request to an encryption module, and the encryption module generates a new key after receiving the request;
S2, for each encrypted memory page in memory, the encryption module decrypts the corresponding memory page data with the old key and re-encrypts each decrypted memory page's data with the new key.
Before step S1, the method further comprises: the operating system checks the current state of the processor module and exits directly if the processor module is busy;
if the processor module is idle, the operating system is suspended, accepts no input/output operations from any other process, and performs steps S1 and S2 above.
In addition, after the above steps execute successfully, the operating system returns "success"; if an error occurs in the above steps, the operating system returns "error" and terminates the update process.
Step S1 further comprises the encryption module saving the new key in a register in the memory controller module or in its internal EEPROM.
In step S1, the processor module sends the key update request to the encryption module through a key update interface.
Preferably, in step S1 the processor module sends the key update request to the encryption module through a new machine instruction, or through a new application programming interface provided by the controller firmware (FW).
The memory data encryption and decryption method provided by the present invention not only effectively reduces the malicious attacks made possible by the encryption key of SME technology staying constant, thereby significantly improving the security of memory encryption, but also adds flexibility to the security scheme: the user and the system can dynamically update the encryption and decryption key as needed.
Brief description of the drawings
Fig. 1 is a structural diagram of the traditional SME scheme;
Fig. 2 is a structural diagram of a system that increases memory encryption security by dynamically updating the encryption key;
Fig. 3 is a flow chart of a memory data encryption and decryption method provided by an embodiment of the present invention.
Detailed description
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
As shown in Figs. 2 and 3, the present invention provides a memory data encryption and decryption method, the method comprising:
S1, processor module 1 sends a key update request to encryption module 2, and the encryption module generates a new key after receiving the request;
S2, for each encrypted memory page in memory, encryption module 2 decrypts the corresponding memory page data with the old key and re-encrypts each decrypted memory page's data with the new key.
The memory data encryption and decryption method provided by the present invention not only effectively reduces the malicious attacks made possible by the encryption key of SME technology staying constant, thereby significantly improving the security of memory encryption, but also adds flexibility to the security scheme: the user and the system can dynamically update the encryption and decryption key as needed.
Because updating the encryption key invalidates the data currently encrypted in memory, after a successful key update the encrypted data in memory must be decrypted and then encrypted and stored again with the new key. When the system is running at full load, a large amount of data is held in memory. Updating the key at that point would take a long time to decrypt and re-encrypt the data in memory, leaving the system unavailable for a long period.
Therefore, in a preferred embodiment of the present invention, before step S1 the method further comprises: the operating system checks the current state of processor module 1 and exits directly if processor module 1 is busy;
if processor module 1 is idle, the operating system is suspended, accepts no input/output operations from any other process, and performs steps S1 and S2 above.
In addition, after the above steps execute successfully, the operating system returns "success"; if an error occurs in the above steps, the operating system returns "error" and terminates the update process.
Step S1 further comprises the encryption module saving the new key in a register in the memory controller module or in its internal EEPROM.
Fig. 2 shows a system that increases memory encryption security by dynamically updating the encryption key. The system adds a key update interface between processor module 1 and encryption module 2 (the interface shown by the dashed line in Fig. 3; implementation forms include a hardware instruction UPDATE_MEM_KEY, a new API provided by the encryption module FW, and so on), thereby supporting dynamic update of the encryption key. With this function added, the operating system can send a key update request to encryption module 2 at a suitable time to generate a new encryption key. In addition, in step S1 processor module 1 sends the key update request to encryption module 2 through a new machine instruction, or through a new application programming interface (API) provided by the controller firmware (FW).
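The following software model of the update flow (idle check, S1, S2, and the "success"/"error" result) is an added example, not code from the patent or from any vendor. The names EncryptionModule, update_key, os_key_update and the fail_at fault hook are hypothetical, a SHAKE-256 keystream stands in for the hardware cipher, and committing the key and pages together on completion is an assumption of the example; the patent only states that the operating system returns "error" and terminates the update.

```python
import hashlib
import secrets


class EncryptionModule:
    """Software model of encryption module 2 in the memory controller."""

    def __init__(self):
        self.key = secrets.token_bytes(16)  # generated at power-on, as in Fig. 1
        self.pages = {}                     # page number -> ciphertext ("memory")

    @staticmethod
    def _xcrypt(key, page_no, data):
        # Stand-in for the hardware cipher (assumption of this example):
        # a SHAKE-256 keystream bound to key and page number, XORed over the page.
        seed = key + page_no.to_bytes(8, "little")
        stream = hashlib.shake_256(seed).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def write(self, page_no, plaintext):
        self.pages[page_no] = self._xcrypt(self.key, page_no, plaintext)

    def read(self, page_no):
        return self._xcrypt(self.key, page_no, self.pages[page_no])

    def update_key(self, fail_at=None):
        """Steps S1 and S2. fail_at (hypothetical) injects a fault at that page."""
        old_key = self.key
        new_key = secrets.token_bytes(16)                  # S1: produce new key
        staged = {}
        for page_no, ciphertext in self.pages.items():     # S2: every encrypted page
            if page_no == fail_at:
                # Nothing has been committed, so memory is still readable
                # under the old key after the error is reported.
                return False
            plain = self._xcrypt(old_key, page_no, ciphertext)
            staged[page_no] = self._xcrypt(new_key, page_no, plain)
        # Commit pages and key together; a real module would also store the
        # new key in its register or internal EEPROM at this point.
        self.pages, self.key = staged, new_key
        return True


def os_key_update(module, cpu_busy, fail_at=None):
    """Operating-system side of the flow described above."""
    if cpu_busy:
        return "exit"      # processor busy: exit directly, no update
    # I/O from other processes would be refused here (not modelled).
    return "success" if module.update_key(fail_at) else "error"
```

The fault case is the one worth checking on a real design: if pages are re-encrypted in place and the old key is discarded before the loop finishes, an error part-way leaves memory split between two keys.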
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
Those skilled in the art should further appreciate that the units and algorithm steps of each example described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Those skilled in the art may implement the described functions in different ways for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The specific embodiments described above explain the purpose, technical solution and beneficial effects of the present invention in further detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (6)

  1. A memory data encryption and decryption method, characterized in that the method comprises:
    S1, a processor module sends a key update request to an encryption module, and the encryption module generates a new key after receiving the request;
    S2, for each encrypted memory page in memory, the encryption module decrypts the corresponding memory page data with the old key and re-encrypts each decrypted memory page's data with the new key.
  2. The method according to claim 1, characterized in that before step S1 it further comprises:
    the operating system checks the current state of the processor module and exits directly if the processor module is busy;
    if the processor module is idle, the operating system is suspended, accepts no input/output operations from any other process, and performs steps S1 and S2 above.
  3. The method according to claim 1, characterized in that after the above steps execute successfully, the operating system returns "success"; if an error occurs in the above steps, the operating system returns "error" and terminates the update process.
  4. The method according to claim 1, characterized in that step S1 further comprises the encryption module saving the new key in a register in the memory controller module or in its internal EEPROM.
  5. The method according to claim 1, characterized in that in step S1 the processor module sends the key update request to the encryption module through a key update interface.
  6. The method according to claim 1, characterized in that in step S1 the processor module sends the key update request to the encryption module through a new machine instruction, or through a new application programming interface provided by the controller firmware (FW).
CN201710657407.5A 2017-08-03 2017-08-03 Memory data encryption and decryption method Active CN107563228B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710657407.5A CN107563228B (en) 2017-08-03 2017-08-03 Memory data encryption and decryption method

Publications (2)

Publication Number Publication Date
CN107563228A true CN107563228A (en) 2018-01-09
CN107563228B CN107563228B (en) 2021-04-20

Family

ID=60973950

Country Status (1)

Country Link
CN (1) CN107563228B (en)

Legal Events

Date Code Title Description
PB01 Publication
TA01 Transfer of patent application right

Effective date of registration: 20180109

Address after: 300143 Tianjin Haitai Huayuan Industrial Zone No. 18 West North 2-204 industrial incubation -3-8

Applicant after: Hai Guang Information Technology Co., Ltd.

Address before: 201203 3F, No. 1388, 02-01, Zhang Dong Road, Pudong New Area, Shanghai

Applicant before: Analog Microelectronics (Shanghai) Co., Ltd.

SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300143 Tianjin Haitai Huayuan Industrial Zone No. 18 West North 2-204 industrial incubation -3-8

Applicant after: Haiguang Information Technology Co., Ltd

Address before: 300143 Tianjin Haitai Huayuan Industrial Zone No. 18 West North 2-204 industrial incubation -3-8

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant