Background
UASP (USB Attached SCSI Protocol) is a recent transmission protocol in the SCSI (Small Computer System Interface) protocol family. Because it fully conforms to the SAM-4 specification (SCSI Architecture Model 4) and supports asynchronous queue transmission, it is very efficient: when both communicating parties are well matched, the transmission efficiency of the underlying physical interface can approach full bandwidth. The underlying transmission medium of UASP is USB, and a command channel, a status channel, a data OUT channel and a data IN channel are established using four USB bulk pipes (Bulk Pipe), one for each channel.
With a transmission rate of up to 5 Gbps, USB 3.0 can maximize transmission efficiency when carrying UASP. The UASP protocol is used to realize high-speed storage of data between devices. For example, US patent publication No. US20110296106A1, entitled "SYSTEM FOR real testing multiple-PORT STORAGE MEDIA BASED ON UASP PROTOCOL OF USB specific information 3.0 AND METHOD THEREOF", proposes a multi-port storage media system based on the UASP protocol of USB 3.0. However, how to ensure the security of data while achieving high transmission efficiency with the UASP protocol is still a problem to be solved.
Disclosure of Invention
The invention aims to provide a UASP-based efficient data encryption device, which realizes efficient encryption of key data by relying on the UASP asynchronous queue technology and the underlying USB 3.0 ultra-high-speed physical interface.
In order to achieve the above object, the technical solution adopted by the present invention is a high-efficiency data encryption device based on the UASP protocol. The Device end comprises a USB 3.0 device controller, a UASP controller, an encryption engine, and the respective drivers of the three, and further comprises a data buffer; the Host end comprises an application software app and a data buffer area. Also included is a program that implements the following functions:
S1: the Host-end application software app reads the plaintext of a file to be encrypted from a hard disk into a memory data buffer area;
S2: the Host-end application software app sends the plaintext data in the memory to the encryption Device end through a UASP driver provided by the operating system;
S3: the encryption Device receives the plaintext data into the encryption engine through the UASP driver of the Device end, starts encryption, and puts the encrypted ciphertext data into the data buffer of the Device end;
S4: the encryption Device sends the ciphertext data to the Host end through the UASP driver of the Device end;
S5: the Host receives the ciphertext data through the application software app and stores the ciphertext data in the memory;
S6: the Host end writes the ciphertext data back to the hard disk, or stores the ciphertext data to another location, through the application software app.
Further, the Host-side application software app generates the UASP asynchronous queue by means of an asynchronous IO API provided by the operating system.
The data length of each asynchronous IO request generated by the Host-side application software app does not exceed the capacity of the Device-end data buffer.
The Host end continuously submits asynchronous IO requests to the Device end, and when all asynchronous writes and asynchronous reads are finished, one complete file encryption action is finished.
In the encryption operation, an asynchronous "write" corresponds to encryption, and an asynchronous "read" corresponds to reading the encryption result; in the decryption operation, an asynchronous "write" corresponds to decryption, and an asynchronous "read" corresponds to reading the decryption result.
The buffer area of the Device end can be small: 32KB is enough to achieve high performance, which saves hardware resources.
Compared with the prior art, the invention has the following beneficial effects:
1. The final product of the UASP-based high-efficiency data encryption device is very convenient to carry, so that the encryption and decryption of data can be completed at any time and in any place, and its form is similar to a U Key; the secret key is located inside the device, so that security is ensured;
2. Based on the UASP protocol, the high bandwidth of USB 3.0 can be fully utilized, and very efficient encryption and decryption are realized;
3. Based on the UASP protocol, the buffer requirement on the Device end is extremely low, and a 32KB SRAM can achieve high performance;
4. The Host-side application software app can operate the encryption device directly from the application program without installing a driver, so that truly driver-free operation is realized.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
The technical framework provided by the invention is independent of the specific choice of encryption algorithm and key management mode. The encryption device of the invention needs a built-in encryption engine, which can adopt any symmetric encryption algorithm, such as AES, SM1 or SM4, to encrypt and decrypt the data flowing through it. For key management, the encryption key may be generated randomly inside the device, the key may be generated by negotiation using an asymmetric algorithm such as RSA or SM2, or any other acceptable key management method may be used.
The invention mainly implements the USB device end supporting UASP; USB host-end software then needs to be written, and the two parts cooperate to realize the data encryption and decryption process. When the device is inserted into a USB host supporting UASP, the host identifies it as a mass storage device, and host-side software can access the device without installing any driver, so that data encryption and decryption are realized. FIG. 1 shows an application scenario of the present invention, which includes a Host end and a Device end; the arrows represent the process of encrypting (or decrypting) one piece of data.
The single-transaction data encryption process in FIG. 1 is described as follows:
1. The host-side application software (App) reads the plaintext of a file to be encrypted from the hard disk (FileSystem) into memory (Buffer);
2. The host application software sends the plaintext data in memory to the encryption device through the UASP driver provided by the operating system;
3. The encryption device receives the plaintext data into the encryption and decryption engine (Crypto Engine) through the UASP driver of the device end, starts encryption, and puts the encrypted ciphertext data into the buffer memory (Buffer) of the device end;
4. The encryption device sends the ciphertext data to the host end through the UASP driver of the device end;
5. The host receives the ciphertext data through the application software and stores the ciphertext data in memory;
6. The host writes the ciphertext data back to the hard disk (or stores the ciphertext data to another location) through the application software.
Single-transaction data encryption does not form an asynchronous queue and cannot fully utilize the high bandwidth of USB 3.0. Combining multi-transaction transmission with UASP allows the bandwidth to be fully utilized; a schematic diagram of the method is shown in FIG. 2.
The command queue in FIG. 2 holds 4 commands to be executed, issued by the host. They are write, read, write, and read in sequence, are distinguished by the tag inside the command structure, and are denoted CMD1, CMD2, CMD3, and CMD4 (CMD is an abbreviation of command). Writes and reads occur in pairs, and each write/read pair realizes one data encryption operation (see FIG. 1). The Device end parses the commands in sequence and executes the corresponding data receiving and status sending, where the data receiving is accompanied by the encryption action of the encryption engine. The specific flow is as follows:
1. The device first parses CMD1 and notifies the host that CMD1 can be executed;
2. When the host receives the notification, it executes CMD1 and sends the data to be encrypted to the device; the device starts the encryption engine and receives the data. At this point the device CPU is released and goes on to parse and preprocess CMD2;
3. After the data encryption is finished, the device notifies the host within a very short time that CMD1 has been executed and that CMD2 can be executed;
4. When the host receives the notification, it executes CMD2 and reads the ciphertext data back from the device to the host; at this time, the CPU of the device can continue with the preprocessing of CMD3;
5. After the transmission of the ciphertext data is finished, the host considers the encryption of the first block of data to be finished; the device notifies the host within a very short time that CMD2 has been executed and that CMD3 can be executed;
6. After receiving the notification, the host continues to execute CMD3 and CMD4; the flow of executing CMD3 and CMD4 is the same as for CMD1 and CMD2.
In step 3 and step 5 of this flow, the device notifies the host within a very short time, which is ensured by the asynchronous queue mechanism and the software and hardware cooperation of the device end. On the time axis, the intervals in FIG. 2 are very short, which ensures that receiving and encrypting the data and returning the ciphertext are essentially continuous, thereby maximizing bandwidth utilization. This is the key to fully utilizing the high bandwidth of USB 3.0.
The implementation of the invention depends on the software and hardware cooperation of the USB 3.0 device end; in addition, the USB host end (generally a PC or application software App) is required to implement a cooperating program.
The technical scheme of a preferred embodiment is as follows:
1. The Device-end hardware resources include a USB 3.0 device controller, an encryption engine, DMA, etc.;
2. The Device end needs a contiguous SRAM as the data buffer, and 32KB is enough;
3. The firmware program of the Device end needs to implement the drivers for the USB, the encryption engine and the DMA, and to implement the UASP protocol so as to respond efficiently to the asynchronous queue issued by the host;
4. The PC program at the Host end needs to generate a UASP asynchronous queue by means of an asynchronous IO API provided by the OS;
5. The data length of each asynchronous IO request of the PC program at the Host end does not exceed the buffer size of the device end;
6. The Host continuously submits asynchronous IO requests to the device, and when all asynchronous writes and asynchronous reads are finished, a complete file encryption action is finished;
7. The encryption and decryption schemes are similar: for encryption, an asynchronous "write" is encryption and an asynchronous "read" is fetching the encryption result; for decryption, an asynchronous "write" is decryption and an asynchronous "read" is fetching the decryption result.
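The write/read pairing and the buffer-size rule in items 5 to 7 can be sketched as a small simulation. This is an added example, not code from the patent: the names `sim_device`, `dev_write`, `dev_read` and `host_process` are hypothetical, the XOR step is only a placeholder for the encryption engine, and the calls are made synchronously, so the time overlap of FIG. 2 is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEV_BUF_SIZE (32u * 1024u)  /* Device-end SRAM buffer size from the text */

/* Simulated Device end: one buffer, its fill level, and the last write tag. */
typedef struct { uint8_t buf[DEV_BUF_SIZE]; size_t len; unsigned last_tag; } sim_device;

/* "Write" command: receive plaintext and transform it into the device buffer.
 * XOR with a constant is a placeholder for the crypto engine, NOT a cipher. */
static int dev_write(sim_device *d, unsigned tag, const uint8_t *in, size_t n)
{
    if (n == 0 || n > DEV_BUF_SIZE) return -1;  /* device-side bound check (assumption) */
    for (size_t i = 0; i < n; i++) d->buf[i] = in[i] ^ 0x5A;
    d->len = n;
    d->last_tag = tag;
    return 0;
}

/* "Read" command: return the result of the paired write (tag = write tag + 1). */
static int dev_read(sim_device *d, unsigned tag, uint8_t *out, size_t n)
{
    if (tag != d->last_tag + 1 || n != d->len) return -1;
    memcpy(out, d->buf, n);
    d->len = 0;                                 /* buffer is free for the next write */
    return 0;
}

/* Host side: split the file into requests no larger than `chunk` and issue tagged
 * write/read pairs (CMD1/CMD2, CMD3/CMD4, ...). Returns commands issued, or -1. */
static long host_process(sim_device *d, const uint8_t *in, uint8_t *out,
                         size_t total, size_t chunk)
{
    unsigned tag = 1;
    long cmds = 0;
    if (chunk == 0) return -1;
    for (size_t off = 0; off < total; off += chunk) {
        size_t n = total - off < chunk ? total - off : chunk;
        if (dev_write(d, tag, in + off, n) != 0) return -1;
        if (dev_read(d, tag + 1, out + off, n) != 0) return -1;
        tag += 2;
        cmds += 2;
    }
    return cmds;
}

int main(void)
{
    static sim_device dev;
    static uint8_t in[70000], out[70000];       /* constructed sample "file" */
    return host_process(&dev, in, out, sizeof in, DEV_BUF_SIZE) == 6 ? 0 : 1;
}
```

Because the device holds a single 32KB buffer, each read must drain the result of its paired write before the next write arrives, which is why the simulated device rejects a read whose tag or length does not match.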
The above description of the specific embodiments is not intended to limit the present invention, and any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.