CN110929302B - Data security encryption storage method and storage device - Google Patents


Info

Publication number
CN110929302B
Authority
CN
China
Prior art keywords
storage device
data
file
user
host
Prior art date
Legal status
Active
Application number
CN201911054134.0A
Other languages
Chinese (zh)
Other versions
CN110929302A (en)
Inventor
谢吉华
豆潮
张音
唐悦
Current Assignee
Southeast University
Original Assignee
Southeast University
Priority date
Filing date
Publication date
Application filed by Southeast University
Priority to CN201911054134.0A
Publication of CN110929302A
Application granted
Publication of CN110929302B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data security encryption storage method and a storage device. The storage device divides each data file to be read or written into a volume data part and a metadata part and processes reads and writes asymmetrically and selectively: all volume data written to the data file is encrypted before it is stored, while the metadata is not encrypted; on a read, whether the data is decrypted is determined by the state of user identity authentication. This gives encrypted storage of file content together with controlled management of decryption authority. Because the metadata is not encrypted, the host device can still recognize the encrypted files stored on the storage device without decrypting the file body data, so compatibility is preserved. In particular, when the host device is a camera or video camera, normal shooting and recording are not affected by the storage device's encryption of the volume data. The invention is also applicable to other host devices.

Description

Data security encryption storage method and storage device
Technical Field
The embodiment of the invention discloses a data security encryption storage method and a data security encryption storage device, and belongs to the field of data security.
Background
Storage devices are used every day to hold data: SD cards, TF cards, USB flash drives (U disks), removable hard disks (including solid state disks), hard disks and the like store documents, photos, videos and similar data. With the wide adoption of digital audio and video equipment they are used especially heavily. Because the storage device itself cannot control file read and write permissions, image data and other important information on it are easily leaked through careless storage and management. At present two methods, data encryption and access control, are mainly used to protect the data stored on a storage device. Data encryption is the safest and most effective way to achieve secure storage. The storage device keeps data in its memory in the form of files, and current storage-device encryption either encrypts both the metadata and the content of the stored files or encrypts all written data, i.e. full disk encryption. The "metadata" of a file includes information such as the file name (including the suffix), file size, creation time, modification time, file attributes and file type, and also the logical and physical structure information that depends on the file system type and on how the file is physically laid out on the storage medium, such as block information, sector size, starting cluster address, the cluster address of the next data block, the end-of-file marker and the underlying formatting data. The file content information, the "volume data" of the file as defined herein, is the content of the document, photo, video or other item that we actually want to store.
Existing methods that protect data in a storage device by encryption or access control may affect or limit the normal use of special host devices such as cameras and video cameras: such devices cannot complete the identity authentication process that the storage device requires for access control. Because authentication cannot be completed, the host device cannot recognize the storage device, and normal use of the host device is affected.
Disclosure of Invention
The invention aims to solve the problem that, because a storage device cannot control the read and write permissions of files, important information in it is easily leaked through careless storage and management. It provides a data security encryption storage method and storage device that solve the data security (anti-leakage) problem without affecting the normal use of devices such as cameras and video cameras.
To this end the invention adopts the following arrangement: a data security encryption storage device comprises an interface circuit, a controller, a storage medium, an encryption and decryption module and a processing module. Before the storage device is used for the first time, a personalized configuration must be carried out on it, completing the relevant security policy settings, user management settings and the generation of the corresponding user protection keys (asymmetric key pairs). The storage device is connected to the host device through its interface and the configuration program is started on the host; following the prompts of this dedicated configuration software, user management and the security policy for the write-encrypt/read-decrypt operation of the secure storage device are configured, and the corresponding user protection keys (asymmetric key pairs) are generated and stored in a dedicated key storage area in the storage device. Formatting operations performed by the host device on the storage device do not change the configuration parameters saved by the personalized configuration.
The invention also discloses a data security encryption storage method, which comprises the following steps:
S1: connect the storage device to the corresponding host, power on and complete initialization;
S2: the storage device executes an optional user identity authentication operation and, according to the authentication result, selects the key set corresponding to the user as the encryption key of the data file; if the user chooses identity authentication, go to S21; otherwise go to S22;
S21: the storage device authenticates the identity of the user;
S211: the storage device judges whether the user identity authentication passes; if it passes, go to S211-A, otherwise go to S22;
S211-A: the storage device sets the user identity authentication status to "yes", records the authentication status in a designated storage unit of the storage device, sets the ID value of the current user identity, and at the same time generates a random number as the data encryption key of the current user;
S22: the storage device sets the user identity authentication status to "no", records it in the storage unit, sets the ID of the current user to the default ID value, and generates a random number as the data encryption key of the current (default) user;
S3: the storage device waits for a command from the host; if there is a command, go to S4, otherwise remain at S3;
S4: judge the type of the host command; if it is a write command, go to S41; if it is a read command, go to S42; if it is any other command, go to S43;
S41: the encryption module of the storage device selectively encrypts the data to be written using the current user's data encryption key to produce a data ciphertext; at the same time it encrypts the data encryption key with the user protection key in the key file that corresponds to the user identity (ID value) to form a key ciphertext, inserts the key ciphertext at a designated position in the data ciphertext, and stores the result in the memory of the storage device;
S42: on receiving a read command from the host, the storage device proceeds according to the result of the user's identity authentication: if the authentication status is "yes", go to S42-A; otherwise go to S42-B;
S42-A: the user identity authentication status is "yes", so the storage device decrypts the data to be read by the host and transmits it to the host;
S42-B: the user identity authentication status is "no", so the storage device transmits the ciphertext of the data to be read to the host without decrypting it;
S43: for any other command, the storage device returns to S3 to wait after it has finished processing the command.
as a preferred aspect of the present invention, the host using the storage device is a device capable of supporting reading and writing data of various file systems, including but not limited to computers, mobile phones, tablets, cameras, camcorders, etc., and the file system formats include but not limited to FAT12/16/32, exFAT, EXT2/4, etc.
As a preferred aspect of the present invention, the storage device is a device capable of reading and writing data files according to various file system formats, including but not limited to, a removable hard disk, a U disk, an SD card, a TF card, a CF card, etc., and the file system formats include but not limited to FAT12/16/32, exFAT, EXT2/4, etc.
Preferably, after the initialization of the storage device is completed, the user can select whether to perform the identity authentication, wherein the identity authentication can be realized by inputting an authentication code by software running on the host equipment and comparing the authentication code with an authentication code preset in the storage device, or by communication between a wireless communication module arranged in the storage device and a specific wireless device held by the user. The wireless communication can be in a Bluetooth mode, an NFC mode or other low-power-consumption wireless communication modes, the specific wireless equipment can be authorization equipment which is bound and paired with the built-in wireless communication module of the storage device in advance, and the specific wireless equipment can be various intelligent devices which have corresponding wireless communication functions and can be paired and communicated with the built-in wireless communication module of the storage device, such as a smart phone, a smart bracelet, a smart watch and the like.
Preferably, the data encryption key is a string of random numbers generated by a CPU in the storage device and regenerated every time power is turned on, and the data encryption algorithm may be an asymmetric encryption algorithm, a symmetric encryption algorithm, or a combination of the two algorithms.
Preferably, when the host device writes a data file into the storage apparatus, the storage apparatus is capable of recognizing a file system format adopted by the host device, and dividing the data file into "volume data" and "metadata". The volume data refers to the content itself (without additional information such as file name, type, size, etc.) of the data file to be written; the metadata includes all related information constituting a file storage structure and attributes, such as a file name (including a suffix), a file size, a file attribute, a starting cluster address of file storage, a file modification time and the like, except for file body data, and all information including logical and physical structure information related to a current file system, such as a boot area, an index table, a directory structure, a sector size, underlying formatted data and the like, stored by the storage device.
In a preferred embodiment of the present invention, when the host writes a data file to the storage device, only the volume data of the data file is encrypted, and the corresponding metadata is not encrypted.
Preferably, in step S42-A, the storage device decrypts the data encryption key using the user protection key corresponding to the ID of the current user, then decrypts the encrypted volume data with that data encryption key and transmits the decrypted volume data to the host.
As a preferred aspect of the present invention, after the storage device is powered on and operated, no matter whether an identity authentication process is performed or not and whether the identity authentication is verified, all written data files are stored after being selectively encrypted, that is, only the volume data of the data files are encrypted, and the metadata of the data files are not encrypted; when reading out the data file, the status of the authentication is checked to determine whether to execute the decryption operation.
When the storage device is used for the first time, personalized setting is required to be carried out under a specified environment, so that relevant parameters, user management, key generation, binding, security policy setting and the like are completed, and the setting is not influenced by operations such as formatting and the like. When the storage device is powered on and used, a user can select whether to perform identity authentication or not, the storage device records an authentication state in the storage device, and the storage device selectively encrypts a data file to be written into the storage device by a host regardless of the authentication state (except that different user protection keys are selected according to different authentication results): only the volume data content of the data file to be written by the host computer is encrypted, and the metadata of the data file is not encrypted; when the host computer reads the file data in the storage device, the storage device determines whether to decrypt the data and transmit the decrypted data to the host computer according to the state whether the user identity authentication passes or not.
Beneficial effects: all volume data written to a file is encrypted and stored through the selective encryption technique, giving security protection and controlled access authority management for the file; since the metadata is not encrypted, the storage device maintains good compatibility with specific host devices (such as cameras and camcorders) and its use on those hosts is not affected.
Drawings
FIG. 1 is a flow chart of a host reading and writing operation to a storage device.
FIG. 2 is a flow chart of the read/write operation of the SD card user selecting the encryption mode.
Fig. 3 is a structure diagram of how the SD card's FAT file system stores data, where MBR is the master boot record area, DBR is the boot sector, FAT1 and FAT2 are the file allocation tables, DIR is the file directory entry area, i.e. the area storing the metadata of the files, and DATA is the area storing the file body data.
Detailed Description
The technical scheme of the invention is further explained by combining the attached drawings and the examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
As shown in fig. 1, the present invention discloses a data security encryption storage method, which comprises the following steps:
S1: the storage device is connected to a corresponding host, powered on and initialized. The host using the storage device is a device capable of reading and writing data in various file systems, including but not limited to computers, mobile phones, tablets, cameras and video cameras, and the file system formats include but are not limited to FAT12/16/32, exFAT and EXT2/4. The storage device is a device capable of reading and writing data files in various file system formats, including but not limited to removable hard disks, U disks, SD cards, TF cards and CF cards, and the file system formats include but are not limited to FAT12/16/32, exFAT and EXT2/4.
S2: the storage device executes selectable user identity authentication operation to perform identity authentication and records the authentication state (user name and authentication result) in a designated storage unit of the controller in the storage device; if the user does not select to carry out identity authentication operation or fails the user authentication verification, the user is processed according to the default user, and the authentication state is 'No' (failing to authenticate); selecting a key set corresponding to the user as an encryption key of the data file according to the authentication result; the key to encrypt the data may be a string of random numbers generated by a CPU in the storage device. The algorithm of the encryption key may be an asymmetric encryption algorithm or a symmetric encryption algorithm.
For host equipment such as computers, tablets, mobile phones and the like, the identity authentication can be realized by inputting authentication codes by software running on the host equipment and comparing the authentication codes with authentication codes preset in a storage device. For special host equipment such as a camera and a video camera, identity authentication can be performed by using a wireless communication module built in a storage device, for example, a bluetooth, NFC or other low-power consumption wireless communication module is built in the storage device, and identity authentication is completed by communicating the wireless communication module with a wireless communication module in other equipment held by a user.
S3: the storage device receives the host command, and proceeds to S4 if there is a command, otherwise waits in place.
S4: judging a read-write instruction of the host, and if the read-write instruction is the write instruction, entering S41; if yes, go to S42; if the instruction is the other instruction, the storage device jumps to S3 after the instruction is processed.
S41: the encryption module of the storage device selectively encrypts data to be written by using a key of the encrypted data to generate a ciphertext, and only encrypts file body data information written in the storage device, but not encrypts file metadata information when the data is written in the storage device. The file body data refers to the content itself (without information such as file name) of the data file to be written; the metadata includes all the information of file storage structure and attribute, such as file name (including suffix), file size, file attribute, initial cluster address of file storage, file modification time, and the like, except the file body data, and all the information of the boot area, index table, directory structure, sector size, and the like, which is related to the current file system and is stored by the storage device.
Meanwhile, the data encryption key is encrypted with the key in the key file that corresponds to the current user identity ID value to form a key ciphertext, which is placed at a designated position in the ciphertext and stored in the memory of the storage device.
S42: receiving the read command from the host, the storage device performs the following operations according to the result of authenticating the user in S2: if the status of the identity authentication is 'yes', the method goes to S42-A; otherwise, go to S42-B;
S43: after the storage device has processed the command, the process returns to S3.
S42-A: the user identity authentication status is "yes", so the storage device decrypts the data the host wants to read using the key corresponding to the current user identity ID value and transmits it to the host: it decrypts the key ciphertext embedded in the file body data with that key to recover the data encryption key, decrypts the file body data with the data encryption key to obtain the plaintext, and transmits the plaintext to the host. If the identity authentication status is "no", the storage device transmits the ciphertext to the host without decryption.
S42-B: if the user identity authentication state is 'no', the storage device transmits the ciphertext of the data to be read by the host computer to the host computer without decryption. Since the metadata information of the file is not encrypted, the storage device is compatible with various hosts, and the problems of data format errors, card damage caused by card reading failure and the like can be avoided.
When the host writes a data file into the storage device, the operation process is completely transparent; when the host reads the data file from the storage device, the corresponding strategy can be set during initialization according to the authentication state, so that the corresponding data file can be decrypted or not decrypted, but the reading operation of the host is not influenced.
The invention also discloses a data security encryption storage device, which comprises a corresponding interface circuit, a controller (processor), a storage medium, an encryption and decryption module and a related processing module, wherein the interface and the module complete the functions of data security encryption and decryption storage, reading and the like under the coordination of software programs. Before the storage device is used for the first time, initialization operation needs to be carried out on the storage device to complete operations such as related security policy setting, user management setting, key generation and the like, otherwise, the storage device executes related operations according to default configuration parameters, wherein the default configuration parameters include (but are not limited to) parameters such as a default security policy, a default user, a default key and the like. The storage device is accessed into the host computer through a proper interface and starts special configuration program software on the host computer, then completes the security policy configuration of the write-in encryption/read-out decryption operation of the user management and the security storage device according to the prompt of the special configuration software, generates a corresponding key and stores the key in a special key storage area arranged in the storage device.
Example 1:
This embodiment discloses a secure storage device in the form of an SD card, characterized in that the SD card comprises an SDIO interface circuit, a controller, a NAND Flash storage medium, an encryption and decryption module and a Bluetooth module. When the SD card is used for the first time, a user personalization operation must be carried out on it, for which the SD card is connected to a host through an SD interface. The SD card provides two modes, an encryption mode and a non-encryption mode; the default is the non-encryption mode, in which the SD card behaves as an ordinary SD card. If the user needs the encryption mode, it is selected in the dedicated configuration software; the selected mode is then stored in the SD card, and following the software's prompts the user completes user management, the security policy configuration of the SD card's write-encrypt/read-decrypt operation, pairing management of the wireless module and so on, and several public/private key pairs (e, d) are generated and stored in the key file of the SD card. Formatting operations performed by the user on the SD card do not change the configuration parameters saved by the personalization operation.
Referring to fig. 2 and 3, the present embodiment discloses a method for securely storing data in an SD card, which includes the following steps:
The following are the steps by which the SD card encrypts data when the user has selected the encryption mode:
S1: the SD card is inserted into the host and started; the CPU in the card generates a group of random numbers and passes them to the card's encryption/decryption module as the data encryption key k_a, and also passes the contents of the key file to the encryption and decryption module of the SD card.
S2: the SD card executes selectable identity authentication operation on the user, and if the user selects identity authentication, the SD card starts to record the user identity authentication state. The authentication process is as follows: if the Bluetooth module in the host used by the user is successfully paired with the Bluetooth module in the SD card, the SD card records the pairing state as 'yes' and stores the pairing state in the appointed position of the memory of the SD card and sets the ID value of the current user identity; if the pairing is unsuccessful, the authentication status is recorded as "no" and stored in the designated location of the memory thereof and the current user identification ID value is set as a default value. If the user does not perform identity authentication, the user authentication state is no and the user identity ID value is set to a default value.
S3: the SD card judges a read-write instruction of the host, and if the read-write instruction is the read-write instruction, the S31 is entered; if the instruction is a read instruction, the process proceeds to S32; if the command is another command, the SD card returns to S3 after completing the processing of the command.
S31: receiving the write command of the host, the encryption and decryption module in the SD card uses k a Symmetrically encrypting the volume data of the file to be written to generate a volume data ciphertext CM, and simultaneously encrypting a data encryption key k by using a public key e corresponding to the current user identity ID value a Carrying out asymmetric encryption to form a key ciphertext CK, placing the key ciphertext CK in a designated position of a body DATA ciphertext CM and storing the key ciphertext CK and the body DATA CM in a body DATA area (DATA) of the SD card; the metadata information to be written into the file is stored in the metadata area of the SD card without being encrypted.
S32: receiving a reading instruction of the host, starting to verify the user identity authentication state by the SD card, and entering S32-A if the user identity authentication state is 'yes'; if the status of the identity authentication is 'no', the method goes to S32-B;
S32-A: the user identity authentication state is 'yes', and the SD card decrypts and transmits the data to be read by the host to the host.
S32-B: if the user identity authentication status is "no", the SD card transmits the ciphertext of the data to be read by the host to the host without decryption.
Preferably, as shown in Fig. 3, when the SD card selectively encrypts the data to be written it encrypts the volume data of the file but not the file's metadata. The file volume data is the content itself (without information such as the file name) of the data file to be written; the file metadata comprises all the information that makes up the file storage structure and attributes apart from the file body data, such as the file name (including the suffix), file size, file attributes, starting cluster address and modification time, together with all the information the SD card stores about the current file system, such as the boot sector, FAT tables, directory structure and sector size.
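The sector-level decision behind the metadata/volume-data split described here, in Fig. 3 and in step S41, as an added Go example that is not code from the patent: it derives the FAT region boundaries from the DBR/BPB fields the controller can read at power-on and classifies each host LBA, so that only DATA-area sectors are routed to the encryption module. Assumptions: the BPB offsets are the standard FAT12/16/32 ones, the sample boot sector is constructed for the demo, and the FAT32 directory-cluster tracking (`DirClusters`, `MarkDirCluster`) is this example's own addition.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Region names follow the Fig. 3 layout: MBR, DBR, FAT1/FAT2, DIR and DATA.
type Region int

const (
	RegionMBR  Region = iota // master boot record plus the gap before the partition
	RegionDBR                // boot sector (BPB) of the partition
	RegionFAT                // file allocation tables
	RegionDir                // directory entries: name, size, start cluster, times
	RegionData               // file body ("volume data"), the only region encrypted
)

func (r Region) String() string { return [...]string{"MBR", "DBR", "FAT", "DIR", "DATA"}[r] }

// Layout is what the controller derives from the DBR at power-on so it can tell
// metadata sectors from volume-data sectors on every host read or write command.
type Layout struct {
	PartitionStart    uint32 // LBA of the DBR, taken from the MBR partition table
	BytesPerSector    uint32
	SectorsPerCluster uint32
	ReservedSectors   uint32
	NumFATs           uint32
	SectorsPerFAT     uint32
	RootDirSectors    uint32          // fixed root directory of FAT12/16; 0 on FAT32
	DirClusters       map[uint32]bool // FAT32 directory clusters (root cluster seeded)
}

// ParseBPB reads the standard BPB fields from a 512-byte boot sector (DBR).
func ParseBPB(sector []byte, partitionStart uint32) (Layout, error) {
	if len(sector) < 512 || sector[510] != 0x55 || sector[511] != 0xAA { return Layout{}, errors.New("not a boot sector") }
	l := Layout{
		PartitionStart:    partitionStart,
		BytesPerSector:    uint32(binary.LittleEndian.Uint16(sector[11:13])),
		SectorsPerCluster: uint32(sector[13]),
		ReservedSectors:   uint32(binary.LittleEndian.Uint16(sector[14:16])),
		NumFATs:           uint32(sector[16]),
		SectorsPerFAT:     uint32(binary.LittleEndian.Uint16(sector[22:24])),
		DirClusters:       map[uint32]bool{},
	}
	rootEntries := uint32(binary.LittleEndian.Uint16(sector[17:19]))
	if l.SectorsPerFAT == 0 { // FAT32: FAT size and root cluster sit in the extended BPB
		l.SectorsPerFAT = binary.LittleEndian.Uint32(sector[36:40])
		l.DirClusters[binary.LittleEndian.Uint32(sector[44:48])] = true
	}
	if l.BytesPerSector == 0 || l.SectorsPerCluster == 0 || l.NumFATs == 0 || l.SectorsPerFAT == 0 { return Layout{}, fmt.Errorf("implausible BPB fields: %+v", l) }
	l.RootDirSectors = (rootEntries*32 + l.BytesPerSector - 1) / l.BytesPerSector
	return l, nil
}

func (l Layout) firstFATSector() uint32  { return l.PartitionStart + l.ReservedSectors }
func (l Layout) firstRootSector() uint32 { return l.firstFATSector() + l.NumFATs*l.SectorsPerFAT }
func (l Layout) FirstDataSector() uint32 { return l.firstRootSector() + l.RootDirSectors }

// MarkDirCluster records a subdirectory cluster the controller has learned (e.g. by following
// the FAT chain of a DCIM folder) so that its entries stay in the clear like the other metadata.
func (l Layout) MarkDirCluster(cluster uint32) { l.DirClusters[cluster] = true }

// Classify maps a host LBA to one of the Fig. 3 regions.
func (l Layout) Classify(lba uint32) Region {
	switch {
	case lba < l.PartitionStart: return RegionMBR
	case lba < l.firstFATSector(): return RegionDBR
	case lba < l.firstRootSector(): return RegionFAT
	case lba < l.FirstDataSector(): return RegionDir
	}
	cluster := 2 + (lba-l.FirstDataSector())/l.SectorsPerCluster // data clusters are numbered from 2
	if l.DirClusters[cluster] { return RegionDir }
	return RegionData
}

// MustEncrypt is the selective-encryption decision of steps S31/S41: volume data only.
func (l Layout) MustEncrypt(lba uint32) bool { return l.Classify(lba) == RegionData }

// SampleBPB builds a constructed boot sector for the demo; it is not captured from a real card.
func SampleBPB(fat32 bool) []byte {
	s := make([]byte, 512)
	binary.LittleEndian.PutUint16(s[11:13], 512) // bytes per sector
	s[13], s[16] = 4, 2                           // sectors per cluster, number of FATs
	if fat32 {
		binary.LittleEndian.PutUint16(s[14:16], 32)   // reserved sectors
		binary.LittleEndian.PutUint32(s[36:40], 1000) // sectors per FAT
		binary.LittleEndian.PutUint32(s[44:48], 2)    // root directory cluster
	} else {
		binary.LittleEndian.PutUint16(s[14:16], 1)   // reserved sectors
		binary.LittleEndian.PutUint16(s[17:19], 512) // root directory entries
		binary.LittleEndian.PutUint16(s[22:24], 64)  // sectors per FAT
	}
	s[510], s[511] = 0x55, 0xAA
	return s
}

func main() {
	l, err := ParseBPB(SampleBPB(true), 8192)
	if err != nil { panic(err) }
	for _, lba := range []uint32{0, 8192, 8224, 10224, 10228} {
		fmt.Printf("LBA %5d -> %-4v encrypt=%v\n", lba, l.Classify(lba), l.MustEncrypt(lba))
	}
}
```

The caveat a controller designer needs: Fig. 3 draws DIR as a fixed area, which is true for FAT12/16, but on FAT32 (and for every subdirectory on any FAT variant) directory entries live in ordinary data clusters. A pure sector-range rule would then encrypt the DCIM directory entries themselves, which is exactly the "card unreadable" failure the patent wants to avoid, so the controller has to follow the FAT chains and mark those clusters as metadata; exFAT and EXT2/4 have different on-disk structures and need their own classifiers.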
Preferably, when the user needs to read data, the SD card first checks the user authentication status. If the status is "yes", the encryption and decryption module of the SD card determines from the encrypted flag in the file whether the file is encrypted. If it is, the module asymmetrically decrypts the key ciphertext CK at the designated position of the file body data ciphertext CM with the private key d corresponding to the user identity ID value to obtain the data encryption key k_a, symmetrically decrypts the file volume data ciphertext CM with k_a to obtain the volume data, and transmits the decrypted volume data to the host. If the user identity authentication status is "no", the SD card transmits the file the user wants to read to the host without decryption. Because the metadata of the file is not encrypted, the host device (such as a camera) can correctly recognize that the encrypted file exists; whether or not the image can be displayed correctly, it will not happen that pictures cannot be taken and stored because the camera fails to recognize the SD card or reports the SD card as damaged.
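The complete write/read procedure of steps S1 to S43 in the disclosure and description, and of S1 to S32-B plus the read path just described in this example, as an added Go example that is not the patent's or Southeast University's code: a per-power-on random key k_a encrypts the volume data, k_a is wrapped under the current user's public key e into CK, CK is embedded in the stored record next to CM, and on a read the body is decrypted only when the authentication status is "yes". Assumptions not fixed by the patent: AES-256-GCM as the symmetric algorithm and RSA-2048-OAEP as the asymmetric one, the record layout (a magic prefix serving as the "encrypted flag", then nonce, CK length, CK, CM), the behaviour of returning ciphertext when CK was wrapped for a different user, and the names `Card`, `Configure`, `PowerOn`, `Write`, `Read` and the sample file, all constructed here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record layout in the DATA area (constructed; the patent only says CK sits at a "designated
// position" in CM): magic | nonce | len(CK) | CK | CM. The magic is the "encrypted flag".
var encMagic = []byte("SENC")

const nonceLen = 12 // standard AES-GCM nonce size

// Meta is the directory-entry information, always stored in the clear.
type Meta struct{ Name string; Size int }

// Card models the controller state: key file from configuration, per-power-on k_a, S2 outcome.
type Card struct {
	keyFile       map[string]*rsa.PrivateKey // user protection key pairs (e, d), plus "default"
	sessionKey    []byte                     // k_a, regenerated at every power-on
	currentUser   string
	authenticated bool
	dir           map[string]Meta   // DIR area: metadata, never encrypted
	data          map[string][]byte // DATA area: file body records, always encrypted
}

// gcmFor wraps an AES key in GCM; every key reaching it here is a valid 32-byte key.
func gcmFor(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// Configure is the one-time personalization: one key pair per user plus the default user.
// A host-side format would leave this key file untouched.
func Configure(users ...string) (*Card, error) {
	c := &Card{keyFile: map[string]*rsa.PrivateKey{}, dir: map[string]Meta{}, data: map[string][]byte{}}
	for _, u := range append(users, "default") {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil { return nil, err }
		c.keyFile[u] = k
	}
	return c, nil
}

// PowerOn is S1/S2: fresh random k_a, then the optional authentication result; a skipped or
// failed authentication falls back to the default user with status "no" (S22).
func (c *Card) PowerOn(user string, authOK bool) error {
	c.sessionKey = make([]byte, 32)
	if _, err := rand.Read(c.sessionKey); err != nil { return err }
	c.currentUser, c.authenticated = "default", false
	if _, known := c.keyFile[user]; authOK && known {
		c.currentUser, c.authenticated = user, true
	}
	return nil
}

// Write is S31/S41: AES-GCM on the volume data with k_a gives CM; RSA-OAEP of k_a under the
// current user's public key e gives CK; the metadata goes to DIR unencrypted.
func (c *Card) Write(name string, body []byte) error {
	priv := c.keyFile[c.currentUser]
	ck, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, c.sessionKey, nil)
	if err != nil { return err }
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { return err }
	rec := append([]byte{}, encMagic...)
	rec = append(rec, nonce...)
	rec = append(rec, byte(len(ck)>>8), byte(len(ck)))
	rec = append(rec, ck...)
	rec = append(rec, gcmFor(c.sessionKey).Seal(nil, nonce, body, nil)...)
	c.data[name], c.dir[name] = rec, Meta{Name: name, Size: len(body)}
	return nil
}

// Read is S32/S42: metadata is always returned; the body is decrypted only when the status
// is "yes" and CK unwraps under the current user's private key d. Otherwise the stored
// ciphertext is handed back unchanged (S32-B/S42-B).
func (c *Card) Read(name string) (Meta, []byte, error) {
	meta, ok := c.dir[name]
	if !ok { return Meta{}, nil, errors.New("no such file") }
	rec := c.data[name]
	if !c.authenticated || !bytes.HasPrefix(rec, encMagic) { return meta, rec, nil }
	p := len(encMagic) + nonceLen + 2
	if len(rec) < p { return Meta{}, nil, errors.New("truncated record") }
	nonce, ckLen := rec[len(encMagic):len(encMagic)+nonceLen], int(rec[p-2])<<8|int(rec[p-1])
	if len(rec) < p+ckLen { return Meta{}, nil, errors.New("truncated record") }
	ka, err := rsa.DecryptOAEP(sha256.New(), nil, c.keyFile[c.currentUser], rec[p:p+ckLen], nil)
	if err != nil || len(ka) != 32 { return meta, rec, nil } // CK not for this user: ciphertext only (assumed)
	body, err := gcmFor(ka).Open(nil, nonce, rec[p+ckLen:], nil)
	if err != nil { return Meta{}, nil, err } // GCM tag mismatch: the record was altered at rest
	return meta, body, nil
}

func main() {
	card, _ := Configure("alice")
	card.PowerOn("alice", true)
	card.Write("IMG_0001.JPG", []byte("constructed JPEG bytes"))
	meta, body, _ := card.Read("IMG_0001.JPG")
	fmt.Printf("authenticated read: %s (%d bytes) -> %q\n", meta.Name, meta.Size, body)
	card.PowerOn("alice", false) // next power-on with authentication skipped
	meta, body, _ = card.Read("IMG_0001.JPG")
	fmt.Printf("unauthenticated read: %s still listed, %d ciphertext bytes\n", meta.Name, len(body))
}
```

Two properties worth checking against the patent's text: k_a changes at every power-on, yet a file remains readable in a later session because k_a is recovered from CK with the user's long-lived private key d; and a file written while unauthenticated is wrapped for the default user's key pair, so the choice of key pair at S22 decides who can later decrypt it. The patent does not specify integrity protection for the stored ciphertext; the GCM tag used here is this example's choice, and it is what turns an altered record into a read error rather than silently wrong plaintext.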
The above description is for the implementation of the present invention, and it should be noted that, for those skilled in the art, many modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (6)

1. A data security encryption storage method is characterized by comprising the following steps:
S1: connecting the storage device to a corresponding host, powering on and completing initialization;
S2: the storage device executes a selectable user identity authentication operation to perform identity authentication, and selects the key set corresponding to the user as the encryption key of the data file according to the authentication result; if the user selects identity authentication, proceed to S21, otherwise proceed to S22;
S21: the storage device authenticates the user;
S211: the storage device judges whether the user identity authentication passes; if it passes, proceed to S211-A, otherwise proceed to S22;
S211-A: the storage device sets the user identity authentication status to 'yes' and records the authentication status in a designated storage unit of the storage device, sets the ID value of the current user identity, and simultaneously generates a random number as the data encryption key;
S22: the storage device sets the user identity authentication status to 'no' and records the authentication status in the designated storage unit of the storage device, sets the current user identity to the default ID value, and generates a random number as the data encryption key;
S3: the storage device waits to receive a command from the host; if a command exists, proceed to S4, otherwise return to S3;
S4: the storage device judges the command type of the host: if it is a write command, proceed to S41; if it is a read command, proceed to S42; if it is another command, proceed to S43;
S41: the encryption module of the storage device selectively encrypts the data to be written using the randomly generated encryption key to produce a ciphertext, and simultaneously encrypts the data encryption key using the user protection key corresponding to the user identity in the key file to form a key ciphertext, which is placed at a designated position in the ciphertext and stored in the memory of the storage device;
S42: on receiving a read instruction from the host, the storage device acts according to the result of the user's identity authentication: if the identity authentication status is 'yes', proceed to S42-A; otherwise, proceed to S42-B;
S43: if the instruction is another instruction, the storage device returns to S3 after finishing processing the instruction;
S42-A: if the user identity authentication status is 'yes', the storage device decrypts the data to be read by the host and transmits it to the host;
S42-B: if the user identity authentication status is 'no', the storage device transmits the ciphertext of the data to be read by the host to the host without decryption;
the storage device comprises an interface circuit, a controller, a storage medium, an encryption and decryption module and a wireless communication module; the interface circuit is the data transmission channel between the host device and the storage device; before the storage device is used for the first time, a personalized configuration operation must be carried out on it, completing the related security policy settings, user management settings and the generation of the corresponding user protection keys; the storage device is connected to the host device through the interface circuit and the configuration program software is started on the host, after which, following the prompts of the configuration program software, the user management and the security policy configuration for the write-in encryption / read-out decryption operation of the secure storage device are completed, the corresponding user protection key is generated and stored in a dedicated key storage area provided in the storage device; any formatting operation the host device performs on the storage device does not change the configuration parameters saved by the personalized configuration operation; when the host device writes a data file to the storage device, the storage device can identify the file system format used by the host device and divide the data file into two parts, 'volume data' and 'metadata'; the volume data is the content of the data file to be written, excluding the file name, type and size; the metadata comprises, apart from the file body data, all the related information forming the file storage structure and attributes, including the file name with suffix, file size, file attributes, starting cluster address of the file storage and file modification time, and the logical and physical structure information related to the current file system stored by the storage device, including the boot area, index table, directory structure, sector size and low-level formatting data; when the host writes a data file to the storage device, only the volume data of the data file is encrypted, and the corresponding metadata is not encrypted.
2. A method for secure encrypted storage of data according to claim 1, characterized in that: the host device using the storage device is a device capable of reading and writing data in various file systems, including a computer, a mobile phone, a tablet, a camera and a video camera, and the file system formats include FAT12/16/32, exFAT and EXT2/3/4; the storage device can support the host device in reading and writing data files in these file system formats, and the storage device may take the form of a hard disk, a solid state disk, a mobile hard disk, a USB flash disk, an SD card, a TF card or a CF card supporting various interface forms.
3. A method for secure encrypted storage of data according to claim 1, characterized in that: after the initialization of the storage device is completed, the user can choose whether to perform identity authentication; the identity authentication can be realized by entering an authentication code in software running on the host device and comparing it with an authentication code preset in the storage device, or by communication between the wireless communication module provided in the storage device and a specific wireless device held by the user; the wireless communication includes Bluetooth and NFC, and the specific wireless device includes an authorization device bound and paired in advance with the wireless communication module provided in the storage device, as well as various smart devices with a corresponding wireless communication function that can be paired and communicate with the wireless communication module provided in the storage device, including smart phones, smart bracelets and smart watches.
4. A method for secure encrypted storage of data according to claim 1, characterized in that: the data encryption key is a string of random numbers generated by a CPU in the storage device and is regenerated each time the CPU is powered on, and the data encryption algorithm is an asymmetric encryption algorithm, a symmetric encryption algorithm, or a combination of the two.
5. A method for secure encrypted storage of data according to claim 1, characterized in that: in step S42-A, the storage device first decrypts the data encryption key using the user protection key corresponding to the ID value of the current user identity, then decrypts the encrypted volume data using that encryption key and transmits the decrypted volume data to the host.
6. A method for secure encrypted storage of data according to claim 1, characterized in that: after the storage device is powered on and running, regardless of whether an identity authentication process is executed and regardless of whether the identity authentication passes, all written data files are stored after selective encryption, that is, only the volume data of the data files is encrypted and the metadata of the data files is not encrypted; when a data file is read out, the authentication status is checked to determine whether to execute the decryption operation.
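The write path S41 and read path S42 of claim 1, with the key unwrapping order of claim 5 and the always-encrypt rule of claim 6, as an added Python simulation that is not the patent's own code: a per-power-on data key k_a, metadata kept in the clear next to the ciphertext, the wrapped key CK placed at a designated position in front of the body ciphertext CM, and the ciphertext returned untouched to an unauthenticated host. Claim 4 allows a purely symmetric scheme, so k_a is wrapped symmetrically under the user protection key (the description's asymmetric private key d is not used here), and a constructed HMAC-SHA256 counter-mode keystream stands in for the production cipher.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (constructed for this example): HMAC-SHA256
    in counter mode as a keystream, XORed with data. The same call decrypts."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

class SecureCard:
    """One power cycle of the storage device of claim 1 (S2, S41, S42)."""
    DEFAULT_ID = "default"          # identity used when no authentication (S22)

    def __init__(self, user_keys, auth_codes):
        self.user_keys = user_keys  # user protection keys from personalisation;
                                    # must contain DEFAULT_ID
        self.auth_codes = auth_codes
        self.memory = {}            # name -> (clear metadata, ciphertext blob)
        self.power_on()

    def power_on(self, user_id=None, auth_code=None):
        # S2: optional authentication; S211-A on success, S22 otherwise.
        ok = (user_id in self.auth_codes and auth_code is not None
              and hmac.compare_digest(self.auth_codes[user_id], auth_code))
        self.authenticated = ok
        self.current_id = user_id if ok else self.DEFAULT_ID
        self.k_a = os.urandom(32)   # data key regenerated per power-on (claim 4)

    def write(self, name: str, body: bytes) -> None:
        # S41: encrypt only the volume data with k_a; wrap k_a under the current
        # user's protection key and store the key ciphertext CK at a designated
        # position (here: a header in front of the body ciphertext CM).
        nonce = os.urandom(8)
        cm = xor_stream(self.k_a, nonce, body)
        ck = xor_stream(self.user_keys[self.current_id], b"wrap" + nonce, self.k_a)
        meta = {"name": name, "size": len(body), "encrypted": True}  # stays clear
        self.memory[name] = (meta, nonce + ck + cm)

    def read(self, name: str) -> bytes:
        meta, blob = self.memory[name]
        if not self.authenticated or not meta["encrypted"]:
            return blob                               # S42-B: ciphertext as stored
        nonce, ck, cm = blob[:8], blob[8:40], blob[40:]
        # S42-A / claim 5: unwrap k_a with the current user's protection key,
        # then decrypt the volume data. A different user's key yields garbage.
        k_a = xor_stream(self.user_keys[self.current_id], b"wrap" + nonce, ck)
        return xor_stream(k_a, nonce, cm)
```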
CN201911054134.0A 2019-10-31 2019-10-31 Data security encryption storage method and storage device Active CN110929302B (en)


Publications (2)

Publication Number Publication Date
CN110929302A CN110929302A (en) 2020-03-27
CN110929302B true CN110929302B (en) 2022-08-26





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant