CN111131130A - Key management method and system - Google Patents

Key management method and system Download PDF

Info

Publication number
CN111131130A
CN111131130A CN201811278265.2A CN201811278265A CN111131130A CN 111131130 A CN111131130 A CN 111131130A CN 201811278265 A CN201811278265 A CN 201811278265A CN 111131130 A CN111131130 A CN 111131130A
Authority
CN
China
Prior art keywords
key
data
user
encryption
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811278265.2A
Other languages
Chinese (zh)
Other versions
CN111131130B (en
Inventor
王祎磊
黄好城
傅海龙
其他发明人请求不公开姓名
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Starblaze Technology Co ltd
Original Assignee
Beijing Starblaze Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Starblaze Technology Co ltd filed Critical Beijing Starblaze Technology Co ltd
Priority to CN202210319862.5A priority Critical patent/CN115051806A/en
Priority to CN201811278265.2A priority patent/CN111131130B/en
Publication of CN111131130A publication Critical patent/CN111131130A/en
Application granted granted Critical
Publication of CN111131130B publication Critical patent/CN111131130B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key

Abstract

The application discloses a key management method and a key management system, and relates to the field of information security. The main technical scheme of the application is as follows: receiving an input user key, and performing hash operation on the user key to obtain a hash value of the user key; reading the encrypted value of the data key from the storage medium, decrypting the encrypted value of the data key by using the user key hash value to obtain the data key, and encrypting or decrypting the user data by using the data key. By adopting the key management method and the key management system provided by the application, the software running in the storage device can not directly access the key for encrypting and decrypting the data, so that the hardware-level protection of the key is achieved, and the risk of divulgence is reduced.

Description

Key management method and system
Technical Field
The present application relates to the field of information security, and in particular, to a key management method and system for data encryption or decryption of a storage device.
Background
FIG. 1 illustrates a block diagram of a storage device. The storage device 102 is coupled to a host for providing storage capabilities to the host. The host and the solid-state storage device 102 may be coupled by various methods, including but not limited to, connecting the host and the storage device 102 by, for example, SATA (Serial Advanced Technology Attachment), SCSI (small computer System Interface), SAS (Serial Attached SCSI), IDE (Integrated Drive Electronics), USB (Universal Serial bus), PCIE (Peripheral Component Interconnect Express, PCIE, high-speed Peripheral Component Interconnect), NVMe (NVM Express, high-speed nonvolatile storage), ethernet, fiber channel, wireless communication network, etc. The host may be an information processing device, such as a personal computer, tablet, server, portable computer, network switch, router, cellular telephone, personal digital assistant, etc., capable of communicating with the storage device in the manner described above. The Memory device 102 includes an interface 103, a control section 104, one or more NVM chips 105, and a DRAM (Dynamic Random Access Memory) 110.
NAND flash Memory, phase change Memory, FeRAM (Ferroelectric RAM), MRAM (magnetoresistive Memory), RRAM (Resistive Random Access Memory), XPoint Memory, and the like are common NVM.
The interface 103 may be adapted to exchange data with a host by means such as SATA, IDE, USB, PCIE, NVMe, SAS, ethernet, fibre channel, etc.
The control unit 104 is used to control data transfer between the interface 103, the NVM chip 105, and the DRAM 110, and also used for memory management, host logical address to flash physical address mapping, erase leveling, bad block management, and the like. The control component 104 can be implemented in various manners of software, hardware, firmware, or a combination thereof, for example, the control component 104 can be in the form of an FPGA (Field-programmable gate array), an ASIC (Application-specific integrated Circuit), or a combination thereof. The control component 104 may also include a processor or controller in which software is executed to manipulate the hardware of the control component 104 to process IO (Input/Output) commands. The control component 104 may also be coupled to the DRAM 110 and may access data of the DRAM 110. FTL tables and/or cached IO command data may be stored in the DRAM.
Control section 104 includes a flash interface controller (or referred to as a media interface controller, a flash channel controller) that is coupled to NVM chip 105 and issues commands to NVM chip 105 in a manner that conforms to an interface protocol of NVM chip 105 to operate NVM chip 105 and receive command execution results output from NVM chip 105. Known NVM chip interface protocols include "Toggle", "ONFI", etc.
Software operated by a control component of the existing storage device has an opportunity to contact a data key for encryption or decryption, so that a supplier of the storage device has an opportunity to contact sensitive information of a user, and hidden danger is brought to information safety.
Disclosure of Invention
According to a first aspect of the present application, there is provided a first key management method according to the first aspect of the present application, wherein an input user key is received, and a hash operation is performed on the user key to obtain a hash value of the user key; reading the encrypted value of the data key from the storage medium, decrypting the encrypted value of the data key by using the user key hash value to obtain the data key, and encrypting or decrypting the user data by using the data key.
According to a first key management method of a first aspect of the present application, there is provided a second key management method of the first aspect of the present application, wherein the user key is sent by the host to the storage device through the host interface.
According to the first or second key management method of the first aspect of the present application, there is provided the third key management method of the first aspect of the present application, wherein the encrypted value of the data key is stored in a storage medium inside or outside the control section.
According to the first to third key management methods of the first aspect of the present application, there is provided the fourth key management method of the first aspect of the present application, wherein the user data is written into the storage device by the host through the host interface, the user data is encrypted using the data key, and the encrypted data is written into the NVM chip.
According to the first to third key management methods of the first aspect of the present application, there is provided the fifth key management method of the first aspect of the present application, wherein in response to the host reading data from the storage device, the encrypted data read out from the NVM chip is decrypted using the data key, and the decrypted data is transmitted to the host.
According to the first to fifth key management methods of the first aspect of the present application, there is provided the sixth key management method according to the first aspect of the present application, wherein the firmware controls the encryption process but does not contact the encryption key and the data key.
According to the first to sixth key management methods of the first aspect of the present application, there is provided the seventh key management method of the first aspect of the present application, wherein the generated otp random number is used to encrypt the user key hash value, so as to obtain a user encryption key, and the user encryption key is written in the storage medium.
According to a seventh key management method of the first aspect of the present application, there is provided the eighth key management method of the first aspect of the present application, wherein before reading in the encrypted value of the data key from the storage medium, the method further comprises: and encrypting the user key hash value by using first data acquired from the OTP to obtain a first user encryption key, reading the user encryption key from the storage medium, and reading the encryption value of the data key from the storage medium if the first user encryption key is the same as the read user encryption key.
According to the first to eighth key management methods of the first aspect of the present application, there is provided the ninth key management method of the first aspect of the present application, wherein a first random number is generated; and carrying out Hash operation on the first random number to obtain the data key.
According to a ninth key management method of the first aspect of the present application, there is provided the tenth key management method of the first aspect of the present application, wherein the data key is encrypted using a user key hash value to obtain an encrypted value of the data key; and writing the encrypted value of the data key into a storage medium.
According to the first to eighth key management methods of the first aspect of the present application, there is provided the eleventh key management method of the first aspect of the present application, wherein, for each natural number i of 1 to N, the following operations are performed: generating an ith random number, and performing hash operation on the ith random number to obtain an ith-level data key; when 1< i ═ N, encrypting the i-level data key by using the (i-1) -level data key to obtain an encryption value of the i-level data key; when the i is 1, encrypting the ith-level data key by using the hash value of the user key to obtain an encryption value of the ith-level data key; writing the encrypted value of the ith-level data key into a storage medium; wherein the data key is an Nth-level data key, and N is a natural number greater than 1.
According to an eleventh key management method of the first aspect of the present application, there is provided the twelfth key management method of the first aspect of the present application, wherein the encrypted value of the first-level data key is read in from the storage medium, and the encrypted value of the first-level data key is decrypted using the user key hash value to obtain the first-level data key; sequentially taking the (i-1) th-level data key as a decryption key, reading the encryption value of the ith-level data key from the storage medium, and decrypting the encryption value of the ith-level data key to obtain the i-level data key; wherein 1< i > -N, N > -2; user data is encrypted or decrypted using the nth level data key.
According to the first to eighth key management methods of the first aspect of the present application, there is provided the thirteenth key management method of the first aspect of the present application, wherein M random numbers are generated; performing hash operation on each random number to obtain M data keys; wherein M is a natural number greater than 1.
According to a thirteenth key management method of the first aspect of the present application, there is provided the fourteenth key management method of the first aspect of the present application, wherein the M data keys are encrypted respectively using the user key hash values, to obtain encrypted values of the M data keys; and writing the encrypted values of the M data keys into the storage medium.
According to a thirteenth key management method of the first aspect of the present application, there is provided the fifteenth key management method of the first aspect of the present application, wherein the encrypted value of the data key is decrypted using the user key hash value by selecting one read-in from among the encrypted values of the M data keys of the storage medium to obtain the data key, and the user data is encrypted or decrypted using the data key.
According to a thirteenth key management method of the first aspect of the present application, there is provided the sixteenth key management method of the first aspect of the present application, wherein the encrypted values of M data keys are obtained from a storage medium, the encrypted values of M data keys are decrypted respectively using the user key hash value to obtain M data keys, and the user data is encrypted or decrypted using the M data keys.
According to the first to sixteenth key management methods of the first aspect of the present application, there is provided the seventeenth key management method of the first aspect of the present application, wherein each user key corresponds to one user encryption key stored in the storage medium and to an encrypted value of one or more data keys stored in the storage medium.
According to the first to seventeenth key management methods of the first aspect of the present application, there is provided the eighteenth key management method of the first aspect of the present application, wherein the generated random number, the user key hash value, and the N-level data key are accessed by enabling the corresponding random number enable bit.
According to a second aspect of the present application, there is provided a first key management system according to the second aspect of the present application, comprising: the user key generation subsystem and the processing subsystem; the user key generation subsystem is used for carrying out hash operation on the input user key to obtain a user key hash value; and the processing subsystem reads the encrypted value of the data key from the storage medium, decrypts the encrypted value of the data key by using the user key hash value to obtain the data key, and encrypts or decrypts the user data by using the data key.
According to a first key management system of a second aspect of the present application, there is provided the second key management system of the second aspect of the present application, wherein the data key generation subsystem generates the data key from the user key hash value, and stores an encrypted value obtained by encrypting the data key in the off-chip storage medium.
The second key management system according to the second aspect of the present application provides the third key management system according to the second aspect of the present application, wherein the data key generation subsystem includes a random number generation module and a hash operation module; the random number generation module generates M random numbers; the Hash operation module carries out Hash operation on each of the M random numbers to obtain M data keys.
The third key management system according to the second aspect of the present application provides the fourth key management system according to the second aspect of the present application, wherein the data key generation subsystem further includes an encryption module; the encryption module encrypts each of the M data keys by using the user key hash value to obtain encryption values of the M data keys; wherein the encrypted values of the M data keys are written to the storage medium.
According to a fourth key management system of the second aspect of the present application, there is provided the fifth key management system of the second aspect of the present application, wherein the user key generation subsystem further comprises the OTP and the first cryptographic module; the OTP is used for providing first data; the first encryption module is used for encrypting according to the first data and the user key hash value to obtain a user encryption key.
According to a fifth key management system of the second aspect of the present application, there is provided the sixth key management system of the second aspect of the present application, wherein the first encryption module encrypts the user key hash value using the first data to obtain the user encryption key; or encrypting the first data by using the hash value of the user key to obtain the user encryption key.
According to the first to sixth key management systems of the second aspect of the present application, there is provided the seventh key management system of the second aspect of the present application, wherein the user encryption key is written in the storage medium.
According to the first to seventh key management systems of the second aspect of the present application, there is provided the eighth key management system of the second aspect of the present application, wherein the data key generation subsystem includes a first random number generation module and a first hash operation module; the first random number generation module generates a first random number; and the first hash operation module performs hash operation on the first random number to obtain the data key.
According to an eighth key management system of the second aspect of the present application, there is provided the ninth key management system of the second aspect of the present application, wherein the data key generation subsystem further comprises a first encryption module and a first storage module; the first encryption module encrypts the data key by using a user key hash value to obtain an encrypted value of the data key; the first storage module writes the encrypted value of the data key into a storage medium.
The tenth key management system according to the second aspect of the present application is provided according to the first to ninth key management systems of the second aspect of the present application, wherein the data key generation subsystem includes N random number generation modules, N hash operation modules, and N encryption modules; the ith random number generation module generates an ith random number; the ith hash operation module performs hash operation on the ith random number to obtain an ith-level data key; when 1< i ═ N, the ith encryption module encrypts an i-level data key by using an (i-1) level data key to obtain an encryption value of the ith level data key; when the i is 1, encrypting the ith-level data key by using the hash value of the user key to obtain an encryption value of the ith-level data key; wherein an encrypted value of the ith-level data key is recorded in a storage medium; wherein the data key is an Nth-level data key, and N is a natural number greater than 1.
According to a tenth key management system of the second aspect of the present application, there is provided the eleventh key management system of the second aspect of the present application, wherein the processing subsystem reads in the encrypted value of the first-level data key from the storage medium, decrypts the encrypted value of the first-level data key using the user key hash value, to obtain the first-level data key; sequentially using the (i-1) th-level data key as a decryption key, and decrypting the encryption value of the ith-level data key read from the storage medium to obtain an i-level data key; wherein 1< i > -N, N > -2; user data is encrypted or decrypted using the nth level data key.
According to the first to eighth key management systems of the second aspect of the present application, there is provided the twelfth key management system of the second aspect of the present application, wherein the data key generation subsystem includes M random number generation modules and M hash operation modules; an ith random number generation module of the M random number generation modules generates an ith random number; and the ith hash operation module of the M hash operation modules performs hash operation on the ith random number to obtain an ith data key.
A twelfth key management system according to the second aspect of the present application provides the thirteenth key management system according to the second aspect of the present application, wherein the data key generation subsystem further includes M encryption modules and M storage modules; the ith encryption module of the M encryption modules encrypts an ith data key by using the hash value of the user key to obtain an encrypted value of the ith data key; wherein the encrypted values of the M data keys are written to the storage medium.
According to a thirteenth key management system of the second aspect of the present application, there is provided the fourteenth key management system of the second aspect of the present application, wherein the processing subsystem is specifically configured to select one of the encrypted values of M data keys of the storage medium to read in, decrypt the encrypted value of the data key using the user key hash value to obtain the data key, and encrypt or decrypt the user data using the data key.
The beneficial effect that this application realized is as follows: by adopting the key management method and the key management system provided by the application, the software running in the storage device can not directly access the key for encrypting and decrypting the data, so that the hardware-level protection of the key is achieved, and the risk of divulgence is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 illustrates a block diagram of a storage device;
FIG. 2 shows a schematic diagram of a key management system of the present application;
FIG. 3 is a diagram of a key management unit processing a user key to generate a user encryption key;
FIG. 4 is a flow chart of a method of generating a user encryption key;
FIG. 5 is a schematic diagram of a key management unit verifying a user key using a user encryption key;
FIG. 6 is a flow chart of a method for verifying a user key using a user encryption key;
FIG. 7 is a schematic diagram of a key management unit generating a data key from a user encryption key;
FIG. 8 is a flow chart of a method of generating a data key from a user encryption key;
FIG. 9 is a schematic diagram of yet another method for generating a data key based on a user encryption key;
FIG. 10 is a flow chart of a method of generating a data key from a user encryption key;
FIG. 11 is a schematic diagram of yet another alternative for generating a data key based on a user encryption key;
FIG. 12 is a flow chart of a method of generating a data key from a user encryption key;
FIG. 13 is a diagram illustrating a first-level key initialization process performed again after the chip is powered on or reset;
FIG. 14 is a flow chart of a method of encrypting data using a set primary data key;
FIG. 15 is a schematic diagram of encrypting data after power-on or reset of a chip using set M keys according to yet another embodiment of the present application;
FIG. 16 is a flowchart of a method of encrypting data using set M data keys;
FIG. 17 is a schematic diagram of encrypting data using a set N-level key according to yet another embodiment of the present application;
FIG. 18 is a flow chart of a method for encrypting data using a set N-level data key.
Detailed Description
The technical solutions in the embodiments of the present application are clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 2 is a schematic diagram of a key management system according to an embodiment of the present application.
According to an embodiment of the present application, the host 210 accesses the storage device through the host interface 221. The control section 220 includes a command processing unit 222 and a key management unit 223. The command processing unit 222 acquires and processes a command provided by the host 210. Commands provided by the host 210 include, for example, IO commands and key management commands.
By way of example, the key management command indicates, for example, a user key. The command processing unit 222 instructs the key management unit 223 to process the user key. The key management unit 222 also holds the processed user key (referred to as a user encryption key) and instructs the processing unit not to access the user encryption key. By way of further example, in response to receiving the IO command, the command processing unit may also instruct the key management unit 222 to encrypt and/or decrypt data accessed by the IO command. For example, for a read command, the key management unit 222 decrypts data read from the NVM chip according to the specified user encryption key and provides the decrypted data to the host interface 210. For a write command, the key management unit 222 encrypts data transmitted to the storage device according to the write command according to a specified user encryption key, and writes the encrypted data to the NVM chip 230 through the media interface 224. The key management unit 222 encrypts or decrypts data accessed by the IO command according to the instruction of the command processing unit 223, and the command processing unit 223 does not need to be able to contact the user encryption key.
For the user key, if the user key is a stand-alone user, the user key can be a boot password of the user or a password for a certain partition of the storage device; as a network store, the user key may be a password of a certain user transmitted through the network.
Fig. 3 is a schematic diagram of a key management unit processing a user key to generate a user encryption key.
In the key initialization stage, the storage device receives a user key in response to, for example, a key initialization command, and generates a user encryption key (C _ Pin _ hash) to be recorded in the storage medium, to be reproduced in the first random number, and to be stored in the otp module 310.
In response to the received user key, a first random number Data A is generated by a random number module. Optionally, the first random number Data a is also written into the otp module 310 and closes the storage space of the Data. The first random number Data a is one-time Data that, after being written to the otp module 310, can be configured to be used by the configuration register, but cannot be accessed. Alternatively, it may be desirable to generate multiple sets of hardware-protected random numbers.
The user key is provided to the hash operation module 320, and a corresponding hash value of the user key is generated and temporarily stored in the cache inside the chip. A first random number Data a is acquired. The first random number Data a is used as a key, the user key hash value is used as Data to be encrypted, the encryption module 330 is called to generate a user encryption key (C _ Pin _ hash), and the user encryption key (C _ Pin _ hash) is written into the storage medium 340.
Optionally, the user encryption key hash value is used as a key, the first random number Data a is used as Data to be encrypted, and the encryption module 330 is invoked to generate the user encryption key (C _ Pin _ hash).
In the whole process, the firmware cannot directly access the first random number and the user key hash value, and only can use the data by configuring corresponding registers.
Fig. 4 is a flow chart of a method of generating a user encryption key.
Receiving a user key, and performing hash operation on the user key to obtain a user key hash value (410); the generated first random number is used to perform an encryption operation on the user key hash value to obtain a user encryption key (420), and the user encryption key is stored in a storage medium (430).
Fig. 5 is a diagram illustrating a key management unit verifying a user key using a user encryption key.
In the process of using the storage device, the host identity is verified through the user key provided by the host again, and the storage device according to the embodiment of the application only allows the host to use the storage device through the identity verification.
After receiving the user key, the key management unit inputs the user key into the hash operation module 510, generates a corresponding hash value of the user key, and temporarily stores the hash value in the cache inside the chip. A first random number Data a is obtained from the otp module 520. The encryption module 530 is invoked to generate the user encryption key (C _ Pin _ hash) using the first random number Data a as the key and the user key hash value as the Data to be encrypted. By way of example, the encryption module 530 encrypts the user key hash value according to a prior art encryption algorithm such as XTS-AES. The user encryption key is read from the storage medium 540, and the determination module 550 determines whether the read user encryption key is equal to the generated user encryption key, if so, the verification is passed, otherwise, the verification fails.
In the whole process, the firmware cannot directly access the first random number Data A and the user key hash value, and can only use the Data by configuring corresponding registers.
For a plurality of user keys: according to the above process, each user key corresponds to a user encryption key stored in the storage medium, wherein the random numbers used for encrypting the user keys may be the same or different.
Fig. 6 is a flow chart of a method for verifying a user key using a user encryption key.
Carrying out Hash operation on a user key to generate a user key Hash value (610), acquiring a first random number, encrypting the user key Hash value by using the first random number to obtain a first user encryption key (620), reading the user encryption key (630) from a storage medium, judging whether the first user encryption key is the same as the read user encryption key (640), if so, the user key is a legal key, otherwise, the user key is an illegal key.
Fig. 7 is a diagram illustrating a key management unit generating a data key encryption value according to a user encryption key.
After receiving the user key, the key management unit inputs the user key into the hash operation module 710 to generate a corresponding hash value of the user key, and temporarily stores the hash value in the cache inside the chip. A first random number Data a is obtained from the otp module 720. The first random number Data a is used as a key, the user key hash value is used as Data to be encrypted, the encryption module 730 is called to generate a user encryption key C _ Pin _ hash, and the user encryption key C _ Pin _ hash is written into the storage medium 740. By way of example, the encryption module 730 encrypts the user key hash value according to a prior art encryption algorithm such as XTS-AES.
Optionally, to generate the Data key, the user encryption key C _ Pin _ hash is obtained from the storage medium 740, the first random number Data a is obtained from the one-time programmable module 720, the first random number Data a is used as a decryption key, the user encryption key C _ Pin _ hash is used as Data to be decrypted, and the user encryption key C _ Pin _ hash is decrypted by using the first random number Data a to obtain the user key hash value. As an example, the user encryption key C _ Pin _ hash is decrypted according to a related art encryption algorithm such as XTS-AES.
The random number generation module 750 generates a second random number (TRNG _ Data 1), inputs the second random number to the hash operation module 760, and generates a corresponding hash value, which is the Data key. The hash value of the user key is used as a key, the data key is used as data to be encrypted, the encryption module 770 is invoked to generate an encrypted value of the data key, and the encrypted value of the data key is written into the storage medium 740. By way of example, the encryption module 770 encrypts the user key hash value according to a prior art encryption algorithm such as XTS-AES.
The storage device encrypts the plaintext of the input user data by the encryption module 780 using the data key to obtain a user ciphertext, and stores the user ciphertext in the storage device.
Fig. 8 is a flow chart of a method of generating a data key from a user encryption key.
As an alternative embodiment, the process of generating the data key includes: the generated second random number is subjected to hash operation to obtain a hash value, and the hash value is used as a data key (810). The data key is encrypted using the user key hash value to generate a data key encrypted value (820), which is stored in the storage medium (830).
FIG. 9 is a diagram of generating a data key cryptographic value from a user cryptographic key according to yet another embodiment.
After receiving the user key, the key management unit inputs the user key into the hash operation module 910 to generate a corresponding hash value of the user key, and temporarily stores the hash value in the cache inside the chip. A first random number Data a is obtained from one-time programmable module 920. The first random number Data a is used as a key, the user key hash value is used as Data to be encrypted, the encryption module 930 is called to generate a user encryption key C _ Pin _ hash, and the user encryption key C _ Pin _ hash is written into the storage medium 940. By way of example, the encryption module 930 encrypts the user key hash value according to a prior art encryption algorithm such as XTS-AES.
Optionally, to generate the Data key, the user encryption key C _ Pin _ hash is obtained from the storage medium 940, the first random number Data a is obtained from the one-time programmable module 920, the first random number Data a is used as a decryption key, the user encryption key C _ Pin _ hash is used as Data to be decrypted, and the user encryption key C _ Pin _ hash is decrypted by using the first random number Data a to obtain a user key hash value. As an example, the user encryption key C _ Pin _ hash is decrypted according to a related art encryption algorithm such as XTS-AES.
The random number generation module 950 generates M random numbers (M is a natural number), and each generated random number is input to the hash operation module 960 to generate M corresponding hash values, which are M data keys. The user key hash value is used as a key, the M data keys are respectively used as data to be encrypted, the encryption module 970 is called to generate M data key encrypted values, and the M data key encrypted values are written into the storage medium 940.
One of the M data keys is selected to encrypt the user data plaintext by the encryption module 980 to obtain a user ciphertext, and the user ciphertext is stored in the storage medium 940.
Fig. 10 is a flowchart of a method of generating a data key encryption value from a user encryption key.
As an alternative embodiment, to generate M data keys, M random numbers are generated (1010); performing hash operation on each random number to obtain M data keys (1020); respectively encrypting the M data keys by using the hash value of the user key to obtain encrypted values of the M data keys (1030); the encrypted values of the M data keys are written to the storage medium (1040).
Fig. 11 is a diagram illustrating generation of a data key encryption value according to a user encryption key according to still another embodiment.
In the embodiment according to fig. 11, a higher-strength data key is generated using a single user key, and an nth-level data key encrypted value is generated through an N-level encryption process, where N is a natural number greater than 1.
After receiving the user key, the key management unit inputs the user key into the hash operation module 1110 to generate a corresponding hash value of the user key, and temporarily stores the hash value in the cache inside the chip. A first random number Data a is obtained from the one-time programmable module 1111. The first random number Data a is used as a key, the user key hash value is used as Data to be encrypted, the encryption module 1112 is invoked, a user encryption key C _ Pin _ hash is generated, and the user encryption key C _ Pin _ hash is written into the storage medium 1113. For example, the encryption module 1112 encrypts the user key hash value according to a prior art encryption algorithm such as XTS-AES.
Optionally, to generate the Data key, the user encryption key C _ Pin _ hash is obtained from the storage medium 1113, the first random number Data a is obtained from the one-time programmable module 1111, the first random number Data a is used as a decryption key, the user encryption key C _ Pin _ hash is used as Data to be decrypted, and the user encryption key C _ Pin _ hash is decrypted by using the first random number Data a to obtain the user key hash value. As an example, the user encryption key C _ Pin _ hash is decrypted according to a related art encryption algorithm such as XTS-AES.
According to the embodiment of fig. 11, N data keys and N data key encrypted values from the first to the nth are generated. The nth data key is used for encrypting the user data plaintext or decrypting the user data ciphertext. And in the data key initialization process, generating N data key encrypted values. And after the data key is initialized, the data key encryption value recorded in the storage medium 1113 is decrypted to obtain the Nth-level data key which is used for encrypting the user data plaintext or decrypting the user data ciphertext.
And inputting the ith data key generated by the ith-level random number generation module into a hash operation module to generate a corresponding ith-level hash value serving as the ith data key, wherein 1< ═ i < ═ N. And encrypting the ith data key by using the ith-1 data key as a key to obtain an ith-level data key encryption value, wherein 2< i < N. And for the 1 st data key, encrypting the 1 st data key by using the user key hash value to obtain a 1 st level data key encryption value. The N data key encrypted values are all recorded on the storage medium 1113.
The first-level random number generation module 1120 generates a first-level random number, inputs the first-level random number to the hash operation module 1121, and generates a corresponding first-level hash value as a first-level data key. The hash value of the user key is used as a key, the first-level data keys are respectively used as data to be encrypted, the encryption module 1122 is called to generate a first-level data key encryption value, and the first-level data key encryption value is written into the storage medium 1113.
And sequentially inputting the data key of the previous stage as the key of the next-stage encryption module.
The nth-level random number generation module 1130 generates an nth-level random number, inputs the nth-level random number to the hash operation module 1131, and generates a corresponding nth-level hash value as an nth-level data key. And generating an N-th level data key encryption value by using the N-1 th level data key as a key and the N-th level data key as data to be encrypted through the encryption module 1132, and writing the N-th level data key encryption value into the storage medium 1113.
Fig. 12 is a flowchart of a method of generating an encrypted value of a data key from a user encryption key.
For each natural number i from 1 to N, the following operations are performed: generating an ith random number (1210), and performing hash operation on the ith random number to obtain an ith-level data key (1220); and when i is greater than 1, encrypting the i-level data key by using the (i-1) -level data key to obtain an encrypted value of the i-level data key (1230). And when the i is 1, encrypting the ith-level data key by using the user key hash value to obtain an encrypted value of the ith-level data key. The encrypted value of the ith-level data key is written to the storage medium (1240).
Fig. 13 is a diagram illustrating verification of a user key and generation of a data key.
After the storage equipment is powered on or reset, in response to an access request of a user to the storage equipment, a user key is checked firstly, and a data key is obtained according to the user key and is used for encrypting user data plaintext or decrypting the user data ciphertext.
After receiving the user key, the key management unit inputs the user key into the hash operation module 1310 to generate a corresponding hash value of the user key, and temporarily stores the hash value in the internal cache of the chip. A first random number Data a is obtained from the otp module 1320. The first random number Data a is used as a key, the hash value of the user key is used as Data to be encrypted, and the encryption module 1330 is invoked to generate the user encryption key C _ Pin _ hash. The user encryption key is read from the storage medium 1340, and the determination module 1350 determines whether the read user encryption key is equal to the generated user encryption key, if so, the verification is passed, otherwise, the verification fails.
In response to the verification passing, a process of generating a data key is initiated. And if the verification fails, refusing to generate the data key.
To generate the data key, the data key encrypted value is read from the storage medium, and the data key encrypted value is decrypted by the decryption module 1360 using the user key hash value to obtain the data key. In one example, the hash module 1310 hashes the user key to obtain a user key hash value as the decryption key of the decryption module 1360. In another example, in response to the decision module 1350 indicating that the user key check passes, the user encryption key read from the storage medium 1340 is decrypted using the first random number Data a as the decryption key, resulting in a user key hash value.
In an alternative embodiment, the user key verification process is omitted. To generate the Data key, a first random number Data a is obtained from the otp module 1320 as a key, and the user encryption key read from the storage medium 1340 is decrypted to obtain a user key hash value.
In the process of writing user data into the storage device, a data key is used for encrypting a user data plaintext through the encryption module 1370 to obtain a user ciphertext, and the user data ciphertext is stored in the storage device. In the process of reading user data from the storage device, the user data ciphertext read from the storage device is decrypted by using the data key to obtain the user data plaintext.
FIG. 14 is a flow chart of a method for verifying a user key and generating a data key.
To verify the user key, a hash operation is performed on the received user key to obtain a user key hash value (1410), a first random number is obtained, the user key hash value is encrypted with the first random number to generate a user encryption key (1420), the user encryption key is read from the storage medium (1430), and the generated user encryption key and the read user encryption key are compared for consistency to verify the received user key (1440).
To generate the data key, the data key encrypted value is read from the storage medium (1450), decrypted using the user key hash to obtain the data key (1460), and the user data is encrypted or decrypted using the data key (1470).
Fig. 15 is a schematic diagram of verifying a user key and generating a data key according to another embodiment of the present application.
After receiving the user key, the key management unit inputs the user key into the hash operation module 1510 to generate a corresponding hash value of the user key, and temporarily stores the hash value in the cache inside the chip. A first random number Data a is obtained from one-time programmable module 1520. The first random number Data a is used as a key, the hash value of the user key is used as Data to be encrypted, and the encryption module 1530 is called to generate the user encryption key. The user encryption key is read from the storage medium 1540, and the determination module 1550 determines whether the read user encryption key is equal to the generated user encryption key, and if so, the verification is passed, otherwise, the verification fails.
There are M data keys, one or more of which are selected for encrypting or decrypting user data. The data key used is determined, by way of example, based on the logical address of the user data, the namespace, the current time, or the host's designation.
Under the condition that the user key passes the verification, one of the encrypted values of the M data keys in the storage medium 1540 is selected and read, and the encrypted value of the data key is decrypted by the decryption module 1560 using the hash value of the user key to obtain the data key.
Or, the encrypted values of the M data keys are obtained from the storage medium, and the encrypted values of the M data keys are decrypted by the decryption module 1560 using the user key hash value, so as to obtain the M data keys.
In an alternative embodiment, the user key verification process is omitted. To generate the Data key, the first random number Data a is obtained from the otp module 1520 as a key, and the user encryption key read from the storage medium 1540 is decrypted to obtain the user key hash value.
The user data plaintext is encrypted by the data key through the encryption module 1570 to obtain a user data ciphertext, and the user data ciphertext is stored in the storage device. Or decrypt the user data ciphertext read from the storage medium 1540 using the data key to obtain the user data plaintext.
FIG. 16 is a flow chart of a method of verifying a key and generating a data key.
To verify the user key, a hash operation is performed on the received user key to obtain a user key hash (1610), a first random number is obtained from the otp module, and the user key hash is encrypted with the first random number to generate a user encryption key (1620). The user encryption key is read from the storage medium (1630), and the generated user encryption key is compared to the read user encryption key (1640) to verify the received user key.
If the user key is verified, to generate a data key, one of the M data key encrypted values of the storage medium is selected to be read in (1650), the data key encrypted value is decrypted by using the user key hash value to obtain a data key (1660), and the user data is encrypted or decrypted by using the data key (1670).
Or, obtaining the encrypted values of the M data keys from the storage medium, decrypting the encrypted values of the M data keys respectively by using the user key hash value to obtain the M data keys, and encrypting or decrypting the user data by using the M data keys.
Fig. 17 is a diagram illustrating verification of a user key and generation of a data key according to yet another embodiment of the present application.
After receiving the user key, the key management unit inputs the user key into the hash operation module 1710, generates a corresponding hash value of the user key, and temporarily stores the hash value in the cache inside the chip. A first random number Data a is obtained from one time programmable module 1720. The first random number Data a is used as a key, the hash value of the user key is used as Data to be encrypted, and the encryption module 1730 is called to generate the user encryption key. The user encryption key is read from the storage medium 1740, and the determination module 1750 determines whether the read user encryption key is equal to the generated user encryption key, if so, the verification is passed, otherwise, the verification fails.
Under the condition that the user key passes the verification, the first-stage data key encryption value is read in from the storage medium 1740, and the first-stage data key encryption value is decrypted by the decryption module 1760 by using the user key hash value to obtain the first-stage data key.
In an alternative embodiment, the user key verification process is omitted. To generate the Data key, the first random number Data a is obtained from the one-time programmable module 1720 as the key, and the user encryption key read from the storage medium 1740 is decrypted to obtain the user key hash value. The first-level data key encryption value is decrypted by the decryption module 1760 by using the user key hash value to obtain a first-level data key.
Sequentially taking the (i-1) th-level data key as a decryption key, reading the encryption value of the ith-level data key from the storage medium 1740, and decrypting the encryption value of the ith-level data key to obtain an i-level data key; wherein 1< i < ═ N, N > 2. As N increases, the strength of the nth level data key also increases.
The user data plaintext is encrypted by the encryption module 1780 using the nth-level data key to obtain a user data ciphertext, and the user data ciphertext is stored in the storage medium 1740. Or decrypting the user data ciphertext read from the storage medium by using the Nth-level data key to obtain the user data plaintext.
FIG. 18 is a flow chart of a method of verifying a user key and generating a data key.
To verify the user key, a hash operation is performed on the received user key to obtain a user key hash value (1810), a first random number is obtained from the otp module, and the user key hash value is encrypted with the first random number to generate a user encryption key (1820). The user encryption key is read from the storage medium (1830) and the generated user encryption key is compared to the read user encryption key (1840) to verify the received user key.
In the case where the user key is authenticated, a data key is generated. To generate the data key, the encrypted value of the first level data key is read from the storage medium (1850), and the encrypted value of the first level data key is decrypted using the user key hash value to obtain a first level data key (1860).
For each natural number i from 2 to N, sequentially taking the (i-1) th-level data key as a decryption key, reading the encryption value of the ith-level data key from a storage medium, and decrypting the encryption value of the ith-level data key to obtain the i-level data key; wherein 1< i < ═ N, N > -2 (1870).
The user data is encrypted or decrypted using the nth level data key (1880).
In the whole process, the generated random number, the hash value of the user key and the data key are invisible and can be accessed only by enabling the corresponding register.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A key management method, comprising:
receiving an input user key, and performing hash operation on the user key to obtain a hash value of the user key;
reading the encrypted value of the data key from the storage medium, decrypting the encrypted value of the data key by using the user key hash value to obtain the data key, and encrypting or decrypting the user data by using the data key.
2. The key management method of claim 1, wherein the user encryption key is obtained by encrypting a user key hash value using the generated otp random number, and the user encryption key is written in the storage medium.
3. The key management method of claim 2, wherein reading the encrypted value of the data key from the storage medium further comprises: and encrypting the user key hash value by using first data acquired from the OTP to obtain a first user encryption key, reading the user encryption key from the storage medium, and reading the encryption value of the data key from the storage medium if the first user encryption key is the same as the read user encryption key.
4. The key management method of claim 1,
generating a first random number;
and carrying out Hash operation on the first random number to obtain the data key.
5. The key management method of claim 4,
encrypting the data key by using a user key hash value to obtain an encrypted value of the data key;
and writing the encrypted value of the data key into a storage medium.
6. The key management method according to claim 1,
for each natural number i from 1 to N, the following operations are performed:
generating an ith random number, and performing hash operation on the ith random number to obtain an ith-level data key;
when 1< i ═ N, encrypting the i-level data key by using the (i-1) -level data key to obtain an encryption value of the i-level data key; when the i is 1, encrypting the ith-level data key by using the hash value of the user key to obtain an encryption value of the ith-level data key;
writing the encrypted value of the ith-level data key into a storage medium;
wherein the data key is an Nth-level data key, and N is a natural number greater than 1.
7. The key management method of claim 6,
reading an encrypted value of a first-stage data key from a storage medium, and decrypting the encrypted value of the first-stage data key by using the user key hash value to obtain a first-stage data key;
sequentially taking the (i-1) th-level data key as a decryption key, reading the encryption value of the ith-level data key from the storage medium, and decrypting the encryption value of the ith-level data key to obtain the i-level data key; wherein 1< i > -N, N > -2;
user data is encrypted or decrypted using the nth level data key.
8. The key management method of claim 1,
generating M random numbers;
performing hash operation on each random number to obtain M data keys; wherein M is a natural number greater than 1.
9. The key management method of claim 8,
respectively encrypting the M data keys by using the hash value of the user key to obtain the encrypted values of the M data keys;
and writing the encrypted values of the M data keys into the storage medium.
10. A key management system, comprising: the user key generation subsystem and the processing subsystem;
the user key generation subsystem is used for carrying out hash operation on the input user key to obtain a user key hash value;
and the processing subsystem reads the encrypted value of the data key from the storage medium, decrypts the encrypted value of the data key by using the user key hash value to obtain the data key, and encrypts or decrypts the user data by using the data key.
CN201811278265.2A 2018-10-30 2018-10-30 Key management method and system Active CN111131130B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210319862.5A CN115051806A (en) 2018-10-30 2018-10-30 Control component
CN201811278265.2A CN111131130B (en) 2018-10-30 2018-10-30 Key management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811278265.2A CN111131130B (en) 2018-10-30 2018-10-30 Key management method and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210319862.5A Division CN115051806A (en) 2018-10-30 2018-10-30 Control component

Publications (2)

Publication Number Publication Date
CN111131130A true CN111131130A (en) 2020-05-08
CN111131130B CN111131130B (en) 2022-04-22

Family

ID=70484832

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210319862.5A Pending CN115051806A (en) 2018-10-30 2018-10-30 Control component
CN201811278265.2A Active CN111131130B (en) 2018-10-30 2018-10-30 Key management method and system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202210319862.5A Pending CN115051806A (en) 2018-10-30 2018-10-30 Control component

Country Status (1)

Country Link
CN (2) CN115051806A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541723A (en) * 2020-07-07 2020-08-14 飞天诚信科技股份有限公司 Method and terminal for processing key data
CN111600882A (en) * 2020-05-15 2020-08-28 杭州溪塔科技有限公司 Block chain-based account password management method and device and electronic equipment
CN111767553A (en) * 2020-05-29 2020-10-13 上海橙群微电子有限公司 Data encryption and decryption method, MCU, electronic equipment and readable storage medium
CN112165384A (en) * 2020-10-15 2021-01-01 清华大学 Data encryption method and decryption method, and data encryption device and decryption device
CN112887085A (en) * 2021-01-13 2021-06-01 深圳安捷丽新技术有限公司 Method, device and system for generating security key of SSD (solid State disk) main control chip
CN113079001A (en) * 2021-03-08 2021-07-06 北京忆芯科技有限公司 Key updating method, information processing apparatus, and key updating device

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1806410A (en) * 2003-06-12 2006-07-19 松下电器产业株式会社 Encryption communication system
CN101340279A (en) * 2008-07-09 2009-01-07 深圳市金蝶移动互联技术有限公司 Method, system and apparatus for data ciphering and deciphering
CN102346716A (en) * 2011-09-20 2012-02-08 记忆科技(深圳)有限公司 Encryption method and decryption method of hard disk storage device and encryption and decryption system used for hard disk storage device
CN102694650A (en) * 2012-06-13 2012-09-26 苏州大学 Secret key generating method based on identity encryption
CN103577768A (en) * 2012-08-06 2014-02-12 三星电子株式会社 Method of managing key for secure storage of data and apparatus therefor
CN103914666A (en) * 2013-09-17 2014-07-09 亚欧宝龙信息安全技术(湖南)有限公司 File encryption and decryption method and device on the basis of partitions
CN104468094A (en) * 2013-09-24 2015-03-25 瑞萨电子株式会社 Encryption Key Providing Method, Semiconductor Integrated Circuit, and Encryption Key Management Device
WO2016139079A1 (en) * 2015-03-02 2016-09-09 Siemens Ag Österreich Protection of memory contents of a memory of a computer system by using a hash function
CN106452748A (en) * 2016-10-18 2017-02-22 西安电子科技大学 Multiple users-based outsourcing database audit method

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1806410A (en) * 2003-06-12 2006-07-19 松下电器产业株式会社 Encryption communication system
CN101340279A (en) * 2008-07-09 2009-01-07 深圳市金蝶移动互联技术有限公司 Method, system and apparatus for data ciphering and deciphering
CN102346716A (en) * 2011-09-20 2012-02-08 记忆科技(深圳)有限公司 Encryption method and decryption method of hard disk storage device and encryption and decryption system used for hard disk storage device
CN102694650A (en) * 2012-06-13 2012-09-26 苏州大学 Secret key generating method based on identity encryption
CN103577768A (en) * 2012-08-06 2014-02-12 三星电子株式会社 Method of managing key for secure storage of data and apparatus therefor
CN103914666A (en) * 2013-09-17 2014-07-09 亚欧宝龙信息安全技术(湖南)有限公司 File encryption and decryption method and device on the basis of partitions
CN104468094A (en) * 2013-09-24 2015-03-25 瑞萨电子株式会社 Encryption Key Providing Method, Semiconductor Integrated Circuit, and Encryption Key Management Device
WO2016139079A1 (en) * 2015-03-02 2016-09-09 Siemens Ag Österreich Protection of memory contents of a memory of a computer system by using a hash function
CN106452748A (en) * 2016-10-18 2017-02-22 西安电子科技大学 Multiple users-based outsourcing database audit method

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111600882A (en) * 2020-05-15 2020-08-28 杭州溪塔科技有限公司 Block chain-based account password management method and device and electronic equipment
CN111767553A (en) * 2020-05-29 2020-10-13 上海橙群微电子有限公司 Data encryption and decryption method, MCU, electronic equipment and readable storage medium
CN111767553B (en) * 2020-05-29 2024-04-12 上海橙群微电子有限公司 Data encryption and decryption method, MCU, electronic equipment and readable storage medium
CN111541723A (en) * 2020-07-07 2020-08-14 飞天诚信科技股份有限公司 Method and terminal for processing key data
CN111541723B (en) * 2020-07-07 2020-10-13 飞天诚信科技股份有限公司 Method and terminal for processing key data
CN112165384A (en) * 2020-10-15 2021-01-01 清华大学 Data encryption method and decryption method, and data encryption device and decryption device
CN112887085A (en) * 2021-01-13 2021-06-01 深圳安捷丽新技术有限公司 Method, device and system for generating security key of SSD (solid State disk) main control chip
CN113079001A (en) * 2021-03-08 2021-07-06 北京忆芯科技有限公司 Key updating method, information processing apparatus, and key updating device
CN113079001B (en) * 2021-03-08 2023-03-10 北京忆芯科技有限公司 Key updating method, information processing apparatus, and key updating device

Also Published As

Publication number Publication date
CN115051806A (en) 2022-09-13
CN111131130B (en) 2022-04-22

Similar Documents

Publication Publication Date Title
CN111131130B (en) Key management method and system
CN108139984B (en) Security subsystem
CN106599735B (en) Data protection device, method and storage controller
US9489540B2 (en) Memory controller with encryption and decryption engine
KR102453780B1 (en) Apparatuses and methods for securing an access protection scheme
EP3355232A1 (en) Input/output data encryption
WO2017041603A1 (en) Data encryption method and apparatus, mobile terminal, and computer storage medium
TWI747007B (en) Configurable security memory region
US10180804B1 (en) Obfuscation-enhanced memory encryption
US11683155B2 (en) Validating data stored in memory using cryptographic hashes
JP2022554288A (en) Delegation of cryptographic keys to the memory subsystem
KR20210132723A (en) Proof of data in memory
CN116420145A (en) Endpoint verification based on boot time binding of multiple components
US20230336337A1 (en) Single-use password generation
JP2022526934A (en) Validation of memory commands based on blockchain
TW202403773A (en) Semiconductor device, and system and method for managing secure operations in the same
EP2945092A1 (en) Memory device with secure test mode

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant