CN112685353B - Bridging chip for converting USB (Universal Serial Bus) to PCIE (Peripheral Component Interconnect Express) protocol and operation method thereof - Google Patents

Publication number: CN112685353B
Authority: CN (China)
Application number: CN202011633718.6A
Other versions: CN112685353A
Other languages: Chinese (zh)
Legal status: Active
Inventors: 廖裕民, 王俊, 刘福荣, 刘昭力, 李超
Current Assignee: Shenzhen Anjilite New Technology Co ltd
Original Assignee: Shenzhen Anjili New Technology Co ltd
Prior art keywords: key, information, unit, decryption, level
Landscapes: Storage Device Security
Abstract

The invention provides a bridge chip for converting USB to PCIE protocol and an operation method thereof. The bridge chip comprises a USB protocol parsing unit, a drive letter allocation judgment unit, a second encryption and decryption circuit, a drive letter selection unit, a mapping relation storage unit, a drive letter identification cache unit, a key generation unit, at least one PCIE protocol controller and at least one PCIE interface, wherein each PCIE protocol controller is correspondingly connected with one PCIE interface. The mapping relation storage unit stores the mapping relation between read-write address areas and drive letter identification information. When data is transmitted between the USB interface and the PCIE interface, the data is encrypted by the second encryption and decryption circuit before being transmitted to the corresponding PCIE interface, and the key information used by the second encryption and decryption circuit is generated by the key generation unit according to the corresponding drive letter identification information, so that the security of the data transmission process is effectively improved.

Description

Bridging chip for converting USB (Universal Serial Bus) to PCIE (Peripheral Component Interconnect Express) protocol and operation method thereof
Technical Field
The invention relates to the field of chip circuit design, in particular to a bridging chip for converting USB to PCIE protocol and an operation method thereof.
Background
The USB protocol and the PCIE protocol are currently the mainstream high-speed interface protocols. The number of PCIE interfaces on a host device is limited, so when a user needs a high-speed PCIE interface, or wants to break out several PCIE interfaces from one USB interface, a processing chip that converts USB to PCIE is needed.
Data security is very important for data transmission and storage, especially for storage devices that hold critical personal data or government agency data. In use, the interface protocol conversion chip sits in the middle of the stored data stream, but current interface protocol conversion chips have no data security protection function, so data is easily leaked during transmission, which is a potential safety hazard. Improving the data security of the interface protocol conversion chip is therefore significant for protecting the whole data transmission process.
Disclosure of Invention
Therefore, a data security scheme for the USB-to-PCIE interface is needed to solve the problem that existing interface protocol conversion chips risk leaking data during data transmission.
To achieve the above object, a first aspect of the present invention provides an operation method for a bridge chip for converting USB to PCIE protocol. The method is applied to the bridge chip, and the bridge chip includes: a USB protocol parsing unit, a drive letter allocation judgment unit, a second encryption and decryption circuit, a drive letter selection unit, a mapping relation storage unit, a drive letter identification cache unit, a key generation unit, at least one PCIE protocol controller and at least one PCIE interface; the mapping relation storage unit is used for storing the mapping relation between read-write address areas and drive letter identification information;
the method comprises the following steps:
the USB protocol parsing unit establishes a connection with a PCIE interface of the data read-write device, and each PCIE interface is correspondingly connected with a PCIE storage unit in a pluggable manner;
the USB protocol parsing unit receives a data read-write instruction sent by the data read-write device and parses the data read-write address corresponding to the data read-write instruction;
the drive letter allocation judgment unit determines, according to the mapping relation, the drive letter identification information corresponding to the read-write address area in which the current data read-write address is located, and stores the drive letter identification information in the drive letter identification cache unit;
the key generation unit acquires the drive letter identification information from the drive letter identification cache unit and generates access key information according to the acquired drive letter identification information;
and the second encryption and decryption circuit, according to the access key information, decrypts the data read from the PCIE storage unit or encrypts the data to be written into the PCIE storage unit.
Further, the bridge chip also comprises a digital signature comparison unit, a verification information storage unit and a digital signature operation unit;
the method comprises the following steps:
the digital signature operation unit performs a hash operation on the access key information to obtain digital signature information to be authenticated;
the digital signature comparison unit acquires verification signature information from the verification information storage unit and compares the digital signature information to be authenticated with the verification signature information; if the two match, the verification passes and execution of the data read-write instruction continues; if the two do not match, the verification fails and execution of the data read-write instruction is stopped.
Further, the bridge chip further comprises a first decryption circuit and a verification key storage unit;
the method comprises the following steps:
the first decryption circuit acquires encrypted verification signature information from the verification information storage unit and verification key information from the verification key storage unit, decrypts the encrypted verification signature information by using the verification key information, and sends the decrypted verification signature information to the digital signature comparison unit.
Further, the method comprises:
the key generation unit acquires the drive letter identification information currently cached in the drive letter identification cache unit, and generates access key information according to the acquired drive letter identification information.
Further, the bridge chip further comprises a security level correspondence storage unit, which is connected to the drive letter allocation judgment unit and to the key generation unit;
the method comprises the following steps:
the security level correspondence storage unit stores the correspondence between drive letter identification information and key security levels;
the key generation unit generates access key information matching the key security level.
Further, the key generation unit includes a source data decryption unit, a root key operation unit, a key mixing unit, and a hierarchy decryption operation unit; the source data decryption unit is connected with a key mixing unit, the key mixing unit is connected with the root key operation unit, and the root key operation unit is connected with a hierarchy decryption operation unit;
the method comprises the following steps:
the source data decryption unit acquires the encrypted source data and decrypts it to obtain a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
the key mixing unit acquires the decrypted source key information and the drive letter identification information, and generates mixed key information from them;
the root key operation unit calculates the root key information according to the mixed key information;
the hierarchy decryption operation unit acquires the hierarchy key information, the hierarchical key encryption and decryption algorithm and the root key information, and decrypts the hierarchy key information with the root key information according to the hierarchical key encryption and decryption algorithm to obtain the access key information.
Further, the key generation unit further includes:
a hierarchy information storage unit stores hierarchy key information;
and the main control unit acquires the hierarchy key information from the hierarchy information storage unit according to the key security level corresponding to the current drive letter identification information, and sends the hierarchy key information to the hierarchy decryption operation unit.
Further, the hierarchy decryption operation unit comprises a first-level decryption operation unit and a second-level decryption operation unit; the hierarchy key information includes first-level key information and second-level key information; the hierarchical key encryption and decryption algorithm comprises a first-level key encryption and decryption algorithm and a second-level key encryption and decryption algorithm;
the method comprises the following steps:
the main control unit acquires the first-level key information from the hierarchy information storage unit and transmits it to the first-level decryption operation unit, and acquires the second-level key information from the hierarchy information storage unit and transmits it to the second-level decryption operation unit;
the first-level decryption operation unit decrypts the first-level key information with the root key information according to the first-level key encryption and decryption algorithm to obtain a first-level key;
and the second-level decryption operation unit acquires the first-level key and decrypts the second-level key information with the first-level key according to the second-level key encryption and decryption algorithm to obtain a second-level key.
Further, the hierarchy information storage unit is further configured to store handshake request information and handshake response information;
the key generation unit further comprises a handshake decryption operation circuit, a handshake encryption operation circuit and a handshake information check circuit, wherein the handshake decryption operation circuit is respectively connected with the main control unit and the handshake encryption operation circuit, and the handshake encryption operation circuit is respectively connected with the main control unit and the handshake information check circuit;
the method comprises the following steps:
the handshake decryption operation circuit decrypts the access key information by adopting the access key information to obtain handshake encryption key information;
the handshake encryption operation circuit receives the handshake request information sent by the main control unit, and encrypts the handshake request information by adopting the handshake encryption key information to obtain handshake encryption information;
and the handshake information check circuit acquires the handshake encryption information and handshake response information sent by the main control unit, judges whether the handshake encryption information and the handshake response information are matched, and outputs the access key information if the handshake encryption information and the handshake response information are matched.
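The key ladder and handshake check described above, as an added Python example that is not code from the patent. The XOR-with-HMAC-SHA256 keystream standing in for the unspecified hierarchical cipher, the HMAC mixing step, the use of the access key as the handshake key, the `provision` helper and all constants are assumptions. It shows that the ladder returns a well-formed key even for the wrong drive letter, so the handshake comparison is the step that withholds it.

```python
import hashlib
import hmac

SOURCE_KEY = bytes(range(32))                             # constructed source key
HANDSHAKE_REQUEST = b"constructed-handshake-request-32"   # constructed, 32 bytes


def xor_cipher(key, data, label):
    """Stand-in for the unspecified hierarchical cipher (assumption, not a
    recommended cipher): XOR with one HMAC-SHA256 keystream block. The same
    call encrypts and decrypts inputs of up to 32 bytes."""
    if len(data) > 32:
        raise ValueError("stand-in cipher handles at most 32 bytes")
    stream = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def root_key(source_key, drive_id):
    # Key mixing unit (source key + drive letter), then root key operation unit.
    mixed = hmac.new(source_key, drive_id.encode(), hashlib.sha256).digest()
    return hashlib.sha256(b"root" + mixed).digest()


def level_secret(drive_id, level):
    # Constructed level keys that provisioning wraps into the stored blobs.
    return hashlib.sha256(f"level{level}-secret:{drive_id}".encode()).digest()


def provision(source_key, drive_id, level):
    """Hypothetical factory step: fill the hierarchy information storage unit."""
    k1, k2 = level_secret(drive_id, 1), level_secret(drive_id, 2)
    access = k1 if level == 1 else k2
    return {
        "level": level,
        "level1_blob": xor_cipher(root_key(source_key, drive_id), k1, b"L1"),
        "level2_blob": xor_cipher(k1, k2, b"L2"),
        "handshake_request": HANDSHAKE_REQUEST,
        # Assumption: the access key itself is used as the handshake key.
        "handshake_response": xor_cipher(access, HANDSHAKE_REQUEST, b"HS"),
    }


def walk_ladder(source_key, drive_id, store):
    """Hierarchy decryption units: root key -> level 1 key -> level 2 key."""
    key = xor_cipher(root_key(source_key, drive_id), store["level1_blob"], b"L1")
    if store["level"] == 2:
        key = xor_cipher(key, store["level2_blob"], b"L2")
    return key  # always 32 bytes, whether or not the inputs were right


def generate_access_key(source_key, drive_id, store):
    """Release the key only if the handshake check matches, else None."""
    key = walk_ladder(source_key, drive_id, store)
    probe = xor_cipher(key, store["handshake_request"], b"HS")
    if hmac.compare_digest(probe, store["handshake_response"]):
        return key
    return None


if __name__ == "__main__":
    store = provision(SOURCE_KEY, "a1", 2)
    print("a1 released:", generate_access_key(SOURCE_KEY, "a1", store) is not None)
    print("a2 released:", generate_access_key(SOURCE_KEY, "a2", store) is not None)
```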
The second aspect of the present invention further provides a bridging chip for USB to PCIE protocol, where the bridging chip for USB to PCIE protocol is the bridging chip for USB to PCIE protocol described in the first aspect of the present invention, and is configured to execute the method described in the first aspect of the present invention.
Different from the prior art, the invention provides a bridge chip for converting USB to PCIE protocol and an operation method thereof. The bridge chip comprises a USB protocol parsing unit, a drive letter allocation judgment unit, a second encryption and decryption circuit, a drive letter selection unit, a mapping relation storage unit, a drive letter identification cache unit, a key generation unit, at least one PCIE protocol controller and at least one PCIE interface, wherein each PCIE protocol controller is correspondingly connected with one PCIE interface. The mapping relation storage unit stores the mapping relation between read-write address areas and drive letter identification information. When data is transmitted between the USB interface and the PCIE interface, the data is encrypted by the second encryption and decryption circuit before being transmitted to the corresponding PCIE interface, and the key information used by the second encryption and decryption circuit is generated by the key generation unit according to the corresponding drive letter identification information (i.e., the drive letter identification information corresponding to the address area in which the current data read-write address is located), so the security of the data transmission process is effectively improved.
Drawings
Fig. 1 is a schematic structural diagram of a key generation unit according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a key generation unit according to another embodiment of the present invention;
Fig. 3 is a schematic diagram of a key generation unit according to another embodiment of the present invention;
Fig. 4 is a flowchart of a key generation method according to an embodiment of the present invention;
Fig. 5 is a flowchart of a key generation method according to another embodiment of the present invention;
Fig. 6 is a flowchart of a key generation method according to another embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a bridge chip for converting USB to PCIE protocol according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a bridge chip for a USB to PCIE protocol according to another embodiment of the present invention;
Fig. 9 is a flowchart of an operation method of a bridge chip for converting PCIE to USB protocol according to an embodiment of the present invention.
Description of reference numerals:
10. a bridging chip for converting USB to PCIE protocol;
201. a USB protocol analysis unit; 202. a drive letter allocation judgment unit; 203. a second encryption/decryption circuit; 204. a drive letter selection unit; 205. a mapping relation storage unit; 206. a drive letter identification cache unit;
207. a PCIE protocol controller; 2071. a first PCIE protocol controller; 2072. a second PCIE protocol controller; 2073. a third PCIE protocol controller;
208. a PCIE interface; 2081. a first PCIE interface; 2082. a second PCIE interface; 2083. a third PCIE interface;
209. an interface detection control unit; 210. an identifier dynamic partitioning unit; 211. a digital signature operation unit; 212. a first decryption circuit; 213. a verification key storage unit; 214. a verification information storage unit; 215. a digital signature comparison unit; 216. a security level correspondence storage unit;
30. a key generation unit;
301. a source data storage unit;
302. a source data decryption unit;
303. an algorithm information storage unit;
304. a hierarchy information storage unit;
305. a root key operation unit;
306. a hierarchical decryption operation unit; 3061. a first-level decryption operation unit; 3062. a secondary decryption operation unit; 3063. a third-level decryption operation unit;
307. a handshake decryption operational circuit; 3071. a first-stage handshake decryption operation circuit; 3072. a second-stage handshake decryption operation circuit; 3073. a three-stage handshake decryption operation circuit;
308. a handshake encryption operation circuit; 3081. a first-stage handshake encryption operation circuit; 3082. a second-stage handshake encryption operation circuit; 3083. a three-stage handshake encryption operation circuit;
309. a handshake information check circuit;
310. a key selection unit;
311. an algorithm selection unit; 3111. a first-level algorithm selection unit; 3112. a secondary algorithm selection unit; 3113. a third-level algorithm selection unit;
312. a main control unit;
313. a key mixing unit;
40. a key recording unit;
50. a data read-write device; 501. a USB interface;
601. a first PCIE storage unit; 602. a second PCIE storage unit; 603. a third PCIE storage unit.
Detailed Description
To explain technical contents, structural features, and objects and effects of the technical solutions in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
Fig. 9 is a flowchart illustrating an operation method of a bridge chip for USB to PCIE protocol according to an embodiment of the present invention. The method is applied to a bridge chip for converting USB to PCIE protocol, and the bridge chip includes: a USB protocol parsing unit, a drive letter allocation judgment unit, a second encryption and decryption circuit, a drive letter selection unit, a mapping relation storage unit, a drive letter identification cache unit, a key generation unit, at least one PCIE protocol controller and at least one PCIE interface; the mapping relation storage unit is used for storing the mapping relation between read-write address areas and drive letter identification information;
the method comprises the following steps:
First, in step S901, the USB protocol parsing unit establishes a connection with a PCIE interface of a data read-write device, and each PCIE interface is connected to a PCIE storage unit in a pluggable manner;
Then, in step S902, the USB protocol parsing unit receives the data read-write instruction sent by the data read-write device and parses the data read-write address corresponding to the data read-write instruction;
Then, in step S903, the drive letter allocation judgment unit determines, according to the mapping relation, the drive letter identification information corresponding to the read-write address area in which the current data read-write address is located, and stores the drive letter identification information in the drive letter identification cache unit;
Then, in step S904, the key generation unit obtains the drive letter identification information from the drive letter identification cache unit and generates access key information according to the obtained drive letter identification information;
Then, in step S905, the second encryption and decryption circuit, according to the access key information, decrypts the data read from the PCIE storage unit or encrypts the data to be written into the PCIE storage unit.
In some embodiments, the bridge chip further includes a digital signature comparison unit, a verification information storage unit, and a digital signature operation unit. The method comprises the following steps: the digital signature operation unit performs a hash operation on the access key information to obtain digital signature information to be authenticated; the digital signature comparison unit acquires verification signature information from the verification information storage unit and compares the digital signature information to be authenticated with the verification signature information; if the two match, the verification passes and execution of the data read-write instruction continues; if the two do not match, the verification fails and execution of the data read-write instruction is stopped. In this scheme, the digital signature information is calculated and verified in real time, which effectively improves the security of data access.
In some embodiments, the bridge chip further comprises a first decryption circuit and a verification key storage unit. The method comprises the following steps: the first decryption circuit acquires encrypted verification signature information from the verification information storage unit and verification key information from the verification key storage unit, decrypts the encrypted verification signature information by using the verification key information, and sends the decrypted verification signature information to the digital signature comparison unit. The verification key information and the verification signature information are stored separately, and the verification signature information is encrypted with the verification key information before it is stored in the verification information storage unit, which effectively improves the security of the data verification process.
In certain embodiments, the method comprises: the key generation unit acquires the drive letter identification information currently cached in the drive letter identification cache unit, and generates access key information according to the acquired drive letter identification information. Further, the bridge chip further comprises a security level correspondence storage unit, which is connected to the drive letter allocation judgment unit and to the key generation unit; the method comprises the following steps: the security level correspondence storage unit stores the correspondence between drive letter identification information and key security levels; the key generation unit generates access key information matching the key security level. In short, for data access to each PCIE storage unit connected to a PCIE interface, key information of a different security level may be configured for authentication, so that data access to each PCIE storage unit is protected differently, meeting the needs of the actual application scenario.
The second aspect of the present invention further provides a bridge chip for USB to PCIE protocol, where the bridge chip for USB to PCIE protocol is configured to execute the operation method according to the first aspect of the present invention. Fig. 7 is a schematic structural diagram of a bridge chip for converting PCIE to USB protocol according to an embodiment of the present invention.
The bridge chip includes: a USB protocol parsing unit 201, a drive letter allocation judgment unit 202, a second encryption and decryption circuit 203, a drive letter selection unit 204, a mapping relation storage unit 205, a drive letter identification cache unit 206, a key generation unit 30, a PCIE protocol controller 207, and at least one PCIE interface 208; the mapping relation storage unit 205 is configured to store the mapping relation between read-write address areas and drive letter identification information.
Each PCIE protocol controller 207 is correspondingly connected to one PCIE interface 208, each PCIE interface 208 is correspondingly connected to one PCIE memory unit, and each PCIE memory unit corresponds to one piece of drive letter identification information; each PCIE protocol controller 207 is connected to the drive letter selection unit 204, the drive letter selection unit 204 is connected to the second encryption and decryption circuit 203, the second encryption and decryption circuit 203 is connected to the drive letter allocation judgment unit 202, and the drive letter allocation judgment unit 202 is connected to the USB protocol parsing unit 201;
the mapping relationship storage unit 205 is connected to the drive letter selection unit 204 and the drive letter allocation judgment unit 202, the drive letter allocation judgment unit 202 is connected to the drive letter identification buffer unit 206, the drive letter identification buffer unit 206 is connected to the key generation unit 30, and the key generation unit 30 is connected to the second encryption/decryption circuit 203.
In this embodiment, the read-write address area refers to an address area in which data can currently be read and written, and the drive letter identification information refers to the identification information of a PCIE interface. For example, if the storage address area of the PCIE memory unit connected to the PCIE interface numbered a1 is 1000001 to 1100000, then when the data read-write address lies between 1000001 and 1100000, the drive letter identification information corresponding to that address is a1. The PCIE memory unit may be a PCIE solid state disk.
In the using process, the USB protocol parsing unit 201 may be connected to a USB interface on the data read-write device, and the PCIE interface may be connected to a PCIE memory unit, so that the data read-write device writes data into the PCIE memory unit through the bridge chip 10, or reads data from the PCIE memory unit connected to the PCIE interface.
When the data read-write device needs to write data into the PCIE memory unit, the specific process is as follows: the data read-write device sends a data write instruction and the data to be written to the USB protocol parsing unit 201 in the bridge chip 10 through its USB interface; the drive letter allocation judgment unit 202 determines, according to the current contents of the mapping relation storage unit 205, the identification information of the PCIE interface corresponding to the write address in the current data write instruction, and stores that identification information in the drive letter identification cache unit 206. The key generation unit 30 obtains the identification information of the PCIE interface from the drive letter identification cache unit 206 and generates access key information according to it. The second encryption and decryption circuit 203 encrypts the data to be written by using the access key information. The drive letter selection unit 204 determines the PCIE interface to be written according to the write address and transmits the encrypted data to that PCIE interface through the PCIE protocol controller 207; the data is then written into the PCIE memory unit connected to that PCIE interface, completing the data write operation.
When the data read-write device needs to read encrypted data from the PCIE memory unit, the specific flow is as follows: the data read-write device sends a data read instruction to the USB protocol parsing unit 201 through the USB interface, and the USB protocol parsing unit 201 parses the read address included in the data read instruction. The drive letter allocation judgment unit 202 determines, according to the current contents of the mapping relation storage unit 205, the identification information of the PCIE interface corresponding to the read address in the current data read instruction, and stores that identification information in the drive letter identification cache unit 206. The key generation unit 30 obtains the identification information of the PCIE interface from the drive letter identification cache unit 206 and generates access key information according to it. The drive letter selection unit 204 enables the corresponding PCIE protocol controller 207 according to the read address, so that the PCIE protocol controller 207 can read the encrypted data from the PCIE memory unit connected to the PCIE interface 208 (i.e., the PCIE memory unit corresponding to the drive letter identification information). The second encryption and decryption circuit 203 decrypts the read encrypted data by using the access key information and transmits the decrypted data back to the PCIE interface of the data read-write device through the USB protocol parsing unit 201, completing the data read operation.
In the above scheme, when data is transmitted between the USB interface in the data read/write device and the PCIE interface of the bridge chip, whether the data is to-be-written data or to-be-read data, the data needs to be encrypted or decrypted by the second encryption/decryption circuit, and the access key information used by the second encryption/decryption circuit during encryption/decryption is generated in real time by the key generation unit, and the key generation unit generates the access key information in real time according to the identification information of the PCIE interface corresponding to the read/write address included in the current read/write instruction, so that the security of the data transmission process is greatly improved.
In some embodiments, as shown in fig. 8, the number of the PCIE interfaces is multiple, and the bridge chip further includes an interface detection control unit 209 and an identifier dynamic partitioning unit 210. The interface detection control unit 209 is connected to each PCIE interface, and configured to send a corresponding control signal to the identifier dynamic partitioning unit 210 when detecting that the PCIE interface is connected to the PCIE memory unit. The identifier dynamic partitioning unit 210 is respectively connected to the interface detection control unit 209 and the mapping relation storage unit 205, and is configured to update the mapping relation stored in the mapping relation storage unit 205 according to the control signal.
The interface detection control unit 209 is responsible for monitoring the device access states of all PCIE interfaces. Its input is the detection pins of all PCIE interfaces, and its output indicates, for each PCIE interface, whether a connection with a PCIE memory unit has been established. When the detection pin of a PCIE interface is in the active state, that PCIE interface is connected to a PCIE memory unit and the interface detection control unit 209 marks the port as active. Each time the detection pin state of a PCIE interface changes, the interface detection control unit 209 sends the identification information (e.g., port numbers) of the PCIE interfaces whose detection pins are currently in the active state to the identifier dynamic partitioning unit 210.
The identifier dynamic partitioning unit 210 is configured to allocate a corresponding address range to each PCIE interface whose detection pin is in the active state, associate each address range with the corresponding drive letter identification information, and then update the mapping relation in the mapping relation storage unit 205. Whenever the number of PCIE memory units connected to PCIE interfaces increases, the identifier dynamic partitioning unit 210 maps the identification information of the newly connected PCIE interface to the read-write address range of the PCIE memory unit on that interface, and adds the new mapping to the mapping relation already stored in the mapping relation storage unit 205. Each time a PCIE memory unit is disconnected from its PCIE interface, the identifier dynamic partitioning unit 210 deletes, from the mapping relation currently stored in the mapping relation storage unit 205, the mapping between the identification information of the disconnected PCIE interface and the read-write address range of the PCIE memory unit on that interface.
In the above scheme, by setting the interface detection control unit 209 and the identifier dynamic partitioning unit 210, the mapping relationship (mapping relationship between PCIE interface identifier information and data read-write address region range) stored in the mapping relationship storage unit 205 can change in real time along with the connection or disconnection between the PCIE storage unit and the PCIE interface, so that the data read-write operation is more flexible.
In some embodiments, the bridge chip further includes a digital signature comparison unit 215, a verification information storage unit 214, and a digital signature operation unit 211. The digital signature comparison unit 215 is respectively connected to the second encryption/decryption circuit 203, the drive letter selection unit 204, the digital signature operation unit 211, and the verification information storage unit 214; the digital signature operation unit 211 is connected to the key generation unit 30; the verification information storage unit 214 is connected to the drive letter allocation judgment unit 202.
In this embodiment, the digital signature operation unit 211 performs a hash operation on the access key information to obtain digital signature information to be authenticated, and transmits it to the digital signature comparison unit 215. The digital signature comparison unit 215 obtains verification signature information from the verification information storage unit 214 and compares the digital signature information to be authenticated with the verification signature information. If the two match, the verification passes and execution of the data read-write instruction continues: the drive letter selection unit 204 writes the data to be written into the PCIE storage unit through the corresponding PCIE protocol controller, or reads data from the PCIE storage unit according to the address in the data read-write instruction. If the digital signature information to be authenticated does not match the verification signature information, the verification fails, execution of the data read-write instruction is stopped, and an interrupt signal is sent to a processing unit (such as a CPU).
Further, the digital signature operation unit 211 generates the digital signature information to be authenticated in real time in the following manner: after acquiring the access key information, the digital signature operation unit 211 performs a hash calculation on the access key information according to a preset encryption algorithm (e.g., SM3 encryption algorithm), so as to obtain the digital signature information to be authenticated. The hash operation is a common function in encryption and decryption operations, and thus the digital signature operation unit 211 may be implemented by an encryption and decryption operation circuit having a built-in hash operation module. The digital signature information to be authenticated is generated in real time according to the access key information, and execution of the data read-write instruction can continue only when the digital signature information generated in real time passes authentication, so that the safety of the data access process is further enhanced.
In some embodiments, the bridge chip further includes a first decryption circuit 212 and a verification key storage unit 213, and the first decryption circuit 212 is connected to the verification key storage unit 213, the verification information storage unit 214, and the digital signature comparison unit 215, respectively. When the digital signature information generated by the digital signature operation unit 211 needs to be authenticated, the first decryption circuit 212 acquires the encrypted verification signature information from the verification information storage unit 214 and the verification key information from the verification key storage unit 213, decrypts the encrypted verification signature information using the verification key information, and sends the decrypted verification signature information to the digital signature comparison unit 215. The digital signature comparison unit 215 then compares the decrypted verification signature information with the to-be-authenticated digital signature information generated by the digital signature operation unit 211, and determines, according to the comparison result, whether to continue executing the data read-write instruction sent by the USB interface 501 of the data read-write device 50. In this embodiment, the verification signature information is stored in the verification information storage unit 214 in encrypted form, and the verification key information used for its encryption and decryption is stored separately in the verification key storage unit 213, which further improves the security of data access.
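The verification path through units 211 to 215 can be modelled in software as follows. This is an added example, not code from the patent: SHA-256 stands in for the SM3 hash, an XOR keystream stands in for the cipher of the first decryption circuit, the function and class names are hypothetical, and the keys are constructed sample values.

```python
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption, not from the patent): XOR with a
    SHA-256 counter keystream, so encrypting and decrypting are the same call."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks)
    )
    return bytes(d ^ s for d, s in zip(data, stream))


def signature_of(access_key: bytes) -> bytes:
    """Digital signature operation unit 211: hash of the access key information.
    SHA-256 stands in here for the SM3 example given in the text."""
    return hashlib.sha256(access_key).digest()


def provision_verification_record(access_key: bytes, verification_key: bytes) -> bytes:
    """Produce the encrypted verification signature kept in storage unit 214."""
    return keystream_xor(verification_key, signature_of(access_key))


class SignatureGate:
    """Models units 212 to 215: decrypt the stored record, compare, halt on mismatch."""

    def __init__(self, encrypted_record: bytes, verification_key: bytes):
        self.encrypted_record = encrypted_record  # verification information storage unit 214
        self.verification_key = verification_key  # verification key storage unit 213
        self.interrupts = 0                       # interrupt signals sent to the processing unit

    def permits(self, access_key: bytes) -> bool:
        # First decryption circuit 212 recovers the verification signature.
        expected = keystream_xor(self.verification_key, self.encrypted_record)
        # Unit 211 computes the signature to be authenticated.
        candidate = signature_of(access_key)
        # Comparison unit 215; the constant-time compare is this example's choice.
        if hmac.compare_digest(candidate, expected):
            return True
        self.interrupts += 1
        return False


def run_command(gate: SignatureGate, access_key: bytes, command: str) -> str:
    """Execute the read/write command only if the key's signature verifies."""
    return f"executed {command}" if gate.permits(access_key) else "halted"


# Constructed sample values, for illustration only.
ACCESS_KEY = bytes(range(32))
VERIFICATION_KEY = b"constructed-verification-key"
RECORD = provision_verification_record(ACCESS_KEY, VERIFICATION_KEY)

if __name__ == "__main__":
    gate = SignatureGate(RECORD, VERIFICATION_KEY)
    print(run_command(gate, ACCESS_KEY, "write 0x1000"))
    tampered = bytes([ACCESS_KEY[0] ^ 1]) + ACCESS_KEY[1:]
    print(run_command(gate, tampered, "write 0x1000"), gate.interrupts)
```

The gate fails closed: a key that differs by one bit, or a record decrypted with the wrong verification key, halts the command and counts an interrupt.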
In some embodiments, the key generation unit 30 is configured to obtain the current drive identifier information cached in the drive letter identification cache unit, and to generate the access key information according to the obtained drive identifier information. The drive identifier information is the identification information of a PCIE interface; the identification information corresponding to each PCIE interface is different, and the drive identifier information may be the serial number of the PCIE interface.
For example, the bridge chip 10 for USB to PCIE protocol shown in fig. 8 includes a first PCIE protocol controller 2071, a second PCIE protocol controller 2072, and a third PCIE protocol controller 2073, each of which is connected to the drive letter selection unit. The first PCIE protocol controller 2071 is connected to the first PCIE interface 2081, the second PCIE protocol controller 2072 is connected to the second PCIE interface 2082, and the third PCIE protocol controller 2073 is connected to the third PCIE interface 2083. The first PCIE interface 2081 is connected to the first PCIE memory unit 601, the second PCIE interface 2082 is connected to the second PCIE memory unit 602, and the third PCIE interface 2083 is connected to the third PCIE memory unit 603. Since the drive identifier information corresponding to the first PCIE interface 2081, the second PCIE interface 2082, and the third PCIE interface 2083 is different from each other, the access key information generated by the key generation unit 30 is also different from each other. That is, during data read-write access to the first PCIE storage unit 601, the second PCIE storage unit 602, and the third PCIE storage unit 603, the key information used by the second encryption/decryption circuit to encrypt and decrypt the accessed data is different for each, so that the security of data access is effectively improved.
It should be noted that, in the present application, the connections between the first PCIE interface 2081, the second PCIE interface 2082, the third PCIE interface 2083 and the corresponding PCIE memory units are pluggable connections, that is, the first PCIE interface 2081 may be connected to the first PCIE memory unit 601, or disconnected from the first PCIE memory unit 601, and the second PCIE interface 2082 and the third PCIE interface 2083 are in the same manner. When any one of the first PCIE interface 2081, the second PCIE interface 2082, and the third PCIE interface 2083 is connected to or disconnected from the corresponding PCIE memory unit, the mapping relationship stored in the mapping relationship memory unit 205 is also adjusted correspondingly, so that the address ranges in the mapping relationship are all the address ranges of the PCIE memory units connected to the PCIE interfaces. Certainly, the number of the PCIE interfaces, the PCIE protocol controller, and the PCIE memory units is not necessarily three, and specifically, the number may be set according to actual needs, for example, one, two, or more than four.
Further, in some embodiments, the bridge chip 10 further includes a security level correspondence storage unit 216, and the security level correspondence storage unit 216 is respectively connected to the drive letter allocation determination unit 202 and the key generation unit 30. The security level correspondence storage unit 216 is configured to store correspondence between the disc identifier identification information and the security level of the key. In this way, keys of different security levels can be configured for different PCIE interfaces, and the key generation unit 30 can generate access key information that matches the security level of the current PCIE memory unit (i.e., the PCIE memory unit where the data read-write address in the current data read-write instruction is located) by reading the corresponding relationship in the security level corresponding relationship storage unit 216. For example, when a user needs to read and write important data, a PCIE memory unit that is to read and write data may be connected to a PCIE interface with a higher security level, and the key generation unit may generate access key information (i.e., a key with a higher security level) that matches the security level of the PCIE interface. Conversely, when the data that the user wants to read is less important, the PCIE memory unit that is to read and write data may be connected to the PCIE interface with a lower security level, and the key generation unit may generate the access key information (i.e., the key with a lower security level) that matches the security level of the PCIE interface. By the scheme, different security levels can be set for different PCIE interfaces, and differential protection of data security is realized.
The third aspect of the present invention further provides a data security system for a USB to PCIE interface, where the system includes a data read-write device, a bridge chip for USB to PCIE protocol, and at least one PCIE memory unit; the bridging chip for the USB to PCIE protocol is the bridging chip for the USB to PCIE protocol according to the second aspect of the present invention, the data read/write device includes a USB interface, and the USB interface is connected to a USB protocol parsing unit in the bridging chip for the USB to PCIE protocol; and one PCIE storage unit is connected with one PCIE interface in the bridging chip of the USB-to-PCIE protocol.
The key information is the tool used for data encryption and decryption and is a key link in data security authentication, so ensuring the security of the key generation process is very important. In order to enhance the security of the key generation process, the application designs a dedicated key generation unit 30 to generate the access key information required by the second encryption and decryption circuit for data encryption and decryption.
Fig. 1 is a schematic structural diagram of a key generation unit 30 according to an embodiment of the present invention. The key generation unit 30 includes a source data decryption unit 302, a root key operation unit 305, a key mixing unit 313, and a hierarchical decryption operation unit 306; the source data decryption unit 302 is connected with the key mixing unit 313, the key mixing unit 313 is connected with the root key operation unit 305, and the root key operation unit 305 is connected with the hierarchical decryption operation unit 306.
The source data decryption unit 302 is configured to obtain the encrypted source data and decrypt it, obtaining a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm.
The key mixing unit 313 is configured to obtain the decrypted source key information and the drive identifier information, and to generate mixed key information according to the decrypted source key information and the drive identifier information. Preferably, the key mixing unit 313 may directly combine the decrypted source key information and the drive identifier information to obtain the mixed key information, or may perform a hash operation on the decrypted source key information and the drive identifier information to obtain the mixed key information.
The root key operation unit 305 is configured to calculate root key information according to the mixed key information.
The hierarchical decryption operation unit 306 is configured to obtain hierarchical key information, a hierarchical key encryption and decryption algorithm, and root key information, and to decrypt the hierarchical key information with the root key information according to the hierarchical key encryption and decryption algorithm to obtain access key information.
Because the access key information is obtained by the source key through a multi-layer encryption means, the mixed key information generated by the key mixing unit in the encryption process is obtained by mixing the source key and the drive identifier information, and the interface identifier information of each PCIE interface is different, the access key information used for encrypting and decrypting data is different when each PCIE interface accesses the data, and the security of data access is greatly improved.
As shown in fig. 2, in some embodiments, the key generation unit 30 further includes:
An algorithm information storage unit 303, configured to store the decrypted hierarchical key encryption/decryption algorithm. The hierarchical key encryption and decryption algorithm is the algorithm selected when hierarchical key encryption and decryption is subsequently performed, and may specifically include any one or more of the AES algorithm, the TDES algorithm, and the SM4 algorithm. After the source data storage unit 301 decrypts the hierarchical encryption/decryption algorithm, the hierarchical key encryption and decryption algorithm is stored in the algorithm information storage unit 303 to await subsequent calls.
An algorithm selecting unit 311, configured to select different hierarchical encryption and decryption algorithms and send them to the hierarchical decryption operation unit 306, according to the key security level recorded in the security level correspondence storage unit 216 for the drive identifier information determined by the current data read-write address. The higher the key security level corresponding to the drive identifier information, the higher the key security level of the PCIE interface corresponding to that identifier information, the more difficult it is to access the data of the PCIE memory unit connected to that PCIE interface, and correspondingly the more complicated the process by which the key generation unit generates the access key information.
In some embodiments, the key generation unit 30 further includes:
a hierarchy information storage unit 304 for storing hierarchy key information;
a main control unit 312, connected to the hierarchical information storage unit 304 and the hierarchical decryption operation unit 306, configured to obtain hierarchical key information from the hierarchical information storage unit 304 according to a key security level corresponding to the current drive identifier information, and send the hierarchical key information to the hierarchical decryption operation unit 306.
In this way, the decryption algorithm used in generating the access key information comes from the encryption and decryption algorithms in the algorithm information storage unit 303 and is screened by the algorithm selection unit 311. The object decrypted by the screened algorithm is the hierarchical key information sent by the main control unit 312, and the key used in the decryption is the root key information. Specifically, the hierarchical decryption operation unit 306 decrypts the hierarchical key information using the root key information according to the hierarchical key encryption and decryption algorithm, so as to obtain the access key information. Because the hierarchical key information, the hierarchical key encryption and decryption algorithm, and the root key information each come from a different unit, the safety of the generated access key information is further improved.
In some embodiments, the main control unit 312 is further configured to send corresponding hierarchical key information to the hierarchical decryption unit according to the key security level corresponding to the current drive identifier information.
For example, the key security levels corresponding to the first PCIE interface 2081, the second PCIE interface 2082, and the third PCIE interface 2083 shown in fig. 8 are a low security level, a medium security level, and a high security level, respectively. The hierarchical key decryption operation unit comprises a first hierarchical key decryption operation unit, a second hierarchical key decryption operation unit and a third hierarchical key decryption operation unit. The algorithm information storage unit stores three encryption and decryption algorithms of a, b and c. The hierarchical key information includes a first layer source key, a second layer source key, and a third layer source key.
When data needs to be read from or written to the first PCIE memory unit 601 connected to the first PCIE interface 2081, that is, when the access key information required for encrypting and decrypting data exchanged with the first PCIE memory unit 601 needs to be generated, the key generation unit 30 only needs to start the first-level key decryption operation unit to complete the encryption and decryption operation. The algorithm selection unit only needs to send encryption and decryption algorithm a to the first-level key decryption operation unit, which decrypts the first layer source key using the root key information according to encryption and decryption algorithm a to obtain a first-level key. For data access in the first PCIE memory unit 601, the first-level key is the access key information required when the second encryption and decryption circuit 203 encrypts and decrypts data.
When data needs to be read from or written to the second PCIE memory unit 602 connected to the second PCIE interface 2082, that is, when the access key information required for encrypting and decrypting data exchanged with the second PCIE memory unit 602 needs to be generated, the key generation unit 30 starts both the first-level key decryption operation unit and the second-level key decryption operation unit. The algorithm selection unit selects encryption and decryption algorithm a and sends it to the first-level key decryption operation unit; after the first-level key decryption operation unit obtains the first-level key by decryption (see the generation process of the access key information corresponding to the first PCIE storage unit 601), the first-level key is sent to the second-level key decryption operation unit. When the second-level key decryption operation unit performs its decryption operation, the main control unit sends the second layer source key to the second-level key decryption operation unit, and the algorithm selection unit selects encryption and decryption algorithm b and sends it to the second-level key decryption operation unit. The second-level key decryption operation unit then decrypts the second layer source key using the first-level key according to encryption and decryption algorithm b to obtain a second-level key. For data access in the second PCIE memory unit 602, the second-level key is the access key information required when the second encryption and decryption circuit 203 encrypts and decrypts data.
When data needs to be read from or written to the third PCIE memory unit 603 connected to the third PCIE interface 2083, that is, when the access key information required for encrypting and decrypting data exchanged with the third PCIE memory unit 603 needs to be generated, the key generation unit 30 starts not only the first-level and second-level key decryption operation units but also the third-level key decryption operation unit. The algorithm selection unit selects encryption and decryption algorithm a and sends it to the first-level key decryption operation unit, and sends encryption and decryption algorithm b to the second-level key decryption operation unit when that unit performs its operation. After the second-level key decryption operation unit obtains the second-level key by decryption (see the generation process of the access key information corresponding to the second PCIE storage unit 602), the second-level key is sent to the third-level key decryption operation unit. When the third-level key decryption operation unit performs its operation, the algorithm selection unit selects encryption and decryption algorithm c and sends it to the third-level key decryption operation unit, and the main control unit sends the third layer source key to the third-level key decryption operation unit, so that the third-level key decryption operation unit decrypts the third layer source key using the second-level key according to encryption and decryption algorithm c to obtain a third-level key. For data access in the third PCIE memory unit 603, the third-level key is the access key information required when the second encryption and decryption circuit 203 encrypts and decrypts data.
As shown in fig. 2 and 3, the encrypted source data may be stored in the source data storage unit 301. Preferably, the source data storage unit 301 is an OTP storage unit (i.e. a one-time programmable unit), so that source data can be effectively prevented from being tampered. In order to prevent a hacker from directly obtaining source data from the source data storage unit 301, in the present application, the source data is encrypted and then stored in the OTP storage unit, and an initial key used for encrypting the source data may be stored in another storage unit, so as to improve the security of storing the source data.
In some embodiments, the hierarchy information storage unit 304 is further configured to store handshake request information and handshake response information. As shown in fig. 3, the key generating unit 30 further includes a handshake decryption operation circuit 307, a handshake encryption operation circuit 308, and a handshake information checking circuit 309, where the handshake decryption operation circuit 307 is respectively connected to the hierarchical decryption operation unit 306 and the handshake encryption operation circuit 308, and the handshake encryption operation circuit 308 is respectively connected to the main control unit 312 and the handshake information checking circuit 309.
A handshake decryption operation circuit 307, configured to decrypt the access key information by using the access key information itself to obtain handshake encryption key information. The access key information is easy to intercept or tamper with during transmission, but if the access key information is decrypted first, the difficulty of reverse cracking by a hacker increases exponentially; therefore, the access key information is decrypted before key data verification is carried out, and handshake encryption key information is obtained.
A handshake encryption operation circuit 308, configured to receive the handshake request information and encrypt it using the handshake encryption key information to obtain handshake encryption information. The handshake request information is the information to be verified; it may be stored in the hierarchy information storage unit 304 in advance, and is encrypted with the handshake encryption key information to obtain the handshake encryption information.
A handshake information checking circuit 309, configured to obtain the handshake response information and the handshake encryption information and determine whether they match; if so, the check passes and the access key information is output. The handshake response information is the check reference information that is pre-stored in the hierarchy information storage unit 304 and was obtained by encrypting the handshake request information. By comparing the handshake response information with the handshake encryption information, it can be inferred whether the current access key information has been tampered with, and if the two match, the access key information can be output.
By arranging the handshake decryption operation circuit 307, the handshake encryption operation circuit 308 and the handshake information check circuit 309, the generated access key information can be further checked, so that the access key information is prevented from being intercepted and tampered in the generation process, and the security of the key is improved.
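The three-interface key ladder described earlier and the handshake check performed by circuits 307 to 309 can be modelled together as follows. This is an added example, not code from the patent: an XOR keystream stands in for encryption and decryption algorithms a, b and c, SHA-256 and HMAC-SHA-256 stand in for the hash operations, the "handshake" cipher label and all function names are hypothetical, and the keys and drive identifiers are constructed sample values.

```python
import hashlib
import hmac

ALGORITHMS = ("a", "b", "c")  # algorithm labels from the three-level example in the text


def stand_in_cipher(label: str, key: bytes, block: bytes) -> bytes:
    """Stand-in for the per-level encryption/decryption algorithms (assumption):
    XOR with a SHA-256 keystream bound to the algorithm label. Being an XOR,
    the same call encrypts and decrypts. Blocks are limited to 32 bytes."""
    if len(block) > 32:
        raise ValueError("stand-in cipher handles at most 32 bytes")
    stream = hashlib.sha256(label.encode() + b"|" + key).digest()
    return bytes(x ^ y for x, y in zip(block, stream))


def mixed_key(source_key: bytes, drive_id: bytes) -> bytes:
    """Key mixing unit 313, hash variant: hash of source key and drive identifier."""
    return hashlib.sha256(source_key + drive_id).digest()


def root_key(mixed: bytes, drive_id: bytes) -> bytes:
    """Root key operation unit 305: keyed hash of the drive identifier under the
    mixed key (HMAC-SHA-256 is this example's choice of hash operation)."""
    return hmac.new(mixed, drive_id, hashlib.sha256).digest()


def access_key(source_key, drive_id, level, layer_source_keys) -> bytes:
    """Walk the ladder: level n decrypts the layer-n source key under the key
    produced by level n-1 (the root key for level 1)."""
    if not 1 <= level <= min(len(ALGORITHMS), len(layer_source_keys)):
        raise ValueError("unsupported key security level")
    key = root_key(mixed_key(source_key, drive_id), drive_id)
    for n in range(level):
        key = stand_in_cipher(ALGORITHMS[n], key, layer_source_keys[n])
    return key


def handshake_information(key: bytes, request: bytes) -> bytes:
    """Circuits 307 and 308: transform the key under itself to get the handshake
    encryption key, then encrypt the handshake request with it."""
    handshake_key = stand_in_cipher("handshake", key, key)
    return stand_in_cipher("handshake", handshake_key, request)


def release_key(key: bytes, request: bytes, stored_response: bytes):
    """Checking circuit 309: output the key only if the recomputed handshake
    information matches the stored handshake response; otherwise return None."""
    ok = hmac.compare_digest(handshake_information(key, request), stored_response)
    return key if ok else None


# Constructed sample material, for illustration only.
SOURCE_KEY = hashlib.sha256(b"constructed source key").digest()
LAYER_SOURCE_KEYS = [hashlib.sha256(b"layer %d" % n).digest() for n in (1, 2, 3)]
# Drive identifier -> key security level, as in the three-interface example.
SECURITY_LEVEL = {b"\x01": 1, b"\x02": 2, b"\x03": 3}
REQUEST = b"constructed handshake request"


def key_for_interface(drive_id: bytes) -> bytes:
    """Access key for the interface with this drive identifier at its configured level."""
    return access_key(SOURCE_KEY, drive_id, SECURITY_LEVEL[drive_id], LAYER_SOURCE_KEYS)


if __name__ == "__main__":
    for drive_id, level in SECURITY_LEVEL.items():
        print(drive_id.hex(), level, key_for_interface(drive_id).hex())
```

Because the drive identifier enters at the root of the ladder, two interfaces at the same security level still get different keys, and a key altered after generation no longer reproduces the stored handshake response.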
In certain embodiments, the hierarchical decryption operation unit 306 comprises a primary decryption operation unit 3061 and a secondary decryption operation unit 3062; the hierarchical key information includes first hierarchical key information and second hierarchical key information; the hierarchical key encryption and decryption algorithm comprises a first hierarchical key encryption and decryption algorithm and a second hierarchical key encryption and decryption algorithm;
a main control unit 312, connected to the primary and secondary decryption operation units 3061, 3062, respectively, for obtaining primary hierarchy key information from the hierarchy information storage unit 304 and transmitting the primary hierarchy key information to the primary decryption operation unit 3061, and obtaining secondary hierarchy key information from the hierarchy information storage unit 304 and transmitting the secondary hierarchy key information to the secondary decryption operation unit 3062;
a first-level decryption operation unit 3061, configured to decrypt, using the root key information, the first-level key information according to the first-level key encryption and decryption algorithm, so as to obtain a first-level key;
the secondary decryption operation unit 3062 is configured to obtain the primary key, and decrypt the secondary level key information with the primary key information according to the secondary level key encryption and decryption algorithm to obtain a secondary key.
As shown in fig. 3, the key generation unit 30 may generate the access key information of the corresponding security level according to the security level corresponding to the drive identifier information, and the higher the security level of the PCIE interface is, the higher the security of the access key information generated by the key generation unit is, and the generated access key information may be stored in the key recording unit 40.
Taking the example of the key level as three security levels, the key generation unit 30 includes a key selection unit 310. The decryption operation unit includes a primary decryption operation unit 3061, a secondary decryption operation unit 3062, and a tertiary decryption operation unit 3063. The handshake decryption operation circuit comprises a first-stage handshake decryption operation circuit 3071, a second-stage handshake decryption operation circuit 3072 and a third-stage handshake decryption operation circuit 3073. The handshake encryption operation circuit comprises a first-stage handshake encryption operation circuit 3081, a second-stage handshake encryption operation circuit 3082 and a third-stage handshake encryption operation circuit 3083. The algorithm information storage unit 303 is provided with a plurality of encryption and decryption algorithms, including a first-level encryption and decryption algorithm, a second-level encryption and decryption algorithm, and a third-level encryption and decryption algorithm, and sequentially selects the algorithms through a first-level algorithm selection unit 3111, a second-level algorithm selection unit 3112, and a third-level algorithm selection unit 3113. The hierarchical key information includes a first layer source key, a second layer source key, and a third layer source key.
Assuming that the security level corresponding to each PCIE interface has three levels, the key selection unit 310 may select a first-level key, a second-level key, or a third-level key according to the security level corresponding to each PCIE interface for output. Preferably, the security level of the third-level key is higher than that of the second-level key, and the security level of the second-level key is higher than that of the first-level key.
The primary key is generated as follows:
The source data decryption unit 302 obtains the encrypted source key and hierarchical key encryption and decryption algorithm from the source data storage unit 301 and decrypts them, obtaining the decrypted source key and hierarchical key encryption and decryption algorithm, and sends the decrypted source key to the key mixing unit 313. The key mixing unit 313 acquires the decrypted source key information and the drive identifier information, and generates mixed key information according to the decrypted source key information and the drive identifier information. The root key operation unit 305 obtains the mixed key information and the drive identifier information corresponding to the current read-write address stored in the drive letter identification cache unit, and performs a hash operation on the obtained drive identifier information according to the mixed key information to obtain root key information.
Next, the primary decryption operation unit 3061 receives the first layer source key from the hierarchy information storage unit 304, and the first-level algorithm selection unit 3111 selects the first-level key encryption and decryption algorithm and sends it to the primary decryption operation unit 3061, so that the primary decryption operation unit 3061 decrypts the first layer source key using the root key information with the first-level key encryption and decryption algorithm to obtain the primary key. If the security level corresponding to the current PCIE interface is level one, the key selection unit 310 may select the primary key for output.
Before output, in order to prevent the primary key from being tampered with during transmission, the generated primary key needs to be verified. Specifically, the primary key is encrypted once using the primary key itself through the first-stage handshake decryption operation circuit 3071, so that first-level handshake encryption key information is obtained. Then, the first-stage handshake encryption operation circuit 3081 receives the first layer handshake request data transmitted by the hierarchy information storage unit 304 and encrypts it using the first-level handshake encryption key information, so as to obtain first layer handshake encryption information. Then, the first layer handshake response data transmitted by the hierarchy information storage unit 304 is received and compared with the first layer handshake encryption information; if the two match, indicating that the primary key has not been tampered with, the first layer handshake response data is output through the key selection unit 310.
The second-level key is generated as follows:
The generation process of the second-level key is similar to that of the first-level key. The difference is that the first-level key is used as the input parameter for generating the second-level key (equivalent to the root key input when the first-level key is generated). Specifically, the second-level decryption operation unit 3062 receives the second-layer source key from the hierarchical information storage unit 304, and the second-level algorithm selection unit 3112 selects the second-level key encryption and decryption algorithm and supplies it to the second-level decryption operation unit 3062, so that the second-level decryption operation unit 3062 decrypts the second-layer source key with the first-level key, using the second-level key encryption and decryption algorithm, to obtain the second-level key. If the security level corresponding to the current PCIE interface is level two, the key selection unit 310 may select the second-level key for output.
Before output, to prevent the second-level key from being tampered with during transmission, the generated second-level key needs to be verified. Specifically, the second-level handshake decryption operation circuit 3072 encrypts the second-level key once using the second-level key itself, obtaining second-level handshake encryption key information. The second-level handshake encryption operation circuit 3082 then receives the second-level handshake request data transmitted by the hierarchical information storage unit 304 and encrypts it using the second-level handshake encryption key information, obtaining second-level handshake encryption information. Next, the second-layer handshake response data transmitted by the hierarchical information storage unit 304 is received and compared with the second-level handshake encryption information; if the two match, the second-level key has not been tampered with, and the second-layer handshake response data is output through the key selection unit 310; otherwise, a prompt message is sent.
The third-level key is generated as follows:
The generation process of the third-level key is similar to that of the second-level key. The difference is that the second-level key is used as the input parameter for generating the third-level key (equivalent to the first-level key input when the second-level key is generated). Specifically, the third-level decryption operation unit 3063 receives the third-level source key from the hierarchical information storage unit 304, and the third-level algorithm selection unit 3113 selects the third-level key encryption and decryption algorithm and supplies it to the third-level decryption operation unit 3063, so that the third-level decryption operation unit 3063 decrypts the third-level source key with the second-level key, using the third-level key encryption and decryption algorithm, to obtain the third-level key. If the security level corresponding to the current PCIE interface is level three, the key selection unit 310 may select the third-level key for output.
Before the third-level key is output, to prevent it from being tampered with during transmission, the generated third-level key needs to be verified. Specifically, the third-level handshake decryption operation circuit 3073 encrypts the third-level key once using the third-level key itself, obtaining third-level handshake encryption key information. The third-level handshake encryption operation circuit 3083 then receives the third-level handshake request data transmitted by the hierarchical information storage unit 304 and encrypts it using the third-level handshake encryption key information, obtaining third-level handshake encryption information. Next, the third-layer handshake response data transmitted by the hierarchical information storage unit 304 is received and compared with the third-level handshake encryption information; if the two match, the third-level key has not been tampered with, and the third-layer handshake response data is output through the key selection unit 310; otherwise, a prompt message is sent.
Of course, in other embodiments, the number of security levels set for the PCIE interfaces may be some other value, such as two security levels or more than four security levels, set according to actual needs. When the access key information has a different number of levels, it can be generated by reference to the key generation process shown in Fig. 3, which is not elaborated further here.
As shown in Fig. 4, the present application also provides a key generation method, which is applied to the key generation unit described in the present application. The method includes the following steps:
First, in step S401, the source data decryption unit obtains the encrypted source data and decrypts it, obtaining a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm.
Then, in step S402, the key mixing unit acquires the decrypted source key information and the drive letter identification information, and generates mixed key information from them.
Then, in step S403, the root key operation unit calculates the root key information according to the mixed key information.
Then, in step S404, the hierarchy decryption operation unit obtains the hierarchical key information, the hierarchical key encryption and decryption algorithm and the root key information, and decrypts the hierarchical key information with the root key information according to the hierarchical key encryption and decryption algorithm to obtain the access key information.
Generally, before the USB-to-PCIE protocol bridge chip is put into use, certain factory settings need to be made; specifically, some check data used in the key generation process is fixed inside the bridge chip. As shown in Fig. 5, the method includes the following steps:
First, in step S501, a security level is preset for each PCIE interface, and the security level set for each PCIE interface and the corresponding drive letter identification information are stored in the security level correspondence storage unit.
Then, in step S502, the source key is set.
Step S502 may be followed by step S503, in which the hierarchical key information and the handshake request information are obtained from the source key through a derivation algorithm. The derivation algorithm may be a hash operation, or may be an encryption or decryption operation performed on the source key itself.
Step S503 may be followed by step S504, in which the hierarchical key information and the handshake request information are stored in the hierarchical key information storage unit.
Then, in step S505, the initial setting of the access key information corresponding to each PCIE interface is completed.
As shown in Fig. 6, in some embodiments, the key generation method includes the following steps:
First, in step S601, the source data storage unit stores encrypted source data, where the source data includes a source key and a hierarchical key encryption and decryption algorithm.
Then, in step S602, the source data decryption unit obtains the encrypted source data and decrypts it, obtaining a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm, sends the decrypted source key to the key mixing unit, and stores the decrypted hierarchical key encryption and decryption algorithm in the algorithm information storage unit.
Then, in step S603, the key mixing unit obtains the decrypted source key information and the drive letter identification information, and generates mixed key information from them.
In parallel with steps S601 to S603, step S604 may be performed, in which the hierarchy information storage unit stores hierarchical key information.
Then, in step S605, the root key operation unit obtains the decrypted source key and the drive letter identification information currently stored in the drive letter identification cache unit, and performs a hash operation on the drive letter identification information according to the decrypted source key to obtain root key information.
After step S605, step S606 may be performed, in which the hierarchy decryption operation unit obtains the hierarchical key encryption and decryption algorithm, the hierarchical key information and the root key information, and decrypts the hierarchical key information with the root key information, using the hierarchical key encryption and decryption algorithm, to obtain the access key information.
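The three-level derivation chain with its handshake check (units 3061 to 3083) and the factory provisioning of steps S502 to S504, as an added software model that is not code from the patent. Assumptions: HMAC-SHA256 and a SHA-256 keystream XOR stand in for the hash and encryption algorithms the patent leaves unnamed, and all function names, the `b"E:"` and `b"F:"` drive identifiers and the source key are constructed for illustration.

```python
import hashlib
import hmac

# Assumed primitives (the patent names none): HMAC-SHA256 for the "hash
# operation", a SHA-256 keystream XOR for each "encryption/decryption algorithm".

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher; XOR keystream, so encrypt and decrypt are the same call."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def root_key(source_key: bytes, drive_id: bytes) -> bytes:
    # Key mixing unit 313: source key + drive letter id (mixing by hashing is assumed).
    mixed = hashlib.sha256(source_key + drive_id).digest()
    # Root key operation unit 305: hash of the drive letter id, keyed by the mixed key.
    return hmac.new(mixed, drive_id, hashlib.sha256).digest()

def handshake_tag(level_key: bytes, request: bytes) -> bytes:
    hs_key = keystream_xor(level_key, level_key)   # circuits 3071-3073: key encrypted once with itself
    return keystream_xor(hs_key, request)          # circuits 3081-3083: request encrypted with that key

def provision(source_key: bytes, drive_id: bytes, levels: int = 3) -> list:
    """Factory setup (S502-S504): derive and store layer source keys and handshake data."""
    store, key = [], root_key(source_key, drive_id)
    for n in range(1, levels + 1):
        layer = hashlib.sha256(source_key + b"layer" + bytes([n])).digest()
        request = hashlib.sha256(source_key + b"handshake" + bytes([n])).digest()
        key = keystream_xor(key, layer)            # level-n key the chip will reproduce later
        store.append({"layer": layer, "request": request,
                      "response": handshake_tag(key, request)})
    return store

def derive_access_key(source_key, drive_id, store, security_level):
    """Runtime chain: root key -> level 1 -> ... -> requested level, or None on mismatch."""
    if not 1 <= security_level <= len(store):
        raise ValueError("unsupported security level")
    key = root_key(source_key, drive_id)
    for entry in store[:security_level]:
        key = keystream_xor(key, entry["layer"])   # decryption units 3061-3063
        expected = handshake_tag(key, entry["request"])
        # Constant-time comparison; every level is checked here, a choice of this example.
        if not hmac.compare_digest(expected, entry["response"]):
            return None                            # key withheld (the "prompt message" case)
    return key

# Constructed sample values, not taken from the patent.
SOURCE_KEY = hashlib.sha256(b"constructed source key").digest()
STORE_E = provision(SOURCE_KEY, b"E:")

def demo() -> dict:
    # Copy the stored data and flip one bit of the second-layer source key.
    tampered = [dict(entry) for entry in STORE_E]
    tampered[1]["layer"] = bytes([tampered[1]["layer"][0] ^ 1]) + tampered[1]["layer"][1:]
    return {
        "level_keys": [derive_access_key(SOURCE_KEY, b"E:", STORE_E, n) for n in (1, 2, 3)],
        "wrong_drive": derive_access_key(SOURCE_KEY, b"F:", STORE_E, 1),
        "tampered_l1": derive_access_key(SOURCE_KEY, b"E:", tampered, 1),
        "tampered_l3": derive_access_key(SOURCE_KEY, b"E:", tampered, 3),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A drive letter other than the provisioned one, or a modified layer source key, changes the recomputed handshake value, so the chain returns no key from that level onward while lower levels still verify.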
It should be noted that, although the above embodiments have been described herein, the invention is not limited thereto. Therefore, based on the innovative concepts of the present invention, the technical solutions of the present invention can be directly or indirectly applied to other related technical fields by changing and modifying the embodiments described herein or by using the equivalent structures or equivalent processes of the content of the present specification and the attached drawings, and are included in the scope of the present invention.

Claims (10)

1. An operation method of a bridge chip for a USB-to-PCIE protocol, characterized in that the method is applied to the bridge chip for the USB-to-PCIE protocol, the bridge chip comprising: a USB protocol analysis unit, a drive letter distribution judgment unit, a second encryption and decryption circuit, a drive letter selection unit, a mapping relation storage unit, a drive letter identification cache unit, a key generation unit, at least one PCIE protocol controller and at least one PCIE interface; the mapping relation storage unit is used for storing the mapping relation between the read-write address area and the drive letter identification information;
the method comprises the following steps:
the USB protocol analysis unit is connected with a PCIE interface of the data read-write equipment, and each PCIE interface is correspondingly connected with a PCIE storage unit in a pluggable mode;
the USB protocol analysis unit receives a data read-write instruction sent by the data read-write equipment and analyzes a data read-write address corresponding to the data read-write instruction;
the drive letter distribution judging unit determines the drive letter identification information corresponding to the read-write address area where the current data read-write address is located according to the mapping relation, and stores the drive letter identification information in the drive letter identification cache unit;
the key generation unit acquires the drive letter identification information from the drive letter identification cache unit and generates access key information according to the acquired drive letter identification information;
and the second encryption and decryption circuit decrypts the data read from the PCIE storage unit or encrypts the data to be written into the PCIE storage unit according to the access key information.
2. The method according to claim 1, wherein the bridge chip further comprises a digital signature comparison unit, a verification information storage unit, and a digital signature operation unit;
the method comprises the following steps:
the digital signature operation unit performs hash operation on the access key information to obtain digital signature information to be authenticated;
the digital signature comparison unit acquires verification signature information from the verification information storage unit and compares the digital signature information to be authenticated with the verification signature information; if the two match, the verification passes and execution of the data read-write instruction continues; if the two do not match, the verification fails and execution of the data read-write instruction is stopped.
3. The method of claim 2, wherein the bridge chip further comprises a first decryption circuit and a verification key storage unit;
the method comprises the following steps:
the first decryption circuit acquires encrypted verification signature information from the verification information storage unit and verification key information from the verification key storage unit, decrypts the encrypted verification signature information by using the verification key information, and sends the decrypted verification signature information to the digital signature comparison unit.
4. The method of claim 1, wherein the method comprises:
the key generation unit acquires the drive letter identification information currently cached in the drive letter identification cache unit, and generates access key information according to the acquired drive letter identification information.
5. The method according to claim 1, wherein the bridge chip further comprises a security level correspondence storage unit, and the security level correspondence storage unit is connected to the drive letter allocation determination unit and the key generation unit, respectively;
the method comprises the following steps:
the security level correspondence storage unit stores the correspondence between the drive letter identification information and the key security level;
the key generation unit generates access key information matching the key security level.
6. The method according to claim 4 or 5, wherein the key generation unit comprises a source data decryption unit, a root key operation unit, a key mixing unit, and a hierarchy decryption operation unit; the source data decryption unit is connected with a key mixing unit, the key mixing unit is connected with the root key operation unit, and the root key operation unit is connected with a hierarchy decryption operation unit;
the method comprises the following steps:
the source data decryption unit obtains encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
the key mixing unit acquires the decrypted source key information and the drive letter identification information, and generates mixed key information according to the decrypted source key information and the drive letter identification information;
the root key operation unit calculates the root key information according to the mixed key information;
the hierarchy decryption operation unit acquires hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and decrypts the hierarchy key information by adopting the root key information according to the hierarchy key encryption and decryption algorithm to obtain access key information.
7. The method of claim 6, wherein the key generation unit further comprises:
a hierarchy information storage unit stores hierarchy key information;
and the main control unit acquires the hierarchy key information from the hierarchy information storage unit according to the key security level corresponding to the current drive letter identification information and sends the hierarchy key information to the hierarchy decryption operation unit.
8. The method of claim 7, wherein the hierarchical decryption unit comprises a first-level decryption unit and a second-level decryption unit; the hierarchical key information comprises first-level hierarchical key information and second-level hierarchical key information; the hierarchical key encryption and decryption algorithm comprises a first-level key encryption and decryption algorithm and a second-level key encryption and decryption algorithm;
the method comprises the following steps:
the main control unit acquires the first-level hierarchical key information from the hierarchy information storage unit and transmits it to the first-level decryption operation unit, and acquires the second-level hierarchical key information from the hierarchy information storage unit and transmits it to the second-level decryption operation unit;
the first-level decryption operation unit decrypts the first-level hierarchical key information by adopting the root key information according to the first-level key encryption and decryption algorithm to obtain a first-level key;
and the second-level decryption operation unit acquires the first-level key and decrypts the second-level hierarchical key information by adopting the first-level key according to the second-level key encryption and decryption algorithm to obtain a second-level key.
9. The method of claim 7, wherein the hierarchical information storage unit is further configured to store handshake request information and handshake response information;
the key generation unit further comprises a handshake decryption operation circuit, a handshake encryption operation circuit and a handshake information check circuit, wherein the handshake decryption operation circuit is respectively connected with the main control unit and the handshake encryption operation circuit, and the handshake encryption operation circuit is respectively connected with the main control unit and the handshake information check circuit;
the method comprises the following steps:
the handshake decryption operation circuit decrypts the access key information by adopting the access key information to obtain handshake encryption key information;
the handshake encryption operation circuit receives the handshake request information sent by the main control unit, and encrypts the handshake request information by adopting the handshake encryption key information to obtain handshake encryption information;
and the handshake information check circuit acquires the handshake encryption information and handshake response information sent by the main control unit, judges whether the handshake encryption information and the handshake response information are matched, and outputs the access key information if the handshake encryption information and the handshake response information are matched.
10. A bridge chip for USB to PCIE protocol, wherein the bridge chip for USB to PCIE protocol is the bridge chip for USB to PCIE protocol according to any one of claims 1 to 9.
CN202011633718.6A 2020-12-31 2020-12-31 Bridging chip for converting USB (Universal Serial bus) to PCIE (peripheral component interface express) protocol and operation method thereof Active CN112685353B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011633718.6A CN112685353B (en) 2020-12-31 2020-12-31 Bridging chip for converting USB (Universal Serial bus) to PCIE (peripheral component interface express) protocol and operation method thereof


Publications (2)

Publication Number Publication Date
CN112685353A CN112685353A (en) 2021-04-20
CN112685353B true CN112685353B (en) 2022-06-07

Family

ID=75456201


Country Status (1)

Country Link
CN (1) CN112685353B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107092835A (en) * 2017-04-21 2017-08-25 杭州华澜微电子股份有限公司 The computer data enciphering device and method of a kind of virtual memory disk
CN110765501A (en) * 2018-07-28 2020-02-07 虞加考 Encrypted USB flash disk

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7949794B2 (en) * 2006-11-02 2011-05-24 Intel Corporation PCI express enhancements and extensions
US8370645B2 (en) * 2009-03-03 2013-02-05 Micron Technology, Inc. Protection of security parameters in storage devices
US9710406B2 (en) * 2014-12-15 2017-07-18 Intel Corporation Data transmission using PCIe protocol via USB port
US10255200B2 (en) * 2015-02-25 2019-04-09 Western Digital Technologies, Inc. Data storage device and method of operation using multiple security protocols
US10715501B2 (en) * 2016-10-26 2020-07-14 Intel Corporation Providing secure data transmission over a universal serial bus (USB) interface




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No.302, no.6, zone 2, Fuhai Industrial Zone, Fuyong community, Fuyong street, Bao'an District, Shenzhen City, Guangdong Province

Patentee after: Shenzhen anjilite New Technology Co.,Ltd.

Address before: No.302, no.6, zone 2, Fuhai Industrial Zone, Fuyong community, Fuyong street, Bao'an District, Shenzhen City, Guangdong Province

Patentee before: Shenzhen anjili New Technology Co.,Ltd.

CP01 Change in the name or title of a patent holder