CN113810179A - Sector block key generation method, device, equipment and storage medium - Google Patents

Info

Publication number
CN113810179A
Authority
CN
China
Prior art keywords
target
logic unit
sector
key
disk array
Prior art date
Legal status
Pending
Application number
CN202010546514.2A
Other languages
Chinese (zh)
Inventor
申宗泽
Current Assignee
Beijing Long Teng Rong Zhi Information Technology Co ltd
Original Assignee
Beijing Long Teng Rong Zhi Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Long Teng Rong Zhi Information Technology Co ltd
Priority to CN202010546514.2A
Publication of CN113810179A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F 21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms


Abstract

The embodiments of this application disclose a sector block key generation method, device, equipment and storage medium. The method comprises the following steps: acquiring a fibre channel protocol message exchanged between the storage and the server; parsing the fibre channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located; acquiring the working key of the target logical unit according to that logical unit number; and performing a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key. The embodiments combine two keys, the working key and the sector block key, so that every sector of every logical unit of every disk array uses a different sector block key, which improves the availability and usability of storage encryption and decryption and ensures its security.

Description

Sector block key generation method, device, equipment and storage medium
Technical Field
The present application relates to the field of disk data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for generating a sector block key.
Background
Disk encryption is a low-level form of encryption that depends only on the format of the disk: the ciphertext obtained by encrypting plaintext data is written directly to the corresponding position on the disk, and when the encrypted information needs to be read it is decrypted to recover the plaintext. Conventional encryption methods, however, are not suitable for disk data because they expand the plaintext, while a sector's ciphertext must occupy exactly the space of the plaintext it replaces.
In 2002, Moses Liskov, Ronald L. Rivest and David Wagner first proposed the tweakable block cipher (TBC) for the characteristics of disk encryption. Compared with a conventional block cipher, which takes two inputs (the encryption key and the plaintext to be encrypted), a TBC adds a third input called the tweak. Common tweakable block cipher algorithms are divided into narrow-block and wide-block algorithms; among the narrow-block algorithms, XOR-Encrypt-XOR (XEX) is a tweakable block cipher used to encrypt and decrypt disk-sector data, and its tweak is expressed as the combination of the disk array number, the logical unit number and the sector address.
In the conventional XEX tweakable block cipher, the tweak is generated directly from the combination of the disk array number, the logical unit number and the sector address, and the plaintext is then encrypted directly with the tweak and the encryption key.
Disclosure of Invention
This application provides a sector block key generation method, device, equipment and storage medium. It aims to solve the prior-art problem that different sectors of the same disk use the same encryption key to encrypt plaintext data, which results in low security; it ensures that each sector uses a different key when the data in a disk sector is encrypted or decrypted, and thereby improves the security of storage encryption.
In a first aspect, the present application provides a sector block key generation method applied to a fibre channel storage crypto machine located in a storage area network system. The storage area network system further includes a storage and a server in communication connection with the fibre channel storage crypto machine; the storage includes a plurality of disk arrays, which include the target disk array where the data to be processed is located; and the sector block key is used to encrypt or decrypt the data to be processed. The method includes:
acquiring a fibre channel protocol message exchanged between the storage and the server;
parsing the fibre channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located;
acquiring the working key of the target logical unit according to the logical unit number of the target logical unit; and
performing a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key.
In a possible implementation manner of the present application, the obtaining the working key of the target logical unit includes:
acquiring a logic unit number of a target logic unit where the data to be processed is located in the target disk array;
acquiring a logic block key factor randomly generated in advance;
and encrypting the logic unit number of the target logic unit according to the logic block key factor to obtain a working key of the target logic unit.
In a possible implementation manner of the present application, obtaining the sector block key by performing a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector includes:
concatenating the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain a concatenated string;
performing a hash operation on the concatenated string to obtain a first hash;
splitting the first hash by byte count into a second hash and a third hash; and
XORing each byte of the second hash with the corresponding byte of the third hash, in byte order, to obtain the sector block key.
In a possible implementation manner of the present application, before the obtaining the working key of the target logical unit, the method further includes:
acquiring the logic unit number of each logic unit of the plurality of disk arrays;
acquiring a working key corresponding to each logic unit randomly generated in advance;
and generating a key mapping relation table from the logical unit numbers of the logical units of the disk arrays and the working keys corresponding to those logical units, in which each logical unit number corresponds one-to-one to the working key of its logical unit.
In a possible implementation manner of this application, before the obtaining of the working key of the target logical unit where the to-be-processed data is located in the target disk array, the method further includes:
acquiring the disk array numbers of the plurality of disk arrays;
acquiring the logic unit number of each logic unit of the plurality of disk arrays;
and generating a disk mapping table from the disk array numbers of the plurality of disk arrays and the logical unit numbers of their logical units, in which the disk array numbers correspond one-to-one to the logical unit numbers of the logical units of those disk arrays.
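As an added example, not code from the patent or its assignee, the following Go program carries the two derivation steps above through end to end: the working key obtained by encrypting the logical unit number under the pre-generated logic block key factor, and the sector block key obtained by hashing array number, LUN and sector address under that working key, splitting the digest by byte count and XORing the halves. Everything the page leaves open is an assumption here: one AES block encryption stands in for "encrypting the LUN", HMAC-SHA256 for the keyed hash, and the identifiers are taken as 32-bit array and LUN numbers with a 64-bit sector address. The key mapping relation table is the LUN-to-working-key map, and `allDistinct` checks the property the disclosure claims further down: neighbouring sectors, other LUNs in the same array, and the same LUN and sector in another array all receive different sector block keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SectorID holds the three identifiers the patent hashes. Field widths are assumptions.
type SectorID struct {
	Array  uint32 // disk array number
	LUN    uint32 // logical unit number
	Sector uint64 // sector address
}

// workingKey encrypts the LUN under the randomly generated "logic block key factor".
// One AES block encryption is the assumed cipher; the page only says "encrypting the LUN".
func workingKey(keyFactor []byte, lun uint32) ([]byte, error) {
	block, err := aes.NewCipher(keyFactor) // factor must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	var in [aes.BlockSize]byte
	binary.BigEndian.PutUint32(in[12:], lun) // LUN right-aligned in a zero block
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, in[:])
	return out, nil
}

// sectorBlockKey follows the patent's sub-steps: concatenate array || LUN || sector,
// hash it under the working key (HMAC-SHA256 assumed), split the 32-byte digest into
// two 16-byte halves, and XOR the halves byte by byte into the sector block key.
func sectorBlockKey(wk []byte, id SectorID) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, id.Array)
	binary.Write(&buf, binary.BigEndian, id.LUN)
	binary.Write(&buf, binary.BigEndian, id.Sector)
	mac := hmac.New(sha256.New, wk)
	mac.Write(buf.Bytes())
	first := mac.Sum(nil)
	half := len(first) / 2
	second, third := first[:half], first[half:]
	key := make([]byte, half)
	for i := range key {
		key[i] = second[i] ^ third[i]
	}
	return key
}

type KeyTable map[uint32][]byte // the key mapping relation table: LUN -> working key

func buildKeyTable(keyFactor []byte, luns []uint32) (KeyTable, error) {
	t := make(KeyTable, len(luns))
	for _, lun := range luns {
		wk, err := workingKey(keyFactor, lun)
		if err != nil {
			return nil, err
		}
		t[lun] = wk
	}
	return t, nil
}

// keyFor derives the sector block key; an unknown LUN gets no key rather than a default one.
func (t KeyTable) keyFor(id SectorID) ([]byte, bool) {
	wk, ok := t[id.LUN]
	if !ok {
		return nil, false
	}
	return sectorBlockKey(wk, id), true
}

// allDistinct checks the claimed property: no two triples share a sector block key.
func allDistinct(t KeyTable, ids []SectorID) bool {
	seen := make(map[string]bool, len(ids))
	for _, id := range ids {
		k, ok := t.keyFor(id)
		if !ok || seen[string(k)] {
			return false
		}
		seen[string(k)] = true
	}
	return true
}

func main() {
	keyFactor := []byte("0123456789abcdef") // constructed sample; use a CSPRNG in practice
	table, err := buildKeyTable(keyFactor, []uint32{0, 1})
	if err != nil {
		panic(err)
	}
	// Same LUN/next sector, same array/other LUN, other array/same LUN and sector.
	ids := []SectorID{{1, 0, 0}, {1, 0, 1}, {1, 1, 0}, {2, 0, 0}}
	for _, id := range ids {
		k, _ := table.keyFor(id)
		fmt.Printf("array=%d lun=%d sector=%d key=%x\n", id.Array, id.LUN, id.Sector, k)
	}
	fmt.Println("all distinct:", allDistinct(table, ids))
}
```

Note that the working key for LUN 0 is identical on arrays 1 and 2, exactly as the disclosure says it may be; it is the array number inside the hashed string, not the working key, that separates those two sector block keys.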
In another aspect, the present application also provides a sector block key generation apparatus, including:
an acquisition module, used to acquire the fibre channel protocol message exchanged between the storage and the server;
a parsing module, used to parse the fibre channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located;
a working key acquisition module, used to acquire the working key of the target logical unit according to the logical unit number of the target logical unit; and
a sector block key generation module, used to perform a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key.
In a possible implementation manner of the present application, the working key acquisition module is specifically configured to:
acquiring a logic unit number of a target logic unit where the data to be processed is located in the target disk array;
acquiring a logic block key factor randomly generated in advance;
and encrypting the logic unit number of the target logic unit according to the logic block key factor to obtain a working key of the target logic unit.
In a possible implementation manner of the present application, the sector block key generation module is specifically configured to:
concatenate the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain a concatenated string;
perform a hash operation on the concatenated string to obtain a first hash;
split the first hash by byte count into a second hash and a third hash; and
XOR each byte of the second hash with the corresponding byte of the third hash, in byte order, to obtain the sector block key.
In a possible implementation manner of this application, the sector block key generation apparatus further includes a key mapping table module, where the key mapping table module is specifically configured to:
acquiring the logic unit number of each logic unit of the plurality of disk arrays;
acquiring a working key corresponding to each logic unit randomly generated in advance;
and generate a key mapping relation table from the logical unit numbers of the logical units of the disk arrays and the working keys corresponding to those logical units, in which each logical unit number corresponds one-to-one to the working key of its logical unit.
In a possible implementation manner of the present application, the sector block key generation apparatus further includes a disk mapping table module, where the disk mapping table module is specifically configured to:
acquiring the disk array numbers of the plurality of disk arrays;
acquiring the logic unit number of each logic unit of the plurality of disk arrays;
and generate a disk mapping table from the disk array numbers of the plurality of disk arrays and the logical unit numbers of their logical units, in which the disk array numbers correspond one-to-one to the logical unit numbers of the logical units of those disk arrays.
In another aspect, the present application also provides an apparatus, comprising:
one or more processors;
a memory; and
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the processor to implement the method of any of the first aspects.
In another aspect, the present application also provides a computer-readable storage medium having a computer program stored thereon, which is loaded by a processor to perform the steps of the method according to any one of the first aspect.
In this application, the data to be processed is not encrypted directly with the working key. Instead, the working key is used to perform a hash operation on the disk array number of the target disk array where the data is located, the logical unit number of the target logical unit and the sector address of the target sector, which yields the sector block key, and the data is then processed with that sector block key. In essence, the sector block key secures keys by spatial partitioning: within one disk array every logical unit has a different logical unit number, so every logical unit has a different working key, and therefore every sector of every logical unit has a different sector block key; across disk arrays, even when the same logical unit number carries the same working key, the disk array numbers differ, so the same sector on the same logical unit number of two different disk arrays still has different sector block keys. The application therefore combines the two keys, the working key and the sector block key, so that each sector of each logical unit of each disk array uses a different sector block key, which improves the availability and usability of storage encryption and decryption and ensures its security.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a storage area network system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of another scenario of a storage area network system provided in an embodiment of the present application;
FIG. 3 is a flowchart illustrating an embodiment of the sector block key generation method provided in an embodiment of the present application;
FIG. 4 is a schematic flowchart of an embodiment of step 303 in the present application;
FIG. 5 is a flowchart illustrating an embodiment of step 304 in the present application;
FIG. 6 is a schematic flowchart of another embodiment of the sector block key generation method provided in an embodiment of the present application;
FIG. 7 is a schematic flowchart of the sector block key generation method provided in an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an embodiment of the sector block key generation apparatus provided in an embodiment of the present application;
FIG. 9 is a schematic structural diagram of an embodiment of the apparatus provided in the embodiments of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the description of the present application, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are used merely for convenience and simplicity of description; they do not indicate or imply that the referenced device or element must have a particular orientation or be constructed and operated in a particular orientation, and thus should not be considered as limiting the present application. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first" or "second" may explicitly or implicitly include one or more of the described features. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
In this application, the word "exemplary" is used to mean "serving as an example, instance, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the application. In the following description, details are set forth for the purpose of explanation. It will be apparent to one of ordinary skill in the art that the present application may be practiced without these specific details. In other instances, well-known structures and processes are not set forth in detail in order to avoid obscuring the description of the present application with unnecessary detail. Thus, the present application is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
Some basic concepts involved in the embodiments of the present application are first described below:
Storage Area Network (SAN): a SAN is a high-speed network dedicated to storage, typically independent of the Local Area Network (LAN). A SAN connects different data storage devices together to form a storage network. Users can add or delete nodes on the network, so that data backup, archiving and data protection can be realised easily.
Fibre Channel Storage Area Network (FC-SAN): an FC-SAN usually consists of disk arrays connected over Fibre Channel (FC). In an FC-SAN, data communication between a server and a client is carried by Small Computer System Interface (SCSI) commands rather than Transmission Control Protocol/Internet Protocol (TCP/IP), and data is processed at the block level. The FC-SAN is centred on data storage, adopts a scalable network topology, offers multiple selectable data exchanges between any nodes through the high-transmission-rate direct connections of fibre channel, and concentrates data storage management in a relatively independent storage area network. The FC-SAN is connected between the application servers and the storage devices formed by the storage arrays through fibre channel switches (FC Switch).
Fibre channel storage crypto machine (SecFC): an FC storage cryptographic engine which, in an FC-SAN that uses an encryption mechanism, encrypts and decrypts the data of a plurality of disk arrays.
Embodiments of the present application provide a sector block key generation method, apparatus, device, and storage medium, which are described in detail below.
Referring to fig. 1, fig. 1 is a schematic view of a storage area network system scenario according to an embodiment of the present application. The storage area network system may include at least one server 100, a fibre channel storage crypto machine 300, and a storage 400 in communication connection with the fibre channel storage crypto machine. The fibre channel storage crypto machine 300 is in communication connection with both the server 100 and the storage 400; the storage 400 includes a plurality of disk arrays, which include the target disk array where the data to be processed is located, and the disk arrays are in communication connection with the fibre channel storage crypto machine 300. In this embodiment, the server 100, the fibre channel storage crypto machine 300 and the storage 400 may communicate with each other using the FC Protocol (FCP); the fibre channel storage crypto machine 300 implements a data encryption and decryption mechanism based on the FC protocol and can provide centralised protection of the content of the storage 400. In fig. 1 the storage 400 includes three disk arrays, disk array A, disk array B and disk array C; it should be noted that the storage according to the embodiment may include more or fewer disk arrays, the specific number being chosen according to the actual application scenario and not limited here.
In addition, the storage area network system according to the embodiment may further include other devices capable of communicating with the fibre channel storage crypto machine 300. As shown in fig. 2, the system may further include a fibre channel switch 200: the fibre channel storage crypto machine 300 is in communication connection with the fibre channel switch 200, and through it with the server 100. The fibre channel storage crypto machine 300 parses the FC protocol between the server 100 and the storage 400, encrypts the data in write data request frames travelling from the server side to the storage side, and decrypts the data in read data reply frames travelling from the storage side to the server side. This ensures that the data stored in the storage 400 after passing through the fibre channel storage crypto machine 300 is ciphertext, while the server 100 still sees plaintext after passing through the fibre channel storage crypto machine 300, without changing how the storage 400 is used.
In this embodiment, the server 100 may be an independent server, or a server network or server cluster composed of several servers; for example, the server 100 described in this embodiment includes, but is not limited to, a computer, a network host, a single network server, a set of network servers, or a cloud server composed of a plurality of servers. A cloud server is constituted by a large number of computers or web servers based on cloud computing. At least one storage 400 is connected to each server 100 to store the data of the servers 100, where each storage 400 may be a storage device known in the art, such as one or more interconnected disk drives of a redundant array of independent disks (RAID), just a bunch of disks (JBOD), or a direct access storage device (DASD) such as a tape storage device with one or more storage units.
The fibre channel storage crypto machine 300 may be deployed in front of the storage 400 or in front of the server 100 without changing the original network topology.
The fibre channel storage crypto-engine 300 in the embodiment of the present application is mainly used for: acquiring an encryption request of data to be processed; responding to the encryption request, and acquiring a working key of a target logic unit where the data to be processed is located in the target disk array; and carrying out Hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector where the data to be processed is located by using the working key to obtain the sector block key.
Fibre channel FC has three common topologies: a Point-to-Point (Point-to-Point) structure, a fibre Channel arbitrated Loop (FC _ AL), and a fibre Switch (FC Switch) transport network (FC _ Fabric), wherein the intermediate transport network composed of fibre switches (FC switches) is called FC Switched network (FC Switched Fabric). The topology shown in fig. 2 is that an FC storage crypto-engine 300 is deployed before disk arrays A, B and C. Assuming that server a mounts LUN0 virtual disk of disk array a, when server a stores data to the disk, the data of each sector is encrypted by FC storage crypto 300 using a specific key; when server a reads data from the disk, each sector of data is decrypted by FC storage crypto engine 300 using a specific key. The data of each sector on LUN0 of disk array a is ciphertext, and the data seen by server a is always plaintext.
The above is an example of a topology with an optical fiber switch, and it can be understood that the technical solution of the embodiment of the present application can also be implemented without an optical fiber switch in an FC-SAN network, and does not form a limitation on the technical solution provided by the embodiment of the present application.
It should be noted that the scenario diagrams of the storage area network systems shown in fig. 1 and fig. 2 are only examples of the solution of the present application, and the storage area network systems and the scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application, other application scenarios may also include more or less memories 400 than shown in fig. 1 and 2, e.g., only 1 memory 400 is shown in fig. 1, it being understood that, the storage area network system may further include one or more other memories in communication with the fibre channel storage crypto-engine 300, and as will be appreciated by those skilled in the art, with the evolution of SAN systems and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
First, an embodiment of the present application provides a sector block key generation method. The execution subject of the method is a sector block key generation device applied to a fibre channel storage crypto engine 300. The fibre channel storage crypto engine 300 is located in a storage area network system that further includes a memory 400 and a server 100; the memory 400 is communicatively connected to the fibre channel storage crypto engine 300 and includes a plurality of disk arrays, among them a target disk array where the data to be processed is located. The sector block key is used to encrypt or decrypt the data to be processed, and the sector block key generation method includes: acquiring a Fibre Channel protocol message exchanged between the memory and the server; parsing the Fibre Channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located; acquiring the working key of the target logical unit according to the logical unit number of the target logical unit; and performing a hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector using the working key to obtain the sector block key.
As shown in fig. 3, which is a schematic flowchart of an embodiment of a sector block key generation method in the embodiment of the present application, the sector block key generation method includes:
301. Acquire a Fibre Channel protocol message exchanged between the memory and the server.
In this embodiment, the Fibre Channel protocol message acquired by the fibre channel storage crypto engine 300 may be an encryption request for the data in a write data request frame addressed to the storage 400, initiated by the server 100, or a decryption request for the data in a read data request frame addressed to the server 100, initiated by the storage 400. The fibre channel storage crypto engine 300 parses the FC protocol between the server 100 and the storage 400 and thereby obtains the encryption request for the data in the write data request frame or the decryption request for the data in the read data request frame, that is, an encryption or decryption request for the data to be processed.
302. Parse the Fibre Channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located.
In this embodiment, the Command Descriptor Block (CDB) of the Fibre Channel protocol packet exchanged between the server 100 and the memory 400 carries the logical unit number of the logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located, so both values can be obtained by parsing the CDB of the Fibre Channel protocol packet.
303. Acquire the working key of the target logical unit according to the logical unit number of the target logical unit.
In this embodiment, the data to be processed is located in the target logical unit of the target disk array in the memory 400, and each logical unit of each disk array possesses a unique working key. Before encryption and decryption are performed using the fibre channel storage crypto engine 300, the device administrator assigns a unique disk array number to each disk array, a logical unit number to each logical unit of each disk array, and a sector address to each sector of each logical unit. In a specific embodiment, after the fibre channel storage crypto engine 300 is powered on and passes authentication, a corresponding working key is generated for each logical unit of each disk array. In the general case the fibre channel storage crypto engine 300 can store the ciphertext of at most 1024 working keys, so after power-on authentication it generates 1024 working keys at once and stores the ciphertext of each working key, together with the correspondence between logical units and working keys, in its protocol parsing engine (FPGA), from which the working key corresponding to the target logical unit is later looked up.
It should be noted that, in some other application scenarios, the work key in this embodiment may also be generated in real time according to the relevant information of the data to be processed when responding to the encryption request, and is not limited herein.
304. Perform a hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector using the working key to obtain the sector block key.
In a specific embodiment, the hash operation uses the SM3 cryptographic hash algorithm with the working key as its key: in the Hash-based Message Authentication Code (HMAC) mode of SM3, the disk array number of the target disk array where the data to be processed is located, the logical unit number of the target logical unit and the sector address of the target sector are hashed together to obtain the sector block key. In this embodiment, since the logical unit numbers of the logical units and the sector addresses of the sector blocks within the same disk array all differ, the sector block key of each sector of each logical unit is different. Across different disk arrays, the same logical unit has the same logical unit number and the same sector under it has the same sector address, but because each disk array has a different disk array number, the sector block key of each sector of each logical unit under each disk array is still different.
In the embodiment of the present application, the sector block key is used for encrypting or decrypting data of a disk sector in the optical fiber channel, the disk array number of each disk array, the logical unit number of each logical unit, and the sector block address of each sector are in one-to-one correspondence, and the correspondence may be stored in a protocol parsing engine (FPGA) of the optical fiber channel storage crypto machine 300.
In a specific embodiment, when the target sector performs the data read-write operation of the data to be processed, the sector block key of the target sector of the target logic unit is dynamically calculated and obtained in step 304, and when the target sector of the target logic unit completes the data read-write operation of the data to be processed, the sector block key corresponding to the target sector is immediately destroyed.
In the embodiment of the application, the data to be processed is not encrypted directly with the working key; instead, the working key is used to hash the disk array number of the target disk array where the data to be processed is located, the logical unit number of the target logical unit and the sector address of the target sector, yielding the sector block key, and the data to be processed is processed with that sector block key. In essence, the sector block key of the present application guarantees key security by dividing the key space: since the logical unit numbers of the logical units of the same disk array differ, the working keys corresponding to the logical units also differ, and hence the sector block keys of the sectors of each logical unit differ; across different disk arrays, even where the same logical unit has the same working key, the disk array numbers differ, so the sector block keys of the same sector on the same logical unit number of different disk arrays also differ. The application therefore adopts the double-key combination of working key and sector block key so that every sector of every logical unit of every disk array uses a different sector block key, improving the availability and usability of storage encryption and decryption and ensuring its security.
As shown in fig. 4, in some embodiments of the present application, the obtaining the working key of the target logical unit in step 303 may further include:
401. Acquire the logical unit number of the target logical unit in the target disk array where the data to be processed is located.
In this embodiment, before encryption and decryption are performed by using the fibre channel storage cryptographic machine 300, the device administrator assigns a unique disk array number to each disk array, assigns a logical unit number to a logical unit of each disk array, and assigns a sector address to a sector of each logical unit. After acquiring the fibre channel protocol packet exchanged between the server 100 and the storage 400, the fibre channel storage cryptographic machine 300 parses the packet, and obtains the logical unit number of the target logical unit where the data to be processed is located according to the command description block of the fibre channel protocol packet.
402. Acquire a logical block key factor randomly generated in advance.
In one embodiment, the storage area network system further comprises a random number generator communicatively coupled to the fibre channel storage crypto-engine 300, the random number generator generating a logical block key factor for each logical unit, each logical block key factor being 128 bits in length; it should be noted that the logical block key factor in the embodiment of the present application may also be generated by a built-in random number generation program in the fibre channel storage crypto machine 300, and is not limited herein.
403. Encrypt the logical unit number of the target logical unit under the logical block key factor to obtain the working key of the target logical unit.
The block cipher modes of operation of the fibre channel storage crypto engine 300 include Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR) mode. In this embodiment the block cipher mode of operation of the fibre channel storage crypto engine 300 is ECB mode: the logical unit number of the target logical unit is encrypted with the SM4 cryptographic algorithm in ECB mode, taking the logical block key factor as the key. The block length and the key length of the SM4 cryptographic algorithm are both 128 bits, the encryption algorithm and the key expansion algorithm both use a 32-round nonlinear iterative structure, and the S-box is a fixed 8-bit-input, 8-bit-output substitution. Assuming that LBK represents the working key, LKF the logical block key factor, LUNID the logical unit number of the target logical unit and ECB_MODE the electronic codebook mode, the working key is calculated as:
LBK = SM4(LKF, LUNID, ECB_MODE)
Because the logical unit numbers of the logical units differ, the working keys corresponding to the logical units differ; although the same logical unit has the same working key in different disk arrays, the sector block keys of the same sector of the same logical unit in different disk arrays still differ, because the disk array numbers of the disk arrays differ.
As shown in fig. 5, in some embodiments of the application, the performing a hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and the sector address of the target sector by using the working key in step 304 to obtain the sector block key may further include:
501. Concatenate the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain a connection string.
Assuming that MESG represents the connection string, TID the disk array number of the target disk array, LUNID the logical unit number of the target logical unit, LBA the sector address of the target sector, LBK the working key and SBK the sector block key, where LBK is 128 bits, SBK is 16 bits, TID is 6 bits, LUNID is 19 bits and LBA is 64 bits, the connection string is calculated as:
MESG = LBA || LUNID || TID
where || represents string concatenation.
502. Perform a hash operation on the connection string to obtain a first hash.
In this embodiment, the hash operation on the connection string is performed in the Hash-based Message Authentication Code (HMAC) mode of the SM3 cryptographic hash algorithm, with the working key as the key. Assuming that HMAC represents the first hash, LBK the working key, MESG the connection string and SM3_HMAC the HMAC mode of the SM3 cryptographic hash algorithm, the first hash is calculated as:
HMAC = SM3_HMAC(LBK, MESG)
In this embodiment, the first hash obtained with the above formula is 32 bits.
503. Divide the first hash by byte count into two equal parts, a second hash and a third hash.
In this embodiment, the first hash is divided equally by byte count, so the second hash and the third hash are both 16 bits; the second hash is represented as HMAC[i] and the third hash as HMAC[i+15], where i = 0, 1, ..., 15.
504. XOR each byte of the second hash with the corresponding byte of the third hash, byte by byte, to obtain the sector block key.
Assuming that the SBK represents a sector block key, the sector block key is calculated as:
SBK[i] = HMAC[i] ^ HMAC[i+15], for i = 0, 1, ..., 15
where SBK[i] represents the i-th byte of the sector block key and ^ represents the XOR operation.
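The derivation of steps 501 to 504 (and thus of step 304) carried through in code, as an added example that is not the patent's own code. It treats the 128-bit working key LBK as a given input (the patent derives it with SM4 in ECB mode from LKF and LUNID), implements SM3 and HMAC inline so it runs offline, and assumes big-endian field widths of 1 byte for TID, 4 bytes for LUNID and 8 bytes for LBA, with the second half of the 32-byte digest taken at byte offset 16, as the equal byte split of step 503 implies.

```python
# Added example, not code from the patent: derives a sector block key SBK from
# a working key LBK along steps 501-504 of the text.
#   MESG = LBA || LUNID || TID                  (step 501)
#   HMAC = SM3_HMAC(LBK, MESG), 32-byte digest  (step 502)
#   split HMAC into two equal 16-byte halves    (step 503)
#   SBK[i] = HMAC[i] ^ HMAC[16 + i], i = 0..15  (step 504)
# Assumptions: TID 1 byte, LUNID 4 bytes, LBA 8 bytes, all big-endian; the
# second half starts at byte 16 (equal split of the 32-byte SM3 digest).
import struct

MASK32 = 0xFFFFFFFF
_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]


def _rotl(x: int, n: int) -> int:
    """32-bit left rotation; SM3 rotates the constant T_j by j mod 32."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def _p0(x: int) -> int:
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x: int) -> int:
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def _compress(v: list, block: bytes) -> list:
    """One SM3 compression of a 64-byte block into state v (GB/T 32905)."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
        else:
            t = 0x7A879D8A
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | ((~e & MASK32) & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK32, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (ff + d + ss2 + w1[j]) & MASK32
        tt2 = (gg + h + ss1 + w[j]) & MASK32
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]


def sm3(msg: bytes) -> bytes:
    """SM3 hash: pad to a multiple of 64 bytes, then compress block by block."""
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", len(msg) * 8))
    v = _IV
    for off in range(0, len(padded), 64):
        v = _compress(v, padded[off:off + 64])
    return struct.pack(">8I", *v)


def sm3_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC with SM3 as the hash (RFC 2104 construction, 64-byte block)."""
    if len(key) > 64:
        key = sm3(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sm3(opad + sm3(ipad + msg))


def build_mesg(lba: int, lunid: int, tid: int) -> bytes:
    """Step 501: MESG = LBA || LUNID || TID (assumed widths 8/4/1 bytes)."""
    return (lba.to_bytes(8, "big") + lunid.to_bytes(4, "big")
            + tid.to_bytes(1, "big"))


def sector_block_key(lbk: bytes, tid: int, lunid: int, lba: int) -> bytes:
    """Steps 502-504: HMAC the connection string under LBK, fold the halves."""
    if len(lbk) != 16:
        raise ValueError("working key LBK must be 128 bits")
    first = sm3_hmac(lbk, build_mesg(lba, lunid, tid))   # 32-byte first hash
    second, third = first[:16], first[16:]               # equal byte split
    return bytes(x ^ y for x, y in zip(second, third))   # 16-byte SBK


if __name__ == "__main__":
    # Constructed sample working key; in the patent LBK = SM4(LKF, LUNID, ECB).
    lbk = bytes(range(16))
    k_a = sector_block_key(lbk, tid=1, lunid=7, lba=0x1000)
    k_b = sector_block_key(lbk, tid=2, lunid=7, lba=0x1000)  # another array
    print("SBK on array 1:", k_a.hex())
    print("SBK on array 2:", k_b.hex(), "(differs: only TID changed)")
```

Running the script shows the property the text relies on: with LBK, LUNID and LBA unchanged, a different disk array number alone yields a different sector block key.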
As shown in fig. 6, in some embodiments of the present application, before the obtaining the working key of the target logical unit, the method may further include:
601. Acquire the logical unit number of each logical unit of the plurality of disk arrays.
In this embodiment, the logical unit numbers are assigned to the logical units of each disk array by the device administrator before the encryption and decryption are performed by using the fibre channel storage crypto engine 300, the logical unit numbers of the logical units of the same disk array are different, and the logical unit numbers of the same logical unit of different disk arrays are the same.
602. Acquire the working key corresponding to each logical unit, randomly generated in advance.
In a specific embodiment, after the fiber channel storage cryptographic engine 300 is powered on and passes the authentication, the corresponding working key is generated for each logical unit of each disk array, and in a normal case, the fiber channel storage cryptographic engine 300 can store at most the ciphertext information of 1024 working keys, so that after the fiber channel storage cryptographic engine 300 passes the power-on authentication, the fiber channel storage cryptographic engine 300 can generate 1024 working keys at one time.
603. Generate a key mapping relation table from the logical unit numbers of the logical units of the disk arrays and the working keys corresponding to the logical units, in which the logical unit numbers of the logical units of the disk arrays correspond one to one with the working keys of the logical units.
In the embodiment of the present application, the key mapping relationship table is stored in a protocol parsing engine (FPGA) of the fibre channel storage crypto machine 300, and reflects a one-to-one correspondence between the logic unit numbers of the logic units of the plurality of disk arrays and the working keys corresponding to the logic units.
As shown in fig. 7, in some embodiments of the present application, before the obtaining the working key of the target logical unit, the method may further include:
701. Acquire the disk array numbers of the plurality of disk arrays.
In this embodiment, the serial number of the disk array is an identifier that uniquely identifies the disk array and is allocated to each disk array by the device administrator before encryption and decryption are performed by using the fibre channel storage cryptographic machine 300, and therefore the serial numbers of the disk arrays are different.
702. Acquire the logical unit number of each logical unit of the plurality of disk arrays.
In this embodiment, the logical unit numbers are assigned to the logical units of each disk array by the device administrator before the encryption and decryption are performed by using the fibre channel storage crypto engine 300, the logical unit numbers of the logical units of the same disk array are different, and the logical unit numbers of the same logical unit of different disk arrays are the same.
703. Generate a disk mapping table from the disk array numbers of the plurality of disk arrays and the logical unit numbers of their logical units, in which the disk array numbers of the disk arrays correspond one to one with the logical unit numbers of the logical units of the disk arrays.
In this embodiment, the disk mapping table is stored in a protocol parsing engine (FPGA) of the fibre channel storage crypto engine 300, and reflects a one-to-one correspondence between the disk array numbers of the plurality of disk arrays and the logic unit numbers of the logic units of the plurality of disk arrays.
Assuming that the storage space of a logical unit on a disk array is 1TB and the size of a sector is 1MB, the number of sector block keys allocated to the logical unit by the fibre channel storage crypto engine 300 reaches the million level; one fibre channel storage crypto engine 300 supports at most 64 disk arrays, each disk array can be configured with at most 1024 logical units, and the total number of allocatable sector block keys in the fibre channel storage crypto engine 300 exceeds one trillion. The sector block key of the embodiment of the present application can therefore serve as a session key meeting the commercial cryptography (SM) standard, satisfying the requirement that each session has its own session key.
On the other hand, because the number of read-write operations over the design life cycle of each logical unit is within 3000, the ciphertext produced by a 1MB sector over its whole life cycle is less than 3GB, and data of that magnitude is not enough to recover the sector block key by attacks on the ciphertext data. The embodiment of the present application thus adopts the double-key combination of working key and sector block key, improving the availability and usability of storage encryption and decryption and ensuring its security.
In addition, the fibre channel storage crypto engine 300 in this embodiment may also operate in a cluster mode, that is, multiple fibre channel storage crypto engines 300 may operate in a master-slave arrangement. In that case only the logical block key factor of the master device in the cluster needs to be encrypted and distributed; each cluster partner device receives the encrypted logical block key factor distributed by the master device, decrypts it, and encrypts the logical unit number of each logical unit of the disk arrays attached to its own fibre channel storage crypto engine 300 with the SM4 cryptographic algorithm to generate the working keys. When the master and standby fibre channel storage crypto engines 300 access the same sector of the same logical unit of the same disk array, they obtain the same sector block key according to step 304 or steps 501 to 504 above. By transferring only the logical block key factor between the devices in a cluster, the consistency of sector block keys across devices is ensured, while the insecurity of transmitting the actual encryption key, i.e. the sector block key, is avoided; this improves the security of storage encryption and decryption and allows the fibre channel storage crypto engines 300 to be applied more widely in cluster environments.
In order to better implement the sector block key generation method in the embodiment of the present application, on the basis of the sector block key generation method, the embodiment of the present application further provides a sector block key generation device, where the sector block key generation device is applied to the fiber channel storage crypto engine 300, the fiber channel storage crypto engine 300 is located in a storage area network system, the storage area network system further includes a memory 400 and a server 100, which are communicatively connected to the fiber channel storage crypto engine 300, the memory 400 includes a plurality of disk arrays, the plurality of disk arrays include a target disk array where to-be-processed data is located, as shown in fig. 8, the sector block key generation device 800 includes:
an obtaining module 801, configured to obtain a Fibre Channel protocol packet exchanged between the storage and the server;
an analyzing module 802, configured to analyze the fibre channel protocol packet to obtain a logical unit number of a target logical unit where the to-be-processed data is located and a sector address of a target sector where the to-be-processed data is located;
a working key obtaining module 803, configured to obtain a working key of the target logic unit according to the logic unit number of the target logic unit;
a sector block key generating module 804, configured to perform hash operation on the disk array number of the target disk array, the logical unit number of the target logical unit, and the sector address of the target sector by using the working key, so as to obtain the sector block key.
In some embodiments of the present application, the work key obtaining module 803 is specifically configured to:
acquiring a logic unit number of a target logic unit where the data to be processed is located in the target disk array;
acquiring a logic block key factor randomly generated in advance;
and encrypting the logic unit number of the target logic unit according to the logic block key factor to obtain a working key of the target logic unit.
In some embodiments of the present application, the sector block key generation module 804 is specifically configured to:
performing series connection processing on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain a connection string;
performing hash operation on the connection string to obtain a first hash;
dividing the first hash into a second hash and a third hash according to the byte number;
and carrying out XOR processing on each byte of the second hash and each byte of the third hash in sequence according to byte number to obtain the sector block key.
In some embodiments of the present application, the sector block key generation apparatus 800 further includes a key mapping table module 805, where the key mapping table module 805 is specifically configured to:
acquiring the logic unit number of each logic unit of the plurality of disk arrays;
acquiring a working key corresponding to each logic unit randomly generated in advance;
and generating a key mapping relation table according to the logic unit numbers of the logic units of the disk arrays and the working keys corresponding to the logic units, wherein in the key mapping relation table, the logic unit numbers of the logic units of the disk arrays correspond to the working keys corresponding to the logic units one by one.
In some embodiments of the present application, the sector block key generating apparatus 800 further includes a disk mapping table module 806, where the disk mapping table module 806 is specifically configured to:
acquiring the disk array numbers of the plurality of disk arrays;
acquiring the logic unit number of each logic unit of the plurality of disk arrays;
and generating a disk mapping table according to the disk array numbers of the multiple disk arrays and the logic unit numbers of the logic units of the multiple disk arrays, wherein the disk array numbers of the multiple disk arrays in the disk mapping table correspond to the logic unit numbers of the logic units of the multiple disk arrays one by one.
An embodiment of the present application further provides an apparatus, which integrates any one of the sector block key generation devices provided in the embodiment of the present application, where the apparatus includes:
one or more processors;
a memory; and
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the processor for performing the steps of the sector block key generation method described in any of the above embodiments of the sector block key generation method.
The embodiment of the present invention further provides a device, which integrates any sector block key generation apparatus provided in the embodiment of the present application. As shown in fig. 9, it shows a schematic structural diagram of the apparatus according to the embodiment of the present application, specifically:
the apparatus may include components such as a processor 901 of one or more processing cores, memory 902 of one or more computer-readable storage media, a power supply 903, and an input unit 904. Those skilled in the art will appreciate that the configuration of the apparatus shown in fig. 9 does not constitute a limitation of the apparatus and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
The processor 901 is the control center of the apparatus: it connects the various parts of the entire apparatus through various interfaces and lines, and performs the functions of the apparatus and processes data by running or executing the software programs and/or modules stored in the memory 902 and calling the data stored in the memory 902, thereby monitoring the apparatus as a whole. Optionally, the processor 901 may include one or more processing cores; the processor 901 may be a Central Processing Unit (CPU), another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general purpose processor may be a microprocessor or any conventional processor. Preferably, the processor 901 may integrate an application processor, which mainly handles the operating system, user interfaces and application programs, and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may also not be integrated into the processor 901.
The memory 902 may be used to store software programs and modules, and the processor 901 executes various functional applications and data processing by running the software programs and modules stored in the memory 902. The memory 902 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function or an image playing function), and the like, and the data storage area may store data created during use of the server, and the like. Further, the memory 902 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. Accordingly, the memory 902 may also include a memory controller to provide the processor 901 with access to the memory 902.
The device further comprises a power supply 903 for supplying power to each component, and preferably, the power supply 903 may be logically connected to the processor 901 through a power management system, so that functions of managing charging, discharging, power consumption, and the like are realized through the power management system. The power supply 903 may also include any component including one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The device may also include an input unit 904, the input unit 904 operable to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit and the like, which will not be described in detail herein. Specifically, in this embodiment, the processor 901 in the device loads the executable file corresponding to the process of one or more application programs into the memory 902 according to the following instructions, and the processor 901 runs the application programs stored in the memory 902, thereby implementing various functions as follows:
acquiring a fiber channel protocol message of interaction between the memory and the server;
analyzing the optical fiber channel protocol message to obtain the logic unit number of the target logic unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located;
acquiring a working key of the target logic unit according to the logic unit number of the target logic unit;
and carrying out hash operation on the disk array number of the target disk array, the logic unit number of the target logic unit and the sector address of the target sector by using the working key to obtain the sector block key.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention provides a computer-readable storage medium, which may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like. A computer program stored on it is loaded by a processor to execute the steps of any sector block key generation method provided by the embodiments of the present application. For example, the computer program may be loaded by a processor to perform the steps of:
acquiring a Fibre Channel protocol message exchanged between the storage and the server;
parsing the Fibre Channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located;
acquiring the working key of the target logical unit according to the logical unit number of the target logical unit;
and performing a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed descriptions of other embodiments, and are not described herein again.
In a specific implementation, each unit or structure may be implemented as an independent entity, or may be combined arbitrarily to be implemented as one or several entities, and the specific implementation of each unit or structure may refer to the foregoing embodiments, which are not described herein again.
The sector block key generation method, apparatus, device and storage medium provided in the embodiments of the present application have been described in detail above. A specific example has been used to explain the principle and implementation of the present application, and the description of the above embodiments is intended only to help in understanding the method and core ideas of the present application. Those skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (8)

1. A sector block key generation method, applied to a Fibre Channel storage cryptographic machine, wherein the Fibre Channel storage cryptographic machine is located in a storage area network system, the storage area network system further comprises a storage and a server that are communicatively connected to the Fibre Channel storage cryptographic machine, the storage comprises a plurality of disk arrays, the plurality of disk arrays comprise a target disk array where the data to be processed is located, and the sector block key is used for encrypting or decrypting the data to be processed, the method comprising:
acquiring a Fibre Channel protocol message exchanged between the storage and the server;
parsing the Fibre Channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located;
acquiring the working key of the target logical unit according to the logical unit number of the target logical unit;
and performing a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key.
2. The method of claim 1, wherein acquiring the working key of the target logical unit comprises:
acquiring the logical unit number of the target logical unit, in the target disk array, where the data to be processed is located;
acquiring a logical block key factor generated randomly in advance;
and encrypting the logical unit number of the target logical unit with the logical block key factor to obtain the working key of the target logical unit.
3. The method of claim 1, wherein performing the hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key comprises:
concatenating the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain a connection string;
performing a hash operation on the connection string to obtain a first hash;
splitting the first hash by byte count into a second hash and a third hash;
and XORing each byte of the second hash with the corresponding byte of the third hash, in byte order, to obtain the sector block key.
4. The method of claim 1, wherein, before acquiring the working key of the target logical unit, the method further comprises:
acquiring the logical unit number of each logical unit of the plurality of disk arrays;
acquiring a working key, generated randomly in advance, corresponding to each logical unit;
and generating a key mapping table from the logical unit numbers of the logical units of the plurality of disk arrays and the working keys corresponding to the logical units, wherein in the key mapping table the logical unit number of each logical unit corresponds one-to-one to the working key of that logical unit.
5. The method of claim 1, wherein, before acquiring the working key of the target logical unit, the method further comprises:
acquiring the disk array numbers of the plurality of disk arrays;
acquiring the logical unit number of each logical unit of the plurality of disk arrays;
and generating a disk mapping table from the disk array numbers of the plurality of disk arrays and the logical unit numbers of the logical units of the plurality of disk arrays, wherein in the disk mapping table the disk array numbers of the plurality of disk arrays correspond one-to-one to the logical unit numbers of the logical units of the plurality of disk arrays.
6. A sector block key generation apparatus, comprising:
an acquisition module, configured to acquire a Fibre Channel protocol message exchanged between the storage and the server;
a parsing module, configured to parse the Fibre Channel protocol message to obtain the logical unit number of the target logical unit where the data to be processed is located and the sector address of the target sector where the data to be processed is located;
a working key acquisition module, configured to acquire the working key of the target logical unit according to the logical unit number of the target logical unit;
and a sector block key generation module, configured to perform a hash operation, using the working key, on the disk array number of the target disk array, the logical unit number of the target logical unit and the sector address of the target sector to obtain the sector block key.
7. An apparatus, comprising:
one or more processors;
a memory; and
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors to implement the sector block key generation method of any one of claims 1 to 5.
8. A computer-readable storage medium having stored thereon a computer program which, when loaded by a processor, executes the steps of the sector block key generation method of any one of claims 1 to 5.
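The procedure in claims 1 to 5 (and the identical function list in the device and storage-medium embodiments above) leaves the concrete parsing and the primitives open: which Fibre Channel message carries the LUN and sector address, what "hash operation using the working key" means, and how the three fields are concatenated. The following is an added example, not code from the patent or its applicant, that carries the whole derivation through on a constructed FCP_CMND request. It assumes HMAC-SHA256 for the keyed hash, a keyed PRF (again HMAC-SHA256) as a stand-in for the unnamed cipher in claim 2, fixed-width big-endian packing of array number, LUN and sector, and a small constructed disk mapping table; the function and table names are the example's own.

```python
# Added example (not code from the patent or its applicant): the derivation
# described in claims 1-5 of CN113810179A, with the details the patent leaves
# open filled in by stated assumptions (see comments marked ASSUMPTION).
import hashlib
import hmac
import struct

FCP_CMND_LEN = 32  # FCP_CMND IU: 8-byte FCP_LUN, 4 control bytes, 16-byte CDB, 4-byte FCP_DL


def parse_fcp_lun(lun8: bytes) -> int:
    """Decode the 8-byte FCP_LUN field. Handles peripheral device addressing
    (method 00, bus 0) and single-level flat space addressing (method 01);
    other SAM addressing methods are rejected rather than guessed."""
    method = lun8[0] >> 6
    if method == 0:
        if lun8[0] & 0x3F:
            raise ValueError("multi-level peripheral addressing not supported")
        return lun8[1]
    if method == 1:
        return ((lun8[0] & 0x3F) << 8) | lun8[1]
    raise ValueError(f"unsupported LUN addressing method {method}")


def parse_fcp_cmnd(iu: bytes):
    """Claim 1, step 2: pull (lun, lba, block_count, is_write) out of an FCP_CMND
    IU whose CDB is READ/WRITE(10) or READ/WRITE(16)."""
    if len(iu) < FCP_CMND_LEN:
        raise ValueError("short FCP_CMND IU")
    lun = parse_fcp_lun(iu[0:8])
    cdb = iu[12:28]
    op = cdb[0]
    if op in (0x28, 0x2A):        # READ(10) / WRITE(10): 4-byte LBA, 2-byte length
        lba = int.from_bytes(cdb[2:6], "big")
        count = int.from_bytes(cdb[7:9], "big")
    elif op in (0x88, 0x8A):      # READ(16) / WRITE(16): 8-byte LBA, 4-byte length
        lba = int.from_bytes(cdb[2:10], "big")
        count = int.from_bytes(cdb[10:14], "big")
    else:
        raise ValueError(f"unsupported CDB opcode 0x{op:02x}")
    return lun, lba, count, op in (0x2A, 0x8A)


def working_key(key_factor: bytes, lun: int) -> bytes:
    """Claim 2: working key = Enc(key_factor, LUN).
    ASSUMPTION: the claim names no cipher; HMAC-SHA256 is used here as a keyed
    PRF stand-in so the example runs on the standard library alone."""
    return hmac.new(key_factor, struct.pack(">H", lun), hashlib.sha256).digest()


def sector_block_key(wk: bytes, array_no: int, lun: int, sector: int) -> bytes:
    """Claim 3: hash(array_no || lun || sector) under the working key, then
    fold the two halves of the digest together with XOR.
    ASSUMPTION: "hash operation using the working key" is read as HMAC-SHA256,
    and the three fields are packed fixed-width big-endian (4 | 2 | 8 bytes) so
    the concatenation cannot be parsed two ways."""
    connection_string = struct.pack(">IHQ", array_no, lun, sector)
    first_hash = hmac.new(wk, connection_string, hashlib.sha256).digest()
    second_hash, third_hash = first_hash[:16], first_hash[16:]
    return bytes(a ^ b for a, b in zip(second_hash, third_hash))


# Claim 5 style disk mapping table (constructed): LUN -> disk array number.
DISK_MAP = {5: 1, 6: 1, 7: 2}


def keys_for_request(fcp_cmnd: bytes, key_factor: bytes, disk_map=DISK_MAP):
    """Claims 1-5 end to end: one sector block key per block the request touches."""
    lun, lba, count, _ = parse_fcp_cmnd(fcp_cmnd)
    wk = working_key(key_factor, lun)
    return [sector_block_key(wk, disk_map[lun], lun, lba + i) for i in range(count)]


def build_fcp_cmnd(lun: int, lba: int, count: int, write: bool = False) -> bytes:
    """Constructed sample input: a 32-byte FCP_CMND carrying READ(10)/WRITE(10)
    for a LUN in peripheral device addressing, as a host would put on the wire."""
    cdb = (bytes([0x2A if write else 0x28, 0x00]) + lba.to_bytes(4, "big")
           + b"\x00" + count.to_bytes(2, "big") + b"\x00").ljust(16, b"\x00")
    control = bytes([0x00, 0x00, 0x00, 0x01 if write else 0x02])  # CRN, attr, TM flags, WRDATA/RDDATA
    return bytes([0x00, lun]) + b"\x00" * 6 + control + cdb + struct.pack(">I", count * 512)


if __name__ == "__main__":
    factor = b"\x11" * 16  # constructed key factor; a real machine draws it from its own RNG
    req = build_fcp_cmnd(lun=5, lba=0x1000, count=2)
    for i, k in enumerate(keys_for_request(req, factor)):
        print(f"LUN 5 sector {0x1000 + i:#x}: {k.hex()}")
```

Two points a practitioner should take from running this. First, the disk array number, LUN and sector address all travel in the clear on the fabric, so the only secret in the derivation is the working key (and, behind it, the key factor); what the construction buys is key separation, in that a key recovered for one sector says nothing about its neighbours and replacing a LUN's working key re-keys every sector of that LUN at once. Second, the sector block key is a deterministic function of position, so it carries no freshness: writing the same plaintext to the same sector under the same working key yields the same ciphertext, which is the usual property of a tweak rather than of a fresh per-write key. The ValueError paths are where an in-line cryptographic machine has to decide policy for traffic it cannot parse, and rejecting such a request is safer than forwarding it untouched.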
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202010546514.2A | CN113810179A (en) | 2020-06-16 | 2020-06-16 | Sector block key generation method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113810179A true CN113810179A (en) 2021-12-17

Family

ID=78892478

Family Applications (1)

Application Number | Publication | Title | Priority Date | Filing Date | Status
CN202010546514.2A | CN113810179A (en) | Sector block key generation method, device, equipment and storage medium | 2020-06-16 | 2020-06-16 | Pending

Country Status (1)

Country Link
CN (1) CN113810179A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1924835A (en) * | 2006-09-01 | 2007-03-07 | 西安交通大学 | Dynamic key based hardware data enciphering method and device thereof
US20090034715A1 (en) * | 2007-07-31 | 2009-02-05 | Arul Selvan Ramasamy | Systems and methods for encrypting data
JP4463320B1 (en) * | 2009-06-12 | 2010-05-19 | 株式会社ハギワラシスコム | ENCRYPTION STORAGE DEVICE, INFORMATION DEVICE, AND ENCRYPTION STORAGE DEVICE SECURITY METHOD
CN109033849A (en) * | 2018-06-29 | 2018-12-18 | 无锡艾立德智能科技有限公司 | The encryption method and device encrypted to deposit data of magnetic disk array



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211217