CN113938278A - Key management and protection method for encrypted hard disk - Google Patents

Key management and protection method for encrypted hard disk Download PDF

Info

Publication number
CN113938278A
CN113938278A CN202111238902.5A CN202111238902A CN113938278A CN 113938278 A CN113938278 A CN 113938278A CN 202111238902 A CN202111238902 A CN 202111238902A CN 113938278 A CN113938278 A CN 113938278A
Authority
CN
China
Prior art keywords
key
hard disk
management system
encryption
key management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111238902.5A
Other languages
Chinese (zh)
Other versions
CN113938278B (en
Inventor
张宇轩
梁书铭
冯志华
罗重
李佩丽
安东博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Computer Technology and Applications filed Critical Beijing Institute of Computer Technology and Applications
Priority to CN202111238902.5A priority Critical patent/CN113938278B/en
Publication of CN113938278A publication Critical patent/CN113938278A/en
Application granted granted Critical
Publication of CN113938278B publication Critical patent/CN113938278B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a key management and protection method for an encrypted hard disk, belonging to the field of information security. The invention realizes the centralized management and protection of the hard disk key by using the key management system, can distribute, back up and recover the hard disk encryption key, and uses a threshold scheme when backing up and recovering the key, so that the key which is backed up and stored is only the key component, and the key can be recovered only when at least t persons exist in n managers during backup, thereby improving the safety of the key management system. The invention divides the encryption key of the hard disk into two parts, one part is stored in the host, the other part is stored in the encryption hard disk, the host sends the key component to the hard disk to synthesize a complete key for decryption after the two-way authentication is carried out during the startup, thereby ensuring the physical separation of the encryption key and the protection data and enhancing the protection of the hard disk. By the method, the safety of the encrypted hard disk is improved.

Description

Key management and protection method for encrypted hard disk
Technical Field
The invention belongs to the field of information security, and particularly relates to a key management and protection method for an encrypted hard disk.
Background
The hard disk is used as a main data storage device of a computer, and once the hard disk is stolen or illegally accessed, confidential information and important data are leaked, and huge economic loss and security threats are brought to individuals, enterprises and governments. Therefore, the use of an encrypted hard disk as a storage medium is a common storage data protection method for enterprises and individuals.
The existing hard disk encryption technology can be divided into software encryption and hardware encryption. The software encryption technology, such as TrueCrypt, can establish a virtual disk on a hard disk without generating any file, a user can access the virtual disk according to a drive letter, and all files on the virtual disk are automatically encrypted and need to be accessed through a password. The slow operation speed of the software encryption technology and the insecurity of the system caused by reading the key into the memory make the hardware fully-encrypted hard disk an important choice. Most of the mainstream hardware encryption hard disk technologies in the market today store the key in the hard disk itself, and synthesize the key through a common password to form the final key. In the other part of the hard disk encryption technology, an encryption key is divided into two parts, one part of key components is stored in external equipment such as UKey, and the key components are transmitted to generate a key in a combined manner when the hard disk needs to encrypt and decrypt data, so that the physical separation of the encryption key and the protected data is realized.
At present, most hardware encryption hard disk technologies mostly adopt the method of storing the secret key in the hard disk, which is not beneficial to the centralized management and the hierarchical protection of the secret key, and an attacker can obtain the secret key by means of direct hard disk reading and the like under the condition of mastering a secret key protection scheme, so that important data stored in a hard disk medium is leaked. The other part of the encryption hard disk technology stores part of the key components in the external equipment, although the method can improve the security of the encryption hard disk to a certain extent, the problems of backup and recovery of the key and the like are not solved, if the key components are damaged or lost and the like, the encrypted data in the encryption hard disk cannot be decrypted, and serious consequences can be caused.
Disclosure of Invention
Technical problem to be solved
The technical problem to be solved by the invention is how to provide a key management and protection method for an encrypted hard disk, so as to solve the problems that the existing hardware encrypted hard disk technology is not beneficial to centralized management and hierarchical protection of keys, and the backup recovery of keys is not solved.
(II) technical scheme
In order to solve the technical problem, the invention provides a key management and protection method of an encrypted hard disk, which is applied to a system comprising the encrypted hard disk, a key management system, identity authentication equipment and a host;
encrypting an operating system of a hard disk storage host, and storing an encryption key component;
the key management system is arranged on a server independent outside the host and used for distributing, backing up and recovering keys for the equipment under the operation of an administrator;
the identity authentication equipment is used for an administrator to log in the key management system;
the host is used for loading the hard disk, binding the hard disk and storing the component of the encryption key in the encrypted hard disk in the host; when the host is started, the host and the encrypted hard disk are subjected to bidirectional authentication, and after the authentication is passed, the key components are sent to the hard disk and combined to form an encrypted key to decrypt data of the hard disk;
the method comprises the following steps:
s11, the administrator connects the host and the encryption hard disk and then carries out initialization power-on, respectively generates a public and private key pair of identity authentication when the initialization power-on, and respectively exchanges public keys after encrypting the public keys by using own device secret keys;
s12, the administrator connects the identity authentication device, the host and the encrypted hard disk to the server or the single machine where the key management system is located, and inputs the PIN code of the identity authentication device in the key management system, and the key management system interacts with the identity authentication device to authenticate the identity of the administrator;
s13, verifying the PIN code by the identity authentication equipment, requesting retry after verification failure, and self-locking after the failure times exceed a certain threshold;
s14, after the identity authentication of the administrator is passed, operating the key management system to transmit the device key of the corresponding host computer into the hard disk, destroying the device key of the host computer after the hard disk decrypts the authentication public key of the host computer by using the device key, then operating the key management system by the administrator to transmit the device key of the corresponding hard disk into the host computer, and destroying the device key after the host computer decrypts the authentication public key of the hard disk by using the device key;
s15, the administrator generates a key in the key management system to generate an encryption key;
s16, the generated encryption key is divided into two parts, and the two parts are respectively encrypted by the corresponding device key and then injected into the corresponding hard disk and host.
Further, the device key is a key carried by the device at the time of factory shipment, and the device key is manually imported into the key management system before key distribution.
Further, in step S12, the authentication device, the host and the encrypted hard disk are connected to the key management server or the stand-alone machine where the system is located through a SATA interface or a USB interface.
Further, the identity authentication device is a UKey or a password card.
Furthermore, the identity authentication equipment needs to have a public and private key pair, and can perform asymmetric encryption and decryption operations.
The invention also provides a backup method of the encryption key, which comprises the following steps:
s21, the n administrators log in the key management system by using the identity authentication equipment of the administrators, and the identity authentication equipment identifies the PIN codes input by the administrators in the key management system;
s22, after the authentication is passed, the n identity authentication devices respectively transmit the self device numbers SID to the key management system;
s23, when generating and distributing the key, the inside of the key management system calculates the encryption key by using a threshold scheme to obtain n parts of sub-keys, wherein the x part of sub-keys is f (x), and the n parts of sub-keys are respectively sent to n identity authentication devices;
s24, the xth identity authentication device encrypts < x, f (x) > by using the own public key to obtain a ciphertext S (x), and sends the ciphertext S (x) and the own device number SIDx to the key management system;
and S25, the key management system saves the received information and the device number UID of the corresponding hard disk or host in a background database of the key management system.
The invention also provides a host computer starting method, the host computer loads the encrypted hard disk, the method comprises the following steps:
s31, after the host computer is started, the host computer actively carries out bidirectional authentication with the encrypted hard disk;
s32, after the bidirectional authentication is passed, the host sends the encryption key component stored by the host to the encryption hard disk;
s33, the encryption hard disk receives the encryption key component, and the encryption key component stored by the encryption hard disk are combined into a complete key component, and at the moment, the encryption hard disk can use the key to decrypt the stored data;
s34, the encryption hard disk is provided with an operating system of the host, the operating system is decrypted by using the encryption key, after the boot, the system is started, and the read-write operation can be carried out on the encryption disk after the boot.
The invention also provides an encryption key recovery method, which comprises the following steps:
s41, if the hard disk encryption key is lost, inserting the encryption hard disk and at least t identity authentication devices in the key management system, and the identity authentication devices identifying the PIN code input by the administrator;
s42, after passing the authentication, the service person transmits the device number UID of the hard disk of the key to be recovered to the key management system, and the identity authentication device transmits the device number SID of the identity authentication device to the key management system;
s43, the key management system acquires the backup encrypted sub-key corresponding to the device number from the database of the key management system and sends the encrypted sub-key to the identity authentication device corresponding to the SID for decryption;
s44, the identity authentication device decrypts the sub-key by using the private key of the identity authentication device and sends the sub-key to the key management system;
s45, the key management system sends the sub-key to the encrypted hard disk, and synthesizes the corresponding encrypted key component in the encrypted hard disk.
Further, t is 3 and n is 5.
Further, in step S45, corresponding encryption key components are synthesized inside the encrypted hard disk by using the lagrange interpolation method.
(III) advantageous effects
The invention provides a key management and protection method of an encrypted hard disk, which is an encrypted hard disk key management method capable of protecting, distributing, backing up and recovering the key of the encrypted hard disk, wherein the encrypted key is divided into two parts, one part is stored in the hard disk, the other part is stored in a host, and the two parts are combined when needed; and a key management system is added, so that the centralized management of the key can be realized, the hierarchical protection and backup recovery of the key are facilitated, and the safety of data stored in the hard disk and the safety of the key can be improved.
The invention realizes the management and protection of the encryption key in the encryption hard disk by adding the key management system. The key management system realizes the distribution of the encryption key of the encrypted hard disk, and divides the encryption key into two parts, one part is stored in the host computer, and the other part is stored on the encrypted hard disk, thereby realizing the safety protection of the encryption key; after the key distribution is realized, the key management system divides the encryption key of the encryption hard disk into a plurality of key components through a threshold algorithm and stores the key components in the key management system; if the encryption key is lost, then the key can be recovered by the key management system. Through the functions, the invention realizes the centralized management and protection of the encryption key in the encrypted hard disk, enhances the security of the encrypted hard disk, ensures that a computer loaded with the encrypted hard disk becomes safer, and is suitable for occasions with higher requirements on security.
Compared with the prior art, the invention realizes the centralized management and protection of the hard disk secret key by using the secret key management system, can distribute, back up and restore the hard disk encryption secret key, uses a threshold scheme when backing up and restoring the secret key, ensures that the secret key stored by backup is only a secret key component, ensures that at least t persons in n managers can restore the secret key when backing up, and improves the safety of the secret key management system. In addition, the invention divides the encryption key of the hard disk into two parts, one part is stored in the host, the other part is stored in the encryption hard disk, the host sends the key component to the hard disk to synthesize a complete key for decryption after the two-way authentication is carried out during the startup, thereby ensuring the physical separation of the encryption key and the protection data and enhancing the protection of the hard disk. By the method, the security of the encrypted hard disk is improved, and the security management and protection of the encrypted key of the encrypted hard disk are enhanced.
Drawings
FIG. 1 is an overall view of the solution of the invention;
FIG. 2 is a key distribution flow diagram;
FIG. 3 is a key backup flow diagram;
FIG. 4 is a flowchart of the boot process of the encrypted hard disk;
fig. 5 is a flowchart of the encrypted hard disk key recovery.
Detailed Description
In order to make the objects, contents and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
The invention aims to provide a method for managing the key of the encrypted hard disk, which can protect, distribute, backup and restore the key of the encrypted hard disk. The encryption key is divided into two parts, one part is stored in the hard disk, the other part is stored in the host, and the two parts are combined when needed; and a key management system is added, so that the centralized management of the key can be realized, the hierarchical protection and backup recovery of the key are facilitated, and the safety of data stored in the hard disk and the safety of the key can be improved.
A key management and protection method for encrypted hard disk can be applied to occasions with higher requirement on safety. As shown in fig. 1, the method is applied to a system including an encrypted hard disk, a key management system, an identity authentication device, and a host; the operating system of the hard disk storage host can be encrypted to safely encrypt and store data and decrypt and output the data, and an encryption key component is stored; the key management system is arranged on a server independent outside the host computer, and can distribute, back up and restore keys to the equipment under the operation of an administrator; the identity authentication equipment is used for a manager to log in the key management system, can be an UKey or a password card and the like, and can carry out asymmetric encryption and decryption operations as the identity authentication equipment needs to have a public and private key pair; the host is used for loading the hard disk and binding the hard disk, the component of the encryption key in the encrypted hard disk is stored in the host, the host and the encrypted hard disk are subjected to bidirectional authentication when the host is started, the key component can be sent to the hard disk after the authentication is passed, and the key component is combined into the encryption key to decrypt data of the hard disk.
As shown in fig. 2, the initialization operation of the encrypted hard disk and the host includes the following steps:
s11, the administrator connects the host and the encryption hard disk and then carries out initialization power-on, respectively generates a public and private key pair of identity authentication when the initialization power-on, and respectively exchanges public keys after encrypting the public keys by using own device secret keys;
s12, the administrator connects the identity authentication device, the host and the encrypted hard disk to the server or the single machine where the key management system is located, and inputs the PIN code of the identity authentication device in the key management system, and the key management system interacts with the identity authentication device to authenticate the identity of the administrator; further, the identity authentication device, the host and the encrypted hard disk are connected to the key management server or the stand-alone unit where the system is located through a SATA interface or a USB interface.
S13, verifying the PIN code by the identity authentication equipment, requesting retry after verification failure, and self-locking after the failure times exceed a certain threshold;
s14, after the identity authentication of the administrator is passed, operating the key management system to transmit the device key of the corresponding host computer into the hard disk, destroying the device key of the host computer after the hard disk decrypts the authentication public key of the host computer by using the device key, then operating the key management system by the administrator to transmit the device key of the corresponding hard disk into the host computer, and destroying the device key after the host computer decrypts the authentication public key of the hard disk by using the device key;
s15, the administrator generates a key in the key management system to generate an encryption key;
s16, dividing the generated encryption key into two parts, which are respectively encrypted by using corresponding device keys and then injected into corresponding hard disks and hosts;
as shown in fig. 3, the backup procedure of the encryption key is as follows:
s21, the n administrators log in the key management system by using the identity authentication equipment of the administrators, and the identity authentication equipment identifies the PIN codes input by the administrators in the key management system;
s22, after the authentication is passed, the n identity authentication devices respectively transmit the self device numbers SID to the key management system;
s23, when generating and distributing the key, the inside of the key management system calculates the encryption key by using a threshold scheme to obtain n parts of sub-keys, wherein the x part of sub-keys is f (x), and the n parts of sub-keys are respectively sent to n identity authentication devices;
s24, the xth identity authentication device encrypts < x, f (x) > by using the own public key to obtain a ciphertext S (x), and sends the ciphertext S (x) and the own device number SIDx to the key management system;
and S25, the key management system saves the received information and the device number UID of the corresponding hard disk or host in a background database of the key management system.
As shown in fig. 4, the starting process of the host loaded with the encrypted hard disk is as follows:
s31, after the host computer is started, the host computer actively carries out bidirectional authentication with the encrypted hard disk;
s32, after the bidirectional authentication is passed, the host sends the encryption key component stored by the host to the encryption hard disk;
s33, the encryption hard disk receives the encryption key component, and the encryption key component stored by the encryption hard disk are combined into a complete key component, and at the moment, the encryption hard disk can use the key to decrypt the stored data;
s34, the encryption hard disk is provided with an operating system of the host, the operating system is decrypted by using the encryption key, after the boot, the system is started, and the read-write operation can be carried out on the encryption disk after the boot.
As shown in fig. 5, the recovery flow of the encryption key includes the following steps:
s41, if the hard disk encryption key is lost, inserting the encryption hard disk and at least t identity authentication devices in the key management system, and the identity authentication devices identifying the PIN code input by the administrator; for example, t is 3, n is 5;
s42, after passing the authentication, the service person transmits the device number UID of the hard disk of the key to be recovered to the key management system, and the identity authentication device transmits the device number SID of the identity authentication device to the key management system;
s43, the key management system acquires the backup encrypted sub-key corresponding to the device number from the database of the key management system and sends the encrypted sub-key to the identity authentication device corresponding to the SID for decryption;
s44, the identity authentication device decrypts the sub-key by using the private key of the identity authentication device and sends the sub-key to the key management system;
and S45, the key management system sends the subkey to the encrypted hard disk, and the corresponding encrypted key component is synthesized in the encrypted hard disk by using a Lagrange interpolation method.
The identity authentication public and private key pair is generated during initialization, the hard disk and the host respectively store public keys of the other side and can be used for identity authentication of the host and the hard disk, and after authentication is passed, the host sends an encryption key component to the hard disk, so that the hard disk has a complete key and can encrypt and decrypt data; the device key is a key carried by the device when the device leaves a factory, the device key is manually introduced into a key management system before key distribution, and the device key can be directly used as a session key when the key distribution is carried out; the threshold scheme can divide the encryption key into n shares of components, and any key components larger than or equal to t shares can be combined to form a complete key.
The invention realizes the management and protection of the encryption key in the encryption hard disk by adding the key management system. The key management system realizes the distribution of the encryption key of the encrypted hard disk, and divides the encryption key into two parts, one part is stored in the host computer, and the other part is stored on the encrypted hard disk, thereby realizing the safety protection of the encryption key; after the key distribution is realized, the key management system divides the encryption key of the encryption hard disk into a plurality of key components through a threshold algorithm and stores the key components in the key management system; if the encryption key is lost, then the key can be recovered by the key management system. Through the functions, the invention realizes the centralized management and protection of the encryption key in the encrypted hard disk, enhances the security of the encrypted hard disk, ensures that a computer loaded with the encrypted hard disk becomes safer, and is suitable for occasions with higher requirements on security.
Compared with the prior art, the invention realizes the centralized management and protection of the hard disk secret key by using the secret key management system, can distribute, back up and restore the hard disk encryption secret key, uses a threshold scheme when backing up and restoring the secret key, ensures that the secret key stored by backup is only a secret key component, ensures that at least t persons in n managers can restore the secret key when backing up, and improves the safety of the secret key management system. In addition, the invention divides the encryption key of the hard disk into two parts, one part is stored in the host, the other part is stored in the encryption hard disk, the host sends the key component to the hard disk to synthesize a complete key for decryption after the two-way authentication is carried out during the startup, thereby ensuring the physical separation of the encryption key and the protection data and enhancing the protection of the hard disk. By the method, the security of the encrypted hard disk is improved, and the security management and protection of the encrypted key of the encrypted hard disk are enhanced.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A key management and protection method of an encrypted hard disk is characterized in that the method is applied to a system comprising the encrypted hard disk, a key management system, identity authentication equipment and a host;
encrypting an operating system of a hard disk storage host, and storing an encryption key component;
the key management system is arranged on a server independent outside the host and used for distributing, backing up and recovering keys for the equipment under the operation of an administrator;
the identity authentication equipment is used for an administrator to log in the key management system;
the host is used for loading the hard disk, binding the hard disk and storing the component of the encryption key in the encrypted hard disk in the host; when the host is started, the host and the encrypted hard disk are subjected to bidirectional authentication, and after the authentication is passed, the key components are sent to the hard disk and combined to form an encrypted key to decrypt data of the hard disk;
the method comprises the following steps:
s11, the administrator connects the host and the encryption hard disk and then carries out initialization power-on, respectively generates a public and private key pair of identity authentication when the initialization power-on, and respectively exchanges public keys after encrypting the public keys by using own device secret keys;
s12, the administrator connects the identity authentication device, the host and the encrypted hard disk to the server or the single machine where the key management system is located, and inputs the PIN code of the identity authentication device in the key management system, and the key management system interacts with the identity authentication device to authenticate the identity of the administrator;
s13, verifying the PIN code by the identity authentication equipment, requesting retry after verification failure, and self-locking after the failure times exceed a certain threshold;
s14, after the identity authentication of the administrator is passed, operating the key management system to transmit the device key of the corresponding host computer into the hard disk, destroying the device key of the host computer after the hard disk decrypts the authentication public key of the host computer by using the device key, then operating the key management system by the administrator to transmit the device key of the corresponding hard disk into the host computer, and destroying the device key after the host computer decrypts the authentication public key of the hard disk by using the device key;
s15, the administrator generates a key in the key management system to generate an encryption key;
s16, the generated encryption key is divided into two parts, and the two parts are respectively encrypted by the corresponding device key and then injected into the corresponding hard disk and host.
2. The key management and protection method of an encrypted hard disk according to claim 1, wherein the device key is a key that is carried by the device itself at the time of shipment, and the device key has been manually imported into the key management system before key distribution.
3. The key management and protection method of encrypted hard disk according to claim 1, wherein in step S12, the authentication device, the host and the encrypted hard disk are connected to the key management server or a stand-alone computer of the system through a SATA interface or a USB interface.
4. The key management and protection method of an encrypted hard disk according to claim 1, wherein the identity authentication device is a UKey or a password card.
5. The key management and protection method of encrypted hard disk according to claim 1, wherein the identity authentication device has a public and private key pair, and can perform asymmetric encryption and decryption operations.
6. A method for backup of encryption keys based on the method of any of claims 1-5, characterized in that the method comprises the steps of:
s21, the n administrators log in the key management system by using the identity authentication equipment of the administrators, and the identity authentication equipment identifies the PIN codes input by the administrators in the key management system;
s22, after the authentication is passed, the n identity authentication devices respectively transmit the self device numbers SID to the key management system;
s23, when generating and distributing the key, the inside of the key management system calculates the encryption key by using a threshold scheme to obtain n parts of sub-keys, wherein the x part of sub-keys is f (x), and the n parts of sub-keys are respectively sent to n identity authentication devices;
s24, the xth identity authentication device encrypts < x, f (x) > by using the own public key to obtain a ciphertext S (x), and sends the ciphertext S (x) and the own device number SIDx to the key management system;
and S25, the key management system saves the received information and the device number UID of the corresponding hard disk or host in a background database of the key management system.
7. A host startup method based on the method of any one of claims 1 to 5, characterized in that the host loads an encrypted hard disk, the method comprising the steps of:
s31, after the host computer is started, the host computer actively carries out bidirectional authentication with the encrypted hard disk;
s32, after the bidirectional authentication is passed, the host sends the encryption key component stored by the host to the encryption hard disk;
s33, the encryption hard disk receives the encryption key component, and the encryption key component stored by the encryption hard disk are combined into a complete key component, and at the moment, the encryption hard disk can use the key to decrypt the stored data;
s34, the encryption hard disk is provided with an operating system of the host, the operating system is decrypted by using the encryption key, after the boot, the system is started, and the read-write operation can be carried out on the encryption disk after the boot.
8. An encryption key recovery method based on the method of claim 6, characterized in that the method comprises the steps of:
s41, if the hard disk encryption key is lost, inserting the encryption hard disk and at least t identity authentication devices in the key management system, and the identity authentication devices identifying the PIN code input by the administrator;
s42, after passing the authentication, the service person transmits the device number UID of the hard disk of the key to be recovered to the key management system, and the identity authentication device transmits the device number SID of the identity authentication device to the key management system;
s43, the key management system acquires the backup encrypted sub-key corresponding to the device number from the database of the key management system and sends the encrypted sub-key to the identity authentication device corresponding to the SID for decryption;
s44, the identity authentication device decrypts the sub-key by using the private key of the identity authentication device and sends the sub-key to the key management system;
s45, the key management system sends the sub-key to the encrypted hard disk, and synthesizes the corresponding encrypted key component in the encrypted hard disk.
9. The key management and protection method of an encrypted hard disk according to claim 8, wherein t is 3 and n is 5.
10. The key management and protection method for the encrypted hard disk according to claim 8, wherein the step S45 is to synthesize the corresponding encryption key component by using lagrangian interpolation method inside the encrypted hard disk.
CN202111238902.5A 2021-10-25 2021-10-25 Key management and protection method for encrypted hard disk Active CN113938278B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111238902.5A CN113938278B (en) 2021-10-25 2021-10-25 Key management and protection method for encrypted hard disk

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111238902.5A CN113938278B (en) 2021-10-25 2021-10-25 Key management and protection method for encrypted hard disk

Publications (2)

Publication Number Publication Date
CN113938278A true CN113938278A (en) 2022-01-14
CN113938278B CN113938278B (en) 2024-03-15

Family

ID=79284056

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111238902.5A Active CN113938278B (en) 2021-10-25 2021-10-25 Key management and protection method for encrypted hard disk

Country Status (1)

Country Link
CN (1) CN113938278B (en)

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101165696A (en) * 2006-10-16 2008-04-23 中国长城计算机深圳股份有限公司 Safety identification method based on safe computer
US20080263363A1 (en) * 2007-01-22 2008-10-23 Spyrus, Inc. Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption
CN101788959A (en) * 2010-02-03 2010-07-28 武汉固捷联讯科技有限公司 Solid state hard disk secure encryption system
CN102508791A (en) * 2011-09-28 2012-06-20 梁守龙 Method and device for encrypting hard disk partition
US20120254602A1 (en) * 2011-03-01 2012-10-04 Softex Incorporated Methods, Systems, and Apparatuses for Managing a Hard Drive Security System
CN202711243U (en) * 2011-11-30 2013-01-30 航天信息股份有限公司 Encryption type movable storage device based on fingerprint authentication
CN103034817A (en) * 2012-12-06 2013-04-10 大连奥林匹克电子城腾飞办公设备商行 Hard disc encryption system for computer
CN103678174A (en) * 2012-09-11 2014-03-26 联想(北京)有限公司 Data safety method, storage device and data safety system
CN103701613A (en) * 2014-01-06 2014-04-02 立德高科(北京)数码科技有限责任公司 Bidirectional authentication method between authentication terminal and host and device
CN104503705A (en) * 2014-12-22 2015-04-08 吴剀劼 Trusted storage system constructed by flash memory devices and method for constructing trusted storage system by flash memory devices
CN104615938A (en) * 2015-02-25 2015-05-13 山东超越数控电子有限公司 Power-on authentication method based on solid-state hard disk drive
CN104951409A (en) * 2015-06-12 2015-09-30 中国科学院信息工程研究所 System and method for full disk encryption based on hardware
CN106971102A (en) * 2017-03-24 2017-07-21 山东超越数控电子有限公司 A kind of start authentication method and device based on harddisk password module
CN107403109A (en) * 2017-08-09 2017-11-28 苏州中科安源信息技术有限公司 Encryption method and encryption system
CN110795776A (en) * 2018-08-01 2020-02-14 胡建国 Safety hard disk
CN110795727A (en) * 2018-08-01 2020-02-14 胡建国 Starting control method for safety computer
CN112084472A (en) * 2020-08-13 2020-12-15 杭州电子科技大学 Real-time dynamic authentication method for multi-user secure storage

Patent Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101165696A (en) * 2006-10-16 2008-04-23 中国长城计算机深圳股份有限公司 Safety identification method based on safe computer
US20080263363A1 (en) * 2007-01-22 2008-10-23 Spyrus, Inc. Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption
CN101788959A (en) * 2010-02-03 2010-07-28 武汉固捷联讯科技有限公司 Solid state hard disk secure encryption system
US20120254602A1 (en) * 2011-03-01 2012-10-04 Softex Incorporated Methods, Systems, and Apparatuses for Managing a Hard Drive Security System
CN102508791A (en) * 2011-09-28 2012-06-20 梁守龙 Method and device for encrypting hard disk partition
CN202711243U (en) * 2011-11-30 2013-01-30 航天信息股份有限公司 Encryption type movable storage device based on fingerprint authentication
CN103678174A (en) * 2012-09-11 2014-03-26 联想(北京)有限公司 Data safety method, storage device and data safety system
CN103034817A (en) * 2012-12-06 2013-04-10 大连奥林匹克电子城腾飞办公设备商行 Hard disc encryption system for computer
CN103701613A (en) * 2014-01-06 2014-04-02 立德高科(北京)数码科技有限责任公司 Bidirectional authentication method between authentication terminal and host and device
CN104503705A (en) * 2014-12-22 2015-04-08 吴剀劼 Trusted storage system constructed by flash memory devices and method for constructing trusted storage system by flash memory devices
CN104615938A (en) * 2015-02-25 2015-05-13 山东超越数控电子有限公司 Power-on authentication method based on solid-state hard disk drive
CN104951409A (en) * 2015-06-12 2015-09-30 中国科学院信息工程研究所 System and method for full disk encryption based on hardware
CN106971102A (en) * 2017-03-24 2017-07-21 山东超越数控电子有限公司 A kind of start authentication method and device based on harddisk password module
CN107403109A (en) * 2017-08-09 2017-11-28 苏州中科安源信息技术有限公司 Encryption method and encryption system
CN110795776A (en) * 2018-08-01 2020-02-14 胡建国 Safety hard disk
CN110795727A (en) * 2018-08-01 2020-02-14 胡建国 Starting control method for safety computer
CN112084472A (en) * 2020-08-13 2020-12-15 杭州电子科技大学 Real-time dynamic authentication method for multi-user secure storage

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐欣;陈锦飞;: "基于Ukey和LiveOS的加密硬盘安全认证方案", 杭州电子科技大学学报(自然科学版), no. 06 *

Also Published As

Publication number Publication date
CN113938278B (en) 2024-03-15

Similar Documents

Publication Publication Date Title
CN106330868B (en) A kind of high speed network encryption storage key management system and method
US8312269B2 (en) Challenge and response access control providing data security in data storage devices
CN101159556B (en) Group key server based key management method in sharing encryption file system
Miller et al. Strong security for distributed file systems
US8200964B2 (en) Method and apparatus for accessing an encrypted file system using non-local keys
WO2021164166A1 (en) Service data protection method, apparatus and device, and readable storage medium
CN107908574B (en) Safety protection method for solid-state disk data storage
US20080016127A1 (en) Utilizing software for backing up and recovering data
KR20140126787A (en) Puf-based hardware device for providing one time password, and method for 2-factor authenticating using thereof
CN112560058B (en) SSD partition encryption storage system based on intelligent password key and implementation method thereof
CN111737770A (en) Key management method and application
CN112685786A (en) Financial data encryption and decryption method, system, equipment and storage medium
TWI476629B (en) Data security and security systems and methods
KR20230175184A (en) Computer file security encryption methods, decryption methods and readable storage media
CN110233729B (en) Encrypted solid-state disk key management method based on PUF
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN102769525B (en) The user key backup of a kind of TCM and restoration methods
CN112787996B (en) Password equipment management method and system
CN1266617C (en) Computer data protective method
CN113342896B (en) Scientific research data safety protection system based on cloud fusion and working method thereof
KR101327193B1 (en) A user-access trackable security method for removable storage media
CN113938278B (en) Key management and protection method for encrypted hard disk
US11601285B2 (en) Securely authorizing service level access to a backup system using a specialized access key
CN111988330B (en) Information security protection system and method based on white-box encryption in distributed system
KR101947408B1 (en) Puf-based hardware device for providing one time password, and method for 2-factor authenticating using thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant