CN116502291B - Data security storage equipment and data storage method based on three-dimensional heterogeneous integration - Google Patents

Publication number: CN116502291B
Authority: CN (China)
Application number: CN202310769745.3A
Other languages: Chinese (zh)
Other versions: CN116502291A (en)
Inventors: 曹玥, 杨建国, 韩永康
Current Assignee: Zhejiang Lab
Original Assignee: Zhejiang Lab
Legal status: Active
Prior art keywords: data, module, write, instruction, storage device

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107: File encryption
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application discloses a data security storage device and a data storage method based on three-dimensional heterogeneous integration. The device comprises: an access port module, which communicates with the external processor through an external system bus and receives the access instructions of the external processor, so that the data security storage device is accessed as an external device by means of access instructions; the access port module transmits the information to be identified and the data before encryption to a security processing module, feeds back the encryption identification code, state information and decrypted data to the external processor, and locks the external access port after the security processing module feeds back error information; a plurality of security processing modules, each connected to the access port module, which receive the write activation instruction, the read/write data instruction and the data before encryption, perform key generation, identification, data encryption and decryption, and transmit the encrypted data to the storage module; and a storage module, connected to each security processing module through a three-dimensional path, which stores the encrypted data.

Description

Data security storage equipment and data storage method based on three-dimensional heterogeneous integration
Technical Field
The application relates to the technical field of data security storage, in particular to a data security storage device and a data storage method based on three-dimensional heterogeneous integration.
Background
With the continuous development of big data and information technology, the security of stored information is attracting increasing attention. Compared with the rapid development of protection against software attacks, protection against hardware attacks and encryption built directly on the underlying hardware are still at a relatively early stage. However, as the importance of data and the cost of software attacks gradually rise, the frequency of attacks aimed at the traditionally weak point of hardware protection is also rising year by year. Research on data security storage devices based on hardware protection is therefore of great importance.
Existing data security storage devices are based on a two-dimensional planar structure and have the following problems. First, because encryption logic and memory require different manufacturing processes, the encryption module is separated from the storage module during manufacturing; this structure makes the encryption module easier to locate physically, so a physical attack on the module is easier to carry out. At the same time, the data transmission path between the encryption module and the storage module is easy to locate and separate, so information can be stolen. Second, an encryption module with strong confidentiality generally occupies a large chip area, which affects the overall size of the storage device.
Disclosure of Invention
Aiming at the defects of the prior art, the application provides a data security storage device and a data storage method based on three-dimensional heterogeneous integration.
According to a first aspect of an embodiment of the present application, there is provided a data security storage device based on three-dimensional heterogeneous integration, including:
an access port module, which communicates with the external processor through an external system bus and receives the access instructions of the external processor, so that the data security storage device is accessed as an external device by means of access instructions; the access port module transmits the information to be identified and the data before encryption to a security processing module, feeds back the encryption identification code, state information and decrypted data to the external processor, and locks the external access port after the security processing module feeds back error information; the access instructions comprise a formatting instruction, a write activation instruction, a data read/write instruction and a write completion instruction;
a plurality of security processing modules, each connected to the access port module, which receive the write activation instruction, the read/write data instruction and the data before encryption, perform key generation, identification, data encryption and decryption, and transmit the encrypted data to the storage module; the state information of each security processing module is fed back to the access port module;
a storage module, connected to each security processing module through a three-dimensional path, which stores the encrypted data.
According to a second aspect of the embodiment of the present application, there is provided a data storage method of a data security storage device based on three-dimensional heterogeneous integration, which is implemented by the data security storage device based on three-dimensional heterogeneous integration, the method including:
Step S1: format the data security storage device to obtain the write activation identification codes W_i, i = 1, ..., n;
Step S2: send the encryption interval ID and the corresponding activation identification code W_i to the data security storage device to perform write activation;
Step S3: after the write activation is judged successful, send a write request to the data security storage device;
Step S4: write a write completion instruction to the data storage device; after judgment at the access port, the data storage device feeds back a write completion signal and the corresponding read identification code R_i;
Step S5: send a read request to the data security storage device.
According to a third aspect of embodiments of the present application, there is provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the data storage method described above.
According to a fourth aspect of the embodiment of the present application, there is provided an electronic device including a memory, the above-mentioned three-dimensional heterogeneous integration-based data security storage device, and a program stored on the memory and executable on the three-dimensional heterogeneous integration-based data security storage device.
The beneficial effects of the data security storage device and the data storage method based on three-dimensional heterogeneous integration are as follows. Three-dimensional heterogeneous integration raises the integration level of the encryption logic and the memory chip and improves chip area utilization, while making it harder to accurately identify the encryption logic and reducing the risk of the device being cracked by a targeted physical attack. The encryption module is tightly combined with the memory module in a two-dimensional layer, which greatly increases the difficulty of separating and locating the encryption module and the data transmission path. In addition, because each logic module in the three-dimensional integrated structure is connected only to its target memory interval through a three-dimensional channel, so that its access range is limited and the modules cannot interact, different users of the same device can be managed separately and read and write permissions can be managed separately, which further extends the application range of the device.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a schematic diagram of the connection of a three-dimensional heterogeneous integrated-based data security storage device in a computing system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an internal structure of a data security storage device based on three-dimensional heterogeneous integration according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an access port module according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a security processing module according to an embodiment of the present application;
FIG. 5 is a flow chart of a data storage method of a data security storage device based on three-dimensional heterogeneous integration according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The implementations described in the exemplary embodiments are not representative of all implementations consistent with the application, and the various items of secure storage design data used in this example are merely one example consistent with aspects of the application. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
The application provides a data security storage device based on three-dimensional heterogeneous integration; its connection structure in a computing system is shown in FIG. 1. The data security storage device can be attached as an external storage device to the external system bus or to an access port of the external processor, so that the external system bus controls access to the data security storage device by means of access instructions. In this example, the system memory address is assumed to be 32 bits wide; the physical unclonable function (PUF) module and the true random number generator (TRNG) module in the security processing module generate 128-bit data; and the security processing module uses the Advanced Encryption Standard (AES) algorithm to encrypt data. To simplify the description, the system access data width is taken to be 128 bits; in practice, if the access width is smaller, the data can be transmitted over several cycles. The data security storage device provided by the application is divided into 8 encryption intervals.
As shown in fig. 2, the data security storage device provided by the application comprises a memory access port module, a plurality of security processing modules and a storage module.
The access port module communicates with the external processor through an external system bus and receives the access instructions of the external system bus, so that the data security storage device is accessed as an external device by means of access instructions; it transmits the information to be identified and the data before encryption to a security processing module, feeds back the encryption identification code, state information and decrypted data to the external processor, and locks the external access port after the security processing module feeds back error information; the access instructions comprise a formatting instruction, a write activation instruction, a data read/write instruction and a write completion instruction;
the plurality of security processing modules are each connected to the access port module; they receive the write activation instruction, the read/write data instruction and the data before encryption, perform key generation, identification, data encryption and decryption, and transmit the encrypted data to the storage module; the state information of each security processing module is fed back to the access port module;
the storage module is connected to each security processing module through a three-dimensional path and stores the encrypted data.
As shown in FIG. 3, the access port module consists of a state storage module, a judging module and a formatting control module.
The state storage module stores the state information of each security processing module, including: the write activation state of the security processing modules, the number of identification failures fed back by each security processing module, the number of write failures fed back by the judging module, and whether the access port is in a locked state.
The judging module identifies the access instructions of the external processor, judges their order and target region, and updates the state storage module; it also acquires the error information fed back and judges whether the access port is in a locked state. Identifying the access instructions of the external processor means identifying the write activation instruction, the write instruction, the key clearing instruction, the write completion instruction, the read instruction and the formatting instruction.
The formatting control module sends the formatting instruction to all security processing modules when the judging module identifies a formatting instruction. All encryption intervals are formatted, all states in the state storage module are cleared, and all write activation identification codes and default read identification codes are fed back to the external system bus.
Next, the process by which the judging module identifies the access instructions of the external processor is described in detail:
Note that the judging module first determines, from the access port lock state held in the state storage module, whether the data security storage device is locked; if the device is locked, the judging module does not transmit or update any data or information in response to any instruction other than the formatting instruction.
(1.1) Identifying a write activation instruction:
Identify from the address bits the encryption interval id, whether to force writing and whether to use a new read key; read the write activation identification code from the data bits; transmit the write activation instruction and this information to the corresponding security processing module. Then wait for the identification result fed back by the security processing module and, according to that result, update the state storage module's record of the security processing module's write activation state and of whether the access port is locked.
(1.2) Identifying a write instruction:
Read the write address from the address bits and the write data from the data bits. Using the write activation state of each security processing module held in the state storage module, judge whether a security processing module is currently write-active; if not, feed back a write failure to the external processor. If one is write-active, judge whether the write address lies in the storage interval of the activated security processing module. If it does not, feed back a write failure to the external processor and update, in the state storage module, the write failure count fed back by the judging module and the write activation state of each security processing module. If it does, transmit the write instruction, the write address and the data to the corresponding security processing module.
(1.3) Identifying a key clearing instruction:
Identify the encryption interval id from the address bits and read the read identification code from the data bits; judge the activation state and, if activated, transmit the key clearing instruction and the read identification code to the corresponding security processing module; wait for the success or failure signal fed back by the security processing module and transmit it to the external processor.
(1.4) Identifying a write completion instruction:
Identify the encryption interval id from the address bits; judge the activation state and, if activated, send the write completion instruction to the corresponding security processing module and reset, in the state storage module, the write failure count fed back by the judging module and the write activation state of each security processing module; wait for the read identification code fed back by the security processing module and transmit it to the external system through data.
(1.5) Identifying a read instruction:
Read the read address from the address bits and the read identification code from the data bits; determine the id of the corresponding security processing module from the read address, and transmit the read instruction and this information to that module. Then wait for the identification result fed back by the security processing module. If identification fails, feed back identification error information to the external processor and, according to the result, update the state storage module's identification failure count for that security processing module and its record of whether the access port is locked. If identification succeeds, transmit the data read by the security processing module to the external processor and reset the identification failure count stored for that security processing module in the state storage module.
(1.6) Identifying a formatting instruction:
When the judging module identifies a formatting instruction, it issues an activation request to activate the formatting control module.
As shown in fig. 4, the security processing module includes a physical unclonable function (Physical unclonable function, PUF) module, a true random number generator (True random number generator, TRNG) module, a key management module, an encryption and decryption module, a data transmission module, and a formatting module.
The physical unclonable function module is used for generating unique and invariable data corresponding to each security processing module; specifically, the physical unclonable function module generates a first random number and a second random number, and encrypts them using the Advanced Encryption Standard (AES) algorithm to obtain a default read identification code and a default write activation identification code.
The true random number generator module is used for generating true random numbers for a plurality of times and taking the true random numbers as secret keys.
The key management module is used for feeding back a default read identification code and a write activation identification code to the access port module; receiving a write activation instruction and a write identification code, comparing the consistency of the write identification code and the write activation identification code, and judging whether activation is successful or not;
when the activation fails, a write instruction is received, whether the writing is possible is judged, and when the writing is possible, an encryption identification code is generated by using a physical unclonable function module, a secret key is generated by using a true random number generator module and is sent to an encryption and decryption module; when the encryption request is not writable, initiating the encryption request by using a default read identification code;
when the activation is successful, a write instruction is received, an encryption identification code is generated by using a physical unclonable function module, a secret key is generated by using a true random number generator module, and the secret key is sent to an encryption and decryption module;
when the activation is successful, the key management module further includes: and receiving a key clearing instruction, and clearing the corresponding record of the received key according to the key clearing instruction.
The key management module further includes: when a write-completion instruction is received, the encryption identification code is fed back to the access port module; when a reading instruction is received, key decoding is carried out, and whether decoding is successful or not is judged; if the decoding is unsuccessful, feeding back error information to the access port module; and if the decoding is successful, a decryption request is initiated to the encryption and decryption module and the corresponding secret key is transmitted.
The encryption and decryption module is used for receiving the encryption request and the corresponding secret key, encrypting the data transmitted from the access port according to the secret key, transmitting the encrypted data to the data transmission module, and initiating a data writing request; receiving the decryption request and the corresponding secret key, initiating a read data request to the data transmission module, decrypting the obtained data according to the secret key, and transmitting the decrypted data to the access port.
The data transmission module initiates data write requests and data read requests to the storage module according to the data write requests and data read requests sent by the encryption and decryption module, and transmits the read/write data. After the transmission of the read/write data is completed, it also feeds back a success signal to the access port module.
The formatting module is used for sequentially sending data writing requests to the data transmission module when receiving the formatting requests until the corresponding storage interval of the security processing module is completely covered, repeating the above processes for a plurality of times, and feeding back a formatting completion signal to the key management module after the completion.
Next, the key management module is described in detail:
The key management module includes a key cache module. Assuming a capacity of 16 entries, it can store 16 keys, and it tracks how recently each entry was accessed, so that when no empty entry is available the entry that has gone longest without access is overwritten first. The key management module implements the following functions:
(2.1) On receiving a formatting instruction, activate the true random number generator module twice to obtain and store a first random number T_R and a second random number T_w, and activate the physical unclonable function module to obtain the identifier P_i. With P_i as the key, encrypt the first random number T_R and the second random number T_w with the Advanced Encryption Standard (AES) algorithm to generate the default read identification code R_i and the write activation identification code W_i. After the formatting module feeds back that formatting is complete, transmit the default read identification code R_i and the write activation identification code W_i to the access port module.
(2.2) After receiving the write activation instruction and the corresponding identification code, decrypt the code with the key P_i to obtain the number to be identified T_w', and compare T_w' with the second random number T_w. If they are inconsistent, activation fails and an identification error signal is transmitted to the judging module. If they are consistent, activation succeeds, an activation success signal is transmitted to the judging module, and whether to force writing is stored. If a new identification code needs to be generated, activate the true random number generator module to obtain and temporarily store a random number T; then, with P_i as the key, encrypt it with the AES algorithm to obtain a new identification code R, which is also temporarily stored.
(2.3) After receiving a write instruction, proceed according to whether a new identification code was generated. If a new identification code was generated, check whether the cache is currently full; if so, read the entry T_0 that has gone longest without access in the key cache, encrypt it with the AES algorithm using P_i as the key to obtain the identification code R_0 that is about to be invalidated, feed R_0 back to the access port module, pull the write failure signal high, and wait for a new instruction. If the cache is not full or the state is forced writing, store the newly generated key T in the cache. If no new identification code was generated, the subsequent encryption uses the default read key T_R. The key T or the default read key T_R (hereinafter collectively referred to as T_R) is transmitted to the encryption and decryption module and an encryption request is initiated.
(2.4) On receiving a key clearing instruction, decrypt the received identification code with the key P_i to obtain the default read key T_R' and compare it with all keys in the key cache. If a consistent entry exists, clear that entry and send a success signal to the access port; if none is consistent, send a failure signal to the access port.
(2.5) On receiving a write completion instruction, transmit the new identification code R or the default read key R_i to the access port module according to the identification code update state.
(2.6) On receiving a read instruction, decrypt the received identification code with the key P_i to obtain the default read key T_R' and compare it with all keys in the key cache and with the default key T_R. If a consistent entry exists, the key P_i is transmitted to the encryption and decryption module and a decryption request is initiated; if not, an identification error signal is sent to the access port module.
(2.7) initiating a formatting request to the formatting module upon receipt of a read instruction.
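The key management behaviour of (2.1) to (2.6), modelled in Python as an added example; it is not code from the patent, and the class and method names are hypothetical. Assumptions: AES is replaced by a 4-round Feistel stand-in so the block runs on the standard library alone, `secrets` stands in for the PUF and TRNG modules, and on a read the matched read key is what is handed to the encryption and decryption module.

```python
import hashlib
import hmac
import secrets
from collections import OrderedDict

BLOCK = 16  # 128-bit PUF/TRNG values, as in the embodiment

def _f(key, rnd, half):
    # Feistel round function: keyed hash of the round index and one 8-byte half
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Invertible keyed permutation on 16 bytes. Stand-in for AES, NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    """Inverse of encrypt_block: undo the four rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

class KeyManager:
    """Model of one security processing module's key management, (2.1)-(2.6)."""

    def __init__(self, cache_slots=16):
        self.p_i = secrets.token_bytes(BLOCK)  # assumption: models the PUF identifier P_i
        self.cache_slots = cache_slots
        self.format()

    def format(self):
        """(2.1) Draw T_R and T_w, reset all state, return (R_i, W_i)."""
        self.t_r = secrets.token_bytes(BLOCK)
        self.t_w = secrets.token_bytes(BLOCK)
        self.cache = OrderedDict()  # read keys, least recently accessed first
        self.active, self.force, self.pending = False, False, None
        return encrypt_block(self.p_i, self.t_r), encrypt_block(self.p_i, self.t_w)

    def _match(self, code, candidates):
        # Decrypt the presented code under P_i and compare with every candidate,
        # with no early exit, so timing does not reveal which entry matched.
        value, hit = decrypt_block(self.p_i, code), None
        for key in candidates:
            if hmac.compare_digest(value, key):
                hit = key
        return hit

    def write_activate(self, code, new_read_key=False, force=False):
        """(2.2) Activate only if the code decrypts to T_w."""
        if self._match(code, [self.t_w]) is None:
            return False  # the access port counts this identification failure
        self.active, self.force = True, force
        self.pending = secrets.token_bytes(BLOCK) if new_read_key else None
        return True

    def write(self):
        """(2.3) Return (data_key, code_about_to_be_invalidated); data_key None = write failure."""
        if not self.active:
            return None, None
        if self.pending is None:
            return self.t_r, None  # no new code requested: default read key T_R
        if self.pending not in self.cache:
            if len(self.cache) >= self.cache_slots:
                oldest = next(iter(self.cache))  # T_0, longest without access
                if not self.force:
                    return None, encrypt_block(self.p_i, oldest)  # R_0 goes back to the host
                del self.cache[oldest]
            self.cache[self.pending] = None
        return self.pending, None

    def key_clear(self, code):
        """(2.4) Drop the cached key that the presented read code decodes to."""
        hit = self._match(code, list(self.cache)) if self.active else None
        if hit is None:
            return False
        del self.cache[hit]
        return True

    def write_complete(self):
        """(2.5) Return the read code for this write session and leave the active state."""
        key = self.pending if self.pending is not None else self.t_r
        self.active, self.pending = False, None
        return encrypt_block(self.p_i, key)

    def read(self, code):
        """(2.6) Return the data key if the code decodes to a known key, else None."""
        hit = self._match(code, list(self.cache) + [self.t_r])
        if hit is not None and hit in self.cache:
            self.cache.move_to_end(hit)  # refresh the access order
        return hit
```

With `cache_slots=2`, a third new read key is refused unless the write is forced, and the returned R_0 tells the host which read code is about to stop working.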
As shown in Fig. 5, the embodiment of the present application further provides a data storage method for the data security storage device based on three-dimensional heterogeneous integration. Only the steps of initializing, writing and reading are described here, to show all functions of the data security storage device, and it is assumed that these operations are performed only for the encryption interval i; in practice, reads and writes may be performed multiple times and for different intervals. The method comprises the following steps:
Step S1: when the system is initialized, a formatting instruction is sent to the data security storage device to obtain the write activation identification code W_i, i = 1, ..., n; n is a positive real number.
Step S2: the encryption interval ID and the corresponding activation identification code W_i are sent to the data security storage device to perform write activation.
Specifically, step S2 includes the following sub-steps:
Step S201: the external processor sends a write activation instruction to the data security storage device via the external system bus; the address section carries the encryption interval ID and the information on whether to force the write and whether to use a new read key, and the data section carries the corresponding activation identification code W_i.
Step S202, the access port module in the data security storage device transmits the write activation instruction and the corresponding address interval to the corresponding security processing module i.
Step S203: the security processing module determines whether the activation identification code W_i is correct.
When the write activation identification code W_i is correct, write activation is performed on the data security storage device: the instruction information is stored, a read identification code is generated as required, and a completion signal is fed back; the access port module receives the completion signal, clears the recognition failure count of the corresponding security processing module, and transmits the completion signal to the external processor.
When the write activation identification code W_i is incorrect, an identification error signal is fed back and the recognition failure count of the corresponding security processing module is incremented by 1; if the updated count exceeds a threshold (assumed to be 3 in this example), the lock state is pulled high, and once the external access port is locked, the security processing module does not respond to any instruction other than the formatting instruction.
If the write activation instruction specifies using a new read key, the security processing module regenerates the read key and the corresponding identification code R_i'; if not, the default read key and the corresponding identification code R_i are used.
Step S3: after the write activation is judged successful, a write request is sent to the data security storage device.
Specifically, step S3 includes the following sub-steps:
in step S301, the external processor sends a write command, a write request target area, and write data to the data secure storage device.
In step S302, the access port module determines whether the write request target area coincides with the activated area of the secure processing module.
When the areas are inconsistent, the number of failures is recorded, and when the number of failures is greater than a threshold (in this example, the threshold is assumed to be 3 times), the activation state of the security processing module is cleared.
And when the areas are consistent, transmitting a write instruction and write data to the security processing module according to the write request target area.
In step S303, the security processing module encrypts the write data.
Specifically, the security processing module judges whether writing is currently possible according to the identification code update condition and the forced-write setting; if writing is not possible, it feeds back a write failure signal and the key that would be invalidated; if writing is possible, the key cache module is updated, the write data is encrypted, and the encrypted data is transmitted to the storage module.
At the same time, the security processing module judges from the write instruction whether the write succeeds: if the write is not forced, the stored write records are full and a new read key is used, it feeds back a write failure together with information on the record that would be overwritten next; if the records are not full, or the write is forced, the security processing module encrypts the write data and feeds back success on completion. Meanwhile, the external controller system sends a write clear instruction to the data security storage device, and the security processing module clears the corresponding record according to the received write clear instruction.
Step S4: after the write instruction has been executed, the external controller writes a write completion instruction to the data storage device, the access port identifies and judges it, and the data storage device feeds back a write completion signal and the corresponding read identification code R_i to the external controller.
Step S5: a read request is sent to the data security storage device.
Specifically, step S5 includes the following sub-steps:
Step S501: the external processor sends a read instruction and the read address to the data security storage device, and transmits the read identification code R_i' in the data section.
Step S502: the access port module determines the corresponding security processing module according to the read address, and transmits the read instruction and the read identification code R_i' to that security processing module.
Step S503, the security processing module decrypts the read identification code into a key, and compares the key with the stored key; if the key is inconsistent with the stored key, feeding back an identification error signal, recording the number of identification errors, and locking the external access port when the number of identification errors is greater than a threshold (in the example, the threshold is assumed to be 3 times); if the key is consistent with the storage key, a reading request is sent to the storage module, the acquired data is decrypted by using the key, and the decrypted data is transmitted to the access port module and a reading completion signal is fed back.
The access port module acts on the read completion signal fed back by the security processing module: when the read completion signal is obtained, it clears the recognition error count of the corresponding security processing module and transmits the read completion signal and the decrypted data to the external processor.
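The flow of steps S1 to S5, together with the key-cache handling of (2.3) to (2.6), can be followed in the Python model below, which is an added example and not part of the patent. The AES steps are replaced by a SHA-256 keystream stand-in, PUF and TRNG outputs are modelled with `os.urandom`, and the class, method and status names, the two-slot cache, and the choice that formatting clears the lock are assumptions.

```python
import hashlib
import hmac
import os
from collections import OrderedDict

THRESHOLD = 3     # lock threshold the description assumes
CACHE_SLOTS = 2   # hypothetical key-cache capacity


def crypt(key: bytes, data: bytes) -> bytes:
    """Self-inverse SHA-256 keystream XOR; a stand-in for the AES steps, not AES."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SecureInterval:
    """Model of one encryption interval i: security module plus its port counters."""

    def __init__(self):
        # PUF-derived values are modelled as random bytes fixed per device.
        self.p_i = os.urandom(16)        # wrapping key P_i
        self.w_i = os.urandom(16)        # write activation identification code W_i
        self.t_default = os.urandom(16)  # default read key T_R
        self.format()

    def format(self):
        """Wipe data, keys and counters; the only instruction served while locked."""
        self.cache = OrderedDict()       # TRNG keys, least recently accessed first
        self.store = {}                  # address -> ciphertext
        self.fails, self.locked, self.active = 0, False, False
        self.new_key = self.force = False
        self.pending = self.t_default
        return self.w_i

    def _id_error(self):
        self.fails += 1
        self.locked = self.fails > THRESHOLD   # exceeding the threshold locks the port
        return "ID_ERROR"

    def write_activate(self, w, new_key=False, force=False):
        if self.locked:
            return "LOCKED"
        if not hmac.compare_digest(w, self.w_i):
            return self._id_error()
        self.fails, self.active = 0, True
        self.new_key, self.force = new_key, force
        return "DONE"

    def write(self, addr, data):
        if self.locked or not self.active:
            return ("REJECTED", None)
        key = self.t_default
        if self.new_key:
            full = len(self.cache) >= CACHE_SLOTS
            if full and not self.force:
                t0 = next(iter(self.cache))                 # least recently accessed T0
                return ("WRITE_FAIL", crypt(self.p_i, t0))  # R_0 about to be invalidated
            if full:
                self.cache.popitem(last=False)   # forced write overwrites T0 (assumed)
            key = os.urandom(16)                 # TRNG key T (modelled)
            self.cache[key] = True
        self.store[addr] = crypt(key, data)
        self.pending = key
        return ("OK", None)

    def write_complete(self):
        """Return the read identification code R for the key used by the last write."""
        return crypt(self.p_i, self.pending)

    def read(self, addr, r):
        if self.locked:
            return ("LOCKED", None)
        t = crypt(self.p_i, r)                   # candidate key T_R'
        if not any(hmac.compare_digest(t, k) for k in [*self.cache, self.t_default]):
            return (self._id_error(), None)
        if t in self.cache:
            self.cache.move_to_end(t)            # refresh recency
        self.fails = 0
        return ("OK", crypt(t, self.store.get(addr, b"")))
```

Because the counter is compared with "greater than", the port locks on the fourth consecutive identification error, and any successful activation or read resets the count.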
In summary, the encryption logic and the storage module are connected through three-dimensional channels, and the PUF and TRNG modules inside the encryption module generate the keys and identification codes, so that data encryption and storage are realized at the hardware level. The three-dimensional heterogeneous integration technology raises the integration level of the encryption logic and the memory chip, which improves chip-area utilization while making the encryption logic harder to identify precisely, and so reduces the risk of the device being cracked by a targeted physical attack. In addition, each logic module in the three-dimensional integrated structure is connected only to a specific memory interval through a three-dimensional channel, so its memory access range is limited and the modules cannot interact; this allows different users to be managed separately within the same device and read and write permissions to be managed separately, further expanding the application range of the device.
Correspondingly, the application also provides a computer readable storage medium, wherein computer instructions are stored on the computer readable storage medium, and the instructions are executed by a processor to realize the data storage method of the data security storage device based on three-dimensional heterogeneous integration. The computer readable storage medium may be an internal storage unit, such as a hard disk or a memory, of any of the data processing enabled devices described in any of the previous embodiments. The computer readable storage medium may also be an external storage device, such as a plug-in hard disk, a Smart Media Card (SMC), an SD Card, a Flash memory Card (Flash Card), or the like, provided on the device. Further, the computer readable storage medium may include both internal storage units and external storage devices of any device having data processing capabilities. The computer readable storage medium is used for storing the computer program and other programs and data required by the arbitrary data processing apparatus, and may also be used for temporarily storing data that has been output or is to be output.
Correspondingly, the application also provides electronic equipment which is characterized by comprising a memory, the data security storage equipment based on the three-dimensional heterogeneous integration and a program which is stored in the memory and can run on the data security storage equipment based on the three-dimensional heterogeneous integration.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. The specification and examples are to be regarded in an illustrative manner only.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof.

Claims (10)

1. A three-dimensional heterogeneous integration-based data security storage device, comprising:
the access port module is communicated with the external processor through an external system bus and is used for receiving an access instruction of the external processor, so that the data security storage device is accessed as an external device in the mode of the access instruction; transmitting information to be identified and data before encryption to a security processing module, feeding back an encryption identification code, state information and decryption data to an external processor, and simultaneously locking an external access port after the security processing module feeds back error information; the access instruction comprises a formatting instruction, a writing activation instruction, a data reading and writing instruction and a writing completion instruction;
the plurality of security processing modules are respectively connected with the access port module, receive the write activation instruction, the read/write data instruction and the data before encryption, perform key generation, identification, data encryption and decryption, and transmit the encrypted data to the storage module; the state information of the security processing module is fed back to the access port module;
the storage module is respectively connected with each safety processing module through a three-dimensional passage and is used for storing encrypted data.
2. The three-dimensional heterogeneous integrated data security storage device of claim 1, wherein the access port module comprises:
the state storage module is used for storing state information of each security processing module, including the write-activation state of the security processing module, the recognition failure times fed back by each security processing module, the write-in failure times fed back by the judging module and whether the access port is in a locking state or not;
the judging module is used for identifying the access instruction of the external processor, judging the sequence and the area of the access instruction and updating the state storage module; acquiring feedback error information, and judging whether the access port is in a locking state or not; wherein identifying the memory access instruction of the external processor includes: identifying a write activation instruction, a write instruction, a key clearing instruction, a write completion instruction, a read instruction and a formatting instruction;
and the formatting control module is used for sending the formatting instruction to all the security processing modules when the judging module identifies the formatting instruction.
3. The three-dimensional heterogeneous integrated data security storage device of claim 1, wherein the security processing module comprises:
the physical unclonable function module is used for generating a default read identification code and a write activation identification code;
the true random number generator module is used for generating the true random number for a plurality of times to serve as a secret key;
the key management module is used for feeding back a default read identification code and a write activation identification code to the access port module; receiving a write activation instruction and a write identification code, comparing the consistency of the write identification code and the write activation identification code, and judging whether activation is successful or not;
when the activation fails, a write instruction is received and whether writing is possible is judged; when writing is possible, an encryption identification code is generated by using the physical unclonable function module, and a secret key is generated by using the true random number generator module and sent to the encryption and decryption module; when writing is not possible, an encryption request is initiated by using the default read identification code;
when the activation is successful, a write instruction is received, an encryption identification code is generated by using a physical unclonable function module, a secret key is generated by using a true random number generator module, and the secret key is sent to an encryption and decryption module;
the encryption and decryption module is used for receiving the encryption request and the corresponding secret key, encrypting the data, transmitting the encrypted data to the data transmission module, and initiating a data writing request; receiving a decryption request and a corresponding secret key, decrypting the data, transmitting the decrypted data to a data transmission module, and initiating a read data request;
the data transmission module initiates a data writing request and a data reading request to the storage module according to the data writing request and the data reading request sent by the encryption and decryption module, and performs data reading/writing transmission;
and the formatting module is used for sequentially sending the data writing requests to the data transmission module when receiving the formatting requests until the storage interval corresponding to the security processing module is completely covered.
4. The three-dimensional heterogeneous integrated data security storage device of claim 3, wherein the key management module further comprises:
when a write-completion instruction is received, the encryption identification code is fed back to the access port module;
when a read instruction is received, key decoding is carried out, and whether decoding is successful or not is judged; if the decoding is unsuccessful, feeding back error information to the access port module; and if the decoding is successful, a decryption request is initiated to the encryption and decryption module and the corresponding secret key is transmitted.
5. A data storage method of a data security storage device based on three-dimensional heterogeneous integration, characterized in that it is implemented by the data security storage device based on three-dimensional heterogeneous integration according to any one of claims 1 to 4, the method comprising:
step S1, formatting the data security storage device to obtain a write activation identification code W_i, i=1,...,n;
step S2, sending the encryption interval ID and the corresponding write activation identification code W_i to the data security storage device to perform write activation;
step S3, after the write activation judgment is successful, a write request is sent to the data security storage device;
step S4, writing a write completion instruction into the data storage device, the access port identifying and judging it, and the data storage device feeding back a write completion signal and a corresponding read identification code R_i;
step S5, sending a read request to the data security storage device.
6. The data storage method of the three-dimensional heterogeneous integrated data security storage device according to claim 5, wherein the step S2 specifically comprises the following sub-steps:
step S201, sending a write activation instruction and a corresponding address interval to the data security storage device, including: the address section, and the data section carrying the corresponding write activation identification code W_i;
step S202, a memory access port module in the data security storage device transmits a write activation instruction and a corresponding address interval to a corresponding security processing module;
step S203, the security processing module determines whether the write activation identification code W_i is correct;
when the write activation identification code W_i is correct, performing write activation on the data security storage device;
when the write activation identification code W_i is incorrect and the number of identification errors exceeds a threshold value, the external access port is locked.
7. The method for data storage of a three-dimensional heterogeneous integrated data security storage device according to claim 5, wherein said step S3 comprises the following sub-steps:
step S301, an external processor sends a write instruction, a write request target area and write data to a data security storage device;
step S302, the access port module judges whether the write request target area is consistent with the activated area of the security processing module;
recording failure times when the areas are inconsistent, and clearing the activation state of the safety processing module when the failure times are greater than a threshold value;
when the areas are consistent, transmitting a write instruction and write data to the security processing module according to the write request target area;
in step S303, the security processing module encrypts the write data.
8. The method for data storage of a three-dimensional heterogeneous integrated data security storage device according to claim 5, wherein said step S5 comprises the following sub-steps:
step S501, an external processor sends a read instruction, a read address and a read identification code to a data security storage device;
step S502, the access port module judges the corresponding safety processing module according to the read address, and transmits the read instruction and the read identification code to the corresponding safety processing module;
step S503, the security processing module decrypts the read identification code into a key, and compares the key with the stored key;
when the key is inconsistent with the storage key, feeding back an identification error signal, recording the number of identification errors, and locking an external access port when the number of identification errors is greater than a threshold value;
if the key is consistent with the storage key, a reading request is sent to the storage module, the acquired data is decrypted by using the key, and the decrypted data is transmitted to the access port module and a reading completion signal is fed back.
9. A computer readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the data storage method of any of the preceding claims 5-8.
10. An electronic device comprising a memory, a three-dimensional heterogeneous integration-based data security storage device according to any one of claims 1-4, and a program stored on the memory and executable on the three-dimensional heterogeneous integration-based data security storage device.
CN202310769745.3A 2023-06-28 2023-06-28 Data security storage equipment and data storage method based on three-dimensional heterogeneous integration Active CN116502291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310769745.3A CN116502291B (en) 2023-06-28 2023-06-28 Data security storage equipment and data storage method based on three-dimensional heterogeneous integration


Publications (2)

Publication Number Publication Date
CN116502291A CN116502291A (en) 2023-07-28
CN116502291B true CN116502291B (en) 2023-10-03

Family

ID=87325277




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant