CN116582255A - Locking method, system and storage medium based on solid state disk command

Publication number
CN116582255A
Authority
CN
China
Prior art keywords
command
solid state
state disk
data
random number
Prior art date
Legal status
Pending
Application number
CN202310496107.9A
Other languages
Chinese (zh)
Inventor
崔佳宁
尹作刚
张琪
Current Assignee
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Original Assignee
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/12: Applying verification of the received information
    • H04L63/123: Applying verification of the received information received data contents, e.g. message integrity

Abstract

The application provides a locking method, system and storage medium based on solid state disk commands. The method comprises the following steps: the solid state disk generates a random number in response to a Get Feature command sent by the host and returns the random number to the host, and the random number is encrypted with a vendor-specific algorithm, using the initial key configured in the solid state disk, to obtain a first secondary key; the command opcode or feature identifier corresponding to the lock operation command is taken as the message, and an HMAC calculation is performed on the message with the first secondary key and a vendor-specific algorithm to obtain first integrity authentication data; the solid state disk obtains second integrity authentication data after receiving the lock operation command sent by the host; it is judged whether the first integrity authentication data is equal to the second integrity authentication data; if they are equal, the security authentication of the lock operation command is determined to be successful, and the lock operation command is executed to lock or unlock the command opcode or feature identifier. The application ensures the security of the command or feature to be locked or unlocked.

Description

Locking method, system and storage medium based on solid state disk command
Technical Field
The present application relates to the field of storage technologies, and in particular to a locking method, system and storage medium based on solid state disk commands.
Background
Solid state disks are now widely used because of their low latency, high performance and low power consumption, and they support more and more functions. However, some of the commands, features or vendor-private commands supported by a solid state disk are not meant to be used by certain users, are not meant to be opened up, or need to be protected from malicious attack in an open environment. If these commands are not restricted they may be used, so such commands or features need to be locked, and unlocked when needed.
The NVMe (NVM Express, the non-volatile memory host controller interface specification) 2.0 protocol adds a Command and Feature Lockdown capability, which can be used to prohibit execution of commands submitted to NVM Express controllers and/or management endpoints in the NVMe subsystem. However, this capability has no security authentication: anyone can issue the command to lock and unlock commands, and the lock is lost on power-down.
Disclosure of Invention
Therefore, the purpose of the present application is to provide a locking method, system and storage medium based on solid state disk commands, to solve the prior-art problem that the lockdown feature of the NVMe protocol has no security authentication, so that anyone can lock and unlock commands through it, which is unsafe.
To this end, the application provides a locking method based on solid state disk commands, comprising the following steps:
the solid state disk generates a random number in response to a Get Feature command sent by the host and returns the random number to the host, and the host encrypts the random number with a vendor-specific algorithm, using the initial key configured in the solid state disk, to obtain a first secondary key;
the command opcode or feature identifier corresponding to the lock operation command is taken as the message, and an HMAC calculation is performed on the message with the first secondary key and a vendor-specific algorithm to obtain first integrity authentication data;
after receiving the lock operation command sent by the host, the solid state disk obtains second integrity authentication data based on the initial key, the random number, the vendor-specific algorithm and the message;
it is judged whether the first integrity authentication data is equal to the second integrity authentication data;
and in response to the first integrity authentication data being equal to the second integrity authentication data, the security authentication of the lock operation command is determined to be successful, and the lock operation command is executed to lock or unlock the command opcode or feature identifier.
In some embodiments, executing the lock operation command to lock the command opcode or the feature identifier includes:
executing the lock operation command to store the command opcode or feature identifier in the nonvolatile memory of the solid state disk, and disabling the corresponding command according to the command opcode or setting the corresponding feature according to the feature identifier.
In some embodiments, executing the lock operation command to unlock the command opcode or the feature identifier includes:
executing the lock operation command to delete the command opcode or feature identifier from the nonvolatile memory of the solid state disk.
In some embodiments, the lock operation command includes a data pointer, a first field, and a second field;
the data pointer points to the memory address at which the message is stored, the message being the data transmitted to the solid state disk by the host;
the first field defines the size of the message;
the second field defines whether the message consists of command opcodes or feature identifiers, and whether the message is to be locked or unlocked.
In some embodiments, the method further comprises:
clearing the random number in response to the solid state disk receiving the lock operation command sent by the host.
In some embodiments, obtaining, by the solid state disk after receiving the lock operation command sent by the host, second integrity authentication data based on the initial key, the random number, the vendor-specific algorithm, and the message includes:
after receiving the lock operation command sent by the host, the solid state disk encrypts the random number with the vendor-specific algorithm, using the initial key, to obtain a second secondary key, and performs an HMAC calculation on the message with the second secondary key and the vendor-specific algorithm to obtain the second integrity authentication data.
In some embodiments, the method further comprises:
concatenating the message with the first integrity authentication data, and using the concatenated data as the data to be transmitted.
In some embodiments, generating, by the solid state disk, the random number based on the Get Feature command sent by the host includes:
in response to the solid state disk receiving the Get Feature command sent by the host, generating a random number of a preset number of bytes using an internal true random number generator, wherein the Get Feature command carries the feature identifier for obtaining a random number.
In another aspect of the present application, there is also provided a locking system based on a solid state disk command, including:
an encryption module, configured so that the solid state disk generates a random number based on the Get Feature command sent by the host and returns the random number to the host, and the host encrypts the random number with a vendor-specific algorithm, using the initial key configured in the solid state disk, to obtain a first secondary key;
a first computing module, configured to take the command opcode or feature identifier corresponding to the lock operation command as the message, and perform an HMAC calculation on the message with the first secondary key and a vendor-specific algorithm to obtain first integrity authentication data;
a second computing module, configured so that the solid state disk, after receiving the lock operation command sent by the host, obtains second integrity authentication data based on the initial key, the random number, the vendor-specific algorithm and the message;
a judging module, configured to judge whether the first integrity authentication data is equal to the second integrity authentication data; and
an execution module, configured to determine, in response to the first integrity authentication data being equal to the second integrity authentication data, that the security authentication of the lock operation command is successful, and to execute the lock operation command to lock or unlock the command opcode or feature identifier.
In yet another aspect of the present application, there is also provided a computer readable storage medium storing computer program instructions which, when executed by a processor, implement the above-described method.
In yet another aspect of the present application, there is also provided a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, performs the above method.
The application has at least the following beneficial technical effects:
With the locking method based on solid state disk commands of the application, the corresponding command opcode or feature identifier can be locked or unlocked safely and reliably through the lock operation command, which prevents malicious software in an open environment from damaging the data on the disk and achieves the goal that only specified users use specific functions; a random number is obtained each time and encrypted with the initial key to obtain the secondary key, so the secondary key is different each time and replay attacks are prevented; integrity authentication data is calculated over the data to be transmitted using the secondary key, which authenticates the legitimacy of the sender and ensures the integrity of the transmitted data, preventing data from being maliciously added or deleted, so that the command or feature to be locked or unlocked cannot be arbitrarily modified by an attacker and security is ensured.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application and that other embodiments may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a locking method based on a solid state disk command according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a lock operation command according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a locking system based on a solid state disk command according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a computer readable storage medium implementing a solid state disk command based locking method according to an embodiment of the present application;
Fig. 5 is a schematic hardware structure diagram of a computer device for executing a locking method based on a solid state disk command according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the following embodiments of the present application will be described in further detail with reference to the accompanying drawings.
It should be noted that, in the embodiments of the present application, all the expressions "first" and "second" are used to distinguish two non-identical entities with the same name or non-identical parameters, and it is noted that the "first" and "second" are only used for convenience of expression, and should not be construed as limiting the embodiments of the present application. Furthermore, the terms "comprise" and "have," and any variations thereof, are intended to cover a non-exclusive inclusion, such as a process, method, system, article, or other step or unit that comprises a list of steps or units.
Based on the above object, in a first aspect of the embodiments of the present application, an embodiment of a locking method based on a solid state disk command is provided. Fig. 1 is a schematic diagram of an embodiment of a locking method based on a solid state disk command provided by the application. As shown in fig. 1, the embodiment of the present application includes the following steps:
Step S10: the solid state disk generates a random number in response to a Get Feature command sent by the host and returns the random number to the host, and the host encrypts the random number with a vendor-specific algorithm, using the initial key configured in the solid state disk, to obtain a first secondary key;
Step S20: the command opcode or feature identifier corresponding to the lock operation command is taken as the message, and an HMAC calculation is performed on the message with the first secondary key and a vendor-specific algorithm to obtain first integrity authentication data;
Step S30: after receiving the lock operation command sent by the host, the solid state disk obtains second integrity authentication data based on the initial key, the random number, the vendor-specific algorithm and the message;
Step S40: it is judged whether the first integrity authentication data is equal to the second integrity authentication data;
Step S50: in response to the first integrity authentication data being equal to the second integrity authentication data, the security authentication of the lock operation command is determined to be successful, and the lock operation command is executed to lock or unlock the command opcode or feature identifier.
HMAC stands for keyed-hash message authentication code (Hash-based Message Authentication Code). The H in HMAC refers to a hash algorithm, and HMAC can use a variety of one-way hashes, such as SHA-1. $\mathrm{HMAC}(K, M) = H\big((K \oplus \mathrm{opad}) \,\|\, H((K \oplus \mathrm{ipad}) \,\|\, M)\big)$, where $K$ is the key, $M$ is the message, $\oplus$ is the XOR operation, $H$ is the hash operation, and $\|$ denotes concatenation of the data before and after it. ipad is the single byte 0x36 repeated 64 times; opad is the single byte 0x5C repeated 64 times.
With the locking method based on solid state disk commands of the application, the corresponding command opcode or feature identifier can be locked or unlocked safely and reliably through the lock operation command, which prevents malicious software in an open environment from damaging the data on the disk and achieves the goal that only specified users use specific functions; a random number is obtained each time and encrypted with the initial key to obtain the secondary key, so the secondary key is different each time and replay attacks are prevented; integrity authentication data is calculated over the data to be transmitted using the secondary key, which authenticates the legitimacy of the sender and ensures the integrity of the transmitted data, preventing data from being maliciously added or deleted, so that the command or feature to be locked or unlocked cannot be arbitrarily modified by an attacker and security is ensured.
In some embodiments, executing the lock operation command to lock the command opcode or the feature identifier includes: executing the lock operation command to store the command opcode or feature identifier in the nonvolatile memory of the solid state disk, and disabling the corresponding command according to the command opcode or setting the corresponding feature according to the feature identifier.
In some embodiments, executing the lock operation command to unlock the command opcode or the feature identifier includes: executing the lock operation command to delete the command opcode or feature identifier from the nonvolatile memory of the solid state disk.
In some embodiments, the lock operation command includes a data pointer, a first field, and a second field; the data pointer points to the memory address at which the message is stored, the message being the data transmitted to the solid state disk by the host; the first field defines the size of the message; the second field defines whether the message consists of command opcodes or feature identifiers, and whether the message is to be locked or unlocked.
In this embodiment, the lock operation command (an NVMe command for securely locking and unlocking commands or features) is used to prohibit or allow execution of a specified command, or of the Set Feature command for a specified feature identifier. The opcode of the lock operation command is a custom value that must not be the same as any general NVMe (NVM Express, the non-volatile memory host controller interface specification) command opcode.
Fig. 2 is a schematic diagram of the structure of a lock operation command according to an embodiment of the present application. As shown in Fig. 2, an NVMe command is 64 bytes, i.e. 16 Dwords (one Dword is 4 bytes). The lock operation command uses the Data Pointer, Command Dword 10 and Command Dword 11 fields, which are described below:
The data pointer tells the solid state disk from which memory address to fetch the data transmitted by the host. The format of the transmitted data is shown in Table 1 below (note: the total length of the data transmitted at one time cannot exceed 4096 bytes). After the solid state disk fetches the data, it stores the command opcodes or feature identifiers and locks or unlocks the corresponding commands or features.
TABLE 1
Bytes | Description
03:00 | Command opcode 1 or feature identifier 1
07:04 | Command opcode 2 or feature identifier 2
…… | ……
(N-1)*4+3:(N-1)*4 | Command opcode N or feature identifier N
Command Dword 10 defines the number of Dwords of data to be transmitted (i.e., the number of Dwords of the message).
The fields of Command Dword 11 are defined as shown in Table 2 below:
TABLE 2
In some embodiments, the method further comprises: clearing the random number in response to the solid state disk receiving the lock operation command sent by the host.
In some embodiments, generating, by the solid state disk, the random number based on the Get Feature command sent by the host includes: in response to the solid state disk receiving the Get Feature command sent by the host, generating a random number of a preset number of bytes using an internal true random number generator, wherein the Get Feature command carries the feature identifier for obtaining a random number.
In this embodiment, a feature identifier for obtaining a random number (random fid) needs to be defined. When a Get Feature command sent by the host to the solid state disk carries this feature identifier, the solid state disk uses its internal true random number generator to generate a 16-byte random number and returns it through the Get Feature command.
In some embodiments, obtaining, by the solid state disk after receiving the lock operation command sent by the host, second integrity authentication data based on the initial key, the random number, the vendor-specific algorithm, and the message includes: after receiving the lock operation command sent by the host, the solid state disk encrypts the random number with the vendor-specific algorithm, using the initial key, to obtain a second secondary key, and performs an HMAC calculation on the message with the second secondary key and the vendor-specific algorithm to obtain the second integrity authentication data.
In some embodiments, the method further comprises: concatenating the message with the first integrity authentication data, and using the concatenated data as the data to be transmitted.
In this embodiment, the generated secondary key (key) and the message (msg) are used to calculate the integrity authentication data by HMAC(key, msg) with a vendor-specific algorithm (SM3, SHA256, etc.); with the SM3 algorithm the result is 32 bytes of data. The first integrity authentication data is appended after the msg data, and the whole is used as the transmission data. The first integrity authentication data is added on the basis of Table 2, as shown in Table 3 below.
TABLE 3
Bytes | Description
03:00 | Command opcode 1 or feature identifier 1
07:04 | Command opcode 2 or feature identifier 2
…… | ……
(N-1)*4+3:(N-1)*4 | Command opcode N or feature identifier N
(N)*4+M:(N)*4 | M+1 bytes of integrity authentication data
The following is an exemplary embodiment of a solid state disk command-based locking method of the present application:
1. Initialization of the SSD before it leaves the factory
Before the SSD leaves the factory, a 16-byte initial key is written into a region of nonvolatile memory inside the SSD. No external command can read this region; it can only be read and used by the firmware inside the SSD. This ensures that an unauthorized person cannot obtain the initial key or tamper with the data.
2. Locking or unlocking the corresponding commands or features
(1) The feature identifier in the Get Feature command is set to the custom feature identifier for obtaining a random number (random fid), and the Get Feature command is sent to the solid state disk.
(2) After receiving the Get Feature command, the solid state disk uses its internal true random number generator to generate a 16-byte random number (Random) and returns it to the host.
Note: the generated random number is stored temporarily in the solid state disk and is cleared under the following conditions, which ensures the anti-replay requirement:
a. on a controller-level reset of the solid state disk;
b. when a lock operation command is received, whether or not verification succeeds.
(3) After receiving the random number, the host encrypts it with a vendor-specific algorithm (the symmetric encryption algorithm SM4, the triple data encryption algorithm 3DES, the advanced encryption standard AES, etc.), using the initial key that the vendor wrote into the solid state disk at the factory (only the vendor knows this key), to obtain the secondary key.
(4) The command opcodes or feature identifiers to be locked or unlocked are organized as shown in Table 1 above. The data transmitted in one command is either all command opcodes or all feature identifiers, never a mix of the two.
With this data as the message msg, the first integrity authentication data is calculated by HMAC(key, msg) with a vendor-specific algorithm, using the generated secondary key. The first integrity authentication data is appended after the msg data, and the whole is used as the transmission data.
(5) The Dword 10 field of the NVMe command is set to the number of Dwords of the data to be transferred. Dword 11 is set according to whether the operation is a lock or an unlock and whether the transferred data are command opcodes or feature identifiers. The lock operation command is then sent to the solid state disk.
(6) After the solid state disk receives the lock operation command, it uses the initial key that was written into nonvolatile memory at the factory to encrypt the random number with the vendor-specific algorithm and obtain the secondary key. It then uses the secondary key and the vendor-specific algorithm to calculate the second integrity authentication data over the transmitted command opcodes or feature identifiers, and compares the result with the first integrity authentication data in the received command. If the two are equal, authentication succeeds and the data is valid. For a lock command, the incoming command opcodes or feature identifiers are saved in nonvolatile memory, and the corresponding commands are then disabled or the corresponding features set according to the data. For an unlock command, the incoming command opcodes or feature identifiers are deleted from the corresponding nonvolatile memory.
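The exchange in steps (1) to (6), simulated end to end as an added example; it is not code from the patent or from any vendor. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the vendor-specific cipher that derives the secondary key, Dwords are little-endian, Dword 10 counts message Dwords only, and the `SimulatedDrive` class, the status strings, the key and the opcode values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16       # the page: 16-byte random number from the drive's TRNG
MAC_LEN = 32         # HMAC-SHA256 output (the page notes SM3 also yields 32 bytes)
MAX_TRANSFER = 4096  # the page: one transfer cannot exceed 4096 bytes


def derive_secondary_key(initial_key: bytes, nonce: bytes) -> bytes:
    """Stand-in for 'encrypt the random number with the initial key'.

    The page uses a vendor-specific cipher (SM4, 3DES, AES ...). The Python
    standard library has no block cipher, so HMAC-SHA256 truncated to 16 bytes
    is substituted here (assumption); both sides only need the same function.
    """
    return hmac.new(initial_key, nonce, hashlib.sha256).digest()[:16]


def build_payload(initial_key: bytes, nonce: bytes, ids: list) -> tuple:
    """Host side, steps (3)-(5): returns (Dword 10 value, message || MAC)."""
    # Table 1 layout: one Dword per opcode/identifier (little-endian assumed).
    msg = b"".join(struct.pack("<I", i) for i in ids)
    key = derive_secondary_key(initial_key, nonce)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return len(ids), msg + mac           # Table 3 layout


class SimulatedDrive:
    """Device side, steps (2) and (6). Hypothetical model, not real firmware."""

    def __init__(self, initial_key: bytes):
        self._initial_key = initial_key  # factory-written, firmware-only
        self._nonce = None               # pending challenge, if any
        self.locked = set()              # stands in for the NVM lock list

    def get_feature_random(self) -> bytes:
        self._nonce = os.urandom(NONCE_LEN)
        return self._nonce

    def controller_reset(self) -> None:
        self._nonce = None               # condition (a) in the page's note

    def lock_operation(self, dword10: int, lock: bool, is_feature: bool,
                       data: bytes) -> str:
        # Condition (b): consume the nonce before any check, so it is gone
        # whether or not verification succeeds.
        nonce, self._nonce = self._nonce, None
        if nonce is None:
            return "NO_CHALLENGE"
        msg_len = dword10 * 4            # assumes Dword 10 counts message Dwords
        if (dword10 < 1 or len(data) > MAX_TRANSFER
                or len(data) != msg_len + MAC_LEN):
            return "BAD_LENGTH"
        msg, received_mac = data[:msg_len], data[msg_len:]
        key = derive_secondary_key(self._initial_key, nonce)
        expected_mac = hmac.new(key, msg, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many MAC bytes matched.
        if not hmac.compare_digest(received_mac, expected_mac):
            return "AUTH_FAILED"
        entries = {(is_feature, i) for i in struct.unpack(f"<{dword10}I", msg)}
        if lock:
            self.locked |= entries
        else:
            self.locked -= entries
        return "OK"


def run_demo():
    key = bytes(range(16))               # constructed 16-byte initial key
    drive = SimulatedDrive(key)
    results = []

    # 1. Legitimate lock of two constructed opcodes.
    nonce = drive.get_feature_random()
    d10, captured = build_payload(key, nonce, [0xC0, 0xC1])
    results.append(drive.lock_operation(d10, True, False, captured))

    # 2. Same bytes sent again with no new challenge: nonce already cleared.
    results.append(drive.lock_operation(d10, True, False, captured))

    # 3. Same bytes after a fresh challenge: secondary key differs, MAC fails.
    drive.get_feature_random()
    results.append(drive.lock_operation(d10, True, False, captured))

    # 4. Valid MAC but one message bit changed in transit.
    nonce = drive.get_feature_random()
    d10, good = build_payload(key, nonce, [0xC0])
    tampered = bytes([good[0] ^ 0x01]) + good[1:]
    results.append(drive.lock_operation(d10, False, False, tampered))

    # 5. Legitimate unlock of one opcode with a fresh challenge.
    nonce = drive.get_feature_random()
    d10, payload = build_payload(key, nonce, [0xC0])
    results.append(drive.lock_operation(d10, False, False, payload))
    return results, drive.locked


if __name__ == "__main__":
    print(run_demo())
```

Because the nonce is consumed before the length and MAC checks, a malformed or failed command also invalidates the outstanding challenge, so the host must issue a new Get Feature before retrying.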
The following effects can be achieved in this embodiment:
(1) Flexibility: the same firmware can be used for all solid state disks. A specific user can be given specific disk functions by locking or unlocking commands, and when other functions are needed they can be unlocked directly through the command, so the firmware does not need to be upgraded. When a solid state disk has a problem, the vendor can unlock the relevant private commands to debug it and locate the problem quickly.
(2) Security: before a lock or unlock command is sent, a random number must be obtained (anti-replay) to generate the secondary key, and the secondary key is then used to calculate an HMAC over the data to be sent. This authenticates the sender while ensuring the integrity of the data, which provides the security.
In a second aspect of the embodiments of the application, a locking system based on solid state disk commands is also provided. Fig. 3 is a schematic diagram of an embodiment of a locking system based on a solid state disk command provided by the present application. As shown in Fig. 3, the locking system based on solid state disk commands includes: an encryption module 10, configured so that the solid state disk generates a random number based on the Get Feature command sent by the host and returns the random number to the host, and the host encrypts the random number with a vendor-specific algorithm, using the initial key configured in the solid state disk, to obtain a first secondary key; a first computing module 20, configured to take the command opcode or feature identifier corresponding to the lock operation command as the message, and perform an HMAC calculation on the message with the first secondary key and the vendor-specific algorithm to obtain first integrity authentication data; a second computing module 30, configured so that the solid state disk, after receiving the lock operation command sent by the host, obtains second integrity authentication data based on the initial key, the random number, the vendor-specific algorithm and the message; a judging module 40, configured to judge whether the first integrity authentication data is equal to the second integrity authentication data; and an execution module 50, configured to determine, in response to the first integrity authentication data being equal to the second integrity authentication data, that the security authentication of the lock operation command is successful, and to execute the lock operation command to lock or unlock the command opcode or feature identifier.
In a third aspect of the embodiment of the present application, a computer readable storage medium is provided, and fig. 4 is a schematic diagram of a computer readable storage medium for implementing a locking method based on a solid state disk command according to an embodiment of the present application. As shown in fig. 4, the computer-readable storage medium 3 stores computer program instructions 31. The computer program instructions 31 when executed by a processor implement the method of any of the embodiments described above.
It should be appreciated that all of the embodiments, features and advantages set forth above for the solid state drive command based locking method according to the present application apply equally, without conflict, to the solid state drive command based locking system and storage medium according to the present application.
In a fourth aspect of the embodiment of the present application, there is also provided a computer device, including a memory 402 and a processor 401 as shown in fig. 5, where the memory 402 stores a computer program, and the computer program is executed by the processor 401 to implement the method of any one of the embodiments above.
Fig. 5 is a schematic hardware structure diagram of an embodiment of a computer device for executing a locking method based on a solid state disk command according to the present application. Taking the computer device shown in fig. 5 as an example, the computer device includes a processor 401 and a memory 402, and may further include an input device 403 and an output device 404. The processor 401, memory 402, input device 403, and output device 404 may be connected by a bus or in another manner; connection by a bus is taken as the example in fig. 5. The input device 403 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the solid state disk command based locking system. The output device 404 may include a display device such as a display screen.
The memory 402 is used as a non-volatile computer readable storage medium, and may be used to store non-volatile software programs, non-volatile computer executable programs, and modules, such as program instructions/modules corresponding to the solid state disk command-based locking method in the embodiment of the present application. Memory 402 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created based on the use of the solid state disk command locking method, and the like. In addition, memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, memory 402 may optionally include memory located remotely from processor 401, which may be connected to the local module via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor 401 executes various functional applications of the server and data processing, that is, implements the solid state disk command-based locking method of the above method embodiment, by running nonvolatile software programs, instructions, and modules stored in the memory 402.
Finally, it should be noted that the computer-readable storage media (e.g., memory) herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which acts as external cache memory. By way of example, and not limitation, RAM is available in a variety of forms such as Synchronous RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly supports an exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items. The serial numbers of the embodiments disclosed above are for description only and do not represent the relative merits of the embodiments.
Those of ordinary skill in the art will appreciate that: the above discussion of any embodiment is merely exemplary and is not intended to imply that the scope of the disclosure of embodiments of the application, including the claims, is limited to such examples; combinations of features of the above embodiments or in different embodiments are also possible within the idea of an embodiment of the application, and many other variations of the different aspects of the embodiments of the application as described above exist, which are not provided in detail for the sake of brevity. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the embodiments should be included in the protection scope of the embodiments of the present application.

Claims (10)

1. A locking method based on a solid state disk command, characterized by comprising the following steps:
generating, by the solid state disk, a random number based on a get feature command sent by a host, returning the random number to the host, and encrypting, by the host, the random number based on an initial key configured in the solid state disk and using a vendor specific algorithm to obtain a first secondary key;
taking a command operation code or a feature identifier corresponding to a lock operation command as a message, and performing HMAC calculation based on the message, the first secondary key and the vendor specific algorithm to obtain first integrity authentication data;
after receiving the lock operation command sent by the host, obtaining, by the solid state disk, second integrity authentication data based on the initial key, the random number, the vendor specific algorithm and the message;
judging whether the first integrity authentication data is equal to the second integrity authentication data;
and in response to the first integrity authentication data being equal to the second integrity authentication data, determining that the security authentication of the lock operation command is successful, and executing the lock operation command to lock or unlock the command operation code or the feature identifier.
2. The method of claim 1, wherein executing the lock operation command to lock the command opcode or the feature identifier comprises:
executing the lock operation command to store the command operation code or the feature identifier in the non-volatile memory of the solid state disk, and disabling the corresponding command according to the command operation code or setting the corresponding feature according to the feature identifier.
3. The method of claim 1 or 2, wherein executing the lock operation command to unlock the command opcode or the feature identifier comprises:
executing the lock operation command to delete the command operation code or the feature identifier from the non-volatile memory of the solid state disk.
4. The method of claim 1, wherein the lock operation command comprises a data pointer, a first field, and a second field;
the data pointer points to a memory address for storing the message in the solid state disk, the message being data transmitted to the solid state disk by the host;
the first field defining a size of the message;
the second field defines whether the message belongs to the command opcode or the feature identifier and defines whether the message is locked or unlocked.
5. The method as recited in claim 1, further comprising:
in response to the solid state disk receiving the lock operation command sent by the host, clearing the random number.
6. The method of claim 1, wherein obtaining, by the solid state disk after receiving the lock operation command sent by the host, second integrity authentication data based on the initial key, the random number, the vendor specific algorithm, and the message comprises:
after the solid state disk receives the lock operation command sent by the host, encrypting the random number based on the initial key and using the vendor specific algorithm to obtain a second secondary key, and performing HMAC calculation based on the message, the second secondary key and the vendor specific algorithm to obtain the second integrity authentication data.
7. The method as recited in claim 1, further comprising:
concatenating the message with the first integrity authentication data, and using the concatenated data as the data to be sent.
8. The method of claim 1, wherein generating, by the solid state disk, the random number based on the get feature command sent by the host comprises:
in response to the solid state disk receiving the get feature command sent by the host, generating a random number of a preset number of bytes using an internal true random number generator, wherein the get feature command is configured with a feature identifier for acquiring the random number.
9. A solid state disk command based locking system comprising:
an encryption module, configured to generate, by the solid state disk, a random number based on a get feature command sent by a host, return the random number to the host, and encrypt, by the host, the random number based on an initial key configured in the solid state disk and using a vendor specific algorithm to obtain a first secondary key;
a first computing module, configured to take a command operation code or a feature identifier corresponding to a lock operation command as a message, and perform HMAC calculation based on the message, the first secondary key and the vendor specific algorithm to obtain first integrity authentication data;
a second computing module, configured to obtain, by the solid state disk after receiving the lock operation command sent by the host, second integrity authentication data based on the initial key, the random number, the vendor specific algorithm and the message;
a judging module, configured to judge whether the first integrity authentication data is equal to the second integrity authentication data; and
an execution module, configured to determine, in response to the first integrity authentication data being equal to the second integrity authentication data, that the security authentication of the lock operation command is successful, and execute the lock operation command to lock or unlock the command operation code or the feature identifier.
10. A computer readable storage medium, characterized in that computer program instructions are stored, which, when executed by a processor, implement the method of any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310496107.9A CN116582255A (en) 2023-04-27 2023-04-27 Locking method, system and storage medium based on solid state disk command


Publications (1)

Publication Number Publication Date
CN116582255A true CN116582255A (en) 2023-08-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination