JP2000148597A - Method for retaining/holding data, data storage unit and computer readable recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to protect data from illegal action. SOLUTION: Each sensor detects an access having no permission to a non- volatile storage device. At the time of detecting an access having no permission to the storage device, data in the storage device are deleted by overwriting a prescribed value on the data of the storage device so as not to recover the data. The storage device is registered in a registration authority and data stored in the storage device are authenticated.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a data storage system, and more particularly, to a data storage / retention technique for ensuring the integrity and security of a file.

[0002]

BACKGROUND OF THE INVENTION Most computer systems use any type of non-volatile storage to store and retain data.
storage). The non-volatile storage is to provide a storage medium capable of retaining its stored contents even when the power is turned off. In addition,
Common examples of non-volatile storage include floppy disks, hard disks, tapes, and the like.

[0003] Most types of non-volatile storage provide relatively high reliability, especially when redundant storage is used. In addition, the performance of the non-volatile storage greatly changes according to the type of the non-volatile storage. For example, hard disks conventionally have higher performance than floppy disks and tapes in terms of access speed. Also, the process used to store data in non-volatile storage is generally non-destructive (e.g., not destroying storage media and storing information), so most types of Non-volatile storage can be reused (eg, data can be written multiple times).

When data in a data file format is to be deleted from the nonvolatile storage, the directory information related to the data file is simply updated in the nonvolatile storage, and the data file itself is not changed. That is normal. For example, the process of deleting a data file on many computer systems is performed by deleting a file name from a file directory or a file allocation table. This creates a storage location that can be occupied by a data file used to store other data.

However, the data file still exists on the non-volatile storage, and the data file is in a recoverable state unless other data is overwritten on the data file. Therefore, this approach makes it difficult to know whether a particular copy of the data is the original (original) copy, and makes the data resistant to the act of acquiring data by a third party. I will.

Further, as another type of non-volatile storage, there is a type in which data is written only once but can be read out a required number of times. This type of non-volatile storage is typically WORM (write once, re
ad many) storage media. A common example of the WORM nonvolatile storage device is an optical disk. This type of storage medium is useful for archiving data that may be written only once and read multiple times, such as medical records or business records. Therefore, in the WORM nonvolatile storage device, since the data cannot be updated or overwritten, it is guaranteed that the copy of the specific data is the original copy (original).

[0007] However, WORM systems and conventional read / write (read / write) storage systems have the disadvantage of being unprotected against data changes. For some data users,
When using the data, there is no way to know whether the data is original (original) or has been modified by an unknown source. For example, in a disk storage subsystem, even unauthorized persons can remove a disk drive and change, steal, or copy information stored on the disk drive.

[0008] In addition, information stored in the storage system may become unsuitable for storage after a long period of time. Therefore, in some situations, it is preferable to provide a method for expiring old information (eg, deleting it from the storage system) and making it unavailable. An example of such information is a company record. This company record is destroyed, for example, after five years according to company policy.

Thus, based on the need to securely store and retain data and the limitations of conventional approaches, data storage that can provide relatively high assurance that a particular copy of data is the original. -Realization of a holding method is highly desired.

[0010]

SUMMARY OF THE INVENTION The need and objects set forth above and other needs and objects set forth in the following description are met by the present invention, which includes, as an aspect, a method for storing and retaining data. And realized. This data storage / holding method includes a step of storing data in a storage unit, and a tamper signal (tamper sig
nal), and when a tamper signal is detected, by overwriting a predetermined value to the data,
Erasing data stored in the storage unit.

According to another aspect of the invention, data is stored and stored.
A holding data storage unit is provided. The data storage unit includes a first non-volatile storage device and a processing unit communicably connected to the first non-volatile storage device, wherein the processing unit is configured to prevent fraud to the first non-volatile storage device. It is determined whether or not the data has been committed, and if it is determined that there has been an illegal act, the data is erased by overwriting the data with a predetermined value.

That is, in the data storage / holding method according to the first aspect, a step of storing data in a storage unit, a step of detecting a tamper signal indicating that unauthorized access has been made to the storage unit, Erasing the data stored in the storage unit by overwriting a predetermined value on the data when a tamper signal is detected.

According to a second aspect of the present invention, there is provided the data storage / holding method according to the first aspect, wherein the step of detecting the tamper signal is provided in the storage unit. And detecting a tamper signal from the sensor.

According to a third aspect of the present invention, in the data storage / holding method according to the first aspect, the step of overwriting the data with the predetermined value includes setting the predetermined value to 00H as the predetermined value. Is overwritten on the data.

According to a fourth aspect of the present invention, there is provided the data storing / holding method according to the third aspect, further comprising a step of deleting one or more file directory entries related to the data. It is a thing.

According to a fifth aspect of the present invention, in the data storage / holding method according to the first aspect, the storage unit includes at least one nonvolatile storage device including a copy of the data. And erasing a copy of the data stored in the one or more non-volatile storage devices.

According to a sixth aspect of the present invention, there is provided the data storage / holding method according to the first aspect, further comprising, when a power supply of the storage unit fails, the backup power supply. The method includes a step of supplying power to the storage unit and a step of prohibiting writing of data to the storage unit and reading of data from the storage unit.

According to a seventh aspect of the present invention, there is provided the data storage / holding method according to the sixth aspect, further comprising the step of storing the data in the storage unit after the power supply to the storage unit is restored. A step of permitting writing and reading of data from the storage unit.

Further, the data storage unit according to claim 8 is a data storage unit for storing and holding data, wherein the first non-volatile storage device including the stored data and the first non-volatile storage device A processing unit connected to communicate with the
Wherein the processing unit determines whether or not the data storage unit has been tampered with, and when it is determined that the data storage unit has been tampered with, erases the data by overwriting a predetermined value on the data. Is configured.

According to a ninth aspect of the present invention, the data storage unit according to the eighth aspect is further connected to the processing unit so as to be communicable with the processing unit, and detects one or more access to the data storage unit. A sensor, wherein the one or more sensors are configured to generate a tamper signal when detecting access to the data storage unit, and the processing unit further generates a predetermined value in accordance with the tamper signal. The data is erased from the first nonvolatile storage device by overwriting the data stored in the first nonvolatile storage device.

According to a tenth aspect of the present invention, in the data storage unit of the eighth aspect, the processing unit is further configured to overwrite 00H as the predetermined value on the data. Things.

The data storage unit according to claim 11 is the data storage unit according to claim 8, wherein the processing unit is further configured to erase one or more file directory entries related to the data. Is what it is.

In a twelfth aspect of the present invention, in the data storage unit of the eighth aspect, the data storage unit includes one or more nonvolatile storage devices including a copy of the data, and the processing unit further includes the one or more nonvolatile storage devices. The copy of the data stored in the nonvolatile storage device is erased.

According to a thirteenth aspect of the present invention, the data storage unit according to the eighth aspect is further configured to supply power to the data storage unit when a power failure occurs. It has first and second backup power supplies.

The data storage unit of claim 14 is the data storage unit of claim 8, further comprising a second non-volatile storage device communicably connected to the processing unit.
A copy of the data stored in the first non-volatile storage device is maintained in the second non-volatile storage device, and the processing unit further causes a failure in the first non-volatile storage device It is determined whether or not a failure has occurred, by overwriting a predetermined value on the data stored in the first nonvolatile storage device. The data is configured to be erased.

The data storage unit according to claim 15 is the data storage unit according to claim 8, further preventing data stored in the first nonvolatile storage device from being changed without permission. It has a secure interface.

[0027] A computer-readable recording medium according to claim 16 is a computer-readable recording medium having one or more sequences of one or more instructions for storing and holding data, The one or more sequences of instructions, when executed by one or more processors, indicate to the one or more processors a procedure for storing data in a storage unit and an unauthorized access to the storage unit. A command for executing a procedure for detecting a tamper signal, and a procedure for erasing the data stored in the storage unit by overwriting a predetermined value on the data when the tamper signal is detected. Including.

According to a seventeenth aspect of the present invention, in the computer readable recording medium according to the sixteenth aspect, the step of detecting the tamper signal is provided in one or more of the storage units. And a procedure for detecting a tamper signal from the sensor.

The computer-readable recording medium according to claim 18 is the computer-readable recording medium according to claim 16, wherein the step of overwriting the data with the predetermined value is performed by using 00H as the predetermined value. Is overwritten on the data.

The computer-readable recording medium according to claim 19 is the computer-readable recording medium according to claim 18, further comprising a step of deleting one or more file directory entries related to the data. It is a thing.

A computer-readable recording medium according to a twentieth aspect is the computer-readable recording medium according to the sixteenth aspect, wherein the storage unit includes one or more nonvolatile storage devices including a copy of the data. And erasing a copy of the data stored in the one or more non-volatile storage devices.

The computer-readable recording medium according to claim 21 is the computer-readable recording medium according to claim 16, further comprising: a backup power supply when the power supply of the storage unit fails. The method includes a procedure of supplying power to the storage unit, and a procedure of writing data to the storage unit and prohibiting reading data from the storage unit.

Further, the computer-readable recording medium according to claim 22 is the computer-readable recording medium according to claim 21, further comprising: after the power to the storage unit is restored, the data to the storage unit. And a procedure for permitting writing and reading of data from the storage unit.

[0034]

DETAILED DESCRIPTION OF THE INVENTION In the following, specific examples are set forth for the purpose of describing the invention so that the invention may be more fully understood. However, it will be apparent that the invention may be practiced without such specific embodiments. In some instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the invention.

[Outline] Here, an approach for storing and holding data and accessing the data will be described. In one aspect, data is stored in a storage unit and is erased after a predetermined time. In another aspect, data is erased if any misconduct has occurred with the storage unit. In yet another aspect, data is erased if any failure occurs in the non-volatile storage in the storage unit. Other approaches include hardware storage units that can permanently store and authenticate data.

That is, this approach is to build a device that has secure hardware and software interfaces and has its own operating system. This interface ensures that no data changes are allowed. Thus, in the present invention, the data is genuine (original)
Can be used in devices where it is important. Hereinafter, each of the above-described surfaces will be described in detail.

[Overview of System] FIG. 1 is a diagram showing a system 100 for storing data. In FIG. 1, one or more stations 102 are connected to one another via a network 104. Each station 102 comprises a computer, workstation, or other similar processing mechanism. For example, each station 102 can be configured as a general-purpose computer system of the type shown in FIG. 13 as one embodiment. The station 102 will be described later. Also, each station 102 can be considered to be equivalent to a client in a client / server environment. The use of the network 104 allows one station 102 to communicate with all other stations 102.

Also, one or more storage units 106
Is provided so that data can be saved and retained. The storage unit 106 may be connected to the network 104 via a link 108 and operate with other devices such as the station 102 connected to the network 104. As the link 108, any type of communication medium may be used as long as data can be exchanged between the storage unit 106 and another device. Examples of link 108 include a network connection, an Ethernet LAN or WAN connection, or any type of wireless transmission medium.

Further, instead of connecting the storage unit 106 to the network 104 via the link 108, the storage unit 106 is connected to the local link 11
2 may be used to directly connect to a specific station 102. Further, the storage unit 106 can be used in another configuration. For example, the storage unit 106 may be directly connected to a specific number of stations 102 to provide local storage to the specific station 102. . In addition, a link 11 at the station-to-storage device interface, for example, a SCSI interface.
2 may be configured.

In this configuration, each station 102
Can exchange information over the network 104 to store information in the storage unit 106 via the link 108 or retrieve and retrieve information from the storage unit 106.

The system 100 also includes a registration authority 110. The registration authority 110 is connected to the network 104 so as to be able to communicate, and executes a registration process of the storage unit 106 as described later in detail.

[Storage Unit] FIG. 2 is a block diagram showing the storage unit 106. As shown in FIG. 2, storage unit 106 includes one or more non-volatile storage devices 200 and 202. Here, as one embodiment, two nonvolatile storage devices 200 and 202 are prepared to provide redundant storage of data. However, the present invention provides a specific number of non-volatile storage devices 200, 2
02 (in other words, the number of nonvolatile storage devices is not limited to two as indicated by reference numerals 200 and 202). Here, data is written to both non-volatile storage devices 200 and 202, as shown in FIG.

Therefore, as shown in FIG. 4, when one of the non-volatile storage devices 200 and 202 becomes unavailable due to, for example, a failure, data is transferred to the other non-volatile storage device 200 or 202.
Is written to. Note that the nonvolatile storage device 2
Any type of 00 and 202 may be used, such as one or more magnetic or optical disks, tapes, or the ability to retain stored data even when power is turned off. And other types of non-volatile storage.

Also, the storage unit 106
Includes one or more sensors shown as S1 to S4, which makes it possible to detect unauthorized access to the storage unit 106. These sensors S1 to S4
Is a device that detects, for example, an act of intruding into the storage unit 106, an act of accessing the storage unit 106 without authority, or an act of tampering or disabling the storage unit 106 without authority.

Specifically, the sensors S1 to S4 are mechanical,
It is an electric / mechanical or electric device, and signals according to the detected event (corresponding to the tamper signal of the present invention)
Is generated. For example, as one embodiment, each of the sensors S1 to S4 is
A micro switch that opens or closes when the cover is opened. In addition, each sensor S
1 to S4 are connected to the processing unit 204 via the link 208.
Connected to.

The storage unit 106 includes a processing unit 204, and the processing unit 204
8 controls the flow of data to the storage unit 106 and the flow of data from the storage unit 106, and executes other processing functions. Further, the processing unit 204 controls the operation of the nonvolatile storage devices 200 and 202. The controlling operations include an operation of writing data to the nonvolatile storage devices 200 and 202 via the link 206 and an operation of reading data from the nonvolatile storage devices 200 and 202.

The processing unit 204 includes the sensor S1
To S4 so as to be able to communicate via a link 208. Note that links 206 and 208 are
The processing unit 204 and the non-volatile storage device 200
And 202, and data can be exchanged between the processing unit 204 and the sensors S1 to S4.

Further, the storage unit 106 optionally includes backup power supplies 210 and 212, and includes the storage unit 106 and its components, ie, the non-volatile storage devices 200 and 20.
2. Power can be supplied to the processing unit 204 and the sensors S1 to S4. Theoretically, backup power supplies 210 and 212 are implemented so that in the event of a power shortage, backup power supplies 210 and 2
12 can supply sufficient power for the operation of the storage unit 106.

For example, the backup power supplies 210 and 212 may be replaced by batteries or uninterruptible power supplies.
power supply; UPS). One of the backup power supplies 210 and 212 is connected to an on-board battery (onboard battery) for supplying backup power to the processing unit 204.
battery).

[Processing Unit] FIG.
FIG. The processing unit 204
The communication interface 300 is included. The communication interface 300 controls, buffers, and regulates communication between the processing unit 204 and other devices outside of the storage unit 106 via the link 108. As the communication interface 300, for example, an I / O controller such as SCSI, IEEE 1394, or Ethernet controller can be used.

The processing unit 204 includes a sensor controller 302. This sensor controller 3
Reference numeral 02 denotes an interface between the sensors S1 to S4 and the processing unit 204 via the link 208, and enables communication between the sensors S1 to S4 and the processing unit 204. As the sensor controller 302, for example, an analog I / O interface can be used.

The processing unit 204 is connected to the link 20
6, the non-volatile storage devices 200 and 2
Non-volatile storage controller 304 that controls
Contains. This nonvolatile storage controller 3
04 is, for example, a disk controller. Also,
Processing unit 204 includes a processor 306 that controls the operation of processing unit 204 and its components described herein. This processor 306 is, for example, a microprocessor.

Further, the processing unit 204 includes a volatile memory 308 such as a RAM, and the volatile memory 308 stores data and instructions of the processor 306. Further, the processing unit 204 is, for example, RO
Non-volatile memory 310, such as M, PROM, EPROM, flash memory or other types of memory.

Communication interface 300, sensor controller 302, nonvolatile storage controller 30
4, the processor 306, the volatile memory 308, and the non-volatile memory 310 are connected so as to be able to communicate with each other via a link 312, so that communication can be performed between these components. Examples of the link 312 include a communication bus or a combination of an address bus and a data bus.

The processing unit 204 is a real-time operating system (OS) such as UNIX.
It is preferable to operate under the control of. One or more stored programs operate under the OS and manage the operations and processes of the storage unit 106 as further described herein.

[Non-Volatile Storage] FIG. 6 is a diagram showing the contents of the non-volatile storage devices 200 and 202. Each nonvolatile storage device 200 and 2
02 contains or stores the storage ID information 400. The storage ID information 400 is for uniquely (uniquely) identifying the nonvolatile storage devices 200 and 202. For example, the storage ID information 400 indicates that the nonvolatile storage device 20
It may include unique serial numbers of 0 and 202. Also, the storage ID information 400
Specifies the information obtained during the registration process of the storage unit 106, that is, the information used to authenticate the storage unit 106. The process of registering the storage unit 106 will be described later in detail.

The nonvolatile storage device 200
And 202 include directory information 402.
The directory information 402 contains data 4 stored on the nonvolatile storage devices 200 and 202.
04 is specified. According to one embodiment, the data 404 includes a plurality of data files, and the directory information 402
And a plurality of directory entries 500 corresponding to the information about the data file and specifying the information. No file-oriented storage system is required. Data 404 may be any type of stored information, and directory information 402
Any metadata may be used as long as the metadata describes the information No. 4.

FIG. 9 is a diagram showing the contents of a directory entry 500 in one embodiment. The directory entry 500 includes the name of the corresponding data file (File Name 502), the creation date of the corresponding data file (Creation Date) 50
4), the date when the expiration date of the corresponding data file expires (expiration date (Expiration Date) 506) and other file management information 508 that can be changed according to a specific application. The other file management information is, for example, the type of a file related to an application or the like.

The directory entry 500 includes a description of replication information (replication information) 510. The copy information 510 indicates the source of the data file related to the file with the file name 502 by indicating one or more directory entries 512 (R1, R2,..., RN). Each directory entry 512 contains the complete history of parent data by storage ID information, replication date, and storage ID directory path. The file name 502 of the data is not changed from the original (original).
The data of the expiration date 506 is also copied.

As used herein, "expiration date" means a time, day, or date when related data is invalidated or unusable. Information in the nonvolatile storage devices 200 and 202 is managed by the OS.

[Erasing After Expiration Date] In one embodiment, the nonvolatile storage devices 200 and 20
The data stored in 2 is deleted after a specific period has elapsed. This process is performed on specific data, which means that different data may be stored on the non-volatile storage device 200 over different time periods.
And 202 may be present. Further, different expiration dates may be applied to different data. Further, some data may not be erased, that is, may exist on the nonvolatile storage devices 200 and 202 indefinitely.

In FIGS. 6, 9 and 10, the directory entry 500 included in the directory information 402 is examined to determine whether the expiration date 506 has expired. This process is performed by comparing the expiration date 506 of a particular directory entry 500 with the current date. Further, instead of holding the expiration date 506 in each directory entry 500, a "holding period (" time to keep ")" is held in each directory entry 500, and the creation date 504 and the "holding period" The expiration date may be determined based on both. Also, an alternative approach is to have an agent that traverses all entries in all directories and checks the expiration date of the entry and the system time and date. If the expiration date has passed, the agent deletes the corresponding entry.

FIG. 10 is a flowchart showing a preferred method for erasing data. In step S520, the current date / time value is obtained. For example,
The processing unit 204 requests and obtains a date / time value by calling operating system functions that control the operation of the processing unit 204. Alternatively, the processing unit 204 may include a clock that can be directly queried by the processor 306. Note that the current date / time value indicates the current date, date, or time for executing the method shown in FIG. Also, the current date / time value is
PU register, working storage area (scratchpad memory ar
ea) or preferably stored in a temporary storage location such as main memory for later use.

Subsequently, in step S522, one directory entry 500 is selected and processed. In one embodiment, step S522 includes a process of serially polling all directory entries 500 in nonvolatile storage devices 200 and 202 (serial polling). Step S522
Are heuristics such as LRU (least-recently-used) algorithms, probabilities or statistics.
A process for selecting a directory entry 500 based on a heuristic process may be included.

Then, in step S524, the current directory entry (current directory entry)
y) It is determined whether to erase the data represented by 500. In one embodiment, step S524
Includes a process of testing whether the current date / time value obtained in step S520 is equal to or greater than the value of the expiration date 506 stored in the current directory entry 500. If the current date / time value is greater than or equal to the expiration date 506, the current directory entry 500 will be deleted.

When it is determined that specific data is to be deleted,
As shown in step S526, data related to the current directory entry 500 is deleted from the data 404. Then, the control proceeds to step S534.
When the specific data is deleted, the directory entry 500 is also deleted as shown in step S534. Since the deleted copy of the specific data includes the same expiration date and the expiration date is checked, all the copies of the specific data are also deleted from the data 404.

According to one embodiment, step S
At steps 526 and S534, the data is deleted from the data 404 and the corresponding directory entry 5 is deleted.
00 is deleted from the directory information 402 by adding a predetermined value to the data and the directory entry 500.
Is performed by overwriting the An example of the predetermined value that is deemed appropriate is 00H, but another value may be used as the predetermined value.

One conventional approach was to simply erase a directory entry without erasing the data itself, so that it was possible to recover the erased data. On the other hand, when the data is overwritten, the recovery becomes more difficult. Therefore, it is considered that the data is more securely erased by overwriting the data with a predetermined value. When data is erased from the data 404 by overwriting a predetermined value and the corresponding directory entry 500 is erased from the directory information 402, the overwritten area is used to store other data. Will be.

In an alternative embodiment, overwriting is performed using different predetermined values for different data. For example, it is assumed that the expiration date 506 of a specific data file existing on the nonvolatile storage device 200 indicates that the specific data file is to be deleted. It is also assumed that a copy of the specific data file is held on the nonvolatile storage device 202. In this case, a particular data file on the non-volatile storage device 200 is overwritten with a first predetermined value, while a copy of that particular data file on the non-volatile storage device 202 is overwritten with a first predetermined value. A second predetermined value different from the value is overwritten. Also, the corresponding directory entry 500
In order to overwrite, a different predetermined value may be used.

In one embodiment, the process of FIG. In particular, processor 306 may perform this process by executing one or more instructions held in volatile memory 308 and nonvolatile memory 310.
On the other hand, another process outside the storage unit 106 or a process for checking each directory entry 500 in the directory information 402 may be executed by the station 102 connected to the network 104 or the like. In such a case, the other process or station 102 will
In this case, the storage unit 106 may be inquired to obtain the directory information 402.

In the above description, the storage ID information 400, the directory information 402, and the data 404 are described and illustrated as being held together on the nonvolatile storage devices 200 and 202. May be stored in another storage location separately from the others. For example, part or all of the directory information 402 may be stored in the volatile memory 30 of the processing unit 204.
8, it is possible to reduce the time required to determine the data file that needs to be deleted from the data 404.

[Erasing After Failure Occurs in Non-Volatile Storage Device] According to another embodiment, if any failure occurs in one of the non-volatile storage devices 200 and 202, all data included in the data 404 are deleted. All directory entries 500 included in the data and directory information 402 are erased as described above. Then, the other nonvolatile storage device 200
Or 202 is the first storage device (primary st
orage device) and continue to be used.

One example of a situation in which a failure occurs is that when both non-volatile storage devices 200 and 202 are being updated, media corruption prevents one of the non-volatile storage devices 200 and 202 from being updated. Such is the case. Since the non-volatile storage devices 200 and 202 provide redundant storage, deleting data from the failed non-volatile storage device 200 or 202 allows the non-volatile storage devices 200 and 202
Do not contain different (and possibly valid) data.

FIG. 11 is a flowchart showing a preferred method for erasing data from a nonvolatile storage device when a failure occurs in the nonvolatile storage device. In step S540, it is detected that some failure has occurred in the nonvolatile storage device. For example, step S540
Power-up routine or bootstrap loader routine
(Routine) may include a step of detecting that a power supply abnormality or other failure has occurred.

In one embodiment, each of the nonvolatile storage devices 200 and 202 stores a marker value (marker val).
ue) has a dedicated storage location. This marker value is a predetermined value indicating that the nonvolatile storage devices 200 and 202 have been shut down without any problem. When the nonvolatile storage devices 200 and 202 are shut down without any problem, a predetermined marker value is stored in a dedicated storage location.

On the other hand, the nonvolatile storage device 20
When 0,202 is activated, a predetermined marker value is checked and a different value is overwritten. Thus, if an unexpected failure (e.g., abnormal termination) occurs, the dedicated storage location will not contain the marker value, thereby causing the non-volatile storage device 20
It is detected that a fault has occurred at 0,202.

When the occurrence of a certain failure is detected, a plurality of directory entries 500 are determined in step S542.
, The next directory entry 500 is selected. In one embodiment, step S542 includes serially polling all directory entries 500 in nonvolatile storage devices 200,202. Also, step S542 is performed in the LR
Heuristic processes such as U-least-recently-used algorithms, probabilities or statistics
tic process) based on directory entry 500
May be included.

Then, in step S544, all the data associated with the current directory entry 500 is erased, for example, by overwriting the data with a predetermined value. And step S
At 552, the current directory entry 50
0 is erased, for example, by overwriting it with a predetermined value. If necessary, the directory itself is deleted.

Subsequently, in step S554, it is determined whether or not another directory entry 500 exists in the directory information 402 of the nonvolatile storage devices 200 and 202. If it is determined that the directory entry exists, steps S542 to S552 are repeatedly executed for each of the further directory entries 500.

At optional step S556, another non-volatile storage device 200 or 202 is designated as the primary storage device of storage unit 106. Such designation means that storage unit 106 will continue read / write operations to non-failing non-volatile storage device 200 or 202. In this way, the storage unit 106 remains usable, but the failed nonvolatile storage device 200 or 202 in the storage unit 106 is made unusable.

When data in the failed nonvolatile storage device 200 or 202 is erased, the failed nonvolatile storage device 200 or 20
2 may be reinitialized. When the failed nonvolatile storage device 200 or 202 is successfully re-initialized, the data stored in the failed nonvolatile storage device 200 or 202 is restored to the recovered nonvolatile storage device 200 or 202. Can be copied. If the failed non-volatile storage device 200 or 202 could not be successfully re-initialized, the non-failed non-volatile storage device 200 or 202
May be copied to the non-volatile storage device of another storage unit 106.

Since the likelihood of simultaneous failure of the non-volatile storage devices 200 and 202 is very low, the use of redundant non-volatile storage devices 200 and 202 can provide very high data reliability. it can. To provide additional data reliability, redundant nonvolatile storage devices 200 and 2
Other storage units 10 each including
6 can also be used to provide further redundancy.

[Tamper protection] According to one embodiment, the storage unit 106 is protected from fraud. The sensors S1 to S4 are connected to the link 20
8 and is monitored by the processing unit 204 to detect fraudulent activity on the storage unit 106. The selection and placement of the sensors S1-S4 is determined by the requirements of the particular application, but generally involves breaking seals, opening sealed partitions, and other storage units 106.
It is designed to detect unauthorized access to the storage unit 106, for example, by forcibly entering the storage unit 106.

The sensors S1 to S4 are connected to the storage unit 1
When detecting an unauthorized access to 06, the sensors S1 to S4 input a tamper signal (tamper signal; that is, a signal indicating that fraud to the storage unit 106 has been detected) to the processing unit 204. In response to the tamper signal, the processing unit 204 sends the storage ID information 400 and the directory information 402
And the data 404 are erased. This prevents the data stored in the storage unit 106 from being used without permission.

FIG. 12 is a flowchart showing a preferred method for erasing the storage contents of the non-volatile storage devices 200 and 202 when the storage unit 106 has been tampered with. In step S560, a disturbance to the storage unit 106, such as improper operation on the storage unit 106, intrusion into the storage unit 106, opening of the storage unit 106, and the like, is detected. For example,
Step S560 may include detecting that one or more sensors S1-S4 have been activated or are generating a detection signal.

If an illegal act is detected, step S5
At 62, the next directory entry 500 is selected from the plurality of directory entries 500.
In one embodiment, step S562 includes serially polling all directory entries 500 of non-volatile storage devices 200,202. Step S562 is performed, for example, in LR
The method may include selecting a directory entry based on a heuristic process such as a U-least-recently-used algorithm, probability or statistics.

Subsequently, in step S 564, all data related to the current directory entry 500 is erased, for example, by overwriting the data with a predetermined value. In step S572, the current directory entry 500 is deleted by overwriting a predetermined value, for example. If necessary, the directory itself is deleted.

Then, in step S574, it is determined whether or not further directory entry 500 exists in directory information 402 of nonvolatile storage devices 200 and 202. If it is determined that there is another directory entry 500, steps S562 to S572 are performed for each directory entry 500.
The process up to is repeated.

In one embodiment, step S562
Alternatively, another step may include generating a warning to an authorized person to indicate that a fraud has occurred and that an erase operation has been performed. For example, in step S562, processing unit 204 may generate a message for a given station 102 to notify that station 102 that a fraud has been detected and an erase operation is in progress.

According to another embodiment, in the event of a power failure (for example, a power failure), backup power supplies 210 and 2
12 is a storage unit 1 including sensors S1 to S4
06 is powered. However, the non-volatile storage devices 200 and 202 operate in a power save mode. When operating in the power save mode, normal write and read operations on the non-volatile storage devices 200 and 202 are prohibited to conserve power. When power is restored, write and read operations to non-volatile storage devices 200 and 202 will continue.

However, even when the storage unit 106 is operating in the power save mode, if the sensors S1 to S4 detect unauthorized access to the storage unit 106, all available The storage ID information 4 from the non-volatile storage devices 200 and 202 is
00, directory information 402 and data 404 are deleted. Thus, simply the storage unit 106
It is impossible to avoid executing the erase process only by turning off the power supply of the power supply.

[Registration of Storage Unit] According to one embodiment, the storage unit 106 registers the registration authority 1 to authenticate the storage unit 106.
Registered at 10. According to this approach, each storage unit 106 is registered with the registration authority 110 by providing the registration authority 110 with a unique storage unit identifier value. In response, a registration identifier value is provided by the registration authority 110 and the non-volatile storage devices 200 and 20
2 is stored in the storage ID information 400.

In this manner, the storage unit 106
Is registered, the station 102 requests the registration identifier value of the particular storage unit 106, and confirms that the registration identifier value is valid with the registration authority 110, thereby causing the particular storage unit 106 to register with the registration authority value. 110 can be confirmed. This ensures that the data stored in a particular storage unit 106 is original (original) and authentic.

FIG. 7 shows a registration identifier value 420 having a header segment 422, a device maker segment 424, and a serial number segment 426.
It is a figure showing the suitable example of.

The header segment 422 specifies the registration authority 110. For example, the header segment 422 may include the registration authority 1 in the context of the storage unit 106 or OS.
Contains a predetermined value uniquely associated with 10. The device maker segment 424 uniquely specifies the maker or brand name of the storage unit 106. This device maker segment 42
4 may be a manufacturer name or a code number that uniquely identifies a specific manufacturer. Also, the serial number
The segment 426 includes the serial number of the storage unit 106.

FIG. 8 is an explanatory diagram of the database 111. Database 111 includes at least one table 460 having one or more rows 462. Each row 4
62 corresponds to one storage unit 106. Table 460 includes columns 46 for storing manufacturer or brand name values, serial number values, and assignment date values.
4 to 468. In the value of each allocation date, a row corresponding to a certain storage unit 106 is stored in the table 460.
It specifies the date added to.

[Originality of Data] In some situations, by preventing certain data from being changed or deleted, the storage unit 1
It may be preferable to preserve the originality and uniqueness of that certain data stored at 06. In this way, the storage unit 106 can "guarantee" to an external process or device that certain data has not changed since it was first written.

In one embodiment, an audit trail is generated when copying data from one device to another. As shown in FIG. 9, each copy entry (R1, R2,..., RN) has a copy date of 5
14 and source information including storage ID information 516 and directory entry 512. In order to copy data from the source device to the destination device, a copy command is issued to the destination device along with file information and the specifications of the source device.

Then, the destination device issues a special read command to the source device, so that it is possible to prevent data from being changed when the data is transferred from the source device to the destination device. As such, the data is encrypted.

Thus, according to one embodiment, an approach is provided to ensure that certain data stored in the storage unit 106 is written only once and never changed. The certain data may be read-only and can be read an unlimited number of times. This approach targets specific data and does not require that all stored data be kept as read-only data.

In one embodiment, read-only data is stored in non-volatile storage devices 200 and 202.
After that, the directory entry 500 associated with the read-only data is updated to indicate that the associated data is read-only data and will never be overwritten or modified. The update works by declaring that the stored data is unique and immutable to other devices and processes. For example, after the read-only data is written to the non-volatile storage devices 200 and 202, the other file management information 508 of the directory entry 500 associated with the read-only data is changed because the associated data is read-only. Updated to indicate that nothing has happened.

Thereafter, the nonvolatile storage device 20
If the data at 0 and 202 will be changed,
The directory entry 500 associated with the data is examined to determine whether the particular data is read-only. If not read-only,
The associated data is changed as described herein. On the other hand, if it is read-only, the associated data and directory entry 500 will not be changed.

Another way to guarantee originality is to limit the write commands that can be executed on a particular non-volatile storage device. For example, in the context of a situation where a file stored on a non-volatile storage device is held as being an authenticated file to assure originality, the non-volatile storage device has a special status for writing. It may be requested. Without a special write status, the write command will fail if the same file name exists on the non-volatile storage device.

This approach can be applied to any of the approaches described herein, including erasure processing based on expiration dates, erasure processing based on fraudulent activities, and erasure processing based on the occurrence of failures. This approach provides a way to ensure the validity of the stored data, thereby increasing the reliability of the stored data, for example, the data as legal evidence . Also, the content and uniqueness of the data are guaranteed.

[Overview of Computer System] FIG.
Is a block diagram illustrating a computer system that can be used to implement aspects of the present invention, for example, illustrating an alternative embodiment of the processing unit 204. The processing unit 204 has a bus 602 for information communication.
Alternatively, including other communication mechanisms, the processor 604 is connected to the bus 602 for processing information. The processing unit 204 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, where the main memory 606 is a bus for storing information and instructions executed by the processor 604. 602.

The main memory 606 may be used to store temporary variables or other intermediate information during execution of instructions executed by the processor 604.
Further, processing unit 204 includes a read-only memory (ROM) 608 or other static storage device connected to bus 602 for storing static information and instructions for processor 604. The storage device 610 is, for example, a magnetic disk or an optical disk, and is connected to the bus 602 so that information and instructions can be stored.

The processing unit 204 is, for example, C
A display 612 for displaying information to a computer user such as an RT may be connected through the bus 602. An input device 614 including alphanumeric and other keys is connected to the bus
04 and information and command selection can be transmitted. Another type of user input device is a cursor control 616, such as a mouse, trackball, or cursor directional key, which sends directional information and command selections to the processor 604 and also controls the movement of the cursor on the display 612. Control. Such input devices generally allow specifying a position in a plane by having two degrees of freedom in two axes, a first axis (eg, x) and a second axis (eg, y). It was done.

The present invention relates to a technique for storing and holding data using the storage unit 106. In one embodiment, processing unit 2 responds to processor 604 executing one or more sequences of one or more instructions stored in main memory 606.
04 executes a process of storing and holding data. Such instructions may be read into main memory 606 from another computer-readable medium, such as storage device 610. By executing the sequences of instructions contained in main memory 606, processor 604 performs the steps of the process described herein.

The sequence of instructions contained in main memory 606 may be executed using one or more processors in a multi-processing configuration. In an alternative embodiment, the present invention can be implemented by using hard-wired circuits instead of or in combination with software instructions. Therefore, each embodiment of the present invention is not limited to a specific combination of hardware and software. Instructions can be configured as software agents, processes, subroutines, or programs.

As used herein, the term “computer-readable medium” refers to any medium that participates in providing instructions to processor 604 for execution.
Such a medium may take many forms, including non-volatile media, volatile media, and transmission media. However, it is not limited to such a form. For example, the non-volatile medium is the storage device 6
10 including an optical or magnetic disk.

The volatile medium is the main memory 606.
Dynamic memory such as Further, the transmission medium includes a coaxial cable, a copper wire, and an optical fiber, and includes wires forming the bus 602. Note that the transmission medium can take a form such as a sound wave or a light wave generated during radio wave and infrared communication.

The general form of a computer-readable medium includes, for example, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a CD-ROM or any other optical medium, a punch card, and a paper tape. Or any other physical medium with a pattern of holes, RAM, PROM
And EPROM, FLASH-EPROM, any other memory chip or cartridge, a carrier described below, or any other medium on which a computer can perform a read operation.

Various forms of computer readable media are required to hold one or more sequences of one or more instructions for execution on processor 604. For example, the instructions may be initially stored on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line by using a modem. A modem within processing unit 204 can receive the data over a telephone line and use an infrared transmitter to convert the data to an infrared signal.

An infrared detector connected to the bus 602 receives data carried by an infrared signal and
02. Bus 602 carries data to main memory 606, from which processor 604 reads and executes instructions. The instructions received in main memory 606 may optionally be stored on storage device 610 either before or after execution by processor 604.

The processing unit 204 includes a bus 602
And a communication interface 618 connected to the Communication interface 618 includes a network link 620 connected to local network 622.
Provide a two-way data communication coupling. For example, if the communication interface 618 is
grated Services Digital Network) It may be configured with a card or a modem to provide a data communication connection to a corresponding type of telephone line.

As another example, the communication interface 61
8 may be configured with a local area network (LAN) card to provide a data communication connection to a compatible LAN. Also, a wireless link may be implemented. In any implementation, communication interface 618 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

[0117] Network link 620 generally provides data communication through one or more networks to other data devices. For example, network link 620 provides a connection via local network 622 to a host computer 624 or data equipment managed by an Internet Service Provider (ISP) 626. ISP 626,
It currently provides data communication services over a worldwide packet data communication network commonly referred to as the "Internet" 628.

Both the local network 622 and the Internet 628 carry digital data streams using electrical, electromagnetic or optical signals. Signals passing through various networks,
And signals on network link 620 and via communication interface 618 carry digital data to processing unit 204 or
To carry digital data, and is an exemplary form for a carrier that carries information.

The processing unit 204 can send messages containing program codes and receive data containing program codes through one or more networks, network links 620 and communication interfaces 618. In the example of the Internet, server 630 includes Internet 628, ISP 626, local network 622 and communication interface 6
Through 18 it is also possible to transmit the code of the requested application program. The application downloaded in this manner executes processing for saving and holding data as described herein.

The received code may be executed by processor 604 when data is received and / or stored in storage device 610 or other non-volatile storage for later execution. Thus, the processing unit 204 may acquire the application code in the form of a carrier wave.

The approach described herein offers several advantages over conventional approaches for storing and retaining data. In particular, by employing an approach of erasing the data from the storage unit 106 by overwriting the data with a predetermined value,
Making recovery of that data more difficult. Monitoring for fraud protects the storage unit 106 from unauthorized access. By registering the storage unit 106 using the registration authority 110, the data stored in the storage unit 106 is authenticated.

Further, an approach for maintaining the originality of data is that certain data is stored in the storage unit 1.
When read from 06, it is guaranteed that the data has been written only once and has not been modified. Similarly, when data is erased from the storage unit 106, the data designated as read-only data
6 will not be erased.

[Modification] As described above, the present invention has been described based on the specific embodiment. It is apparent, however, that various design changes may be made to the present invention without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded as illustrative only and are not intended to limit the invention.

[0124]

As described above, according to the data storage / holding method, the data storage unit and the computer-readable recording medium of the present invention, at least the effect that data can be protected from fraudulent acts. Obtainable.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a system for storing and holding data.

FIG. 2 is a block diagram showing a storage unit included in the system of FIG.

FIG. 3 is a block diagram showing a part of the storage unit of FIG. 2;

FIG. 4 is a block diagram showing a part of the storage unit of FIG. 2;

FIG. 5 is a block diagram illustrating a processing unit included in the storage unit of FIGS. 2 to 4;

FIG. 6 is a block diagram showing contents of a nonvolatile storage device included in the storage units of FIGS. 2 to 4;

FIG. 7 is an explanatory diagram showing registration identifier values.

FIG. 8 is an explanatory diagram showing a table of a database of a registered authority.

FIG. 9 is an explanatory diagram showing contents of a directory entry included in the nonvolatile storage device of FIG. 6;

FIG. 10 is a flowchart illustrating an erasing process based on an expiration date.

FIG. 11 is a flowchart illustrating an erasing process based on the occurrence of a failure.

FIG. 12 is a flowchart illustrating an erasure process based on fraud.

FIG. 13 is a block diagram of a computer system capable of realizing an embodiment of the present invention.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 system 102 station 104 network 106 storage unit 108, 112, 206, 208, 312 link 110 registration authority 111 database 200, 202 non-volatile storage device 204 processing unit 210, 212 backup power supply 300 communication interface 302 sensor controller 304 non-volatile storage controller 306 Processor 308 Volatile memory 310 Nonvolatile memory 400, 516 Storage ID information 402 Directory information 404 Data 420 Registration identifier value 422 Header segment 424 Device maker segment 426 Serial number segment 460 Table 462 Row 464-468 Column 500 , 512 directories Entry 502 file name 504 creation date 506 expiration date 508 other file management information 510 copy information 512 directory entry 514 copy date 602 bus 604 processor 606 main memory 608 ROM 610 storage device 612 display 614 input device 616 cursor control 618 communication interface 620 network Link 622 Local network 624 Host computer 626 ISP 628 Internet 630 Server S1-S4 Sensor

Claims (22)

[Claims] A step of storing data in a storage unit; a step of detecting a tamper signal indicating that there is unauthorized access to the storage unit; and a step of setting a predetermined value when the tamper signal is detected. Erasing the data stored in the storage unit by overwriting the data. 2. The data storage according to claim 1, wherein the step of detecting the tamper signal includes a step of detecting a tamper signal from one or more sensors provided in the storage unit. -Holding method. 3. The method according to claim 1, wherein the step of overwriting the data with the predetermined value includes the step of overwriting the data with 00H as the predetermined value. . 4. The method according to claim 3, further comprising the step of deleting one or more file directory entries associated with the data. 5. The storage unit includes one or more non-volatile storage devices including a copy of the data, and further stores a copy of the data stored in the one or more non-volatile storage devices. 2. The method according to claim 1, further comprising an erasing step. 6. When a power supply of the storage unit fails, supplying power to the storage unit from a backup power supply, writing data to the storage unit and transferring data from the storage unit. 2. The data storage / holding method according to claim 1, further comprising a step of prohibiting reading and a step of executing. 7. The method according to claim 6, further comprising the step of permitting writing of data to said storage unit and reading of data from said storage unit after power supply to said storage unit is restored. How to save and retain data. 8. A data storage unit for storing and holding data, wherein the data storage unit can communicate with a first nonvolatile storage device including stored data and the first nonvolatile storage device. And a processing unit connected as described above, wherein the processing unit determines whether or not the data storage unit has been tampered with. A data storage unit, wherein the data storage unit is configured to erase the data. 9. The system further comprises one or more sensors communicatively connected to the processing unit for detecting access to the data storage unit, wherein the one or more sensors detect access to the data storage unit. The processing unit is further configured to generate a tamper signal, wherein the processing unit further overwrites the data stored in the first nonvolatile storage device with a predetermined value in response to the tamper signal. ,
The data storage unit according to claim 8, wherein the data storage unit is configured to erase the data from the first nonvolatile storage device. 10. The data storage unit according to claim 8, wherein the processing unit is further configured to overwrite the data with 00H as the predetermined value. 11. The data storage unit according to claim 8, wherein the processing unit is further configured to erase one or more file directory entries associated with the data. 12. The data storage unit comprises one or more non-volatile storage devices containing a copy of the data, and the processing unit further comprises: a storage device for storing the data stored in the one or more non-volatile storage devices. 9. The data storage unit according to claim 8, wherein the data storage unit is configured to erase a copy. 13. The power supply according to claim 8, further comprising a first and a second backup power supply configured to supply power to the data storage unit when a power supply failure occurs. Data storage unit as described. 14. The system further comprising a second non-volatile storage device communicably connected to the processing unit, wherein the copy of the data stored in the first non-volatile storage device is the second non-volatile storage device. The processing unit is further stored in a nonvolatile storage device, and the processing unit further determines whether a failure has occurred in the first nonvolatile storage device, and when determining that a failure has occurred, sets the predetermined value to the predetermined value. The method of claim 8, wherein the data is erased from the first nonvolatile storage device by overwriting the data stored in the first nonvolatile storage device. Data storage unit. 15. The data storage unit according to claim 8, further comprising a secure interface for preventing data stored in the first nonvolatile storage device from being changed without permission. . 16. A computer readable storage medium having one or more sequences of one or more instructions for storing and retaining data, wherein the one or more sequences of the one or more instructions comprise one or more processors. Storing, in the one or more processors, data in a storage unit; detecting a tamper signal indicating that there has been unauthorized access to the storage unit; and A step of overwriting a predetermined value on the data to erase the data stored in the storage unit, and a command to execute the following. . 17. The computer-readable computer according to claim 16, wherein the step of detecting a tamper signal includes a step of detecting a tamper signal from one or more sensors provided in the storage unit. Recording medium. 18. The computer-readable recording medium according to claim 16, wherein the step of overwriting the data with the predetermined value includes the step of overwriting the data with 00H as the predetermined value. . 19. The computer-readable medium according to claim 18, further comprising the step of deleting one or more file directory entries associated with the data. 20. The storage unit comprises one or more non-volatile storage devices containing a copy of the data, and further comprising: erasing a copy of the data stored in the one or more non-volatile storage devices. 17. The computer-readable recording medium according to claim 16, comprising: 21. A procedure for supplying power to the storage unit from a backup power supply when a failure occurs in the power supply of the storage unit, writing data to the storage unit and transferring data from the storage unit. 17. The computer-readable recording medium according to claim 16, comprising: a step of prohibiting reading; and a step of executing: 22. The method according to claim 21, further comprising a step of permitting writing of data to the storage unit and reading of data from the storage unit after power supply to the storage unit is restored. Computer readable recording medium.