200849057 九、發明說明: 【發明所屬之技術領域】 ,尤其是指一種應用於 〇 本發明關於一種資料存取方法 資料儲存裝置的安全資料存取方法 【先前技術】 通訊4的革命性較,帶來了網路的快速成長和資 訊的加速數純,並對個人安全和隱私造成前所未有的威 脅。持續增加的敏感資訊正以電子種類方式循環,其包含 ,子郵件、傳真信息、電話通話内容、基金匯兒、貿易秘 :和其他個人紀錄。相同的技術進步已為人類帶來巨大的 益處’但同時也造成人們受到更多難以防守的和潛在危險 探。現已出現-些新應用在電腦儲存設備,且其中許 多是為了加強儲存於電腦儲存設備的資料的整體安全性的 需求。 。=1到圖3是根據Cheng等人的美國專利第6,880,054 :虎:女王儲存設備及其操作的簡要圖。如圖1所示,快閃 。己L體4疋被分割成數個不同的區段或地帶。簡而言之, 陕閃.己k體疋破分割成2個區段:區段工是用以設定軟體 序號,而區段?目丨3 則疋用以儲存使用者的資料。此外,每個 獨特的密碼。請參考圖其為—流程圖顯示最 、、使用者對於快閃記憶體4區段2密碼的初始化設定。為 5 200849057 了設定區段2的密碼’使用者將設備1()插人2()至電腦上 的USB連接埠,且在電腦和設備1〇之間建立通訊2卜使用 者之後執行驅動程式軟體,且該驅動程式軟體對於區段2 ,入-密碼安裝収模< 23。之後使用者輸人密碼28,該 密碼是他們期待用以防止對快閃記憶體4的區段2做未經 授榷的存取。輸人的密碼之後被加密29並儲存3()於快閃 記憶體4。 如圖2所示及同上所述,在最終使用者進行初始化密 碼設定程序後,當㈣者選取區段2以存取儲存於快閃記 憶體4的資料時(見圖3),則微控制器3將傳送一命令給電 腦要求46使騎輸人使驗區段2的密碼。#使用者輸入 密碼,則電腦會將密碼傳至微控制器3。微控制器3從快 閃記Μ 4取㈣段2的密碼、解密4 7密碼並將密碼盘使 用者輸人的密碼做比較。如果使用者輸人的密碼不正確的 话’則操作回到步驟46且電腦要求46使用者重新輸入密 石馬。如果使用者輸入的密碼正確的話,則使用者可存取快 的區段2’以讀取來自快閃記憶體4的資料和 允閃咖4。然而’只有在手動切換7是在 允々貝枓被寫入至快閃記憶體4 =一為了讀取來自快心 取二藉:,式的電_讀 寻处制於料^入命令, 6 200849057 微控制器3會從快閃記情 葙9 wa 匕體4取传49貧料並將其傳至驅動 從二動程個人電腦格式,並再輸出至電腦或 制3二i仔貝料以寫人該資料至快閃記憶體4。微控 i二Γ: 51是否完成讀取或寫入操作。如果沒完 成麵作,則回到步驟49。如果完成操作,則操作終止於52。 密石w j國專利第6,88M54號揭露了將使用者提供的 馬和儲存的密碼與限制存取快閃記憶體資料做比較的方 2 ’但壞處是密碼破解者最終透過多次的反覆嘗試來破解 在碼。此外’ -旦存有密碼的快閃記憶體4被破解或被去 除’則惡意的密碼破解者將可輕易地存取資料。因此,習 知技術不能保證儲存設備中資料的機密性。所以,需要有 一種安全資料存取方法,以避免私人資料相。跟二般不 同的是,例如:美國專利第6,88M54號的f料存取方法, 本發明勝於透過基於密碼所產生的加密金鑰來加強數位資 料的機密性,並進-步以加密金鑰來加密資料,以排除入 侵者有機會在經過多次的反覆嘗試後破解加密資料。 【發明内容】 鑑於習知技術受限於上述問題,因此本發明的目標是 提供一種使用於資料讀取/寫入設備的安全資料存^方 法0 200849057 且^、一 s明的硯點’ 一種使用於資料讀取/寫入設備 : 卜n a 記憶體的資料儲存裝置的資料存取 方法,該方法包括以下步驟:a)建立預設密碼;b)產生第 一加密金鑰’· c)以第—加密 知 在孟鑰來加狁資料;d)收到存取 要求後提不輸入密碼;)佶 χ e)以使用者輸入的密碼解碼儲存於 NAND快閃記憶體的標商 $ ’、,)欢一私碩以判斷使用者輸入 一:密金鑰是否可以對應;及g)當使用者輸入密 屮次粗冑孟鑰正確對應後’藉由解密金输來解密和輸 出 > 科。 …根據本案構想,解碼步驟包括把使用者輸入密碼轉譯 成弟一加密金鑰的步驟,以解碼標頭。 _本案構想,資料存取方法進—步包括,當使用者 輸入进碼和第—加密金鑰之間無法正確對應時,提示輸入 密碼的步驟。 +根據本案構想,自密碼轉譯的第-和第二加密金鑰可 藉由軟體或硬體達成。 根據本案構想,樣頭位於第一邏輯區。 ”根據本案構想,第-加密金輪和第二加密金餘可藉由 貧料頃取/寫入設備做修改。 =據本案構想’解密金輪可藉由資料讀取/寫入設備 做修改。 8 200849057 根據本案構想,第一加密金錄和第二加密金鎗個別具 有64位元、128位元、192位元、或256位元的長度。 根據本案構想,解密金鑰具有64位元、128位元、192 位元、或256位元的長度。200849057 IX. Description of the invention: [Technical field to which the invention pertains], in particular, a method for accessing a secure data access device for a data access method of the present invention. [Prior Art] A revolutionary comparison of communication 4 The rapid growth of the Internet and the accelerated acceleration of information have created an unprecedented threat to personal security and privacy. The ever-increasing amount of sensitive information is circulating in electronic categories, including sub-mail, fax messages, phone call content, fund transfer, trade secrets, and other personal records. The same technological advances have brought enormous benefits to mankind' but at the same time caused people to be more difficult to defend and potentially dangerous. Some new applications have emerged in computer storage devices, many of which are intended to enhance the overall security of the data stored on computer storage devices. . =1 to Figure 3 is a simplified diagram of the Tiger: Queen Storage Device and its operation according to U.S. Patent No. 6,880,054 to Cheng et al. As shown in Figure 1, flash quickly. The L-body 4 is divided into several different sections or zones. In short, Shan flashing has split into two sections: the section is used to set the software serial number, and the section? The target 3 is used to store the user's data. Also, each unique password. Please refer to the figure for the flow chart display, the user's initial setting for the flash memory 4 section 2 password. For 5 200849057, set the password for section 2 'The user inserts device 1 () into the USB port on the computer, and the driver is executed after the communication is established between the computer and the device 1 Software, and the driver software installs the mode < 23 for the zone 2 and the in-password. The user then enters a password 28 which they expect to be used to prevent unauthorised access to section 2 of flash memory 4. The entered password is then encrypted 29 and stored 3 () in flash memory 4. As shown in FIG. 2 and the above, after the end user performs the initial password setting procedure, when (4) selects the segment 2 to access the data stored in the flash memory 4 (see FIG. 3), the micro control The device 3 will transmit a command to the computer requesting 46 to enable the rider to verify the password of zone 2. #User input password, the computer will pass the password to the microcontroller 3. The microcontroller 3 compares the password of the (4) segment 2 from the flash memory 4, decrypts the 47 password, and compares the password entered by the password disk user. If the password entered by the user is incorrect, then the operation returns to step 46 and the computer requests 46 the user to re-enter the stone horse. If the password entered by the user is correct, the user can access the fast segment 2' to read the data from the flash memory 4 and the flash memory 4. However, 'only when the manual switch 7 is in the allowable memory is written to the flash memory 4 = one for the read from the fast heart to take the second borrow: the type of electric _ read seek system into the command, 6 200849057 Microcontroller 3 will take 49 poor materials from the flash 记 匕 4 4 and transfer it to the drive from the two-way personal computer format, and then output to the computer or system 3 or 2 The person has the data to the flash memory 4. Microcontroller i: 51 51 Whether to complete the read or write operation. If the face is not completed, return to step 49. If the operation is completed, the operation ends at 52. Mishi Wj National Patent No. 6,88M54 discloses the comparison between the user-supplied horse and the stored password and the restricted access flash memory data. 2 But the disadvantage is that the password cracker finally tries repeatedly through multiple attempts. To crack the code. In addition, if the flash memory 4 with the password is cracked or removed, the malicious password cracker will be able to easily access the data. Therefore, conventional techniques do not guarantee the confidentiality of data in storage devices. Therefore, there is a need for a secure data access method to avoid private data. The difference is that, for example, the f material access method of U.S. Patent No. 6,88M54, the present invention is better than enhancing the confidentiality of digital data through the encryption key generated by the password, and further encrypting the gold. The key is used to encrypt the data to eliminate the intruder's opportunity to crack the encrypted data after repeated attempts. SUMMARY OF THE INVENTION Since the prior art is limited to the above problems, it is an object of the present invention to provide a secure data storage method for a data reading/writing device 0 200849057 and a singular point For data reading/writing device: data access method of data storage device of memory, the method comprises the steps of: a) establishing a preset password; b) generating a first encryption key '·c) The first-encryption knows that the key is added by the key; d) the password is not input after receiving the access request;) e) decoding the logo stored in the NAND flash memory by the user-entered password $', ,) Huanyi a private master to judge the user input one: whether the secret key can correspond; and g) when the user enters the key password, the rough key is correctly corresponding, 'decryption and output by decrypting the gold input> . ... According to the present concept, the decoding step includes the step of translating the user input password into a cipher-encryption key to decode the header. _ In this case, the data access method further includes the step of prompting for a password when the user input code and the first-encryption key do not correspond correctly. + According to the concept of the present case, the first and second encryption keys translated from the password can be achieved by software or hardware. According to the concept of the present case, the sample is located in the first logical area. According to the concept of the case, the first-encryption gold wheel and the second encryption gold can be modified by the poor material acquisition/writing device. = According to the concept of the case, the decryption gold wheel can be modified by the data reading/writing device. According to the present concept, the first encrypted gold record and the second encrypted gold gun have a length of 64 bits, 128 bits, 192 bits, or 256 bits. According to the present concept, the decryption key has 64 bits, 128. The length of a bit, 192 bits, or 256 bits.
根據本案構想,根據先進加密標準(Advanced Encryption Standard,AES)、資料加密標準(Data Encryption Standard,DES)、三重資料加密標準(Triple-DES)、和RSA 加密法做資料加密。 根據本案構想,資料儲存裝置包括USB隨身碟 (Universal Serial Bus,USB)、SD卡(Smart Digital,SD)、MMC 卡(Multi Media Card,MMC)、CF卡(Compact Flash,CF)、 和USB快閃碟。 依照本發明的另一觀點,一種使用於資料讀取/寫入 設備具有至少一 NAND快閃記憶體的資料儲存裝置的資料 存取方法’該方法包括以下步驟:收到資料存取要求後提 τ輸入密碼;將使用者輸入密碼轉譯成加密金鑰;以加密 金餘解碼儲存於NAND快閃記憶體的標頭;檢查標頭以判 斷使用者輪入密碼和預設加密金鑰是否正確對應;及當使 用者輪入密碼和預設密碼正確對應後,藉由解密金鑰來解 密和輸出資料。 &據本案構想,預設加密金鑰是依照預設密碼作轉譯。 9 200849057 根據本案構想,資料存取方法進一步包括,當使用者 輸入密碼和預設加密金鑰無法正確對應時,提示輸入密碼 的步驟。 根據本案構想,自密碼轉譯的加密金鑰和預設加密金 鑰可藉由軟體或硬體達成。 根據本案構想,標頭位於第一邏輯區。 根據本案構想,加密金鑰和預設加密金鑰可藉由資料 讀取/寫入設備做修改。 根據本案構想,其中解密金鑰可藉由資料讀取/寫入 設備做修改。 根據本案構想,加密金鑰和預設加密金鑰個別具有64 位元、128位元、192位元、或256位元的長度。 根據本案構想,根據先進加密標準(Advanced Encryption Standard, AES)、資料加密標準(Data Encryption Standard,DES)、三重資料加密標準(Triple-DES)、和 RSA 加密法做資料加密。 根據本案構想,資料儲存裝置包括USB隨身碟、SD卡、 MMC卡、CF卡、和USB快閃碟。 【實施方式】 本發明揭露一種應用於資料儲存裝置及其資料存取方 法。熟悉此技藝者將在閲讀接下來實施方式和附帶圖式 200849057 後’更了解本發明的上述目標和優點。本發明不需被接下 來的實施例所限制。 請參考圖4,根據本發明說明一種資料儲存裝置的安全 機制。如圖4所示,資料儲存裝置1包含··連接至資料讀取 /寫入設備(未顯示)的介面20,該介面是用以資料之間 的緩衝和傳送;非揮發性記憶體21 ;用以儲存資料的快閃 記憶體22 ;加密單元23 ;及解密單元24,並於下文中加以 詳述以上元件。 非揮發性記憶體21中同時存有加密金鑰和解密金鑰。 每個金鑰都是在此技藝中使用已知技術去加密和解密資料 的位元欄位。透過密碼演算法,上述金鍮以使用者提供的 密碼為基礎而產生,且該金鑰通常是一串數字的組合。藉 由應用金鑰的位元值至資料的位元值及引導結合選取加密 演算法的邏輯操作,涵蓋先進加密標準(Advanced Encryption Standard,AES)、資料加密標準(Data Encryption Standard,DES)、三重資料加密標準(Triple-DES)、和 RSA 加密法(Rivest-Shamir-Adleman),加密單元23和解密單元24 可依照加密金錄和解密金錄來進行資料的加密和解密。當 然,兩種金鑰皆可藉由讀取/寫入設備做修改。在此實施 例中,兩種金鑰是「對稱的」(加密和解密都使用相同金 鑰),但在其他實施例中,兩種金鑰可以是「非對稱的」(加 密和解密金鑰不相同)。雖然64位元、196位元、或256位元 11 200849057 金输可用以貫施在本發明,然而在此實施例中,將以每個 金鑰皆在128位元準位做加密和解密來作為例子。此外,快 閃記憶體22包含··含有基本輸入/輪出系統參數塊(BI〇sAccording to the concept of the case, data encryption is performed according to Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard (Triple-DES), and RSA encryption. According to the concept of the present case, the data storage device includes a USB flash drive (USB), an SD card (Smart Digital, SD), an MMC card (Multi Media Card, MMC), a CF card (Compact Flash, CF), and a USB flash drive. Flash disc. According to another aspect of the present invention, a data access method for a data storage device having at least one NAND flash memory for a data reading/writing device includes the following steps: receiving a data access request τ input password; translate the user input password into an encryption key; decode the header stored in the NAND flash memory with the encrypted gold residue; check the header to determine whether the user's turn-in password and the preset encryption key correspond correctly And when the user's turn-in password and the preset password correspond correctly, the data is decrypted and outputted by decrypting the key. & According to the concept of the case, the default encryption key is translated according to the default password. 9 200849057 According to the concept of the present invention, the data access method further includes the step of prompting for a password when the user input password and the preset encryption key do not correspond correctly. According to the concept of the present invention, the encryption key and the default encryption key translated from the password can be achieved by software or hardware. According to the concept of the present case, the header is located in the first logical area. According to the present concept, the encryption key and the preset encryption key can be modified by the data read/write device. According to the present concept, the decryption key can be modified by the data read/write device. According to the present concept, the encryption key and the preset encryption key individually have a length of 64 bits, 128 bits, 192 bits, or 256 bits. According to the concept of the case, data encryption is performed according to Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard (Triple-DES), and RSA encryption. According to the concept of the present invention, the data storage device includes a USB flash drive, an SD card, an MMC card, a CF card, and a USB flash drive. [Embodiment] The present invention discloses a data storage device and a data access method thereof. Those skilled in the art will appreciate the above objects and advantages of the present invention after reading the following embodiments and the accompanying drawings 200849057. The invention is not limited by the following embodiments. Referring to Figure 4, a security mechanism for a data storage device is illustrated in accordance with the present invention. As shown in FIG. 4, the data storage device 1 includes an interface 20 connected to a data reading/writing device (not shown) for buffering and transferring data; non-volatile memory 21; The flash memory 22 for storing data; the encryption unit 23; and the decryption unit 24, and the above elements are detailed below. The non-volatile memory 21 has both an encryption key and a decryption key. Each key is a bit field in this technique that uses known techniques to encrypt and decrypt data. Through the cryptographic algorithm, the above-mentioned key is generated based on the password provided by the user, and the key is usually a combination of numbers. By applying the bit value of the key to the bit value of the data and guiding the logical operation of the encryption algorithm, the Advanced Encryption Standard (AES), Data Encryption Standard (DES), triple The data encryption standard (Triple-DES), and the RSA encryption method (Rivest-Shamir-Adleman), the encryption unit 23 and the decryption unit 24 can perform encryption and decryption of data in accordance with the encryption record and the decryption record. Of course, both keys can be modified by the read/write device. In this embodiment, the two keys are "symmetric" (both encryption and decryption use the same key), but in other embodiments, the two keys can be "asymmetric" (encryption and decryption keys) Not the same). Although 64-bit, 196-bit, or 256-bit 11 200849057 gold can be used in the present invention, in this embodiment, each key is encrypted and decrypted at a 128-bit level. as an example. In addition, the flash memory 22 contains a basic input/round-out system parameter block (BI〇s
Parameter Block,BPB)的標頭部分221。bpb是用以描述磁 碟谷S的槽案糸統格式。具有BPB的典型播宰李統包含;j:當 案配置表(File Allocation Table,FAT) 16,和FAT32。BPB保 有重要的檔案系統參數’使得Bl〇S(Basic Input 〇utput System)可藉由使用這些參數而存取儲存於磁碟的資料。在 BPB中有一8位元組的攔位是用以辨別檔案系統類別;及一 字串是用以在該欄位的前3位元組,而該攔位必須是在此實 施例中的FAT ;以上兩者是用以核對檔案系統為正確的FAT 檔案系統。在其他實施例中,使用於BPB欄位的特定字串 可以類似方式找出NTFS或其他非FAT檔案系統。 根據本發明,内建於快閃記憶體22中的儲存裝置丨具有 在加密和解密資料的操作中,分別具有與加密單元23和解 洽、早元24的爭向通。當解欲知作早於傳送加密資料至解 密單元24時,在加密操作後,快閃記憶體22是專用以接收 來自加密單元23的加密資料。加密單元23利用非揮發性記 憶體21的加密金鑰作為資料加密。同理,解密單元24利用 非揮發性記憶體21的解密金鑰作為資料解密。 在圖5中,其根據本發明说明一種使用於資料館存裝置 的資料存取方法的較隹實施例。在此實施例中,本發明的 12 200849057 資料儲存裝置和讀取/寫入設備是同時具備的。其它實施 例可能使用額外的或不同的工具來進行操作。The header portion 221 of the Parameter Block, BPB). Bpb is a slot format used to describe the disk valley S. A typical broadcaster with BPB contains; j: File Allocation Table (FAT) 16, and FAT32. BPB maintains important file system parameters' so that the Bas InputS (Basic Input 〇utput System) can access the data stored on the disk by using these parameters. There is an 8-bit block in the BPB to identify the file system category; and a string is used in the first 3 bytes of the field, and the block must be the FAT in this embodiment. The above two are used to check the file system as the correct FAT file system. In other embodiments, a particular string used in the BPB field can be found in a similar manner to NTFS or other non-FAT file systems. According to the present invention, the storage device built into the flash memory 22 has an operation for encrypting and decrypting data, and has a contention with the encryption unit 23 and the early element 24, respectively. When the solution is to be transmitted earlier than the transmission of the encrypted data to the decryption unit 24, after the encryption operation, the flash memory 22 is dedicated to receive the encrypted material from the encryption unit 23. The encryption unit 23 encrypts the data using the encryption key of the non-volatile memory 21. Similarly, the decryption unit 24 decrypts the data using the decryption key of the non-volatile memory 21. In Fig. 5, a more detailed embodiment of a data access method for use in a repository device is illustrated in accordance with the present invention. In this embodiment, the 12 200849057 data storage device and the read/write device of the present invention are simultaneously provided. Other embodiments may use additional or different tools to operate.
資料儲存裝置1,如USB快閃碟,是透過介面20連接至 讀取/寫入設備用以傳送資料。如圖5的步驟S30所示,輸 入密碼後,透過讀取/寫入設備傳送資料以啟動本資料存 取方法的後續執行步驟。在此實施例中,已知的演算 法一AES,是作為執行資料加密之用,因此在加密和解密 時僅使用單一金錄。也就是說,加密金餘和解密金鑰是「對 稱的」(加密和解密時皆使用同一金鑰)。在其他實施例中, 兩種金鑰可以是「非對稱的」(加密金鑰和解密金鑰是不同 的)。因此,如圖5的步驟S31所示,依照特定的運算規則可 將使用者鍵入的密碼轉換成金输,例如將6個字元(48位元) 的密碼,藉由增加額外80位元的金鑰長度進一步轉譯成128 位元的第一加密金鑰並儲存於非揮發性記憶體21。雖然64 位元金鑰、196位元金鑰、或256位元金鑰可用以執行資料 存取方法,然而在此實施例中,每種金鑰以128位元為標準 產生。如圖5的步驟S32所示,在透過介面20從資料讀取/ 寫入設備傳送加密資料至快閃記憶體22之前,加密單元23 採甩一已知加密演算法,例如:128位元AES,連同非揮發 性記憶體21之第一加密金鑰,然後將純文字檔資料轉換成 亂碼,意即,已加密的資料。除AES之外,還可透過RSA 加密法(Rivest-Shamir-Adleman,RSA)、資料加密標率(Data 13 200849057The data storage device 1, such as a USB flash drive, is connected to the read/write device via the interface 20 for transmitting data. As shown in step S30 of Fig. 5, after the password is input, the data is transmitted through the read/write device to initiate subsequent execution steps of the data access method. In this embodiment, the known algorithm AES is used to perform data encryption, so only a single record is used for encryption and decryption. In other words, the encryption key and the decryption key are “symmetric” (both the same key is used for both encryption and decryption). In other embodiments, the two keys may be "asymmetric" (the encryption key and the decryption key are different). Therefore, as shown in step S31 of FIG. 5, the password entered by the user can be converted into a gold input according to a specific operation rule, for example, a password of 6 characters (48 bits) by adding an extra 80-bit gold. The key length is further translated into a 128-bit first encryption key and stored in non-volatile memory 21. Although a 64-bit key, a 196-bit key, or a 256-bit key can be used to perform the data access method, in this embodiment, each key is generated on a 128-bit standard. As shown in step S32 of FIG. 5, before the encrypted data is transferred from the data reading/writing device to the flash memory 22 through the interface 20, the encryption unit 23 picks up a known encryption algorithm, for example, 128-bit AES. , together with the first encryption key of the non-volatile memory 21, and then convert the plain text file data into garbled characters, that is, the encrypted data. In addition to AES, RSA encryption (Rivest-Shamir-Adleman, RSA), data encryption rate (Data 13 200849057)
Encryption Standard,DES)、三重資料加密標準(Triple_DES) 等方法加密資料。 同上所述,從圖5的步驟S33開始是解密時的操作,而 步驟S30到S32是加密時的操作步驟。為了管理資料存取, 重新輸入密碼是為了要解密儲存於快閃記憶體22的加密資 料。如圖5的步驟S34所示,在步驟S33中要求存取資料之 後,在讀取/寫入設備上會出現複選框提示密碼的重新輸 入。未經授權的入侵者將無法讀取受加密保護的資料。為 了解密加密資料和透過介面20讀出並輸出至資料讀取/寫 入設備,解密金鑰需要相對應於第一加密金鑰。步驟S35 到步驟S36是說明將重新輸入的密碼轉譯成第二加密金鑰 並用以解碼標頭221的過程。在標頭221中有一8位元組欄位 在第一邏輯區(LBA0)的BPB,以辨別其檔案系統類別,意 即,在此實施例中的FAT字串。在步驟S37和步驟S38,在 解碼後,以標頭221來檢查判斷可否找出在前3位元組中的 “FAT”字串。在步驟S38,如果第一加密金鑰和重新輸入密 碼所轉譯的金鑰確認相同時(即正確對應),代表在第一邏 輯區的BPB的8位元組欄位會以正確的金鑰成功地完成加 密資料亂碼轉明碼的的解密動作,故能在該欄位的前3位元 組找出正確解碼的“FAT”字串。 否則,當使用者鍵入的密碼所轉譯金鑰與加密金鑰不 同時,資料仍會以錯誤的金矯完成解密動作,位共因金鍮 14 200849057 不正確,加密資料錯誤解碼後的資料仍為無法識別的亂 碼,故無法由錯誤解碼所產生的資料中找出“FAT”的字串, 此時步驟S38會回到步驟S34,且如果金鑰比對不正確,則 在讀取/寫入設備上會再出現複選框提示輸入密碼。當 “FAT”的字串在標頭221的BPB欄位被找出,則代表達到安 全許可的特定標準。因此,步驟S33的資料存取要求是允許 的,且取得解密金鑰後解密在解密單元24的加密資料。如 圖5的步驟S39所示,最後,資料復原至其原始未加密狀態, 並透過介面20呈現在讀取/寫入設備上。即使快閃記憶體 22被破解、或從儲存裝置1去除後再結合另一儲存裝置,在 缺少正確的解密金鑰下,加密資料依然是加密的狀態。 當然,上述加密和解密操作可藉由軟體或硬體任一完 成。在其他實施例中,密碼可在製造商端被預先建立,之 後使用者可在讀取/寫入設備上修改密碼。本發明的特性 是特別適用於USB隨身碟、SD卡、MMC卡、CF卡、及USB 快閃碟的應用。此外,載有資料如何處理資訊的快閃記憶 體的標頭是藉由FAT格式做分割。 總而言之,本發明揭露一種應用於資料儲存裝置的資 料存取方法,以避免機密資訊落入不適當的人手裡,尤其 是在高度商業競爭中的產業間諜。不同於習知技術,即使 已輸入不正確的密碼,在密碼被證實前,受加密保護的資 料是釋放在第一位置。本發明進一歩利用記錄在標碩的檔 15 200849057 案從屬資訊,意即第一邏輯區,以加強資料的保護和完整 性。此外,密碼可進一步被轉譯成具有64位元、128位元、 196位元、或256位元長度的加密金錄。如果密碼被證實是 不正確或無效,那代表比對不正確。因此,即使在長時間 的破解計算和反覆嘗試中找出可能的金鑰後,資料還是在 加密狀態,且未經授權的人是無法讀取的,以防止加密金 鑰被破解而造成資料外洩。只有在輸入的密碼符合以標頭 的資訊為基礎的加密金鑰後,加密資料始可被成功解密為 未加密資料。本發明保證儲存於記憶體的暫存資料維持是 機密的,且防止惡意金鑰輸入者破解金鑰,進而排除習知 技術潛在的安全漏洞,並藉此提高數位内容的整體安全性。 縱使本發明已由上述之實施例詳細敘述而可由熟悉本 技藝之人士任施匠思而為諸般修飾,然皆不脫如附申請專 利範圍所欲保護者。 16 200849057 【圖式簡單說明】 圖1是根據習知技術說明資料儲存設備的簡要方塊圖;Encryption Standard, DES), Triple Data Encryption Standard (Triple_DES) and other methods to encrypt data. As described above, the operation at the time of decryption is started from step S33 of Fig. 5, and the steps S30 to S32 are the operation steps at the time of encryption. In order to manage data access, the password is re-entered in order to decrypt the encrypted data stored in the flash memory 22. As shown in step S34 of Fig. 5, after the access to the data is requested in step S33, a check box prompting the re-input of the password appears on the read/write device. Unauthorized intruders will not be able to read encrypted protected data. In order to understand the secret encrypted data and read out through the interface 20 and output to the data reading/writing device, the decryption key needs to correspond to the first encryption key. Steps S35 through S36 are procedures for explaining the translation of the re-entered password into the second encryption key and used to decode the header 221. In the header 221 there is an 8-bit field in the BPB of the first logical area (LBA0) to identify its file system class, i.e., the FAT string in this embodiment. In step S37 and step S38, after decoding, it is checked by the header 221 whether or not the "FAT" string in the first three bytes can be found. In step S38, if the first encryption key and the key translated by the re-entered password are confirmed to be the same (ie, correctly corresponding), the 8-bit field representing the BPB in the first logical area succeeds with the correct key. The decryption action of the encrypted data garbled code is completed, so that the correctly decoded "FAT" string can be found in the first 3 bytes of the field. Otherwise, when the key translated by the password entered by the user is different from the encryption key, the data will still be decrypted by the wrong gold correction. The bit error is incorrect. The data after the encrypted data is decoded incorrectly is still Unrecognized garbled characters, so the string of "FAT" cannot be found in the data generated by the error decoding. At this time, step S38 returns to step S34, and if the key comparison is incorrect, it is read/write. A check box will appear on the device to prompt for a password. When the string "FAT" is found in the BPB field of header 221, it represents a specific criterion for achieving a security license. Therefore, the material access request of step S33 is permitted, and the encrypted data at the decryption unit 24 is decrypted after the decryption key is obtained. As shown in step S39 of Fig. 5, finally, the data is restored to its original unencrypted state and presented on the read/write device through interface 20. Even if the flash memory 22 is cracked, or removed from the storage device 1 and then combined with another storage device, the encrypted data is still encrypted in the absence of the correct decryption key. Of course, the above encryption and decryption operations can be performed by either software or hardware. In other embodiments, the password can be pre-established at the manufacturer's end, after which the user can change the password on the read/write device. The features of the present invention are particularly applicable to USB flash drives, SD cards, MMC cards, CF cards, and USB flash drives. In addition, the header of the flash memory containing information on how the information is processed is segmented by the FAT format. In summary, the present invention discloses a method of accessing data to a data storage device to prevent confidential information from falling into the wrong hands, especially in industrial spies with high commercial competition. Unlike conventional techniques, even if an incorrect password has been entered, the encrypted protected material is released in the first location before the password is verified. The present invention further utilizes the subordinate information recorded in the document 15 200849057, which means the first logical area to enhance the protection and integrity of the data. In addition, the password can be further translated into a cryptographic record with a length of 64 bits, 128 bits, 196 bits, or 256 bits. If the password is confirmed to be incorrect or invalid, it means the alignment is incorrect. Therefore, even after finding the possible key in the long-term crack calculation and repeated attempts, the data is still encrypted, and the unauthorized person cannot read it, so as to prevent the encryption key from being cracked and causing the data to be deleted. vent. Encrypted data can be successfully decrypted into unencrypted data only after the entered password matches the encryption key based on the header information. The present invention ensures that the temporary data stored in the memory is kept confidential and prevents the malicious key input from cracking the key, thereby eliminating potential security vulnerabilities of the prior art and thereby improving the overall security of the digital content. The present invention has been described in detail by the above-described embodiments, and may be modified by those skilled in the art, without departing from the scope of the appended claims. 16 200849057 [Simplified illustration of the drawings] FIG. 1 is a schematic block diagram of a data storage device according to a prior art;
圖2是根據習知技術說明最終使用者使用資 備的流程圖; 圖3是說明習知操作資料儲存設備的流程圖; 圖4是根據本發明說明資料儲存裝置的簡要圖· 圖5疋根據本發明說明控制資料存取的流程圖。 【 ‘主要元件符號說明】 1 資料儲存裝置 22 快閃記憶體 20 介面 23 加密單元 21 非揮發性記憶體 24 解密單元 221 標頭 172 is a flow chart illustrating the use of resources by the end user according to the prior art; FIG. 3 is a flow chart illustrating a conventional operational data storage device; FIG. 4 is a schematic diagram illustrating a data storage device according to the present invention. The present invention illustrates a flow chart for controlling data access. [ 'Key component symbol description 】 1 Data storage device 22 Flash memory 20 Interface 23 Encryption unit 21 Non-volatile memory 24 Decryption unit 221 Header 17