1355597 九、發明說明: 【發明所屬之技術領域】 本發明關於一種資料存取方法,尤其是指一種應用於 資料儲存裝置的安全資料存取方法。 【先前技術】 通訊工具的革命性變更,帶來了網路的快速成長和資 訊的加速數位化,並對個人安全和隱私造成前所未有的威 脅。持續增加的敏感資訊正以電子種類方式循環,其包含 電子郵件、傳真信息、電話通話内容、基金匯兒、貿易秘 在和其他個人紀錄。相同的技術進步已為人類帶來巨大的 显處’但同時也造成人們受到更多難以防守的和潛在危險 ,窺探。現已出現-些新應用在電腦儲存設備,且其中許 多是為了加強儲存於電腦儲存設備的資料的整體安全性的 需求。 圖1到圖3 7C根據Cheng等人的美國專利第6,88〇,〇54 號之安全儲存設備及其操作的簡要圖。如圖i所示,快閃 記憶體4是被分割成數個不同的區段或地帶。簡而古之, 快閃記憶體是被分割成2個區段:區段丨是㈣設定軟體 而區段2則是用以儲存使用者的資料。此外,每個 區段有其㈣的密碼。請參考圖2,其為—流程圖顯示最 終使用者對於快閃記憶體4區段2密竭的初始化設定。為 1355597 I ΐ 1 了設定區段2的密碼,使用者料備1G插人2G至電腦上 的聰連接埠,且在電腦和設備之間建立通訊21。使用 者之後執行㈣程式軟體,且該㈣程錢料於區段2 輸入一密碼安裝設定模式23。之後使用者輪人密碼28,該 後碼疋他們期待用以防止對快閃記憶體4的區段2做未經 授權的存取。輸入的密碼之後被 記憶體4。 /Μ亚館存3〇於快閃 圖2所不及同上所述,在最終使用者進行初始化密 碼设定财後,當使时選取區段2以存取儲存於快閃記 憶體4的貧料時(見圖3),則微控制器3將傳送—命令給電 腦要求46使用者輪人使用於區段2的密竭。當使用者 密碼’則電腦會將密碼傳至微控制器3。微控制器3從快 閃記憶體4取㈣段2的密碼、解密47密碼並將密碼與使. 用者輸人的密碼做比較。如果使用者輪人的密碼不正確的 話,則操作_步驟46J_電腦要求46使用者重新輸入密 碼。如果使用者輸人的密碼正相話,則使用者可存取快 閃記憶體4的區段2 ’以讀取來自快閃記憶體4的資料和 寫入資料至快閃記憶體4。然而,只有在手動切換7是在 允許資料被寫人至快閃記憶體4的位置,資料才能被寫入 至快閃記憶體4。冑了讀取來自快閃記憶體4的資料或寫 入資料至J·夬閃。己隐體4 ’則須藉由USB格式的電腦將私讀 取或寫人命令傳至微控制器3。為回應於讀取或寫入命令, 1355597 . 、 ' - . * 微控制器3會從快閃記憶體4取得49資料並將其傳至驅動 ' 程式2以符合轉成50個人電腦格式,並再輸出至電腦或 ' 從驅動程式取得資料以寫入該資料至快閃記憶體4。微控 制器3之後再判斷51是否完成讀取或寫入操作。如果沒完 成操作,則回到步驟49。如果完成操作,則操作終止於52。 雖然美國專利第6,880,054號揭露了將使用者提供的' 密碼和儲存的密碼與限制存取快閃記憶體資料做比較的方 法,但壞處是密碼破解者最終透過多次的反覆嘗試來破解 密碼。,此外,一旦存有密碼的快閃記憶體4被破解或被去 除,則惡意的密碼破解者將可輕易地存取資料。因此,習 知技術不能保證儲存設備中貧料的機密性。所以’需要有 一種安全資料存取方法,以避免私人資料外洩。跟一般不 , 同的是,例如:美國專利第6,880,054號的資料存取方法, 本發明勝於透過基於密碼所產生的加密金鑰來加強數位資 料的機密性,並進一步以加密金鑰來加密資料,以排除入 侵者有機會在經過多次的反覆嘗試後破解加密資料。 【發明内容】 鑑於習知技術受限於上述問.題,因此本發明的目標是 提供一種使用於資料讀取/寫入設備的安全資料存取方 • , 盥且發明的觀點’ 一種使用於資料讀取/寫入設備 、有至少一 NAND快記 取方法,讓方法勺缸 存裝置的資料存 第 -L以下步驟:a)建立預設密碼;b)產生 取要求I提餘夕以第—加密金鑰來加”料,·到存 於密碼;Ο以使用者輸入的密碼解碼儲存 入密碼和第=隱體的標頭;Ό檢查標頭以判斷使用者輸 密碼和第_〜⑨金鑰是否可以對應;及狀使用者輸入 輪出資料。㊆金紅確對應後,藉由解密金鑰來解密和 根^案構想,解碼步驟包括把使用者輸入密碼轉譯 成第一加费金鑰的步驟,以解碼標頭。 輸想,資料存取方法進一步包括,當制者 密碼的步驟金鑰之間無法正確對應時,提示輸入 藉由==構想,自_譯的第—和第二加密金鎗可 稽田孝人體或硬體達成。 根據本案構想,標頭位於第一邏輯區。 根據本案構祁、,笛—+ 資料讀取/合"〇狁金鑰和第二加密金鑰可藉由 、、取/寫入設備做修改。 做修=本案構想’解密金鑰可藉由資料讀取/寫入設備 1355597 根據本案構想’第一加密金錄和第二加密金錄個別具 有64位元、128位元、192位元、或256位元的長度。 根據本案構想’解密金鑰具有64位元、128位元、192 位元、或256位元的長度。 • · . · · · 根據本案構想’根據先進加密標準(Advanced1355597 IX. Description of the Invention: [Technical Field] The present invention relates to a data access method, and more particularly to a secure data access method applied to a data storage device. [Prior Art] Revolutionary changes in communication tools have led to rapid growth of the Internet and accelerated digitization of information, posing an unprecedented threat to personal security and privacy. Increasingly sensitive information is circulating in an electronic format that includes email, fax messages, phone call content, fund transfers, trade secrets, and other personal records. The same technological advances have brought enormous manifestations to mankind' but at the same time caused people to be more difficult to defend and potentially dangerous, snooping. Some new applications have emerged in computer storage devices, many of which are intended to enhance the overall security of the data stored on computer storage devices. Fig. 1 to Fig. 3 7C are schematic diagrams of a safe storage device and its operation according to U.S. Patent No. 6,88, 〇, et al. As shown in Figure i, the flash memory 4 is divided into a number of different segments or zones. In a nutshell, the flash memory is divided into two segments: the segment is (4) the setting software and the segment 2 is used to store the user's data. In addition, each section has its (4) password. Please refer to FIG. 2, which is a flowchart showing the initial setting of the flash memory 4 sector 2 exhaustion by the end user. For 1355597 I ΐ 1 Set the password for section 2, the user prepares 1G to plug 2G to the smart port on the computer, and establish communication 21 between the computer and the device. After the user executes (4) the program software, and the (four) money is required to input a password installation setting mode 23 in the section 2. The user then dials the password 28, which is expected to prevent unauthorized access to the sector 2 of the flash memory 4. The entered password is followed by memory 4. /Μ亚馆存3〇 flashing in Figure 2 is not the same as described above, after the end user performs the initial password setting, when the time zone is selected, the segment 2 is selected to access the poor material stored in the flash memory 4. At the time (see Figure 3), the microcontroller 3 will transmit a command to the computer requesting 46 users to use the segment 2 for exhaustion. When the user password ', the computer will pass the password to the microcontroller 3. The microcontroller 3 takes the (4) segment 2 password from the flash memory 4, decrypts the 47 password, and compares the password with the password that the user entered. If the user's password is incorrect, then operation _step 46J_ computer requires 46 the user to re-enter the password. If the password entered by the user is correct, the user can access the segment 2' of the flash memory 4 to read the data from the flash memory 4 and write the data to the flash memory 4. However, data can be written to the flash memory 4 only when the manual switch 7 is to allow the data to be written to the flash memory 4. Read the data from the flash memory 4 or write the data to J. The hidden body 4' must pass a private read or write command to the microcontroller 3 via a USB format computer. In response to a read or write command, 1355597 . , ' - . * Microcontroller 3 will retrieve 49 data from flash memory 4 and pass it to the driver 'program 2 to conform to the 50 PC format, and Then output to the computer or 'Get data from the driver to write the data to the flash memory 4. The micro controller 3 then judges 51 whether the read or write operation is completed. If the operation is not completed, return to step 49. If the operation is completed, the operation ends at 52. Although U.S. Patent No. 6,880,054 discloses a method of comparing a user's password and stored password with a limited access to flash memory data, the disadvantage is that the password cracker eventually cracks the password through repeated attempts. In addition, once the flash memory 4 with the password is cracked or removed, the malicious password cracker can easily access the data. Therefore, conventional techniques cannot guarantee the confidentiality of poor materials in storage devices. Therefore, there is a need for a secure data access method to avoid leakage of private data. In the same way, for example, the data access method of U.S. Patent No. 6,880,054, the present invention is better than enhancing the confidentiality of digital data through an encryption key generated based on a password, and further encrypting with an encryption key. Data to exclude intruders from having the opportunity to crack encrypted data after repeated attempts. SUMMARY OF THE INVENTION Since the prior art is limited to the above problems, it is therefore an object of the present invention to provide a secure data accessor for use in a data reading/writing device, and an inventive concept. The data reading/writing device has at least one NAND fast recording method, and the data of the method spoon storage device is stored in the following steps: a) establishing a preset password; b) generating a request for the first time. The encryption key is added to the material, and the password is stored in the password; the password entered by the user is decoded and stored in the password and the header of the hidden body; Ό check the header to determine the user's password and the _~9 gold Whether the key can correspond to; and the user input the rounded data. After the seven gold red corresponds, the decryption key is used to decrypt and the root concept is conceived, and the decoding step includes translating the user input password into the first fee increase key. The step of decoding the header. The input method further includes, when the step key of the maker password is not correctly matched, the prompt input is by == conception, from the translation of the first and second Encrypted gold gun can be Ji Tianxiao human body or According to the concept of the case, the header is located in the first logical area. According to the configuration of the present invention, the flute-+ data reading/closing "〇狁 key and the second encryption key can be taken, fetched/written The device is modified. Do the repair = the concept of the case 'decryption key can be read/write device by data 1355597 According to the concept of the case, the first encrypted gold record and the second encrypted gold record have 64 bits, 128 bits, 192 individually. The length of the bit, or 256 bits. According to the case, the 'decryption key has a length of 64 bits, 128 bits, 192 bits, or 256 bits. · · · · · · According to the concept of the case 'according to advanced encryption Standard
Encryption Standard,AES)、資料加密標準(Data Encryption Standard, DES)、三重資料加密標準(Triple-DES)、和 RSA 加密法做資料加密。 根據本案構想,資料儲存裝置包括USB隨身碟 (Universal Serial Bus,USB)、SD卡(Smart Digital,SD)、MMC 卡(Multi Media Card,MMC)、CF卡(Compact Flash,CF)、 和USB快閃碟。 * > 依照本發明的另一觀點,一種使用於資料讀取/寫入 設備與具有至少一NAND快閃記憶體的資料儲存裝置的資 料存取方法,該方法包括以下步驟:收到資料存取要求後 提不輸入密喝;將使用者輪入密碼轉譯成,加密金鑰;以加 密金錄解喝儲存於NAND,fc閃記憶體的標頭;檢查標頭以 判斷使用者輪人密朴料加密金鑰是否正確對應;及當 使入“和預設密瑪正確對應後’藉由解密金錄來 解密和輪出資料❶ 根據本案構想,預設加密金鑰是依照預設密碼作轉譯。 1355597 .. . » 根據本案構想,資料存取方法進一步包括,當使用者 • 輸入密碼和預設加密金鑰無法正確對應時,提示_入密碼 • 的步驟。 根據本案構想,自密碼轉譯的加密金鑰和預設加密金 鑰可藉由軟體或硬體達成。 根據本案構想,標頭位於第一邏輯區。 根據本案構想,加密金鑰和預設加密金鑰可藉由資料 讀取/寫入設備做修改。 根據本案構想,其中解密金鑰可藉由資料讀取/寫入 » _ 設備做修改。 • 根據本案構想,加密金鑰和預設加密金鑰個別具有64 位元、128位元、192位元、或256位元的長度。 根據本案構想,根據先進加密標準(Advanced Encryption Standard, AES)、資料力σ 密標準(Data Encryption Standard, DES)、三重資料加密標準(Triple-DES)、和 RSA 加密法做資料加密。 根據本案構想,資料儲存裝置包括USB隨身碟、SD卡、 MMC卡、CF卡、和USB快閃碟。 【實施方式】. 本發明揭露一種應用於資料儲存裝置之資料存取方 法。熟悉此技藝者將在閱讀接下來實施方式和附帶圖式 1355597 後’更了解本岢明的上述目標和優點。本發 不發明不需被接下 來的實施例所限制。 請參考圖4,根據本發明說明一種資料儲存裝置的安全 機制。如圖4所示,資料儲存裝置丨包含:連接至資料=取 /寫入設備(未顯示)的介面20,該介面是用以資料之間 的緩衝和傳送;非揮發性記憶體21 ;用以儲存資料的快閃 記憶體22 ;加密單元23 ;及解密單元24 ,並於下文中加以 詳述以上元件。 非揮發性記憶體21中同時存有加密金鑰和解密金鑰。 母個金錄都疋在此技藝中使用已知技辦去加密和解密資料 的位元欄位。透過密碼演算法,上述金鑰以使用者提供的 密碼為基礎而產生,且該金鑰通常是一串數字的組合。藉 由應用金鑰的位元值至資料的位元值及引辱結合選取加密 演算法的邏輯操作,涵蓋先進加密標準(Advanced Encryption Standard,AES)、資料加密標準(Data Encryption Standard, DES)、三重資料加密標準(Triple-DES)、和 RSA 加密法(^^68卜81^11^1^(116111&11),加密單元23和解密單元24 可依照加密金鑰和解密金鑰來進行資料的加密和解密。當 然,兩種金錄皆可藉由讀取/寫入設備做修改。在此實施 例中,兩種金鑰是「對稱的」(加密和解密都使用相同金 鑰),但在其他實施例中,兩種金鑰可以是「非對稱的」(加 密和解密金鑰不相同)。雖然64位元、196位元、或256位元 11 1355597 金錄可用以實施在本發明,然而在此實施例中,將以每個 金鑰皆在128位元準位做加密和解密來作為例子。此外,快 閃記憶體22包含:含有基本輸入/輪出系統參數塊(BI〇s Parameter Block,BPB)的標頭部分221。BPB是用以描述磁 碟容量的檔案系統格式。具有BPB的典型檔案系統包含檔 案配置表(File Allocation Table, FAT) 16,和 FAT32。BPB保 有重要的檔案系統參數,使得BIOS(Basic Input OutputEncryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard (Triple-DES), and RSA encryption for data encryption. According to the concept of the present case, the data storage device includes a USB flash drive (USB), an SD card (Smart Digital, SD), an MMC card (Multi Media Card, MMC), a CF card (Compact Flash, CF), and a USB flash drive. Flash disc. *> According to another aspect of the present invention, a data access method for a data reading/writing device and a data storage device having at least one NAND flash memory, the method comprising the steps of: receiving data After receiving the request, do not enter the secret drink; translate the user's turn-in password into an encryption key; use the encrypted gold to record and store the header stored in the NAND, fc flash memory; check the header to determine the user's round key Whether the plain encryption key corresponds correctly; and when the "correspond to the default Mimar" is correctly made, the decryption record is used to decrypt and rotate the data. According to the concept of the case, the default encryption key is based on the default password. Translation: 1355597 .. . » According to the concept of the case, the data access method further includes the step of prompting the password to be entered when the user • the input password and the preset encryption key do not correspond correctly. According to the concept of the case, the self-password translation The encryption key and the default encryption key can be achieved by software or hardware. According to the present concept, the header is located in the first logical area. According to the present concept, the encryption key and the preset encryption key According to the concept of the case, the decryption key can be modified by the data read/write » _ device. • According to the concept of the case, the encryption key and the preset encryption key are individually It has a length of 64 bits, 128 bits, 192 bits, or 256 bits. According to the concept of the case, according to Advanced Encryption Standard (AES), Data Encryption Standard (DES), triple Data encryption standard (Triple-DES), and RSA encryption method for data encryption. According to the concept of the case, the data storage device includes a USB flash drive, an SD card, an MMC card, a CF card, and a USB flash drive. [Embodiment]. The invention discloses a data access method applied to a data storage device. Those skilled in the art will understand the above objects and advantages of the present invention after reading the following embodiments and the accompanying drawings 1355597. The present invention does not need to be invented. The following embodiments are limited. Referring to Figure 4, a security mechanism of a data storage device is illustrated in accordance with the present invention. As shown in Figure 4, the data storage device includes: To data = interface 20 of the fetch/write device (not shown) for buffering and transferring between data; non-volatile memory 21; flash memory 22 for storing data; encryption unit 23 And the decryption unit 24, and the above components are detailed in the following. The non-volatile memory 21 has both an encryption key and a decryption key. The parent gold record is used in this technique using known techniques. The bit field of the encrypted and decrypted data. The key is generated based on the password provided by the user through a cryptographic algorithm, and the key is usually a combination of numbers. By applying the key value of the key The logical operation of the encryption algorithm is combined with the bit value of the data and the humiliation, covering Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple Data Encryption Standard (Triple-DES). And the RSA encryption method (^^68) 81^11^1^(116111&11), the encryption unit 23 and the decryption unit 24 can perform encryption and decryption of the data in accordance with the encryption key and the decryption key. Of course, both types of gold records can be modified by reading/writing devices. In this embodiment, the two keys are "symmetric" (both encryption and decryption use the same key), but in other embodiments, the two keys can be "asymmetric" (encryption and decryption keys) Not the same). Although 64-bit, 196-bit, or 256-bit 11 1355597 gold records can be used to implement the present invention, in this embodiment, each key is encrypted and decrypted at a 128-bit level. example. In addition, the flash memory 22 includes a header portion 221 containing a basic input/round-out parameter block (BPB). BPB is a file system format used to describe the capacity of a disk. A typical file system with BPB includes a File Allocation Table (FAT) 16, and FAT32. BPB maintains important file system parameters, making BIOS (Basic Input Output)
System)可藉由使用這些參數而存取儲存於礤碟的資料。在 BPB中有一8位元組的攔位是用以辨別橋牵 . ' 乘糸統類別;及一 字串是用以在該攔位的前3位元組,而該栩〜 Λ爛位必須是在此實 施例中的FAT;以上㈣是用以核對姆系统為正碟的FA 樓案系統。在其他實施例中’使用於铜位的特—〜串 可以類似方式找出:NTFS或其他非FAT檔幸名 希糸統。 根據本發明,内建於快濶記憶體22中的儲存裝置1具有 在加密和解密資料的操作中’分別具有與力户0 密單元24的單向通訊。在加密操作後, ^ m 一 + 吸閃記憶體22是專 揮發性記憶體21的加密金鑰作為資料加密 、元24利用非揮發性記憶體21的解密金鑰作為 在圖5中,其根據本發明說明一種使用 的資料存取方法的較佳實施例。在此實施例 用以接收來自加密單元23的加密資料。力。密單元Μ利用非 同理,解密單 資料解密。 於資料儲存裝置 中》本發明的 12 1355597 資料儲存裝置和讀取/寫入設備是同時具備的。其它實施 例可能使用額外的或不同的工具來進行操作。 資料儲存裝置1,如USB快閃碟,是透過介面20連接至 讀取/寫入設備用以傳送資料。如圖5的步驟S30所示,輸 入密碼後,透過讀取/寫入設備傳送資料以啟動本資料存 取方法的後續執行步驟。在此實施例中,已知的演算 法一AES,是作為執行資料加密之用,因此在加密和解密 時僅使用單一金鑰。也就是說,加密金鑰和解密金鑰是「對 稱的」(加密和解密時皆使用同一金鑰)。在其他實施例中, I . 兩種金鑰可以是「非對稱的」(加密金鑰和解密:合鑰是不同 的)。因此,如圖5的步驟S31所示,依照特定的運算規則可 將使用者键入的密碼轉換成金鑰,例如將6個字元(48位元) 的密碼,藉由增加額外80位元的金鑰長度進一步轉譯成128 位元的第一加密金鑰並儲存於非揮發性記憶體21。雖然64 位元金錄、196位元金鑰、或256位元金錄可用以執行資料 存取方法,然而在此實施例中,每種金鑰以128位元為標準 產生。如圖5妁步驟S32所示,在透過介面20從資料讀取/ 寫入設備傳送加密資料至快閃記憶體22之前,加密單元23 採用一已知加密演算法,例如:128位元AES,連同非揮發 性記憶體21之第一加密金鑰,然後將純文字檔資料轉換成 亂碼,意即,已加密的資料。除AES之外·,還可透過RSA 加密法(Rivest-Shamir-Adleman,RSA)、資料加密標準(Data 13 1355597System) can access the data stored on the disc by using these parameters. In BPB, there is an 8-bit block that is used to identify the bridge. The 'multiplier class'; and a string is used in the first 3 bytes of the block, and the 栩~ Λ bits must It is the FAT in this embodiment; the above (4) is the FA building system for checking that the m system is a positive disk. In other embodiments, the special-to-string used in the copper position can be found in a similar manner: NTFS or other non-FAT files are well-known. According to the present invention, the storage device 1 built in the cache memory 22 has a one-way communication with the power unit 0 unit 24 in the operation of encrypting and decrypting data. After the encryption operation, the ^ m + snubber memory 22 is the encryption key of the volatility memory 21 as the data encryption, and the meta 24 uses the decryption key of the non-volatile memory 21 as in FIG. 5, which is based on The present invention describes a preferred embodiment of a data access method used. This embodiment is for receiving encrypted material from the encryption unit 23. force. The secret unit uses the same reason to decrypt the single data decryption. In the data storage device, the 12 1355597 data storage device and the reading/writing device of the present invention are simultaneously provided. Other embodiments may use additional or different tools to operate. The data storage device 1, such as a USB flash drive, is connected to the read/write device via the interface 20 for transmitting data. As shown in step S30 of Fig. 5, after the password is input, the data is transmitted through the read/write device to initiate subsequent execution steps of the data access method. In this embodiment, the known algorithm AES is used to perform data encryption, so only a single key is used for encryption and decryption. That is, the encryption key and the decryption key are "symmetric" (both the same key is used for both encryption and decryption). In other embodiments, I. The two keys may be "asymmetric" (encryption key and decryption: the keys are different). Therefore, as shown in step S31 of FIG. 5, the password typed by the user can be converted into a key according to a specific operation rule, for example, a password of 6 characters (48 bits) by adding an extra 80-bit gold. The key length is further translated into a 128-bit first encryption key and stored in non-volatile memory 21. Although a 64-bit gold record, a 196-bit key, or a 256-bit record can be used to perform the data access method, in this embodiment, each key is generated on a 128-bit standard. As shown in step S32 of FIG. 5, before transmitting the encrypted data from the data reading/writing device to the flash memory 22 through the interface 20, the encryption unit 23 employs a known encryption algorithm, for example, 128-bit AES. Together with the first encryption key of the non-volatile memory 21, the plain text file data is then converted into garbled characters, that is, the encrypted data. In addition to AES, it can also pass RSA encryption (Rivest-Shamir-Adleman, RSA), data encryption standard (Data 13 1355597
Encryption Standard, DES)、三重資料加密標準(Triple-DES) 等方法加密資料。 ' 同上所述,從圖5的步驟S33開始是解密時的操作,而 步驟S30到S32是加密時的操作步驟。為了管理資料存取, 重新輸入密碼是為了要解密儲存於快閃記憶體22的加密資 料。如圖5的步驟S34所示,在步驟S33中要求存取資料之 後,在讀取/寫入設備上會出現複選框提示密碼的重新輸 入。未經授權的入侵者將無法讀取受加密保護的資料。為 了解密加密資料和透過介面20讀出並輸出至資料讀取/寫 入設備,解密金鑰需要相對應於第一加密金鑰。步驟S35 到步驟S36是說明將重新輸入的密碼轉譯成第二加密金鑰 並用以解碼標頭2 21的過程。在標頭2 21中有一 8位元組欄位 在第一邏輯區(LBA0)的BPB,以辨別其檔案系統類別,意 * - 即,在此實施例中的FAT字串。在步驟S37和步驟S38,在 解碼後,以標頭221來檢查判斷可否找出在前3位元組中的 “FAT”字串。在步驟S38,如果第一加密金鑰和重新輸入密 碼所轉譯的金鑰確認相同時(即正確對應),代表在第一邏 輯’區的BPB—的8位元組攔位會以正確的金鑰成功地完成加 密資料亂碼轉明碼的解密動作,故能在該欄位的前3位元組 找出正,解碼的“FAT”字串。 否則,當使用者鍵入的密碼所轉譯金鑰與加密金鑰不 同時,資料仍會以錯誤的金鑰完成解密動作,但其因金錄 14 1355597 不正確,加密資料錯誤解碼後的資料仍為無法識別的亂 碼,故無法由錯誤解碼所產生的資料中找出“FAT”的字串, 此時步驟S38會回到步驟S34,且如果金鑰比對不正確,則 在讀取/寫入設備上會再出現複選框提示輸入密碼。當 “FAT”的字串在標頭221的BPB欄位被找出,則代表達到安 全許可的特定標準。因此,步驟S33的資料存取要求是允許 1 的,且取得解密金鑰後解密在解密單元24的加密資料。如 圖5的步驟S39所示,最後,資料復原至其原始未加密狀態, 並透過介面20呈現在讀取/寫入設備上。即使快閃記憶體 22被破解、或從儲存裝置1去除後再結合另一儲存裝置,在 缺少正確的解密金鑰下,加密資料依然是加密的狀態。 當然,上述加密和解密操作可藉由軟體或硬體任一完 成。在其他實施例中,密碼可在製造商端被預先建立,之 後使用者可在讀取/寫入設備上修改密碼。本發明的特性 是特別適用於USB隨身碟、SD卡、MMC卡、CF卡、及USB' 快閃碟的應用。此外,載有資料如何處理資訊的快閃記憶 體的標頭是藉由FAT格式做分割。 總而言之,本發明揭露一種應用於資料儲存裝置的資 料存取方法,以避免機密資訊落入不適當的人手裡,尤其 是在高度商業競爭中的產業間諜。不同於習知技術,即使 已輸入不正確的密碼,在密碼被證實前,受加密保護的資 料是釋放在第一位置。本發明進一步利用記錄在標頭的檔 15 1355597 案從屬資訊,意即第一邏輯區,以加強資料的保護和完整 性。此外,密碼可進一步被轉譯成具有64位元、128位元、 196位元、或256位元長度的加密金鑰。如果密碼被證實是 不正確或無效,那代表比對不正確。因此,即使在長時間 的破解計算和反覆嘗試中找出可能的金鑰後,資料還是在 加密狀態,且未經授權的人是無法讀取的,以防止加密金 鑰被破解而造成資料外洩。只有在輸入的密碼符合以標頭 的資訊為基礎的加密金鑰後,加密資料始可被成功解密為 未加密資料。本發明保證儲存於記憶體的暫存資料維持是 機密的,且防止惡意金鑰輸入者破解金鑰,進而排除習知 技術潛在的安全漏洞,並藉此提高數位内容的整體安全性。 縱使本發明已由上述之實施例詳細敘述而可由熟悉本 技藝之人士任施匠思而為諸般修飾,然皆不脫如附申請專 利範圍所欲保護者。 16 1355597 【圖式簡單說明】 圖1是根據習知技術說明資料儲存設備的簡要方塊圖· 圖2是根據習知技術說明最終使用者使用資料儲 備的流程圖; '子叹 圖3是說明.習知操作資料儲存設備的流程圖; 圖4是根據本發明說明資料儲存t置的簡要圖;及 圖5是根據本發明說明控制資料存取的流程圖。 【主要元件符號說明】 1 資料儲存裝置 22 快閃記憶體 20 介面 μ 23 加密單元 21 非揮發性記憶體 24 解密單元 221 標頭 17Encryption Standard, DES), Triple Data Encryption Standard (Triple-DES) and other methods to encrypt data. As described above, the operation at the time of decryption is started from step S33 of Fig. 5, and the steps S30 to S32 are the operation steps at the time of encryption. In order to manage data access, the password is re-entered in order to decrypt the encrypted data stored in the flash memory 22. As shown in step S34 of Fig. 5, after the access to the data is requested in step S33, a check box prompting the re-input of the password appears on the read/write device. Unauthorized intruders will not be able to read encrypted protected data. In order to understand the secret encrypted data and read out through the interface 20 and output to the data reading/writing device, the decryption key needs to correspond to the first encryption key. Steps S35 through S36 are procedures for explaining the translation of the re-entered password into the second encryption key and used to decode the header 21. In the header 2 21 there is an 8-bit field in the BPB of the first logical area (LBA0) to discriminate its file system category, meaning - that is, the FAT string in this embodiment. In step S37 and step S38, after decoding, it is checked by the header 221 whether or not the "FAT" string in the first three bytes can be found. In step S38, if the first encryption key and the key translated by the re-entered password are confirmed to be the same (ie, correctly corresponding), the 8-bit block representing the BPB in the first logical 'region will be the correct gold. The key successfully completes the decryption action of the encrypted data garbled code, so the positive and decoded "FAT" string can be found in the first 3 bytes of the field. Otherwise, when the translation key of the password typed by the user is different from the encryption key, the data will still be decrypted by the wrong key, but the data is incorrect because the gold record 14 1355597 is incorrect. Unrecognized garbled characters, so the string of "FAT" cannot be found in the data generated by the error decoding. At this time, step S38 returns to step S34, and if the key comparison is incorrect, it is read/write. A check box will appear on the device to prompt for a password. When the string "FAT" is found in the BPB field of header 221, it represents a specific criterion for achieving a security license. Therefore, the material access request of step S33 is permitted 1, and the encrypted data at the decryption unit 24 is decrypted after the decryption key is obtained. As shown in step S39 of Fig. 5, finally, the data is restored to its original unencrypted state and presented on the read/write device through interface 20. Even if the flash memory 22 is cracked, or removed from the storage device 1 and then combined with another storage device, the encrypted data is still encrypted in the absence of the correct decryption key. Of course, the above encryption and decryption operations can be performed by either software or hardware. In other embodiments, the password can be pre-established at the manufacturer's end, after which the user can change the password on the read/write device. The features of the present invention are particularly applicable to USB flash drives, SD cards, MMC cards, CF cards, and USB flash drives. In addition, the header of the flash memory containing information on how the information is processed is segmented by the FAT format. In summary, the present invention discloses a method of accessing data to a data storage device to prevent confidential information from falling into the wrong hands, especially in industrial spies with high commercial competition. Unlike conventional techniques, even if an incorrect password has been entered, the encrypted protected material is released in the first location before the password is verified. The present invention further utilizes the subordinate information recorded in the header file 15 1355597, which means the first logical area to enhance the protection and integrity of the data. In addition, the password can be further translated into an encryption key having a length of 64 bits, 128 bits, 196 bits, or 256 bits. If the password is confirmed to be incorrect or invalid, it means the alignment is incorrect. Therefore, even after finding the possible key in the long-term crack calculation and repeated attempts, the data is still encrypted, and the unauthorized person cannot read it, so as to prevent the encryption key from being cracked and causing the data to be deleted. vent. Encrypted data can be successfully decrypted into unencrypted data only after the entered password matches the encryption key based on the header information. The present invention ensures that the temporary data stored in the memory is kept confidential and prevents the malicious key input from cracking the key, thereby eliminating potential security vulnerabilities of the prior art and thereby improving the overall security of the digital content. The present invention has been described in detail by the above-described embodiments, and may be modified by those skilled in the art, without departing from the scope of the appended claims. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic block diagram of a data storage device according to a prior art. FIG. 2 is a flow chart illustrating an end user usage data reserve according to the prior art; A flow chart of a conventional operational data storage device; FIG. 4 is a schematic diagram illustrating a data storage t setting in accordance with the present invention; and FIG. 5 is a flow chart illustrating control data access in accordance with the present invention. [Main component symbol description] 1 Data storage device 22 Flash memory 20 interface μ 23 Encryption unit 21 Non-volatile memory 24 Decryption unit 221 Header 17