WO2006116931A1 - A method for guaranteeing the safety of the storage network data and the system thereof - Google Patents

Info

Publication number
WO2006116931A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage
data
server
cluster
encryption
Application number
PCT/CN2006/000850
Other languages
French (fr)
Chinese (zh)
Inventor
Yaolong Zhu
Hui Xiong
Jie Yan
Original Assignee
Zhang, Jinkui
Zhou, Feng
Application filed by Zhang, Jinkui and Zhou, Feng

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method and a device for securing storage network data place a security management device on the data channel between the server cluster and the storage device cluster of the storage network. The security management device isolates the commands and data transmitted between the server cluster and the storage device cluster, and processes and securely manages those commands and data. The method preserves normal data processing on the one hand and, on the other, allows various security measures to be applied to all data streams or to specific data streams, providing security measures and guarantees for multi-user shared data storage and user access.

Description

Method and device for guaranteeing storage network data security
Technical Field
The present invention relates to security technology for storage networks, and in particular to a method and device for securing storage network data.
Background
Computer security is one of the hot topics in computer technology, and the main techniques used are various encryption or firewall technologies. However, according to statistics from relevant sources, 50% to 80% of attacks originate from inside the network, that is, from behind the firewall, and these attacks include theft of stored data. At present most data is stored in plaintext. If such data is stolen, it may cause huge losses to a company's economic interests; some critical data even bears on national interests and security.
Storage networks are an important trend in the development of data storage. Storage network security differs from network security in the usual sense: it sits behind the usual network firewall and is a security technology established to prevent internal theft. Storage network security is also not the same as the security of an ordinary storage device such as a single hard disk or a single array. A storage network stores data in a multi-user shared manner, the storage devices are accessed by multiple users at the same time, and the data is more easily stolen. In short, storage network security is a key problem in computer system security.
Summary of the Invention
In view of the deficiencies of the prior art, the present invention provides a method for securing storage network data that achieves secure data storage and user access in a storage network shared by multiple users. The invention also provides a storage network data security management device for use with the method.
In the method of the invention for securing storage network data, a server cluster and a storage device cluster are connected to the storage network. The method is characterized in that a security management device is placed on the command and data channels between the server cluster and the storage device cluster in the storage network; the security management device isolates the commands and data transmitted between the server cluster and the storage device cluster, and performs data processing and data security management on the commands and data transmitted between the two.
Because the method places a security management device that isolates commands and data between the server cluster and the storage device cluster, and that device processes and securely manages the data passing between the two, it is equivalent to installing an intelligent security administrator on the data flow between the server cluster and the storage device cluster. On the one hand, normal data processing between the server cluster and the storage device cluster is preserved. On the other hand, security measures such as encryption and permission restrictions can be applied inside the security management device to all data streams or to specific data streams, providing security measures and guarantees for data storage and user access where storage devices are shared by multiple users.
Further, the data processing is implemented by the security management device emulating the working modes of a storage device and of a server respectively. For I/O commands from the server cluster, the security management device emulates the working mode of a storage device, receiving and responding to the commands. Toward the storage device cluster, the security management device emulates the working mode of a server, reading and writing the storage devices in the storage device cluster and sending I/O commands to the individual storage devices and/or storage spaces of the cluster. The data security management is implemented by performing data encryption/decryption at the storage protocol layer of the storage channel inside the security management device.
Because the security management device emulates the working modes of a storage device and a server respectively, it can be built on ordinary server hardware or on an embedded hardware platform, which makes the method simple and convenient to implement. Performing access authorization and/or data encryption/decryption at the storage protocol layer to realize data processing and security management is fully compatible with existing storage systems, that is, compatible with any hardware, operating system and application.
Furthermore, the security management device comprises a hardware platform and a software platform. The hardware platform is ordinary server hardware or embedded hardware and is provided with a device-side hardware protocol processing port and a server-side hardware protocol processing port, connected at the physical and transport layers to the storage device cluster and the server cluster respectively, for handling the underlying transport protocols of the storage network. The software platform comprises a device-side storage protocol module and a server-side storage protocol module, each connected to one of the two hardware protocol processing ports, an encryption management module connected between the two, and a configuration database connected to these three modules. The two storage protocol modules send, receive and parse commands and send and receive storage network data; the encryption management module encrypts or decrypts data according to the type of command; the configuration database stores and manages the various kinds of information. The hardware platform is further provided with a key hardware interface; the encryption management module is further provided with a hardware encryption module and/or a software encryption module; and the software platform is further provided with a password management module, a rights management module, an encryption algorithm management module and a key management module, each connected to the configuration database and used to implement access authorization management and data encryption. The information from these four modules is passed to the configuration database.
With these technical measures, standard storage network interfaces can be used to connect the server cluster and the storage device cluster, and most current storage network protocols are supported, such as Fibre Channel, iSCSI, network-attached storage (NAS) and object-based storage (OSD). The solution also configures keys and encryption independently for each storage space within a single storage device: by managing each storage device/storage space of the storage device cluster separately and giving users different keys and algorithms, it achieves data encryption in a multi-user shared environment. Combining the user login password, the encryption key and the network administrator's allocation of space permissions further safeguards data security. Because the method keeps the key separate from the device, the key can be destroyed quickly to protect the data.
Brief Description of the Drawings
Figure 1 is a schematic structural diagram of the device of the invention;
Figure 2 is a flow chart of initialization and connection in the invention;
Figure 3 is a flow chart of user login in the invention;
Figure 4 is a flow chart of writing data in the invention;
Figure 5 is a flow chart of reading data in the invention;
Figure 6 is a flow chart of disconnecting a user in the invention.
The reference numerals in the figures are as follows:
1: storage network data security management device of the invention; 2: storage device cluster; 3: server cluster; 4: storage network; 10: hardware platform of the security management device; 20: software platform of the security management device; 100: device-side hardware protocol processing port; 110: server-side hardware protocol processing port; 120: hard encryption module; 130: key hardware interface; 200: device-side storage protocol module; 210: server-side storage protocol module; 220: encryption management module; 230: software encryption module; 240: password management module; 250: rights management module; 260: encryption algorithm management module; 270: key management module; 280: configuration database.
Detailed Description
The specific technical solutions of the invention are described in detail below with reference to the accompanying drawings.
Figure 1 is a schematic structural diagram of the storage network data security device of the invention. As shown in Figure 1, the storage network data security management device 1 connects to the storage device cluster 2 and the server cluster 3 through the storage network 4. It is placed on the command and data channels between the two and isolates data and commands. The storage network data security management device 1 comprises a hardware platform 10 and a software platform 20, and performs data processing and data security management on the data transmitted between the server cluster 3 and the storage device cluster 2.
The hardware platform 10 comprises a device-side hardware protocol processing port 100, a server-side hardware protocol processing port 110 and a hard encryption module 120. The server-side hardware protocol processing port 110 connects to the server cluster 3, and the device-side hardware protocol processing port 100 connects to the storage device cluster 2. The device-side hardware protocol processing port 100 and the server-side hardware protocol processing port 110 each consist of an underlying hardware system and a part that handles the storage protocol layer. These two ports can use the most common Ethernet and Fibre Channel ports; in practice, the functions of each protocol layer can be implemented with a flexible mix of software and hardware, and other types of hardware port can also be used. The key hardware interface 130 is responsible for reading the hard key, by any means such as a USB interface reading a USB key or an IC card reader interface reading an IC card.
The hardware platform 10 can consist of ordinary server hardware or a purpose-built embedded hardware platform. Apart from the hardware protocol processing ports and the key hardware interface described above, the rest of the hardware is the same as an ordinary hardware platform architecture, including a central processor, memory for running the control program or firmware, external storage holding the control program or firmware, an external expansion bus, and so on.
The software platform 20 comprises a device-side storage protocol module 200, a server-side storage protocol module 210, an encryption management module 220, a software encryption module 230, a password management module 240, a rights management module 250, an encryption algorithm management module 260, a key management module 270 and a configuration database 280.
The device-side storage protocol module 200 connects to the device-side hardware protocol processing port 100, emulates the working mode of a server, and reads and writes the storage device cluster 2. Specifically, the device-side storage protocol module 200 sends high-level storage device I/O commands to each storage device/storage space of the storage device cluster 2 to obtain its address, identifier, status and capacity, continuously scans and monitors changes in the state of the storage device cluster, and stores this information in the configuration database 280. The server-side storage protocol module 210 connects to the server-side hardware protocol processing port 110, emulates the working mode of a storage device, and responds to read/write I/O commands from the server cluster 3. Specifically, the server-side storage protocol module 210 obtains the information on the storage devices/storage spaces of the storage device cluster 2 from the configuration database 280, and uses it to receive and respond to high-level storage device commands from the server cluster 3.
This solution isolates command and data transfer between the server cluster 3 and the storage device cluster 2; data and commands are instead handled by the invention emulating the working modes of a server and a storage device. In effect the solution defines two zones. The first is the zone of the server cluster 3 and the server-side storage protocol module 210, in which the server cluster 3 can see only the storage network data security management device of the invention. The second is the zone of the storage device cluster 2 and the device-side storage protocol module 200, in which the storage network data security device of the invention can see only the storage device cluster 2. The server cluster 3 can therefore reach the storage device cluster 2 only through the storage network data security management device of the invention.
In this embodiment, data security management is achieved through access authorization management and/or encryption; the preferred approach is to apply access authorization management and encryption together. The implementation is as follows. The password management module 240 restricts login when a user (server cluster 3) accesses a storage device/storage space. It is completed interactively by the user and the administrator, and the user information is passed to the configuration database 280 once the administrator approves. The rights management module 250 controls the access permissions of a user (server cluster 3) to storage devices/storage spaces. It is completed jointly by the user and the network administrator: the administrator passes the user information, the information on the user's server and the information on the storage device/storage space allocated to the user to the configuration database 280. The encryption algorithm management module 260 can hold multiple encryption algorithms, implemented in hardware (through the hard encryption module 120) or in software (through the software encryption module 230); the user selects an encryption algorithm, which is passed to the configuration database 280. The key management module 270 manages the data encryption keys. A key may be a soft key entered by the user or a hard key read through the key hardware interface 130; the key management module 270 passes the key to the configuration database 280. When a read or write command arrives from the server cluster, the configuration database 280 reads this information, and the read/write data is encrypted or decrypted according to the user's server information, the key information and the encryption algorithm information.
The configuration database 280 manages all storage information, user information, encryption algorithm information, key information and so on. After the user and the administrator together enter a set of configuration information, the configuration database stores these four kinds of information as one array. At each subsequent login, the device-side storage protocol module 200 checks whether the user and the login password are valid, retrieves the information on the space allocated to the user from the configuration database 280, and reports it to the user. When the user reads or writes that space, the device-side storage protocol module 200 encrypts or decrypts the data in hardware or software according to the key information and the encryption algorithm information.
Figure 2 is a flow chart of initialization and connection in the invention. As shown in Figure 2(a), the device-side hardware protocol processing port 100 and the device-side storage protocol module 200, which connect to the storage device cluster 2, emulate the working mode of a server. In this mode, the storage network data security management device 1 actively sends high-level storage device commands to the storage device cluster 2 and obtains the address, identifier, status and capacity of each storage device/storage space in the storage device cluster 2. Because new devices may join the storage network, existing devices may disconnect, and errors may occur during reads and writes, the storage network data security management device 1 runs a timed scan that cyclically checks the state of each storage device/storage space in the storage device cluster 2 and updates the configuration database 280.
As shown in Figure 2(b), the server-side hardware protocol processing port 110 and the server-side storage protocol processing module 210, which connect to the server cluster 3, emulate the working mode of a storage device, receiving and responding to high-level storage device commands from the server cluster 3, such as read-device-attribute commands, read-status commands, read-capacity commands and read/write commands. All state parameters of the storage devices/storage spaces are taken from the configuration database 280.
Figure 3 is a flow chart of user login in the invention. As shown in Figure 3, when a user needs storage space, the user applies to the network administrator. Once the network administrator confirms that the user may use storage resources, the administrator stores the user information, the server information and the information on the storage space allocated to the user in the configuration database 280. The user decides the login password, the encryption algorithm and the key, which are also stored in the configuration database 280.
The user logs in to the storage network data security device 1 of the invention with the login password. The invention looks up the configuration database 280 and allows the user to log in only after confirming that the user name, the password and the server are valid.
The password and key are isolated from the network administrator: the network administrator knows only that a password and a key exist, not their content. In other words, the network administrator has only the right to allocate storage devices/storage spaces, not the right to access them.
Figure 4 is a flow chart of writing data in the invention. As shown in Figure 4, after receiving a write command, the invention retrieves the encryption algorithm and key from the configuration database 280, encrypts the write data in hardware or software, and writes it to the corresponding storage device/storage space.
Figure 5 is a flow chart of reading data in the invention. As shown in Figure 5, after receiving a read command, the invention reads the data from the corresponding storage device/storage space, then decrypts the read data in hardware or software using the encryption algorithm and key retrieved from the configuration database 280, and returns the data to the server.
Figure 6 is a flow chart of disconnecting a user in the invention. As shown in Figure 6, to protect the data effectively, the invention deletes the key from the configuration database 280 when the user disconnects. If the user requires it, the user's login password can also be cleared.
Specific embodiments of the present invention have been described above, but the invention is not limited to them, and they do not limit the invention in any form. It should be noted that those skilled in the art can make many related variations and improvements based on the guiding ideas of the invention, and all of these fall within the scope of protection of the invention.

Claims

1. A method for securing storage network data, the storage network having a server cluster and a storage device cluster connected to it, characterized in that a security management device is placed on the data channel between the server cluster and the storage device cluster in the storage network; the security management device isolates the commands and data transmitted between the server cluster and the storage device cluster, and performs data processing and data security management on the commands and data transmitted between the two.
2. The method for securing storage network data according to claim 1, characterized in that the data processing is implemented by the security management device emulating the operating modes of a storage device and of a server respectively: for I/O commands from the server cluster, the security management device emulates the operating mode of a storage device, receiving and responding to the commands; toward the storage device cluster, the security management device emulates the operating mode of a server, reading and writing the storage devices in the storage device cluster and sending I/O commands to the individual storage devices and/or storage spaces of the storage device cluster; the data security management is implemented by performing access authorization and/or data encryption/decryption at the storage protocol layer of the storage channel within the security management device.
3. The method for securing storage network data according to claim 1 or 2, characterized in that the security management device comprises a hardware platform and a software platform; the hardware platform is ordinary server hardware or embedded hardware and is provided with a device-side hardware protocol processing port and a server-side hardware protocol processing port, connected at the physical layer and transport layer to the storage device cluster and the server cluster respectively, for handling the low-level transport protocols of the storage network; the software platform comprises a device-side storage protocol module and a server-side storage protocol module, each connected to one of the two hardware protocol processing ports, and an encryption management module connected between the two, and further comprises a configuration database connected to these three modules; the two storage protocol modules send, receive and parse commands and send and receive storage network data; the encryption management module encrypts/decrypts data according to the type of command; and the configuration database stores and manages the various kinds of information.
4. The method for securing storage network data according to claim 3, characterized in that the hardware platform is further provided with a key hardware interface; the encryption management module is further provided with a hardware encryption module and/or a software encryption module; the software platform is further provided with a password management module, a permission management module, an encryption algorithm management module and a key management module, each connected to the configuration database, for implementing access authorization management and/or data encryption; the information of these four modules is all transferred to the configuration database.
5. The method for securing storage network data according to claim 4, characterized in that the emulated-server operating mode is implemented by the device-side storage protocol module and the device-side hardware protocol processing port: the device-side storage protocol module sends commands to each storage device/storage space of the storage device cluster, obtains attributes such as its address, flag, status and capacity, continuously scans and monitors changes in the state of the storage device cluster to update this data, and stores the information in the configuration database; the emulated-storage-device operating mode is implemented by the server-side storage protocol module and the server-side hardware protocol processing port: the server-side storage protocol module obtains the information on the storage devices/storage spaces of the storage device cluster from the configuration database and uses it to receive and respond to commands from the server cluster; for read-data and write-data commands, the storage devices/storage spaces in the storage device cluster can be read or written only after the encryption management module has performed encryption/decryption according to the encryption algorithm and key in the configuration database.
6. The method for securing storage network data according to claim 4, characterized in that access authorization management and data encryption/decryption are implemented as follows: the password management module sets the login restriction applied when a user accesses a storage device/storage space, and is arranged to be completed interactively by the user and the administrator; the resulting user information is transferred to the configuration database once approved by the administrator; the permission management module sets the control of the user's access permissions to storage devices/storage spaces, and is arranged to be completed jointly by the user and the network administrator; the resulting user information, information on the server where the user is located, and information on the storage devices/storage spaces allocated to the user are transferred by the administrator to the configuration database; the encryption algorithm management module holds multiple encryption algorithms, which are implemented by the hardware encryption module or the software encryption module; the user selects an encryption algorithm, which is transferred to the configuration database; the key management module manages the data encryption key, which may be a soft key entered by the user or a hard key read in through the key hardware interface; the key management module transfers the key to the configuration database; on receiving a read or write command from the server cluster, the configuration database reads the above information, and the read/write data is encrypted/decrypted according to the user's server information, the key information and the encryption algorithm information.
7. A storage network data security management device, the storage network having a server cluster and a storage device cluster connected to it, characterized in that the storage network data security management device is placed on the command and data channel between the server cluster and the storage device cluster in the storage network, consists of a hardware platform and a software platform, and performs data processing and data security management on the commands and data transmitted between the server cluster and the storage device cluster.
8. The storage network data security management device according to claim 7, characterized in that the hardware platform is ordinary server hardware or embedded hardware and is provided with a device-side hardware protocol processing port and a server-side hardware protocol processing port, connected at the physical layer and transport layer to the storage device cluster and the server cluster respectively, for handling the low-level transport protocols of the storage network; the software platform comprises a device-side storage protocol module and a server-side storage protocol module, each connected to one of the two hardware protocol processing ports, and an encryption management module connected between the two, and further comprises a configuration database connected to these three modules; the two storage protocol modules send, receive and parse commands and send and receive storage network data; the encryption management module encrypts/decrypts data according to the type of command; and the configuration database stores and manages the various kinds of information.
9. The storage network data security management device according to claim 8, characterized in that the hardware platform is further provided with a key hardware interface; the encryption management module is further provided with a hardware encryption module and/or a software encryption module; the software platform is further provided with a password management module, a permission management module, an encryption algorithm management module and a key management module, each connected to the configuration database, for implementing access authorization management and data encryption/decryption; the information of these four modules is all transferred to the configuration database.
PCT/CN2006/000850 2005-04-29 2006-04-29 A method for guaranteeing the safety of the storage network data and the system thereof WO2006116931A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2005100116672A CN100385860C (en) 2005-04-29 2005-04-29 Method and device for safety of storaged network data
CN200510011667.2 2005-04-29

Publications (1)

Publication Number Publication Date
WO2006116931A1 true WO2006116931A1 (en) 2006-11-09

Family

ID=35353226

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/000850 WO2006116931A1 (en) 2005-04-29 2006-04-29 A method for guaranteeing the safety of the storage network data and the system thereof

Country Status (2)

Country Link
CN (1) CN100385860C (en)
WO (1) WO2006116931A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025503A (en) * 2010-11-04 2011-04-20 北京曙光天演信息技术有限公司 Data security implementation method in cluster environment and high-security cluster
CN115378646A (en) * 2022-07-14 2022-11-22 刘书凯 Network security monitoring system for computer communication

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101877783B (en) * 2009-11-06 2012-01-25 北京邦诺存储科技有限公司 Network video recorder clustering video monitoring system and method
CN102244649B (en) * 2010-05-12 2015-06-10 杭州华三通信技术有限公司 Data transmission method among secure networks and data processors
CN102420820B (en) 2011-11-28 2016-06-08 杭州华三通信技术有限公司 Partition method in a kind of group system and device
CN102761538B (en) * 2012-04-27 2014-10-22 南大傲拓科技江苏有限公司 Design management method for communication shared field applied to various communication interface gateways
CN104243510B (en) * 2013-06-07 2018-08-14 中国科学院声学研究所 A kind of secure network storage system and method
CN104579689B (en) * 2015-01-20 2018-02-13 中城智慧科技有限公司 A kind of soft cipher key system and implementation method
CN108667867B (en) 2017-03-29 2021-05-18 华为技术有限公司 Data storage method and device
CN111259227B (en) * 2020-01-16 2023-11-10 北京旷视科技有限公司 Method and apparatus for sharing a targeted search service among multiple search clusters
CN112348513A (en) * 2020-09-09 2021-02-09 中诚区块链研究院(南京)有限公司 Can provide multiple encryption mode transaction block chain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003158538A (en) * 2001-11-22 2003-05-30 Anritsu Corp Gateway and access method employing the same
US20040078599A1 (en) * 2001-03-01 2004-04-22 Storeage Networking Technologies Storage area network (san) security
US20040088574A1 (en) * 2002-10-31 2004-05-06 Brocade Communications Systems, Inc. Method and apparatus for encryption or compression devices inside a storage area network fabric

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6172988B1 (en) * 1996-01-31 2001-01-09 Tiernan Communications, Inc. Method for universal messaging and multiplexing of video, audio, and data streams
US6292657B1 (en) * 1998-07-13 2001-09-18 Openwave Systems Inc. Method and architecture for managing a fleet of mobile stations over wireless data networks
US7546360B2 (en) * 2002-06-06 2009-06-09 Cadence Design Systems, Inc. Isolated working chamber associated with a secure inter-company collaboration environment

Also Published As

Publication number Publication date
CN1694415A (en) 2005-11-09
CN100385860C (en) 2008-04-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

NENP Non-entry into the national phase

Ref country code: RU

WWW Wipo information: withdrawn in national office

Country of ref document: RU

122 Ep: pct application non-entry in european phase

Ref document number: 06722423

Country of ref document: EP

Kind code of ref document: A1

WWW Wipo information: withdrawn in national office

Ref document number: 6722423

Country of ref document: EP