WO2019029393A1 - Storage data encryption and decryption apparatus and method - Google Patents

Storage data encryption and decryption apparatus and method

Info

Publication number
WO2019029393A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
encryption
decryption
key
memory
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2018/097717
Other languages
English (en)
French (fr)
Chinese (zh)
Inventor
杨军
王洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou C Sky Microsystems Co Ltd
Original Assignee
Hangzhou C Sky Microsystems Co Ltd
Application filed by Hangzhou C Sky Microsystems Co Ltd
Priority to EP18842975.7A (patent EP3667535B1)
Priority to JP2020502218A (patent JP7222971B2)
Priority to US16/175,732 (patent US11030119B2)
Publication of WO2019029393A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Definitions

  • the present invention relates to the field of computer equipment science and technology, and in particular, to a storage data encryption and decryption apparatus and method.
  • SoC system-on-chip
  • the storage data encryption and decryption apparatus and method provided by the present invention can solve the deficiencies of the prior art, and use different keys for encryption and decryption of data in different chips and different storage areas of the same chip to efficiently complete data storage and read and write operations.
  • the present invention provides a storage data encryption and decryption method, including:
  • Step 1: providing a true random number generator for generating a plurality of keys;
  • Step 2: providing a data storage for storing data and a key storage for storing the keys, and writing the keys into the key storage;
  • Step 3: providing a data read/write interface module for reading and writing data, and providing a data encryption and decryption module for reading the keys and performing encryption and decryption operations;
  • data written from the data read/write interface module is encrypted by the data encryption and decryption module and then written to the data memory, and data read from the data memory is decrypted by the data encryption and decryption module and then read out to the data read/write interface module.
  • step 3 further includes determining whether to separate the data in the data storage:
  • when the data is not separated, the data storage is not divided into data storage areas, and the data of the entire data storage area is encrypted and decrypted.
  • the keys used for selectively encrypting and decrypting the data of the plurality of data storage areas differ from one data storage area to another; the data of the entire data storage area is encrypted and decrypted using a unified key.
  • the keys used for encrypting and decrypting the same data storage area among the plurality of data storage areas are different in different chips; and the keys used for encrypting and decrypting the data of the entire data storage area are different in different chips.
  • the encryption and decryption algorithm used by the data encryption and decryption module is completed in a single cycle.
  • the encryption and decryption algorithm used by the data encryption and decryption module includes an exclusive OR or a sequence rearrangement.
  • the data encryption and decryption module automatically acquires a key in the key storage by hardware when the system chip is started.
  • the data storage and the key storage are located on the same physical medium.
  • the above method further comprises that the key stored in the key storage can be cleared when the system is attacked.
  • the present invention provides a storage data encryption and decryption apparatus using the above method, including:
  • a true random number generator for generating a plurality of keys
  • a memory bank including a data memory for storing data and a key memory for storing the plurality of keys
  • the memory read/write module includes a data read/write interface module for reading and writing data and a data encryption and decryption module for reading the plurality of keys and performing encryption and decryption operations on the data.
  • the storage data encryption and decryption apparatus and method provided by the embodiments of the present invention can complete encryption of data in different storage areas of different chips or the same chip in one clock cycle, and complete data storage and read and write operations safely and efficiently.
  • FIG. 1 is a schematic structural diagram of a storage data encryption and decryption apparatus according to an embodiment of the present invention
  • FIG. 2 is a flowchart of storage data encryption and decryption according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of the steps of a storage data encryption and decryption method according to an embodiment of the present invention.
  • FIG. 1 is a block diagram showing the structure of a storage data encryption and decryption apparatus according to an embodiment of the present invention.
  • the storage data encryption and decryption apparatus includes a memory read/write module, a memory bank, and a true random number generator.
  • the memory read/write module supports reading and writing of data and keys, and performs encryption and decryption operations on data passing through the module;
  • the memory bank supports the storage of data and keys;
  • the true random number generator is used to generate keys.
  • the memory read/write module is responsible for encrypting the write data and writing it to the memory bank, and decrypting the read data read from the memory bank.
  • the memory read/write module consists of a data read/write interface module and a data encryption and decryption module.
  • the data read/write interface module is used for reading and writing data
  • the data encryption and decryption module is used for encrypting and decrypting data.
  • the data read/write interface module outputs the unencrypted write data to the data encryption/decryption module, and inputs the decrypted read data from the data encryption/decryption module.
  • the data encryption and decryption module can use a single-cycle encryption and decryption algorithm, such as XOR, sequence rearrangement, etc.; a data encryption and decryption module using such an algorithm does not affect data access efficiency.
  • a memory bank consists of a data memory and a key memory.
  • the data storage is used to store data
  • the key storage is used to store keys.
  • the data storage and the key storage may be, but are not limited to being, deployed on the same physical storage medium to facilitate an efficient storage implementation.
  • the data in the data storage may be divided into multiple data storage areas; different storage areas may be encrypted and decrypted using different keys, and each storage area may also choose whether to perform encryption and decryption, but the data of one storage area can only be encrypted and decrypted with the same key.
  • the keys used in the same data storage area of different chips are also different; the keys used for encrypting and decrypting the data of the entire data storage area of different chips are different.
  • the key memory stores a plurality of keys for encrypting and decrypting data of a specific data storage area.
  • the true random number generator is responsible for generating keys, which are provided to the data encryption and decryption module for encrypting and decrypting the data.
  • the data encryption and decryption module in the memory read/write module outputs the true random numbers generated by the true random number generator to the key storage of the memory bank as keys, and uses the keys in the key storage to encrypt the write data output to the data memory and to decrypt the input read data.
  • the data encryption and decryption module automatically acquires the keys in the key storage of the memory bank when the chip is started, and encrypts and decrypts all the data passing through the memory read/write module; the key acquisition is performed by hardware.
  • the memory read/write module can be accessed only after the data encryption and decryption module has completed the key acquisition; access requests made before that are not responded to.
  • FIG. 2 is a flow chart showing the encryption and decryption of stored data according to an embodiment of the present invention.
  • the system is started, the true random number generator generates a plurality of keys, and the data encryption and decryption module then writes the keys generated by the true random number generator to the key memory. It is then determined whether to separate the data in the data storage: if yes, the data storage is logically divided into a plurality of data storage areas, the data of each data storage area is selectively encrypted and decrypted, and different keys are used; if no, the data storage is not divided into data storage areas, and the data of the entire data storage area is encrypted and decrypted using a unified key.
  • the data passing through the memory read/write module is then encrypted and decrypted.
  • the data read/write interface module transmits unencrypted write data to the data encryption and decryption module, which encrypts the data and stores it in the data storage; on the other hand, the data storage transfers undecrypted read data to the data encryption and decryption module, which decrypts it and transmits the decrypted read data to the data read/write interface module. It is then determined whether the system is attacked.
  • if the system is attacked, the data encryption and decryption module clears the key in the key storage, thereby preventing the data in the memory from being attacked and acquired; if the system is not attacked, it is then determined whether the system is closed. If the judgment is yes, the system is started; if it is not, the data passing through the memory read/write module continues to be encrypted and decrypted.
  • FIG. 3 is a schematic diagram showing the steps of a method for encrypting and decrypting data according to an embodiment of the present invention.
  • S31 indicates providing a true random number generator for generating a plurality of keys;
  • S32 indicates providing a data memory for storing data and a key memory for storing keys, and writing the keys to the key memory;
  • S33 indicates providing a data read/write interface module for reading and writing data, and providing a data encryption and decryption module for reading a key and performing encryption and decryption operations; data written from the data read/write interface module is encrypted by the data encryption and decryption module and then written to the data memory, and data read from the data memory is decrypted by the data encryption and decryption module and then read out to the data read/write interface module.
  • with the storage data encryption and decryption apparatus and method provided by the invention, the data memory in the same chip is divided into a plurality of storage areas, each using a specific key, and in different chips the storage areas at the same address use different keys, so that data security is guaranteed.
  • by erasing the key in the key storage, the encrypted data in the memory can no longer be decrypted correctly, which gives strong resistance to attack, and data storage and read/write operations can be completed efficiently.
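
The write/read path, per-area keys and key clearing described above, modelled in C as an added example (not code from the patent or the applicant). The key values are constructed stand-ins for true-random-number-generator output, and the area sizes, function names and the refusal of accesses after key clearing are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>

#define NUM_REGIONS  4
#define REGION_WORDS 4
#define MEM_WORDS    (NUM_REGIONS * REGION_WORDS)

/* One chip: data memory, key memory, and the read/write module's state. */
typedef struct {
    uint32_t data[MEM_WORDS];       /* data memory: holds what is actually stored  */
    uint32_t key_mem[NUM_REGIONS];  /* key memory: one key per data storage area   */
    uint8_t  enc_on[NUM_REGIONS];   /* per-area choice: encrypt or store as-is     */
    uint32_t key_reg[NUM_REGIONS];  /* keys fetched by hardware at start-up        */
    int      keys_loaded;           /* accesses are refused until keys are fetched */
} chip_t;

/* Constructed sample values standing in for true-random-number-generator output. */
static const uint32_t KEYS_A[NUM_REGIONS] = {0x3c6ef372u, 0xa54ff53au, 0x510e527fu, 0x9b05688cu};
static const uint32_t KEYS_B[NUM_REGIONS] = {0x1f83d9abu, 0x5be0cd19u, 0xcbbb9d5du, 0x629a292au};
static const uint8_t  ENC_CFG[NUM_REGIONS] = {1, 1, 0, 1};  /* area 2 left in the clear */

/* Write the generated keys into key memory and record the per-area setting. */
void chip_provision(chip_t *c, const uint32_t *keys, const uint8_t *enc_on) {
    memset(c, 0, sizeof *c);
    memcpy(c->key_mem, keys, sizeof c->key_mem);
    memcpy(c->enc_on, enc_on, sizeof c->enc_on);
}

/* Start-up: the encryption/decryption module fetches the keys from key memory. */
void chip_boot(chip_t *c) {
    memcpy(c->key_reg, c->key_mem, sizeof c->key_reg);
    c->keys_loaded = 1;
}

/* Single-cycle transform: XOR with the key of the area the address falls in. */
static uint32_t xform(const chip_t *c, size_t addr, uint32_t w) {
    size_t r = addr / REGION_WORDS;
    return c->enc_on[r] ? (w ^ c->key_reg[r]) : w;
}

int mem_write(chip_t *c, size_t addr, uint32_t plain) {
    if (!c->keys_loaded || addr >= MEM_WORDS) return -1;
    c->data[addr] = xform(c, addr, plain);   /* encrypt, then store */
    return 0;
}
int mem_read(const chip_t *c, size_t addr, uint32_t *plain) {
    if (!c->keys_loaded || addr >= MEM_WORDS) return -1;
    *plain = xform(c, addr, c->data[addr]);  /* load, then decrypt */
    return 0;
}

/* Attack response: clear key memory and fetched copies (volatile keeps the stores). */
void chip_on_attack(chip_t *c) {
    volatile uint32_t *km = c->key_mem, *kr = c->key_reg;
    for (size_t i = 0; i < NUM_REGIONS; i++) { km[i] = 0; kr[i] = 0; }
    c->keys_loaded = 0;                      /* assumption: module stops responding */
}

/* Returns 0 when every property described in the text holds in the model. */
int demo(void) {
    chip_t a, b; uint32_t v = 0; const uint32_t secret = 0xdeadbeefu;
    chip_provision(&a, KEYS_A, ENC_CFG);
    if (mem_write(&a, 0, secret) != -1) return 1;           /* refused before key fetch */
    chip_boot(&a); chip_provision(&b, KEYS_B, ENC_CFG); chip_boot(&b);
    mem_write(&a, 0, secret); mem_write(&a, 4, secret); mem_write(&a, 8, secret);
    mem_write(&b, 0, secret);
    if (mem_read(&a, 0, &v) != 0 || v != secret) return 2;  /* round trip works */
    if (a.data[0] == a.data[4]) return 3;                   /* areas use different keys */
    if (a.data[0] == b.data[0]) return 4;                   /* chips use different keys */
    if (a.data[8] != secret) return 5;                      /* area 2 stored unencrypted */
    chip_on_attack(&a);
    if (mem_read(&a, 0, &v) != -1 || a.data[0] == secret) return 6;
    return 0;
}
int main(void) { return demo(); }
```

Because each area reuses one key word under XOR, identical plaintext words written to the same encrypted area produce identical stored words; the model shows that limit of a single-cycle XOR transform alongside the per-area and per-chip separation.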

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)
PCT/CN2018/097717 2017-08-08 2018-07-30 Storage data encryption and decryption apparatus and method Ceased WO2019029393A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP18842975.7A EP3667535B1 (en) 2017-08-08 2018-07-30 Storage data encryption and decryption device and method
JP2020502218A JP7222971B2 (ja) 2017-08-08 2018-07-30 Storage data encryption and decryption device and method
US16/175,732 US11030119B2 (en) 2017-08-08 2018-10-30 Storage data encryption and decryption apparatus and method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710671465.3 2017-08-08
CN201710671465.3A CN107516047A (zh) 2017-08-08 2017-08-08 Storage data encryption and decryption apparatus and method

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/175,732 Continuation US11030119B2 (en) 2017-08-08 2018-10-30 Storage data encryption and decryption apparatus and method

Publications (1)

Publication Number Publication Date
WO2019029393A1 (zh) 2019-02-14

Family

ID=60722978

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/097717 Ceased WO2019029393A1 (zh) 2017-08-08 2018-07-30 Storage data encryption and decryption apparatus and method

Country Status (5)

Country Link
US (1) US11030119B2
EP (1) EP3667535B1
JP (1) JP7222971B2
CN (1) CN107516047A
WO (1) WO2019029393A1

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11030119B2 (en) 2017-08-08 2021-06-08 C-Sky Microsystems Co., Ltd. Storage data encryption and decryption apparatus and method
CN114006695A (zh) * 2021-10-28 2022-02-01 杭州海康威视数字技术股份有限公司 Hard disk data protection method and apparatus, trusted platform chip and electronic device

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107590402A (zh) * 2017-09-26 2018-01-16 杭州中天微系统有限公司 Storage data encryption and decryption apparatus and method
US11550927B2 (en) 2017-09-26 2023-01-10 C-Sky Microsystems Co., Ltd. Storage data encryption/decryption apparatus and method
CN108197482A (zh) * 2017-12-27 2018-06-22 致象尔微电子科技(上海)有限公司 Memory data encryption and decryption method and apparatus
CN109840434A (zh) * 2019-01-24 2019-06-04 山东华芯半导体有限公司 Secure storage method based on a national cryptographic (Guomi) chip
US10868679B1 (en) * 2019-07-25 2020-12-15 Cypress Semiconductor Corporation Nonvolatile memory device with regions having separately programmable secure access features and related methods and systems
CN110837649A (zh) * 2019-10-23 2020-02-25 特瓦特能源科技有限公司 Data encryption method and system
KR20220093664A (ko) 2020-12-28 2022-07-05 삼성전자주식회사 Crypto device, integrated circuit and computing device having the same, and writing method thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
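CN201054140Y (zh) * 2007-04-27 2008-04-30 北京华大恒泰科技有限责任公司 Information security control chip
CN104918243A (zh) * 2015-06-15 2015-09-16 上海交通大学 Mobile terminal security system and method based on quantum true random numbers
CN107516047A (zh) * 2017-08-08 2017-12-26 杭州中天微系统有限公司 Storage data encryption and decryption apparatus and method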

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7133845B1 (en) * 1995-02-13 2006-11-07 Intertrust Technologies Corp. System and methods for secure transaction management and electronic rights protection
IL161027A0 (en) * 2001-09-28 2004-08-31 High Density Devices As Method and device for encryption/decryption of data on mass storage device
US7607024B2 (en) * 2003-08-01 2009-10-20 Koninklijke Phillips Electronics N.V. Record carrier comprising encryption indication information
US7613915B2 (en) * 2006-11-09 2009-11-03 BroadOn Communications Corp Method for programming on-chip non-volatile memory in a secure processor, and a device so programmed
JP5000599B2 (ja) * 2008-07-29 2012-08-15 株式会社日立製作所 Storage apparatus and data processing method in storage apparatus
US8194858B2 (en) * 2009-02-19 2012-06-05 Physical Optics Corporation Chaotic cipher system and method for secure communication
CN101582109A (zh) * 2009-06-10 2009-11-18 成都市华为赛门铁克科技有限公司 Data encryption method and apparatus, data decryption method and apparatus, and solid-state drive
US8468368B2 (en) * 2009-12-29 2013-06-18 Cleversafe, Inc. Data encryption parameter dispersal
US8885821B2 (en) * 2010-01-28 2014-11-11 Cleversafe, Inc. Sequencing encoded data slices
CN102346820A (zh) * 2010-07-30 2012-02-08 深圳芯邦科技股份有限公司 Confidential data storage method and apparatus
JP5779434B2 (ja) * 2011-07-15 2015-09-16 株式会社ソシオネクスト Security device and security system
FR2980285B1 (fr) * 2011-09-15 2013-11-15 Maxim Integrated Products Systems and methods for managing cryptographic keys in a secure microcontroller
KR101878682B1 (ko) * 2011-11-14 2018-07-18 삼성전자주식회사 Method and storage medium for protecting content
US8848906B2 (en) * 2011-11-28 2014-09-30 Cleversafe, Inc. Encrypting data for storage in a dispersed storage network
US9584359B2 (en) * 2011-12-12 2017-02-28 International Business Machines Corporation Distributed storage and computing of interim data
US9674155B2 (en) * 2011-12-12 2017-06-06 International Business Machines Corporation Encrypting segmented data in a distributed computing system
US9009567B2 (en) * 2011-12-12 2015-04-14 Cleversafe, Inc. Encrypting distributed computing data
US8873747B2 (en) * 2012-09-25 2014-10-28 Apple Inc. Key management using security enclave processor
JP2014089652A (ja) 2012-10-31 2014-05-15 Toshiba Corp Information processing apparatus
EP3170087B1 (en) * 2014-07-16 2019-05-01 BAE SYSTEMS Information and Electronic Systems Integration Inc. Flash memory device for storing sensitive information and other data
CN106599717B (zh) 2016-12-01 2019-09-06 杭州中天微系统有限公司 Data processor
CN106775971B (zh) 2016-12-02 2020-01-31 杭州中天微系统有限公司 Data processing apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3667535A4 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11030119B2 (en) 2017-08-08 2021-06-08 C-Sky Microsystems Co., Ltd. Storage data encryption and decryption apparatus and method
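CN114006695A (zh) * 2021-10-28 2022-02-01 杭州海康威视数字技术股份有限公司 Hard disk data protection method and apparatus, trusted platform chip and electronic device
CN114006695B (zh) * 2021-10-28 2024-02-02 杭州海康威视数字技术股份有限公司 Hard disk data protection method and apparatus, trusted platform chip and electronic device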

Also Published As

Publication number Publication date
JP2020529758A (ja) 2020-10-08
US20190073319A1 (en) 2019-03-07
EP3667535A1 (en) 2020-06-17
US11030119B2 (en) 2021-06-08
EP3667535B1 (en) 2024-03-27
JP7222971B2 (ja) 2023-02-15
CN107516047A (zh) 2017-12-26
EP3667535A4 (en) 2021-04-28

Similar Documents

Publication Publication Date Title
WO2019029393A1 (zh) Storage data encryption and decryption apparatus and method
JP7225220B2 (ja) Storage data encryption/decryption apparatus and method
US9135450B2 (en) Systems and methods for protecting symmetric encryption keys
US9811478B2 (en) Self-encrypting flash drive
US8516271B2 (en) Securing non-volatile memory regions
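CN103106372B (zh) Lightweight private data encryption method and system for the Android system
CN102073808B (zh) Method for encrypted storage through a SATA interface, and encryption card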
US8539250B2 (en) Secure, two-stage storage system
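JP2003198534A (ja) Data encryption apparatus and method thereof
KR20110032249A (ko) Storage system having an encryption key selection device, and encryption key selection method
CN107408192A (zh) Protecting memory
CN116886356B (zh) Chip-level transparent file encryption storage system, method and device
CN108139984A (zh) Security subsystem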
TW200947202A (en) System and method for providing secure access to system memory
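TW201346637A (zh) Low-overhead cryptographic method and apparatus for providing memory confidentiality, integrity and replay protection
CN107908574A (zh) Security protection method for solid-state disk data storage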
Sassani et al. Evaluating encryption algorithms for sensitive data using different storage devices
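CN106612247A (zh) Data processing method and storage gateway
CN105335663A (zh) Encrypted file system based on dual image files
CN113220415B (zh) Method and apparatus for protecting persistent data of Kata containers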
TW200846972A (en) Method for generating and using a key for encryption and decryption in a computer device
US11550927B2 (en) Storage data encryption/decryption apparatus and method
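CN104951407A (zh) Encryptable USB flash drive and encryption method thereof
CN107784202A (zh) Method and system for preventing acquisition of original code using encrypted storage technology
CN108171086A (zh) Hard disk partition encryption method based on a hardware encryption card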

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18842975

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020502218

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018842975

Country of ref document: EP

Effective date: 20200309