WO2021027526A1 - Data storage method, device, computer apparatus, and storage medium - Google Patents

Publication number
WO2021027526A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage device
encrypted
storage
data
stored
Prior art date
Application number
PCT/CN2020/104462
Other languages
French (fr)
Chinese (zh)
Inventor
竹贝芬
李先强
罗影
王鹏
曾伟
周海涛
Original Assignee
江苏芯盛智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 江苏芯盛智能科技有限公司
Publication of WO2021027526A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • This application relates to the field of computer technology, in particular to a data storage method, device, computer equipment, and storage medium.
  • Storage refers to storing data on certain media in a reasonable, safe, and effective manner according to different application environments and ensuring effective access. Generally speaking, it has two meanings: on the one hand, it is the physical medium on which data resides temporarily or long term; on the other hand, it is a method or behavior that ensures data is stored completely and safely.
  • Storage can generally be realized through mobile storage devices.
  • In the field of mobile storage devices, there are currently some encrypted mobile hard disks and some SSD (Solid State Drive) disks on the market.
  • a dedicated encryption chip can be used for encryption, which additionally increases the complexity of the data storage process.
  • a data storage method includes:
  • the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device or an encrypted storage device and a non-encrypted storage device;
  • the storage message carries the data to be stored and a storage instruction
  • the storage instruction is used to control the encrypted storage device to encrypt the data to be stored
  • the encrypted data to be stored is stored in the encrypted storage device or the non-encrypted storage device.
  • sending the authorization key to the encrypted storage device includes:
  • the authorization key is encrypted by the temporary key and sent to the encrypted storage device.
  • before the searching for the Ukey corresponding to the encrypted storage device, the method further includes:
  • when the encrypted storage device is not in the state of being bound to the Ukey, search for a Ukey that is not in the bound state, exchange the CA certificates of the encrypted storage device and the Ukey that is not in the bound state to perform identity authentication between the encrypted storage device and the Ukey that is not in the bound state, bind the encrypted storage device and the Ukey that is not in the bound state, randomly generate a temporary key, and send the temporary key to the Ukey bound to the encrypted storage device and to the encrypted storage device.
  • the sending a storage message to the encrypted storage device includes:
  • a data storage method applied to an encrypted storage device including:
  • the storage device includes a current encrypted storage device or a non-encrypted storage device.
  • before acquiring the storage message sent by the server, the method further includes:
  • the authorization key is decrypted by the temporary key, and when the serial number in the authorization key is the same as the stored serial number, the authentication is determined to be passed, and the authentication passed signal is fed back to the server.
  • the encrypting the data to be stored according to the storage instruction includes:
  • when the storage device specified by the storage instruction is the current encrypted storage device, encrypt the data to be stored by using a preset I/O key;
  • when the storage device specified by the storage instruction is a non-encrypted storage device, the data to be stored is encrypted by the authority key.
  • a data storage device comprising:
  • a request obtaining module configured to obtain a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device or an encrypted storage device and a non-encrypted storage device;
  • the device search module is used to search for the Ukey corresponding to the encrypted storage device
  • a key sending module configured to send a permission key to the encrypted storage device, where the permission key is a permission key corresponding to the encrypted storage device generated by the Ukey;
  • the data sending module is configured to send a storage message to the encrypted storage device, the storage message carries the data to be stored and a storage instruction, and the storage instruction is used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  • a data storage device comprising:
  • the key decryption module is used to receive the authority key sent by the server, and the authority key is generated by the corresponding Ukey;
  • a data receiving module configured to receive a storage message sent by the server, the storage message carrying data to be stored and storage instructions
  • a data encryption module configured to encrypt the data to be stored according to the storage instruction
  • the data storage module is configured to store the encrypted data to be stored in the storage device specified by the storage instruction according to the storage instruction, and the storage device includes a current encrypted storage device or a non-encrypted storage device.
  • a computer device includes a memory and a processor, the memory stores a computer program, and the processor implements the following steps when executing the computer program:
  • the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device or an encrypted storage device and a non-encrypted storage device;
  • the storage message carries the data to be stored and a storage instruction
  • the storage instruction is used to control the encrypted storage device to encrypt the data to be stored
  • the encrypted data to be stored is stored in the encrypted storage device or the non-encrypted storage device.
  • a computer device includes a memory and a processor, the memory stores a computer program, and the processor implements the following steps when executing the computer program:
  • the storage device includes a current encrypted storage device or a non-encrypted storage device.
  • a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed by a processor, the following steps are implemented:
  • the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device or an encrypted storage device and a non-encrypted storage device;
  • the storage message carries the data to be stored and a storage instruction
  • the storage instruction is used to control the encrypted storage device to encrypt the data to be stored
  • the encrypted data to be stored is stored in the encrypted storage device or the non-encrypted storage device.
  • a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed by a processor, the following steps are implemented:
  • the storage device includes a current encrypted storage device or a non-encrypted storage device.
  • the server first obtains the storage request, and then finds the Ukey corresponding to the encrypted storage device; sends the authorization key to the encrypted storage device, and sends the storage message to the encrypted storage device.
  • the storage message carries the data to be stored and the storage instruction, and the storage instruction is used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  • the data storage method of this application encrypts data by controlling an encrypted storage device, and then saves it to an encrypted storage device or a non-encrypted storage device.
  • the encrypted storage process does not need to use a new storage chip, which can effectively reduce the complexity of encrypted storage and improve the storage efficiency of encrypted storage.
  • Figure 1 is an application environment diagram of a data storage method in an embodiment
  • Figure 2 is a schematic flowchart of a data storage method in an embodiment
  • FIG. 3 is a schematic diagram of a sub-flow of step S250 in FIG. 2 in an embodiment
  • FIG. 4 is a schematic flowchart of a data storage method in another embodiment
  • Figure 5 is a structural block diagram of a data storage device in an embodiment
  • Fig. 6 is an internal structure diagram of a computer device in an embodiment.
  • the data storage method provided by this application can be applied to the application environment shown in FIG. 1, where the storage management server 104 communicates with the terminal 102 and multiple storage devices 106 through the network.
  • the storage devices include encrypted storage devices and non-encrypted storage devices. The storage management server 104 can receive the storage request including the data to be stored provided by the terminal 102, and find the Ukey corresponding to the encrypted storage device; then use the Ukey to generate a permission key corresponding to the storage device, and send the permission key to the encrypted storage device; then the storage management server 104 sends a storage message carrying the data to be stored and the storage instruction to the encrypted storage device; the encrypted storage device encrypts the data to be stored, and then stores the encrypted data to be stored, according to the storage instruction, in the storage device specified by the storage instruction. Storage devices include the current encrypted storage device or non-encrypted storage devices.
  • the terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, and tablet computers.
  • the data storage method of the present application is implemented by a storage management server, which specifically includes the following steps:
  • the storage request includes the requested storage device and the data to be stored.
  • the storage device includes an encrypted storage device or an encrypted storage device and a non-encrypted storage device.
  • a storage request refers to a request to the storage management server to store the data to be stored in the designated target storage device.
  • the storage request includes the requested storage device and the content that needs to be stored.
  • this storage request also implies a requirement to encrypt the data: the data to be stored is encrypted before it is saved to the target storage device.
  • the requested storage device includes an encrypted storage device or an encrypted storage device and a non-encrypted storage device. When the requested storage device only includes an encrypted storage device, it means that the storage request wishes to save the data to be stored in the encrypted storage device. When the requested storage device includes an encrypted storage device and a non-encrypted storage device, it means that the storage request hopes to encrypt the data to be stored by the encrypted storage device, and then save it to the non-encrypted storage device.
  • Ukey is a small storage device that is directly connected to the computer via USB (Universal Serial Bus), has a password verification function, and is reliable and high-speed.
  • Ukey is an extremely powerful supplement to the current network security system and is a network security product certified by the China Information Security Evaluation and Certification Center. Based on trusted computer and smart card technology, it brings ease of use, portability and the highest level of security to users who use Microsoft IE or Netscape Navigator for Web access, online transactions (shopping, payment), sending and receiving e-mail, online chat and making friends, form signing, and digital signing of files, and it ensures that the user's operations under the Ukey cannot be tampered with or denied.
  • the biggest feature of ukey is high security, strong technical specification consistency, good operating system compatibility, and flexible carrying and use.
  • Each encrypted storage device has a corresponding Ukey, and each Ukey is managed by the storage management server.
  • S250 Send the authority key to the encrypted storage device, where the authority key is the authority key corresponding to the encrypted storage device generated by Ukey.
  • the authorization key is used to activate the encrypted storage device.
  • the authorization key can also perform operations such as authentication and encryption.
  • the storage management server may generate a permission key for activating the storage device through the Ukey corresponding to the encrypted storage device, and then activate the encrypted storage device for encrypted storage by sending the permission key to the encrypted storage device.
  • when the encrypted storage device receives the authorization key sent by the storage management server, it authenticates the authorization key. When authentication passes, it feeds back an authentication pass message to the storage management server, and the storage management server uses the authentication pass message to determine whether to perform subsequent actions.
  • S270 Send a storage message to the encrypted storage device, the storage message carries the data to be stored and a storage instruction, the storage instruction is used to control the encrypted storage device to encrypt the data to be stored, and store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  • the storage instruction is generated according to the storage device corresponding to the storage request of the client.
  • after the storage management server sends the authorization key, it sends a storage message containing the data to be stored and the storage instruction to the encrypted storage device, and controls the encrypted storage device through the storage instruction to encrypt and store the data to be stored.
  • the storage process can be encrypted first.
  • the storage device encrypts the data to be stored according to the storage instruction, and stores the encrypted data to be stored in an encrypted storage device or a non-encrypted storage device.
  • the specific storage location is determined by the storage instruction.
  • the encrypted storage device may be an SSD encrypted disk containing the remaining key space, and the non-encrypted storage device may be an SSD non-encrypted disk, and the storage management server manages it according to the serial number of each SSD disk.
  • the server first obtains the storage request, and then finds the Ukey corresponding to the encrypted storage device; sends the authorization key to the encrypted storage device, and sends the storage message to the encrypted storage device.
  • the storage message carries the data to be stored and the storage instruction.
  • the storage instruction is used to control the encrypted storage device to encrypt the data to be stored, and store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  • the data storage method of this application encrypts data by controlling an encrypted storage device, and then saves it to an encrypted storage device or a non-encrypted storage device.
  • the encrypted storage process does not need to use a new storage chip, which can effectively reduce the complexity of encrypted storage and improve the storage efficiency of encrypted storage.
  • step S250 includes:
  • S252 Determine the temporary key of the Ukey and the encrypted storage device, generate a random key through the Ukey, and generate an authority key according to the serial number and the random key of the encrypted storage device.
  • the storage management server first determines the temporary key agreed upon between the Ukey and the encrypted storage device for this storage process, then generates a random key through the Ukey, encrypts the serial number of the storage device and the random key with the temporary key, and generates an encrypted authorization key.
  • in one of the embodiments, the serial number of the storage device can be stored in its corresponding Ukey. After the authorization key is generated, the encrypted authorization key can be sent to the encrypted storage device to activate the storage process of the storage device.
  • the temporary key has timeliness and randomness. When the storage device is powered off, a new temporary key needs to be used for authentication. The Ukey and the storage device can agree on a temporary key in advance to ensure the confidentiality and traceability of the authority key transmission process.
  • before S230, the method further includes:
  • a temporary key is randomly generated, and the temporary key is sent to the Ukey bound to the encrypted storage device and the encrypted storage device.
  • when the encrypted storage device is not in the state of being bound with a Ukey, find a Ukey that is not in the bound state, exchange the CA certificates of the encrypted storage device and the Ukey that is not in the bound state to perform identity authentication between the encrypted storage device and the Ukey that is not in the bound state, bind the encrypted storage device with the Ukey that is not in the bound state, randomly generate a temporary key, and send the temporary key to the encrypted storage device and the Ukey bound to the encrypted storage device.
  • the authentication can be directly completed and a temporary key is generated.
  • the binding work needs to be completed first, and then a temporary key is generated.
  • the binding process can be realized by exchanging the CA certificate.
  • the encrypted storage device and the Ukey each have a CA certificate applied for from the CA organization, and identity authentication can be completed by exchanging their respective certificates; the authority key is generated and stored by the Ukey and injected into the SSD
  • the authorization key is encrypted with a key temporarily negotiated between the SSD and the Ukey and is digitally signed, which improves the security of the data transmission process.
  • S270 includes:
  • when the storage device receives the authorization key sent by the storage management server, it authenticates the authorization key. When authentication passes, it feeds back an authentication pass message to the storage management server.
  • the storage instruction can be generated according to the requested storage device, and then the storage message is generated according to the storage instruction and the data to be stored, and then the storage message is sent to the designated encrypted storage device.
  • the encrypted storage device can parse the storage message to obtain the data to be stored and the storage instruction, and then the storage device can store the data to be stored according to the storage instruction.
  • the present application also provides a data storage method, which is applied to an encrypted storage device, and the method includes:
  • S410 Receive the authority key sent by the server, where the authority key is generated by the corresponding Ukey.
  • S430 Receive a storage message sent by the server, where the storage message carries data to be stored and a storage instruction.
  • S450 Encrypt the data to be stored according to the storage instruction.
  • S470 Store the encrypted data to be stored in the storage device specified by the storage instruction according to the storage instruction, where the storage device includes a current encrypted storage device or a non-encrypted storage device.
  • the encrypted storage area may be an SSD encrypted disk containing the remaining key space, and the non-encrypted storage area is an SSD non-encrypted disk, and the storage management server manages it according to the serial number of each SSD disk.
  • the storage device has a corresponding relationship with each Ukey managed by the storage management server.
  • the storage management server can generate a corresponding authority key through the corresponding Ukey, and activate the current encrypted storage device through the authority key.
  • the encrypted storage device receives the authorization key sent by the storage management server, stores the authorization key in the encrypted storage area, and then activates the encrypted storage process. It then obtains the storage message sent by the storage management server and obtains the storage instruction and the data to be stored by parsing the storage message. After obtaining the data to be stored, it encrypts the data to be stored according to the storage device specified by the storage instruction, and then saves the encrypted data to be stored to the storage device specified by the storage instruction to complete the data encryption work.
  • the storage device first receives the authorization key sent by the server; receives the storage message sent by the server, the storage message carrying the data to be stored and the storage instruction; encrypts the data to be stored according to the storage instruction; and stores the encrypted data to be stored, according to the storage instruction, in the storage device specified by the storage instruction, where the storage device includes the current encrypted storage device or a non-encrypted storage device.
  • the data storage method of this application encrypts the data by means of the encrypted storage device, and then saves it to the encrypted storage device or a non-encrypted storage area.
  • the encrypted storage process does not need to use a new storage chip, which can effectively reduce the complexity of encrypted storage and improve the storage efficiency of encrypted storage.
  • S430 includes:
  • the authorization key is decrypted by the temporary key.
  • the authentication is determined to be passed, and the authentication passed signal is fed back to the server.
  • Ukey and the storage device will pre-appoint a random temporary key.
  • the key is generated by the storage management server and sent to Ukey and the storage device respectively.
  • the two parties need to negotiate again to generate a new temporary key.
  • the temporary key can be used to decrypt the encrypted and transmitted authorization key. If the decryption is successful and the storage device serial number carried in the authorization key is consistent with the serial number stored in the storage device, the encrypted storage function is activated and encrypted storage starts. Encrypting data with a temporary key can further ensure the security of the storage process.
  • S450 includes:
  • the data to be stored is encrypted by the preset I/O key
  • the data to be stored is encrypted by the permission key.
  • the storage device specified by the user can be an encrypted storage device or a non-encrypted storage device.
  • when the storage device specified by the user, that is, the storage device specified by the storage instruction, is the current encrypted storage device, the I/O key inside the current encrypted storage device is used to encrypt the data to be stored, which is then saved to the current encrypted storage device.
  • when the storage device specified by the storage instruction is another non-encrypted storage device, the data to be stored can be encrypted by the permission key and saved to the non-encrypted storage device.
  • corresponding decryption can also be performed according to the corresponding key to improve the security of the data storage and retrieval process.
  • the data storage method of the present application includes: obtaining a storage request.
  • the storage request includes the requested storage device and the data to be stored.
  • the storage device includes an encrypted storage device or an encrypted storage device and a non-encrypted storage device.
  • the encrypted storage device receives the authority key sent by the server and determines the temporary key corresponding to the current storage process; the authorization key is decrypted with the temporary key, and when the serial number in the authorization key is the same as the stored serial number, authentication is determined to have passed, and the authentication pass signal is fed back to the server.
  • the storage management server receives the authentication pass message fed back by the encrypted storage device, and sends the storage message to the encrypted storage device.
  • the storage message carries the data to be stored and the storage instruction.
  • the storage instruction is used to control the encrypted storage device to encrypt the data to be stored, and to store the encrypted data to be stored in an encrypted storage device or a non-encrypted storage device.
  • the encrypted storage device obtains the storage message sent by the server, and the storage message carries the data to be stored and the storage instruction; when the storage device specified by the storage instruction is the current encrypted storage device, the data to be stored is encrypted by the preset I/O key; when the storage device specified by the storage instruction is a non-encrypted storage device, the data to be stored is encrypted by the permission key.
  • the present application also provides a data storage device, which includes:
  • the request obtaining module 210 is configured to obtain a storage request.
  • the storage request includes the requested storage device and the data to be stored.
  • the storage device includes an encrypted storage device or an encrypted storage device and a non-encrypted storage device;
  • the device search module 230 is used to search for the Ukey corresponding to the encrypted storage device
  • the key sending module 250 is used to send the authority key to the encrypted storage device, and the authority key is the authority key corresponding to the encrypted storage device generated by Ukey;
  • the data sending module 270 is used to send a storage message to an encrypted storage device, the storage message carries the data to be stored and a storage instruction, and the storage instruction is used to control the encrypted storage device to encrypt the data to be stored, and store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  • the key sending module 250 is used to determine the temporary key of the Ukey and the encrypted storage device, generate a random key through the Ukey, and generate the authorization key according to the serial number of the encrypted storage device and the random key; and to encrypt the authority key with the temporary key and send it to the encrypted storage device.
  • it further includes a temporary key generation module, which is used to determine whether the encrypted storage device is bound to a Ukey according to the electronic signature information of the encrypted storage device; when the encrypted storage device is in the state of being bound to a Ukey, randomly generate a temporary key, and send the temporary key to the Ukey that is bound to the encrypted storage device and to the encrypted storage device; when the encrypted storage device is not in the state of being bound with a Ukey, find a Ukey that is not in the bound state, exchange the CA certificates of the encrypted storage device and the Ukey that is not in the bound state to authenticate the encrypted storage device and the Ukey that is not in the bound state, bind the encrypted storage device and the Ukey that is not in the bound state, randomly generate a temporary key, and send the temporary key to the Ukey bound to the encrypted storage device and to the encrypted storage device.
  • the data sending module 270 is configured to generate a storage instruction according to the requested storage device when the authentication pass message fed back by the encrypted storage device is received; generate a storage message according to the data to be stored and the storage instruction; and send the storage message to the encrypted storage device.
  • This application also provides another data storage device, which includes:
  • the key decryption module is used to receive the authorization key sent by the server, and the authorization key is generated by the corresponding Ukey;
  • the data receiving module is used to receive the storage message sent by the server, and the storage message carries the data to be stored and storage instructions;
  • the data encryption module is used to encrypt the data to be stored according to the storage instruction
  • the data storage module is used to store the encrypted data to be stored in the storage device specified by the storage instruction according to the storage instruction, and the storage device includes the current encrypted storage device or the non-encrypted storage device.
  • the comparison authentication module is used to determine the temporary key corresponding to the current storage process; the authorization key is decrypted by the temporary key, and when the serial number in the authorization key is the same as the stored serial number, authentication is determined to have passed, and the authentication pass signal is fed back to the server.
  • the data encryption module is used to encrypt the data to be stored by the preset I/O key when the storage device specified by the storage instruction is the current encrypted storage device; when the storage device specified by the storage instruction is a non-encrypted storage device, the data to be stored is encrypted by the permission key.
  • Each module in the above-mentioned data storage device can be implemented in whole or in part by software, hardware, and a combination thereof.
  • the foregoing modules may be embedded in the form of hardware or independent of the processor in the computer device, or may be stored in the memory of the computer device in the form of software, so that the processor can call and execute the operations corresponding to the foregoing modules.
  • a computer device is provided.
  • the computer device may be a server, and its internal structure diagram may be as shown in FIG. 6.
  • the computer equipment includes a processor, a memory, and a network interface connected through a system bus.
  • the processor of the computer device is used to provide calculation and control capabilities.
  • the memory of the computer device includes a non-volatile storage medium and an internal memory.
  • the non-volatile storage medium stores an operating system and computer programs.
  • the internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium.
  • the network interface of the computer device is used to communicate with an external terminal through a network connection.
  • the computer program is executed by the processor to realize a data storage method.
  • FIG. 6 is only a block diagram of the part of the structure related to the solution of the present application, and does not limit the computer device to which the solution of the present application is applied.
  • a specific computer device may include more or fewer parts than shown in the figure, combine some parts, or have a different arrangement of parts.
  • a computer device including a memory and a processor, and a computer program is stored in the memory, and the processor implements the following steps when executing the computer program:
  • the storage request includes the requested storage device and the data to be stored.
  • the storage device includes an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
  • the authorization key is the authorization key corresponding to the encrypted storage device generated by Ukey;
  • the storage message carries the data to be stored and storage instructions.
  • the storage instructions are used to control the encrypted storage device to encrypt the data to be stored and store the encrypted data to be stored in the encrypted storage device or non-encrypted storage device.
  • the processor further implements the following steps when executing the computer program: determining the temporary key of the Ukey and the encrypted storage device, generating a random key through the Ukey, and generating the authorization key based on the serial number of the encrypted storage device and the random key; the authorization key is encrypted with the temporary key and sent to the encrypted storage device.
  • the processor further implements the following steps when executing the computer program: judging whether the encrypted storage device is bound to a Ukey according to the electronic signature information of the encrypted storage device; when the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device; when the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and that Ukey to each other by exchanging their CA certificates, binding the encrypted storage device to that Ukey, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
  • the processor further implements the following steps when executing the computer program: when receiving the authentication pass message fed back by the encrypted storage device, generate a storage instruction according to the requested storage device;
  • a storage message is generated; the storage message is sent to the encrypted storage device.
  • a computer device including a memory and a processor, and a computer program is stored in the memory, and the processor implements the following steps when executing the computer program:
  • the authorization key is generated by the corresponding Ukey
  • the storage message carries the data to be stored and the storage instruction
  • the storage device includes the current encrypted storage device or the non-encrypted storage device.
  • the processor further implements the following steps when executing the computer program: determining the temporary key corresponding to the current storage process; decrypting the authorization key with the temporary key; when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and returning the authentication pass signal to the server.
  • the processor further implements the following steps when executing the computer program: when the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with the preset I/O key; when the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented:
  • the storage request includes the requested storage device and the data to be stored.
  • the storage device includes an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
  • the authorization key is the authorization key corresponding to the encrypted storage device generated by Ukey;
  • the storage message carries the data to be stored and storage instructions.
  • the storage instructions are used to control the encrypted storage device to encrypt the data to be stored and store the encrypted data to be stored in the encrypted storage device or non-encrypted storage device.
  • the following steps are also implemented: determining the temporary key between the Ukey and the encrypted storage device, generating a random key through the Ukey, and generating the authorization key according to the serial number of the encrypted storage device stored in the Ukey and the random key; the authorization key is encrypted with the temporary key and sent to the encrypted storage device.
  • the following steps are also implemented: determining whether the encrypted storage device is bound to a Ukey according to the electronic signature information of the encrypted storage device; when the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device; when the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and that Ukey to each other by exchanging their CA certificates, binding the encrypted storage device to that Ukey, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
  • the following steps are further implemented: when the authentication pass message fed back by the encrypted storage device is received, a storage instruction is generated according to the requested storage device;
  • a storage message is generated; the storage message is sent to the encrypted storage device.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented:
  • the authorization key is generated by the corresponding Ukey
  • the storage message carries the data to be stored and the storage instruction
  • the storage device includes the current encrypted storage device or the non-encrypted storage device.
  • the following steps are also implemented: determining the temporary key corresponding to the current storage process; decrypting the authorization key with the temporary key; when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and feeding back the authentication pass signal to the server.
  • the following steps are also implemented: when the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with the preset I/O key; when the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
  • Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory may include random access memory (RAM) or external cache memory.
  • RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to a data storage method, a device, a computer apparatus, and a storage medium. The method comprises: a server first acquiring a storage request, and searching for a Ukey corresponding to an encrypted storage apparatus; and sending an authorization key to the encrypted storage apparatus, and sending a storage message to the encrypted storage apparatus, wherein the storage message carries data to be stored and a storage instruction, and the storage instruction is used to control the encrypted storage apparatus to encrypt the data to be stored, and store the encrypted data in the encrypted storage apparatus or a non-encrypted storage apparatus. The data storage method of the present application encrypts data by controlling the encrypted storage apparatus, and then stores the data in the encrypted storage apparatus or a non-encrypted storage apparatus, thereby eliminating the need to use a new storage chip in an encryption storage process, reducing complexity of encrypted storage, and increasing storage efficiency of encrypted storage.

Description

Data storage method, device, computer equipment and storage medium
Technical field
This application relates to the field of computer technology, and in particular to a data storage method, device, computer equipment, and storage medium.
Background
Storage means saving data to some medium in a reasonable, secure, and effective way suited to the application environment, while ensuring that the data can be accessed effectively. Broadly, the term has two meanings: on the one hand, it is the physical medium on which data resides temporarily or long term; on the other hand, it is the method or act of ensuring that data is kept complete and secure.
Storage is generally implemented with removable storage devices. In the removable storage device field, the market currently offers some encrypted portable hard disks and some SSDs (Solid State Drives).
At present, a non-encrypted removable storage device that needs encryption can be encrypted with a dedicated encryption chip, but this adds complexity to the data storage process.
Summary of the invention
Based on this, to address the problem that the existing technology uses a dedicated encryption chip for encryption and thereby adds complexity to the data storage process, it is necessary to provide a data storage method, device, computer equipment, and storage medium that can reduce the complexity of encrypted data storage.
A data storage method, the method comprising:
obtaining a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
finding the Ukey corresponding to the encrypted storage device;
sending an authorization key to the encrypted storage device, the authorization key being generated by the Ukey and corresponding to the encrypted storage device;
sending a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, the storage instruction being used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data in the encrypted storage device or the non-encrypted storage device.
In one embodiment, before the authorization key is sent to the encrypted storage device, the method includes:
determining the temporary key of the Ukey and the encrypted storage device, generating a random key with the Ukey, and generating the authorization key from the serial number of the encrypted storage device and the random key;
encrypting the authorization key with the temporary key and sending it to the encrypted storage device.
In one embodiment, before finding the Ukey corresponding to the encrypted storage device, the method further includes:
determining, from the electronic signature information of the encrypted storage device, whether the encrypted storage device is bound to a Ukey;
when the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device;
when the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and the unbound Ukey to each other by exchanging their CA certificates, binding the encrypted storage device to that Ukey, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
In one embodiment, sending the storage message to the encrypted storage device includes:
when an authentication pass message fed back by the encrypted storage device is received, generating a storage instruction according to the requested storage device;
generating a storage message from the data to be stored and the storage instruction;
sending the storage message to the encrypted storage device.
A data storage method applied to an encrypted storage device, the method comprising:
receiving an authorization key sent by a server, the authorization key being generated by the corresponding Ukey;
receiving a storage message sent by the server, the storage message carrying the data to be stored and a storage instruction;
encrypting the data to be stored according to the storage instruction;
storing the encrypted data, according to the storage instruction, in the storage device specified by the storage instruction, the storage device including the current encrypted storage device or a non-encrypted storage device.
In one embodiment, before the storage message sent by the server is obtained, the method further includes:
determining the temporary key corresponding to the current storage process;
decrypting the authorization key with the temporary key and, when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and feeding back an authentication pass signal to the server.
In one embodiment, encrypting the data to be stored according to the storage instruction includes:
when the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with a preset I/O key;
when the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
A data storage device, the device comprising:
a request obtaining module, used to obtain a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
a device search module, used to find the Ukey corresponding to the encrypted storage device;
a key sending module, used to send an authorization key to the encrypted storage device, the authorization key being generated by the Ukey and corresponding to the encrypted storage device;
a data sending module, used to send a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, the storage instruction being used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data in the encrypted storage device or the non-encrypted storage device.
A data storage device, the device comprising:
a key decryption module, used to receive an authorization key sent by a server, the authorization key being generated by the corresponding Ukey;
a data receiving module, used to receive a storage message sent by the server, the storage message carrying the data to be stored and a storage instruction;
a data encryption module, used to encrypt the data to be stored according to the storage instruction;
a data storage module, used to store the encrypted data, according to the storage instruction, in the storage device specified by the storage instruction, the storage device including the current encrypted storage device or a non-encrypted storage device.
A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the following steps when executing the computer program:
obtaining a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
finding the Ukey corresponding to the encrypted storage device;
sending an authorization key to the encrypted storage device, the authorization key being generated by the Ukey and corresponding to the encrypted storage device;
sending a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, the storage instruction being used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data in the encrypted storage device or the non-encrypted storage device.
A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the following steps when executing the computer program:
receiving an authorization key sent by a server, the authorization key being generated by the corresponding Ukey;
receiving a storage message sent by the server, the storage message carrying the data to be stored and a storage instruction;
encrypting the data to be stored according to the storage instruction;
storing the encrypted data, according to the storage instruction, in the storage device specified by the storage instruction, the storage device including the current encrypted storage device or a non-encrypted storage device.
A computer-readable storage medium storing a computer program, wherein the following steps are implemented when the computer program is executed by a processor:
obtaining a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
finding the Ukey corresponding to the encrypted storage device;
sending an authorization key to the encrypted storage device, the authorization key being generated by the Ukey and corresponding to the encrypted storage device;
sending a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, the storage instruction being used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data in the encrypted storage device or the non-encrypted storage device.
A computer-readable storage medium storing a computer program, wherein the following steps are implemented when the computer program is executed by a processor:
receiving an authorization key sent by a server, the authorization key being generated by the corresponding Ukey;
receiving a storage message sent by the server, the storage message carrying the data to be stored and a storage instruction;
encrypting the data to be stored according to the storage instruction;
storing the encrypted data, according to the storage instruction, in the storage device specified by the storage instruction, the storage device including the current encrypted storage device or a non-encrypted storage device.
With the above data storage method, device, computer equipment, and storage medium, the server first obtains a storage request and then finds the Ukey corresponding to the encrypted storage device; it sends the authorization key to the encrypted storage device and then sends a storage message to the encrypted storage device. The storage message carries the data to be stored and a storage instruction, and the storage instruction controls the encrypted storage device to encrypt the data to be stored and store the encrypted data in the encrypted storage device or a non-encrypted storage device. The data storage method of this application has the encrypted storage device encrypt the data, which is then saved to the encrypted storage device or a non-encrypted storage device. The encrypted storage process does not require a new storage chip, which effectively reduces the complexity of encrypted storage and improves its storage efficiency.
Description of the drawings
Figure 1 is a diagram of the application environment of the data storage method in one embodiment;
Figure 2 is a schematic flowchart of the data storage method in one embodiment;
Figure 3 is a schematic diagram of the sub-flow of step S250 of Figure 2 in one embodiment;
Figure 4 is a schematic flowchart of the data storage method in another embodiment;
Figure 5 is a structural block diagram of the data storage device in one embodiment;
Figure 6 is an internal structure diagram of the computer device in one embodiment.
Detailed description
To make the purpose, technical solutions, and advantages of this application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the application and do not limit it.
The data storage method provided by this application can be applied in the application environment shown in Figure 1, in which the storage management server 104 communicates over a network with the terminal 102 and multiple storage devices 106. The storage devices include encrypted storage devices and non-encrypted storage devices. The storage management server 104 can receive from the terminal 102 a storage request that includes the data to be stored and find the Ukey corresponding to the encrypted storage device; it then uses the Ukey to generate the authorization key corresponding to the storage device and sends the authorization key to the encrypted storage device; the storage management server 104 then sends a storage message carrying the data to be stored and a storage instruction to the encrypted storage device; the encrypted storage device encrypts the data to be stored and then, according to the storage instruction, stores the encrypted data in the storage device specified by the storage instruction, which is either the current encrypted storage device or a non-encrypted storage device. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, or tablet.
As shown in Figure 2, in one embodiment the data storage method of this application is implemented by the storage management server and includes the following steps:
S210,获取存储请求,存储请求包括请求的存储设备以及待存储数据,存储设备包括加密存储设备或加密存储设备和非加密存储设备。S210: Obtain a storage request. The storage request includes the requested storage device and the data to be stored. The storage device includes an encrypted storage device or an encrypted storage device and a non-encrypted storage device.
存储请求是指向存储管理服务器请求将待存储数据存储到制定的目标存储设备的请求,存储请求包括了请求的存储设备以及所需要存储的内容,此外,此存储请求还隐含了对数据加密的要求,即将待存储数据加密后再保存至目标存储设备。请求的存储设备包括了加密存储设备或加密存储设备和非加密存储设备,当请求的存储设备仅包括加密存储设备时,即表明该存储请求希望将待存储数据保存至该加密存储设备。当请求的存储设备包括加密存储设备和非加密存储设备时,即表明该存储请求希望通过加密存储设备对待存储数据进行加密,而后将其保存至该非加密存储设备。A storage request refers to a request to the storage management server to store the data to be stored in the designated target storage device. The storage request includes the requested storage device and the content that needs to be stored. In addition, this storage request also implies the encryption of the data. The requirement is to encrypt the data to be stored before saving it to the target storage device. The requested storage device includes an encrypted storage device or an encrypted storage device and a non-encrypted storage device. When the requested storage device only includes an encrypted storage device, it means that the storage request wishes to save the data to be stored in the encrypted storage device. When the requested storage device includes an encrypted storage device and a non-encrypted storage device, it means that the storage request hopes to encrypt the data to be stored by the encrypted storage device, and then save it to the non-encrypted storage device.
S230,查找加密存储设备对应Ukey。S230: Find the Ukey corresponding to the encrypted storage device.
Ukey是一种通过USB(Universal Serial Bus,通用串行总线接口)直接与计算机相连、具有密码验证功能、可靠高速的小型存储设备。Ukey是对现行的网络安全体系是一个极为有力的补充,通过中国信息安全测评认证中心认证的网络 安全产品。基于可信计算机及智能卡技术把易用性,便携性和最高级别的安全性带给了使用Microsoft IE或Netscape Navigator进行Web访问,在线交易(购物,付款),收发电子邮件,在线聊天交友及表单签名,文件数字签名等操作的用户,保证用户在ukey下的操作不可篡改,抵赖。ukey最大的特点就是安全性高,技术规范一致性强,操作系统兼容性好,携带使用灵活。每个加密存储设备都有与其对应的Ukey,而各个Ukey由存储管理服务器进行管理。Ukey is a small storage device that is directly connected to the computer via USB (Universal Serial Bus), has a password verification function, and is reliable and high-speed. Ukey is an extremely powerful supplement to the current network security system and is a network security product certified by the China Information Security Evaluation and Certification Center. Based on trusted computer and smart card technology, it brings ease of use, portability and the highest level of security to the use of Microsoft IE or Netscape Navigator for Web access, online transactions (shopping, payment), sending and receiving e-mails, online chats and friends and forms Users who perform operations such as signatures and file digital signatures ensure that the user's operations under ukey cannot be tampered with or denied. The biggest feature of ukey is high security, strong technical specification consistency, good operating system compatibility, and flexible carrying and use. Each encrypted storage device has a corresponding Ukey, and each Ukey is managed by the storage management server.
S250: Send the authorization key to the encrypted storage device, where the authorization key is generated through the Ukey and corresponds to the encrypted storage device.
The authorization key is used to activate the encrypted storage device; it can also be used for operations such as authentication and encryption. The storage management server can generate the authorization key that activates the storage device through the Ukey corresponding to the encrypted storage device, and then activate the encrypted storage device for encrypted storage by sending the authorization key to it. In one embodiment, when the encrypted storage device receives the authorization key sent by the storage management server, it authenticates the authorization key; when authentication passes, it returns an authentication-pass message to the storage management server, and the storage management server uses the authentication-pass message to decide whether to perform the subsequent actions.
S270: Send a storage message to the encrypted storage device. The storage message carries the data to be stored and a storage instruction; the storage instruction controls the encrypted storage device to encrypt the data to be stored and to store the encrypted data on the encrypted storage device or the non-encrypted storage device.
The storage instruction is generated according to the storage device named in the client's storage request. After the storage management server has sent the authorization key, it sends a storage message containing the data to be stored and the storage instruction to the encrypted storage device, and the storage instruction controls the encrypted storage device to encrypt and store the data. Specifically, the encrypted storage device first encrypts the data to be stored according to the storage instruction and then stores the encrypted data on the encrypted storage device or the non-encrypted storage device. The specific storage location is specified by the storage instruction. The encrypted storage device may be an encrypted SSD that has remaining key space, and the non-encrypted storage device may be a non-encrypted SSD; the storage management server manages the SSDs by their serial numbers.
In the above data storage method, the server first obtains the storage request, then looks up the Ukey corresponding to the encrypted storage device, sends the authorization key to the encrypted storage device, and sends a storage message to the encrypted storage device. The storage message carries the data to be stored and a storage instruction; the storage instruction controls the encrypted storage device to encrypt the data to be stored and to store the encrypted data on the encrypted storage device or the non-encrypted storage device. The data storage method of this application encrypts data by controlling the encrypted storage device and then saves it to the encrypted storage device or the non-encrypted storage device. The encrypted storage process does not require a new storage chip, which effectively reduces the complexity of encrypted storage and improves its storage efficiency.
As shown in FIG. 3, in one embodiment, step S250 includes:
S252: Determine the temporary key shared by the Ukey and the encrypted storage device, generate a random key through the Ukey, and generate the authorization key from the serial number of the encrypted storage device and the random key.
S254: Encrypt the authorization key with the temporary key and send it to the encrypted storage device.
The storage management server first determines the temporary key agreed between the Ukey and the encrypted storage device for the current storage process, then generates a random key through the Ukey, and encrypts the serial number of the storage device and the random key with the temporary key to produce the encrypted authorization key. In one embodiment, the serial number of the storage device can be stored in its corresponding Ukey. Once the authorization key has been generated, the encrypted authorization key can be sent to the encrypted storage device to activate the storage process of the storage device. The temporary key is time-limited and random: after the storage device loses power, a new temporary key must be used for authentication. The Ukey and the storage device can agree on a temporary key in advance to ensure confidentiality and traceability while the authorization key is transmitted.
In one embodiment, before S230, the method further includes:
Determining, from the electronic signature information of the encrypted storage device, whether the encrypted storage device is bound to a Ukey.
When the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
When the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and the unbound Ukey by exchanging their CA certificates, binding the encrypted storage device to the unbound Ukey, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
First, it must be determined whether a Ukey is bound to the encrypted storage device specified by the user. When a Ukey bound to the encrypted storage device exists, authentication can be completed directly and the temporary key generated; when none exists, binding must be completed before the temporary key is generated. Binding can be carried out by exchanging CA certificates: the encrypted storage device and the Ukey each hold a CA certificate obtained from a CA, and identity authentication is completed by exchanging the respective certificates. The authorization key is generated and stored by the Ukey and injected into the SSD; during transmission, the authorization key is encrypted with a key temporarily negotiated between the SSD and the Ukey and is digitally signed. This improves the security of the data transmission process.
In one embodiment, S270 includes:
When the authentication-pass message fed back by the encrypted storage device is received, generating a storage instruction according to the requested storage device;
Generating a storage message from the data to be stored and the storage instruction;
Sending the storage message to the encrypted storage device.
When the storage device receives the authorization key sent by the storage management server, it authenticates the authorization key, and when authentication passes it returns an authentication-pass message to the storage management server. When the storage management server receives the authentication-pass message, it can generate a storage instruction according to the requested storage device, generate a storage message from the storage instruction and the data to be stored, and send the storage message to the designated encrypted storage device. The encrypted storage device can parse the storage message to obtain the data to be stored and the storage instruction, and then store the data according to the storage instruction. Authenticating the authorization key improves the security of the encrypted data storage process.
As shown in FIG. 4, this application also provides a data storage method applied to an encrypted storage device. The method includes:
S410: Receive the authorization key sent by the server, where the authorization key is generated by the corresponding Ukey.
S430: Receive the storage message sent by the server, where the storage message carries the data to be stored and a storage instruction.
S450: Encrypt the data to be stored according to the storage instruction.
S470: Store the encrypted data, according to the storage instruction, on the storage device specified by the storage instruction, where the storage device includes the current encrypted storage device or a non-encrypted storage device.
The encrypted storage area may be an encrypted SSD that has remaining key space, and the non-encrypted storage area is a non-encrypted SSD; the storage management server manages the SSDs by their serial numbers. Each storage device corresponds to one of the Ukeys managed by the storage management server. The storage management server can generate the corresponding authorization key through the corresponding Ukey and activate the current encrypted storage device with that authorization key. The encrypted storage device receives the authorization key sent by the storage management server, stores it in the encrypted storage area, and activates the encrypted storage process. It then obtains the storage message sent by the storage management server and parses it to obtain the storage instruction and the data to be stored. Once it has the data to be stored, it encrypts the data according to the storage device specified by the storage instruction and saves the encrypted data on that storage device, completing the data encryption work.
In the above data storage method, the storage device first receives the authorization key sent by the server; receives the storage message sent by the server, which carries the data to be stored and the storage instruction; encrypts the data to be stored according to the storage instruction; and stores the encrypted data, according to the storage instruction, on the storage device specified by the storage instruction, where the storage device includes the current encrypted storage device or a non-encrypted storage device. The data storage method of this application encrypts data with the encrypted storage device and then saves it to the encrypted storage device or the non-encrypted storage area. The encrypted storage process does not require a new storage chip, which effectively reduces the complexity of encrypted storage and improves its storage efficiency.
In one embodiment, before S430, the method includes:
Determining the temporary key corresponding to the current storage process;
Decrypting the authorization key with the temporary key and, when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and feeding back an authentication-pass signal to the server.
For each storage process, the Ukey and the storage device agree in advance on a random temporary key. The key is generated by the storage management server and sent to the Ukey and to the storage device. When the storage device is powered on and reactivated, the two sides must negotiate again to generate a new temporary key. After the authorization key in the Ukey has been encrypted and transmitted to the storage device, the temporary key can be used to decrypt it. If decryption succeeds and the storage device serial number carried in the authorization key matches the serial number stored in the storage device, the encrypted storage function is activated and encrypted storage begins. Encrypting the data with the temporary key further ensures the security of the storage process.
In one embodiment, S450 includes:
When the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with the preset I/O key;
When the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
The storage device specified by the user can be an encrypted storage device or a non-encrypted storage device. When the storage device specified by the user, that is, the storage device specified by the storage instruction, is the current encrypted storage device, the data to be stored can be encrypted with the I/O key inside the current encrypted storage device and then saved on the current encrypted storage device. When the storage device specified by the storage instruction is another, non-encrypted storage device, the data to be stored can be encrypted with the authorization key and saved on the non-encrypted storage device. This ensures that encrypted storage is effective; when the data is decrypted, the corresponding key can be used for decryption, which improves the security of storing and retrieving the data.
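The authorization-key exchange (S252/S254), the device-side serial number check and the key selection in S450 can be modelled in Python as follows. This is an added example, not code from the patent: the HMAC-SHA256 cipher is a stand-in because the page names no algorithm, the key layout and all class and function names are assumptions, and the digital signature the page mentions is not modelled.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher built from HMAC-SHA256 (stdlib only). The patent
# names no algorithm; a real device would use a vetted AEAD such as AES-GCM.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class Ukey:
    """Generates and keeps the authorization key for its bound device (S252)."""
    def __init__(self, device_serial: bytes):
        self.temp_key = None
        # Assumed layout: 2-byte serial length | serial number | 32-byte random key.
        self.authorization_key = (len(device_serial).to_bytes(2, "big")
                                  + device_serial + secrets.token_bytes(32))

    def wrapped_authorization_key(self) -> bytes:
        return seal(self.temp_key, self.authorization_key)  # S254

class EncryptedDevice:
    def __init__(self, serial: bytes):
        self.serial = serial
        self.io_key = secrets.token_bytes(32)  # preset I/O key, stays inside the device
        self.temp_key = None
        self.authorization_key = None
        self.activated = False

    def power_cycle(self) -> None:
        # The temporary key and the activation state do not survive a power loss.
        self.temp_key, self.activated = None, False

    def receive_authorization_key(self, wrapped: bytes) -> bool:
        """Unwrap with the temporary key, then compare the embedded serial number."""
        if self.temp_key is None:
            return False
        try:
            payload = unseal(self.temp_key, wrapped)
        except ValueError:
            return False  # wrong or stale temporary key, or modified message
        n = int.from_bytes(payload[:2], "big")
        if not hmac.compare_digest(payload[2:2 + n], self.serial):
            return False  # key was issued for a different device
        self.authorization_key, self.activated = payload, True
        return True

    def store(self, data: bytes, target: str):
        """S450/S470: choose the key from the target named in the storage instruction."""
        if not self.activated:
            raise PermissionError("device not activated")
        # I/O key for the device's own disk, authorization key for the non-encrypted disk.
        keys = {"encrypted": self.io_key, "non-encrypted": self.authorization_key}
        return target, seal(keys[target], data)

def negotiate_temp_key(ukey: Ukey, device: EncryptedDevice) -> None:
    # The server generates the temporary key and hands it to both sides.
    ukey.temp_key = device.temp_key = secrets.token_bytes(32)

def demo() -> dict:
    serial = b"SSD-CONSTRUCTED-0001"  # constructed sample serial number
    device, ukey = EncryptedDevice(serial), Ukey(serial)
    negotiate_temp_key(ukey, device)
    wrapped = ukey.wrapped_authorization_key()
    r = {"activated": device.receive_authorization_key(wrapped)}
    _, blob = device.store(b"constructed sample record", "non-encrypted")
    r["roundtrip"] = unseal(device.authorization_key, blob)
    device.power_cycle()
    try:
        device.store(b"x", "encrypted")
        r["inactive_store_blocked"] = False
    except PermissionError:
        r["inactive_store_blocked"] = True
    negotiate_temp_key(ukey, device)  # fresh temporary key after power-on
    r["stale_wrap_accepted"] = device.receive_authorization_key(wrapped)
    other = Ukey(b"SSD-CONSTRUCTED-0002")  # Ukey bound to a different device
    other.temp_key = device.temp_key
    r["foreign_key_accepted"] = device.receive_authorization_key(other.wrapped_authorization_key())
    r["fresh_wrap_accepted"] = device.receive_authorization_key(ukey.wrapped_authorization_key())
    return r
```

Calling `demo()` shows that a message wrapped under the pre-power-loss temporary key and a key issued for another serial number are both rejected, while a fresh wrap from the bound Ukey reactivates the device.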
In one embodiment, the data storage method of this application includes the following. The storage management server obtains a storage request; the storage request includes the requested storage device and the data to be stored, and the storage device includes an encrypted storage device, or an encrypted storage device and a non-encrypted storage device. Whether the encrypted storage device is bound to a Ukey is determined from the electronic signature information of the encrypted storage device. When the encrypted storage device is bound to a Ukey, a temporary key is randomly generated and sent to the encrypted storage device and to the Ukey bound to the encrypted storage device. When the encrypted storage device is not bound to a Ukey, a Ukey that is not in the bound state is found, the encrypted storage device and the unbound Ukey are authenticated by exchanging their CA certificates, the encrypted storage device is bound to the unbound Ukey, a temporary key is randomly generated, and the temporary key is sent to the encrypted storage device and to the Ukey bound to the encrypted storage device. The Ukey corresponding to the encrypted storage device is looked up; the temporary key shared by the Ukey and the encrypted storage device is determined, a random key is generated through the Ukey, and the authorization key is generated from the serial number of the encrypted storage device and the random key; the authorization key is encrypted with the temporary key and sent to the encrypted storage device. The encrypted storage device receives the authorization key sent by the server. It determines the temporary key corresponding to the current storage process and decrypts the authorization key with the temporary key; when the serial number in the authorization key is the same as the stored serial number, it determines that authentication has passed and feeds back an authentication-pass signal to the server. The storage management server receives the authentication-pass message fed back by the encrypted storage device and sends a storage message to the encrypted storage device. The storage message carries the data to be stored and a storage instruction; the storage instruction controls the encrypted storage device to encrypt the data to be stored and to store the encrypted data on the encrypted storage device or the non-encrypted storage device. The encrypted storage device obtains the storage message sent by the server. When the storage device specified by the storage instruction is the current encrypted storage device, the data to be stored is encrypted with the preset I/O key; when the storage device specified by the storage instruction is a non-encrypted storage device, the data to be stored is encrypted with the authorization key. The encrypted data is then stored, according to the storage instruction, on the storage device specified by the storage instruction, where the storage device includes the current encrypted storage device or a non-encrypted storage device.
It should be understood that although the steps in the flowcharts of FIGS. 2-4 are shown in sequence as indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, there is no strict restriction on the order of execution, and the steps may be executed in other orders. Moreover, at least some of the steps in FIGS. 2-4 may include multiple sub-steps or stages. These sub-steps or stages are not necessarily completed at the same moment and may be executed at different times; nor are they necessarily executed one after another, and they may be executed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
As shown in FIG. 5, this application also provides a data storage apparatus, which includes:
A request obtaining module 210, configured to obtain a storage request, where the storage request includes the requested storage device and the data to be stored, and the storage device includes an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
A device search module 230, configured to look up the Ukey corresponding to the encrypted storage device;
A key sending module 250, configured to send the authorization key to the encrypted storage device, where the authorization key is generated through the Ukey and corresponds to the encrypted storage device;
A data sending module 270, configured to send a storage message to the encrypted storage device, where the storage message carries the data to be stored and a storage instruction, and the storage instruction controls the encrypted storage device to encrypt the data to be stored and to store the encrypted data on the encrypted storage device or the non-encrypted storage device.
In one embodiment, the key sending module 250 is configured to determine the temporary key shared by the Ukey and the encrypted storage device, generate a random key through the Ukey, generate the authorization key from the serial number of the encrypted storage device and the random key, and encrypt the authorization key with the temporary key and send it to the encrypted storage device.
In one embodiment, the apparatus further includes a temporary key generation module, configured to determine, from the electronic signature information of the encrypted storage device, whether the encrypted storage device is bound to a Ukey; when the encrypted storage device is bound to a Ukey, to randomly generate a temporary key and send it to the encrypted storage device and to the Ukey bound to the encrypted storage device; and when the encrypted storage device is not bound to a Ukey, to find a Ukey that is not in the bound state, authenticate the encrypted storage device and the unbound Ukey by exchanging their CA certificates, bind the encrypted storage device to the unbound Ukey, randomly generate a temporary key, and send the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
In one embodiment, the data sending module 270 is configured to generate a storage instruction according to the requested storage device when the authentication-pass message fed back by the encrypted storage device is received; generate a storage message from the data to be stored and the storage instruction; and send the storage message to the encrypted storage device.
This application also provides another data storage apparatus, which includes:
A key decryption module, configured to receive the authorization key sent by the server, where the authorization key is generated by the corresponding Ukey;
A data receiving module, configured to receive the storage message sent by the server, where the storage message carries the data to be stored and a storage instruction;
A data encryption module, configured to encrypt the data to be stored according to the storage instruction;
A data storage module, configured to store the encrypted data, according to the storage instruction, on the storage device specified by the storage instruction, where the storage device includes the current encrypted storage device or a non-encrypted storage device.
In one embodiment, a comparison authentication module is configured to determine the temporary key corresponding to the current storage process, decrypt the authorization key with the temporary key and, when the serial number in the authorization key is the same as the stored serial number, determine that authentication has passed and feed back an authentication-pass signal to the server.
In one embodiment, the data encryption module is configured to encrypt the data to be stored with the preset I/O key when the storage device specified by the storage instruction is the current encrypted storage device, and to encrypt the data to be stored with the authorization key when the storage device specified by the storage instruction is a non-encrypted storage device.
For the specific limitations of the data storage apparatus, refer to the limitations of the data storage method above, which are not repeated here. Each module in the above data storage apparatus can be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in, or independent of, the processor of a computer device in hardware form, or stored in the memory of the computer device in software form, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided. The computer device may be a server, and its internal structure may be as shown in FIG. 6. The computer device includes a processor, a memory and a network interface connected through a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The network interface of the computer device is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements a data storage method.
Those skilled in the art will understand that the structure shown in FIG. 6 is only a block diagram of the part of the structure related to the solution of this application and does not limit the computer device to which the solution is applied. A specific computer device may include more or fewer components than shown in the figure, combine certain components, or arrange the components differently.
In one embodiment, a computer device is provided, including a memory and a processor. A computer program is stored in the memory, and the processor implements the following steps when executing the computer program:
Obtaining a storage request, where the storage request includes the requested storage device and the data to be stored, and the storage device includes an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
Looking up the Ukey corresponding to the encrypted storage device;
Sending the authorization key to the encrypted storage device, where the authorization key is generated through the Ukey and corresponds to the encrypted storage device;
Sending a storage message to the encrypted storage device, where the storage message carries the data to be stored and a storage instruction, and the storage instruction controls the encrypted storage device to encrypt the data to be stored and to store the encrypted data on the encrypted storage device or the non-encrypted storage device.
In one embodiment, the processor further implements the following steps when executing the computer program: determining the temporary key shared by the Ukey and the encrypted storage device, generating a random key through the Ukey, and generating the authorization key from the serial number of the encrypted storage device and the random key; encrypting the authorization key with the temporary key and sending it to the encrypted storage device.
In one embodiment, the processor further implements the following steps when executing the computer program: determining, from the electronic signature information of the encrypted storage device, whether the encrypted storage device is bound to a Ukey; when the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending it to the encrypted storage device and to the Ukey bound to the encrypted storage device; when the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and the unbound Ukey by exchanging their CA certificates, binding the encrypted storage device to the unbound Ukey, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
In one embodiment, the processor further implements the following steps when executing the computer program: when the authentication-pass message fed back by the encrypted storage device is received, generating a storage instruction according to the requested storage device;
Generating a storage message from the data to be stored and the storage instruction; sending the storage message to the encrypted storage device.
In one embodiment, a computer device is provided, including a memory and a processor. A computer program is stored in the memory, and the processor implements the following steps when executing the computer program:
receiving the authorization key sent by the server, the authorization key being generated by the corresponding Ukey;
receiving the storage message sent by the server, the storage message carrying the data to be stored and the storage instruction;
encrypting the data to be stored according to the storage instruction;
storing the encrypted data, according to the storage instruction, in the storage device specified by the storage instruction, where the storage device is either the current encrypted storage device or a non-encrypted storage device.
In one embodiment, the processor further implements the following steps when executing the computer program: determining the temporary key corresponding to the current storage process; decrypting the authorization key with the temporary key; and, when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and feeding back an authentication-passed signal to the server.
In one embodiment, the processor further implements the following steps when executing the computer program: when the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with the preset I/O key; when the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the following steps are implemented:
obtaining a storage request, the storage request including the requested storage device and the data to be stored, where the storage device includes an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
finding the Ukey corresponding to the encrypted storage device;
sending the authorization key to the encrypted storage device, the authorization key being the authorization key generated by the Ukey for that encrypted storage device;
sending a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, where the storage instruction controls the encrypted storage device to encrypt the data to be stored and to store the encrypted data in the encrypted storage device or the non-encrypted storage device.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented: determining the temporary key between the Ukey and the encrypted storage device; generating a random key through the Ukey; generating the authorization key according to the serial number of the encrypted storage device stored in the Ukey and the random key; and encrypting the authorization key with the temporary key and sending it to the encrypted storage device.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented: determining, according to the electronic signature information of the encrypted storage device, whether the encrypted storage device is bound to a Ukey; when the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device; when the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and the unbound Ukey to each other by exchanging their CA certificates, binding the encrypted storage device to that Ukey, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented: when the authentication-passed message fed back by the encrypted storage device is received, generating a storage instruction according to the requested storage device;
generating a storage message according to the data to be stored and the storage instruction; and sending the storage message to the encrypted storage device.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the following steps are implemented:
receiving the authorization key sent by the server, the authorization key being generated by the corresponding Ukey;
receiving the storage message sent by the server, the storage message carrying the data to be stored and the storage instruction;
encrypting the data to be stored according to the storage instruction;
storing the encrypted data, according to the storage instruction, in the storage device specified by the storage instruction, where the storage device is either the current encrypted storage device or a non-encrypted storage device.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented: determining the temporary key corresponding to the current storage process; decrypting the authorization key with the temporary key; and, when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and feeding back an authentication-passed signal to the server.
In one embodiment, when the computer program is executed by the processor, the following steps are also implemented: when the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with the preset I/O key; when the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
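The exchange described in the embodiments above, as an added Python example that is not code from the patent: the Ukey builds the authorization key from the device serial number and a random key and wraps it under the temporary key; the device unwraps it, compares the serial number, then encrypts with the preset I/O key or the authorization key depending on the target. Assumptions, none of them specified by the patent: the authorization key layout (random key followed by serial number), the HMAC-SHA256 stand-in cipher with an integrity tag, all function and class names, and the fail-closed check in `store`.

```python
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key, nonce, n):
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(key, plaintext):
    """Stand-in cipher (assumption): HMAC-SHA256 keystream, encrypt-then-MAC.
    The patent names no algorithm; a real device would use a vetted AEAD."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication tag mismatch")
    stream = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def ukey_make_authorization_key(serial, temp_key):
    """Ukey side: random key + device serial -> authorization key, wrapped under
    the temporary key. Layout random_key || serial is an assumption."""
    auth_key = secrets.token_bytes(KEY_LEN) + serial
    return auth_key, seal(temp_key, auth_key)


class EncryptedStorageDevice:
    def __init__(self, serial, io_key):
        self.serial = serial      # serial number stored in the device
        self.io_key = io_key      # preset I/O key
        self.auth_key = None      # set only after the serial check passes
        self.internal = []        # this device's own media
        self.external = []        # attached non-encrypted storage device

    def receive_authorization_key(self, temp_key, wrapped):
        """Unwrap with the temporary key and compare the embedded serial.
        True corresponds to the 'authentication passed' signal."""
        self.auth_key = None      # a failed attempt clears earlier state
        try:
            auth_key = unseal(temp_key, wrapped)
        except ValueError:
            return False
        if not hmac.compare_digest(auth_key[KEY_LEN:], self.serial):
            return False
        self.auth_key = auth_key
        return True

    def store(self, target, data):
        # Fail closed (added assumption): no storage without a verified key.
        if self.auth_key is None:
            raise PermissionError("authorization key not verified")
        if target == "encrypted":
            blob = seal(self.io_key, data)
            self.internal.append(blob)
        elif target == "non-encrypted":
            blob = seal(self.auth_key, data)
            self.external.append(blob)
        else:
            raise ValueError("unknown storage target")
        return blob


if __name__ == "__main__":
    serial = b"SN-CONSTRUCTED-0001"          # constructed sample value
    temp_key = secrets.token_bytes(KEY_LEN)
    device = EncryptedStorageDevice(serial, secrets.token_bytes(KEY_LEN))
    auth_key, wrapped = ukey_make_authorization_key(serial, temp_key)
    print("authenticated:", device.receive_authorization_key(temp_key, wrapped))
    blob = device.store("non-encrypted", b"constructed sample record")
    print("recovered with authorization key:", unseal(auth_key, blob))
```

Data written to the non-encrypted device is recoverable only with the authorization key, so losing the Ukey's random key loses that data; data on the encrypted device depends on the preset I/O key instead.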
A person of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the above method embodiments. Any reference to memory, storage, database or other media used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. To keep the description concise, not every possible combination of the technical features in the above embodiments is described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application. Their description is relatively specific and detailed, but it should not be understood as limiting the scope of the invention patent. It should be pointed out that a person of ordinary skill in the art can make several modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this patent application shall be subject to the appended claims.

Claims (11)

  1. A data storage method, the method comprising:
    obtaining a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
    finding the Ukey corresponding to the encrypted storage device;
    sending an authorization key to the encrypted storage device, the authorization key being an authorization key corresponding to the encrypted storage device and generated by the Ukey;
    sending a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, the storage instruction being used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  2. The method according to claim 1, wherein, before the authorization key is sent to the encrypted storage device, the method comprises:
    determining the temporary key between the Ukey and the encrypted storage device, generating a random key through the Ukey, and generating the authorization key according to the serial number of the encrypted storage device and the random key;
    encrypting the authorization key with the temporary key and sending it to the encrypted storage device.
  3. The method according to claim 1, wherein, before the finding of the Ukey corresponding to the encrypted storage device, the method further comprises:
    determining, according to the electronic signature information of the encrypted storage device, whether the encrypted storage device is bound to a Ukey;
    when the encrypted storage device is bound to a Ukey, randomly generating a temporary key and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device;
    when the encrypted storage device is not bound to a Ukey, finding a Ukey that is not in the bound state, authenticating the encrypted storage device and the Ukey that is not in the bound state by exchanging their CA certificates, binding the encrypted storage device to the Ukey that is not in the bound state, randomly generating a temporary key, and sending the temporary key to the encrypted storage device and to the Ukey bound to the encrypted storage device.
  4. The method according to claim 1, wherein the sending of a storage message to the encrypted storage device comprises:
    when an authentication-passed message fed back by the encrypted storage device is received, generating a storage instruction according to the requested storage device;
    generating a storage message according to the data to be stored and the storage instruction;
    sending the storage message to the encrypted storage device.
  5. A data storage method applied to an encrypted storage device, the method comprising:
    receiving an authorization key sent by a server, the authorization key being generated by the corresponding Ukey;
    receiving a storage message sent by the server, the storage message carrying data to be stored and a storage instruction;
    encrypting the data to be stored according to the storage instruction;
    storing the encrypted data to be stored, according to the storage instruction, in the storage device specified by the storage instruction, the storage device including the current encrypted storage device or a non-encrypted storage device.
  6. The method according to claim 5, wherein, before the obtaining of the storage message sent by the server, the method further comprises:
    determining the temporary key corresponding to the current storage process;
    decrypting the authorization key with the temporary key and, when the serial number in the authorization key is the same as the stored serial number, determining that authentication has passed and feeding back an authentication-passed signal to the server.
  7. The method according to claim 5, wherein the encrypting of the data to be stored according to the storage instruction comprises:
    when the storage device specified by the storage instruction is the current encrypted storage device, encrypting the data to be stored with a preset I/O key;
    when the storage device specified by the storage instruction is a non-encrypted storage device, encrypting the data to be stored with the authorization key.
  8. A data storage apparatus, wherein the apparatus comprises:
    a request obtaining module, configured to obtain a storage request, the storage request including the requested storage device and the data to be stored, the storage device including an encrypted storage device, or an encrypted storage device and a non-encrypted storage device;
    a device search module, configured to find the Ukey corresponding to the encrypted storage device;
    a key sending module, configured to send an authorization key to the encrypted storage device, the authorization key being an authorization key corresponding to the encrypted storage device and generated by the Ukey;
    a data sending module, configured to send a storage message to the encrypted storage device, the storage message carrying the data to be stored and a storage instruction, the storage instruction being used to control the encrypted storage device to encrypt the data to be stored and to store the encrypted data to be stored in the encrypted storage device or the non-encrypted storage device.
  9. A data storage apparatus, wherein the apparatus comprises:
    a key decryption module, configured to receive an authorization key sent by a server, the authorization key being generated by the corresponding Ukey;
    a data receiving module, configured to receive a storage message sent by the server, the storage message carrying data to be stored and a storage instruction;
    a data encryption module, configured to encrypt the data to be stored according to the storage instruction;
    a data storage module, configured to store the encrypted data to be stored, according to the storage instruction, in the storage device specified by the storage instruction, the storage device including the current encrypted storage device or a non-encrypted storage device.
  10. A computer device, comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 4 or 5 to 7.
  11. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 4 or 5 to 7.
PCT/CN2020/104462 2019-08-14 2020-07-24 Data storage method, device, computer apparatus, and storage medium WO2021027526A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910747571.4A CN110619237B (en) 2019-08-14 2019-08-14 Data storage method and device, computer equipment and storage medium
CN201910747571.4 2019-08-14

Publications (1)

Publication Number Publication Date
WO2021027526A1 true WO2021027526A1 (en) 2021-02-18

Family

ID=68921893

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/104462 WO2021027526A1 (en) 2019-08-14 2020-07-24 Data storage method, device, computer apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN110619237B (en)
WO (1) WO2021027526A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110619237B (en) * 2019-08-14 2022-08-26 江苏芯盛智能科技有限公司 Data storage method and device, computer equipment and storage medium
CN112654989B (en) * 2020-03-18 2022-01-28 华为技术有限公司 Data storage method, data access method, related device and equipment
CN112804494A (en) * 2021-01-13 2021-05-14 广州穗能通能源科技有限责任公司 Power construction site monitoring method and system and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101312453A (en) * 2007-05-21 2008-11-26 联想(北京)有限公司 User terminal, method for login network service system, method for binding and debinding
CN101686127A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Novel USBKey secure calling method and USBKey device
CN206348799U (en) * 2016-09-19 2017-07-21 爱国者安全科技(北京)有限公司 Encrypt storage device and safe storage system
US20170244698A1 (en) * 2016-02-23 2017-08-24 Assured Information Security, Inc. Authentication processing for a plurality of self-encrypting storage devices
CN108133155A (en) * 2017-12-29 2018-06-08 北京联想核芯科技有限公司 Data encryption storage method and device
CN110619237A (en) * 2019-08-14 2019-12-27 江苏芯盛智能科技有限公司 Data storage method and device, computer equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252375B (en) * 2013-06-25 2017-07-28 国际商业机器公司 Method and system for sharing USB Key positioned at multiple virtual machines of different main frames
CN104951409B (en) * 2015-06-12 2019-03-08 中国科学院信息工程研究所 A kind of hardware based full disk encryption system and encryption method
CN109711207B (en) * 2018-12-29 2020-10-30 杭州宏杉科技股份有限公司 Data encryption method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
GAN QUAN , ZHENG JUNHUI: "Document Encryption Transmission System Design Based on PKI", COMPUTER & DIGITAL ENGINEERING, vol. 42, no. 7, 31 July 2014 (2014-07-31), pages 1242 - 1247, XP055781243, ISSN: 1672-9722, DOI: 10.3969/j.issn.1672-9722.2014.07.031 *

Also Published As

Publication number Publication date
CN110619237A (en) 2019-12-27
CN110619237B (en) 2022-08-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20852779

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20852779

Country of ref document: EP

Kind code of ref document: A1