Summary of the Invention
To overcome the problems in the related art, the disclosure provides a data encryption storage method and device.
To achieve this goal, in a first aspect, the disclosure provides a data encryption storage method, including:
Receiving a data write request and data to be written sent by a target user, the data write request including at least the identity of the target user;
Obtaining, according to the identity of the target user, the user group to which the target user belongs;
Determining, according to the user group to which the target user belongs, the target storage region of the data to be written;
Obtaining the encryption key corresponding to the target storage region;
Storing the data to be written, after encryption with the encryption key, in the target storage region.
Optionally, before the step of receiving the data write request and the data to be written sent by the target user, the method further includes:
Receiving a registration request from the target user, the registration request including at least the identity of the target user;
Assigning a user group to the target user according to the identity of the target user and a preset allocation rule.
Optionally, the method further includes:
Dividing the storage space of the storage device into one or more storage regions;
Allocating a storage region to each user group;
Establishing and storing a mapping table between user groups and storage regions.
Optionally, the step of determining the target storage region of the data to be written according to the user group to which the target user belongs includes:
Obtaining, according to the mapping table, the storage region corresponding to the user group to which the target user belongs;
Determining the size of the data to be written;
Determining, according to the size of the data to be written, the target storage region within the storage region corresponding to the user group to which the target user belongs.
Optionally, the method further includes:
Receiving a data read request sent by the target user, the data read request including at least the storage region information of the data to be read and the identity of the target user;
Obtaining the data to be read according to the storage region information of the data to be read;
Verifying the identity of the target user according to the identity of the target user;
When the identity verification of the target user passes, obtaining the user group to which the target user belongs;
Obtaining the data decryption key corresponding to the user group to which the target user belongs, the data decryption key being used to decrypt the data to be read;
Returning the data to be read and the data decryption key to the target user.
Optionally, the method further includes:
Receiving a data read request sent by the target user, the data read request including at least the storage region information of the data to be read and the identity of the target user;
When the storage region of the data to be read is the storage region of system-level data, verifying the identity of the target user according to the identity of the target user;
When the identity verification of the target user passes, obtaining the user group to which the target user belongs;
Obtaining the data decryption key corresponding to the user group to which the target user belongs;
Returning the data to be read, after decryption with the data decryption key, to the target user.
In a second aspect, a data encryption storage device is provided, including:
A write request receiving module, configured to receive a data write request and data to be written sent by a target user, the data write request including at least the identity of the target user;
A first user group acquisition module, configured to obtain, according to the identity of the target user, the user group to which the target user belongs;
A target storage region determining module, configured to determine, according to the user group to which the target user belongs, the target storage region of the data to be written;
An encryption key acquisition module, configured to obtain the encryption key corresponding to the target storage region;
An encryption storage module, configured to store the data to be written, after encryption with the encryption key, in the target storage region.
Optionally, the device further includes:
A first read request receiving module, configured to receive a data read request sent by the target user, the data read request including at least the storage region information of the data to be read and the identity of the target user;
A to-be-read data acquisition module, configured to obtain the data to be read according to the storage region information of the data to be read;
A first authentication module, configured to verify the identity of the target user according to the identity of the target user;
A second user group acquisition module, configured to obtain the user group to which the target user belongs when the identity verification of the target user passes;
A first decryption key acquisition module, configured to obtain the data decryption key corresponding to the user group to which the target user belongs, the data decryption key being used to decrypt the data to be read;
A first data return module, configured to return the data to be read and the data decryption key to the target user.
Optionally, the device further includes:
A second read request receiving module, configured to receive a data read request sent by the target user, the data read request including at least the storage region information of the data to be read and the identity of the target user;
A second authentication module, configured to verify the identity of the target user according to the identity of the target user when the storage region of the data to be read is the storage region of system-level data;
A third user group acquisition module, configured to obtain the user group to which the target user belongs when the identity verification of the target user passes;
A second decryption key acquisition module, configured to obtain the data decryption key corresponding to the user group to which the target user belongs;
A second data return module, configured to return the data to be read, after decryption with the data decryption key, to the target user.
In a third aspect, a data encryption storage device is provided, including:
A storage medium, the storage space of which is divided into one or more storage regions;
A processor;
Wherein the processor is configured to: receive a data write request and data to be written sent by a target user, the data write request including at least the identity of the target user; obtain, according to the identity of the target user, the user group to which the target user belongs; determine, according to the user group to which the target user belongs, the target storage region of the data to be written; obtain the encryption key corresponding to the target storage region; and store the data to be written, after encryption with the encryption key, in the target storage region.
With the above technical solution, the storage space of the storage device is divided into multiple storage regions, each storage region serving one user group. Each storage region stores data after encrypting it with a different encryption key. The users of each user group can thus write data to their corresponding storage region using the encryption key of their group. Ciphertext data in a storage region can be output directly as ciphertext and decrypted by the user with the decryption key corresponding to the storage region. To ensure the security of data reading, a user can obtain the decryption key corresponding to their storage region through verification or similar means, and then decrypt to obtain the plaintext data. Because the users in each user group can only obtain the decryption key corresponding to their own storage region, the users in each user group can obtain the data in their own storage region but not the data in storage regions outside their permissions, which ensures the security of data storage.
Other features and advantages of the disclosure are described in detail in the specific embodiments section below.
Detailed Description
The specific embodiments of the disclosure are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here only serve to describe and explain the disclosure and do not limit it.
Fig. 1 is a structural diagram of the storage device and host of one embodiment of the disclosure.
The storage device 200 includes: a data interface 201, a storage controller 202, an encryptor 203, a storage medium 204 and a decryptor 205.
The data interface 201 is the data transmission interface between the storage device 200 and an external system (for example, the host 100). The data interface 201 can be used to output commands or data sent by the external system to the storage controller 202. The data interface 201 can also be used to transfer data stored in the storage medium 204 and/or specific response notifications (for example, a notification indicating that the storage controller 202 is executing or has completed a command) to the external system.
The encryptor 203 encrypts data and outputs the encrypted data to the storage medium 204 for storage. When encrypting, the encryptor 203 encrypts the input data with an encryption key. In one embodiment, the encryption key can be generated by the encryptor 203 using a random number generation algorithm. The encryption key can consist of a random number of 64, 128, etc. In other embodiments, the encryption key can also be generated by the external system and sent to the storage device, and the storage controller 202 stores the encryption key in a preset storage region of the storage medium 204 for use by the encryptor 203.
When decrypted data needs to be output, the decryptor 205 decrypts the stored ciphertext data and outputs the result. The encryption key and the decryption key correspond to each other: data encrypted with an encryption key can be decrypted with the decryption key corresponding to that encryption key to obtain the plaintext data.
The storage controller 202 controls the reading and writing of data, calls the encryptor 203 to complete data encryption operations, calls the decryptor 205 to complete data decryption operations, and so on.
In the embodiments of the disclosure, the data storage space of the storage medium 204 is divided into one or more storage regions. The number of storage regions can be set as required, for example 6 or 8. The smallest unit of each storage region can be 512 bytes, 4096 bits, etc. After the storage regions are divided, the logical address corresponding to each storage region is recorded. In the embodiments of the disclosure, different storage regions store the data of different user groups, and a different encryption key is set for each storage region.
In the embodiments of the disclosure, when users are divided into groups, the user group of each user can be determined according to the user's identity. The identity of a user can be any one or more of a user number, a user role, a user name and similar information. For example, users with user numbers 1~10 are assigned to user group 1 and users with user numbers 11~20 to user group 2; or users whose role is administrator are assigned to user group 1, users whose role is department a to user group 2, users whose role is department b to user group 3, and so on.
In one embodiment of the disclosure, one user group is set as the system-level user group, and the storage region allocated to this user group stores system-level data, for example the hard disk boot program, data related to the operating system, data related to application programs, and so on. The users in this user group are users with the administrator role, which ensures the security of system data and the normal operation of the system.
To enhance the security of data storage, the embodiments of the disclosure allocate different storage regions to different user groups, and different storage regions use different encryption keys, so that the data of the users in a user group is encrypted and stored in the corresponding storage region.
Table 1 shows the correspondence between users, user groups, storage regions, encryption keys and decryption keys in one embodiment of the disclosure. The mapping table shown in Table 1 can be stored in a preset storage region of the storage device 100; the preset storage region can be the system storage area of the storage medium 106 or a designated storage region of the data storage area. In addition, the mapping table shown in Table 1 can also be stored in other storage space connected to the host.
Table 1
User | User group | Storage region logical address | Encryption key | Decryption key |
User numbers 1-10 | User group 1 | Logical address A~logical address B | Key 1 | Key 1' |
User numbers 11-20 | User group 2 | Logical address C~logical address E | Key 2 | Key 2' |
…… | …… | …… | …… | |
In one embodiment of the disclosure, the user group of a user can be determined when the user registers. When sending a registration request, the user provides an identity (for example, a user number, a user name, etc.). A user group can be assigned to the user according to the user's identity and a preset allocation rule. The preset allocation rule can be a preset correspondence between identities and user groups.
Once the user group of a user is determined, the storage region, encryption key and decryption key corresponding to the user can be determined from the correspondence between user groups and storage regions, encryption keys and decryption keys. Once the storage region corresponding to the user is determined, the user's data can be written to the corresponding storage region or read from it.
It should be understood that in some embodiments the encryption keys and decryption keys in Table 1 need not be set in advance and can instead be generated by a random algorithm when needed. With the Rivest-Shamir-Adleman (RSA) asymmetric encryption algorithm, the encryption key can be a public key and the decryption key the private key corresponding to that public key.
Fig. 2 is a flow diagram of the data encryption storage method of one embodiment of the disclosure. The data encryption storage method can be applied in the storage controller 202 of the storage device 200 and includes the following steps:
In step S21, a data write request and data to be written sent by a target user are received; the data write request includes at least the identity of the target user.
In one embodiment of the disclosure, the storage device 200 can be installed in the host (or other external equipment) and connected to the interface 102 of the host 100 through the data interface 201, so that data can be transferred between the host 100 and the storage device 200. The data to be written is the data, sent from the host 100 and received by the storage device 200 through the data interface 201, that needs to be stored in the storage medium.
In step S22, the user group to which the target user belongs is obtained according to the identity of the target user.
As described above, the user group of each user is determined when the user registers, so the user group to which the target user belongs can be obtained from the identity of the target user.
In step S23, the target storage region of the data to be written is determined according to the user group to which the target user belongs.
In the embodiments of the disclosure, the storage space of the storage device is divided into one or more storage regions, a storage region is allocated to each user group, and a mapping table between user groups and storage regions is established and stored, so the storage region corresponding to the user group to which the target user belongs can be obtained from the mapping table.
In one embodiment, the size of the data to be written is determined first, and the target storage region is then determined, according to that size, within the storage region corresponding to the user group to which the target user belongs. Determining the target storage region means determining the logical address at which the data is written.
In step S24, the encryption key corresponding to the target storage region is obtained.
Because different storage regions use different encryption keys, once the target storage region of the data to be written is determined, the encryption key corresponding to the target storage region can be obtained from the correspondence between storage regions and encryption keys. In some embodiments, the encryption key is set in advance, and the encryption key corresponding to the target storage region is obtained directly. In other embodiments, the encryption key can be generated in real time using a preset algorithm corresponding to the target storage region.
In step S25, the data to be written is encrypted with the encryption key and stored in the target storage region.
After the encryption key and the target storage region are determined, the storage controller 202 controls the encryptor 203 to encrypt the data to be written with the encryption key, and the encrypted ciphertext data is stored in the target storage region of the storage medium 204.
The embodiments of the disclosure divide the storage space of the storage medium of the storage device into multiple storage regions. Each storage region uses a different encryption key and serves one user group, and the users in each user group write data to the corresponding storage region after it has been encrypted with the corresponding encryption key, which increases the security of data storage.
It should be understood that the data encryption storage method of the embodiments of the disclosure can also be applied in the processor 101 of the host 100, in which case steps S21 to S25 can be performed by the processor of the host 100: after obtaining the target storage region of the data to be written and the corresponding encryption key, the processor 101 sends the data to be written, its target storage region and the corresponding encryption key to the storage device 200 through the interface 102. The storage controller 202 of the storage device 200 controls the encryptor 203 to encrypt the data to be written with the encryption key, and the result is stored in the target storage region of the storage medium 204.
Referring to Fig. 3, in one embodiment of the disclosure, the flow for reading data stored in the storage medium includes:
In step S31, a data read request sent by the target user is received; the data read request includes at least the storage region information of the data to be read.
In step S32, the data to be read is obtained according to the storage region information of the data to be read.
The user can thus read the data. In one embodiment, to ensure the security of data reading, the user's identity is verified when a data read request is received.
Referring to Fig. 4, in step S41, a data read request sent by the target user is received; the data read request includes at least the storage region information of the data to be read and the identity of the target user.
In step S42, the data to be read is obtained according to the storage region information of the data to be read.
In step S43, the identity of the target user is verified according to the identity of the target user.
In step S44, when the identity verification of the target user passes, the user group to which the target user belongs is obtained.
In step S45, the data decryption key corresponding to the user group to which the target user belongs is obtained; the data decryption key is used to decrypt the data to be read.
In step S46, the data to be read and the data decryption key are returned to the target user.
The target user can thus read the data in the corresponding storage region. The data to be read can be returned to the target user as ciphertext, and the target user can decrypt it with the returned data decryption key.
Referring to Fig. 5, for reading system-level data, in step S51, a data read request sent by the target user is received; the data read request includes at least the storage region information of the data to be read and the identity of the target user.
In step S52, when the storage region of the data to be read is the storage region of system-level data, the identity of the target user is verified according to the identity of the target user.
In step S53, when the identity verification of the target user passes, the user group to which the target user belongs is obtained.
In step S54, the data decryption key corresponding to the user group to which the target user belongs is obtained.
In step S55, the data to be read, after decryption with the data decryption key, is returned to the target user.
Thus, when the data to be read is system-level data, the decryptor 205 of the storage device 200 can decrypt the data with the data decryption key before it is returned, which ensures the security of system data and the normal operation of the system.
In some embodiments, the user identity verification can also be performed by the host. On receiving a user's data read request, the host verifies the user's identity according to the identity of the user. When the identity verification passes, the host sends a data read instruction to the storage device 100. The storage device 100 receives the data read instruction, obtains the data from the corresponding storage region according to the storage region information of the data to be read in the instruction, and returns the data to the host through the data interface.
In the embodiments of the disclosure, the storage device can return ciphertext data directly to the host, and the host or the relevant user decrypts the ciphertext data with the decryption key to obtain the plaintext data. It should be understood that the decryption key and the encryption key correspond to the user group and can be obtained from the mapping table shown in Table 1 above. After the host obtains the plaintext data using the decryption key, the data can be displayed, transferred (for example, to other electronic equipment via WIFI, Bluetooth, etc.) and so on. System-level data, by contrast, is decrypted by the storage device before being returned, which ensures the normal operation of the system.
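The write flow (steps S21 to S25) and the two read flows (steps S41 to S46 and S51 to S55) can be modelled as follows. This is an added example, not code from the disclosure: the SHA-256 keystream with an HMAC tag is a stand-in for the unspecified cipher of the encryptor 203, one symmetric key per region serves as both encryption and decryption key, and StorageController, the login credential, SYSTEM_GROUP = 0 and the region layout are assumptions.

```python
import hashlib
import hmac
import secrets

BLOCK = 512        # smallest unit of a storage region, as in the description
SYSTEM_GROUP = 0   # assumption: group 0 is the system-level user group


def subkey(key, label):
    return hashlib.sha256(label + key).digest()


def keystream_xor(key, nonce, data):
    # Toy SHA-256 counter keystream; a stand-in, not a vetted cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Stand-in for the encryptor 203: encrypt, then append an HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = keystream_xor(subkey(key, b"enc"), nonce, plaintext)
    return nonce + body + hmac.digest(subkey(key, b"mac"), nonce + body, "sha256")


def unseal(key, blob):
    """Stand-in for the decryptor 205: returns None if the key is wrong."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.digest(subkey(key, b"mac"), nonce + body, "sha256")
    if not hmac.compare_digest(tag, want):
        return None
    return keystream_xor(subkey(key, b"enc"), nonce, body)


class StorageController:
    def __init__(self, layout):
        # Mapping table in the spirit of Table 1: group -> region and key.
        self.table = {g: {"start": s, "end": e, "next": s,
                          "key": secrets.token_bytes(32)}
                      for g, (s, e) in layout.items()}
        self.users, self.media = {}, {}   # number -> (group, cred); addr -> blob

    def register(self, number, role="user"):
        # Preset allocation rule: identity (number or role) -> user group.
        if role == "admin":
            group = SYSTEM_GROUP
        elif 1 <= number <= 20:
            group = 1 if number <= 10 else 2
        else:
            raise ValueError("no allocation rule for this identity")
        credential = secrets.token_hex(16)   # hypothetical login secret
        self.users[number] = (group, credential)
        return credential

    def write(self, number, data):
        group = self.users[number][0]                 # S22: user -> group
        region = self.table[group]                    # S23: group -> region
        blob = seal(region["key"], data)              # S24: key of that region
        blocks = -(-len(blob) // BLOCK)               # size decides the extent
        if region["next"] + blocks > region["end"]:
            raise OSError("storage region of this user group is full")
        addr = region["next"]                         # target logical address
        region["next"] += blocks
        self.media[addr] = blob                       # S25: store ciphertext
        return addr

    def read(self, number, credential, addr):
        blob = self.media[addr]                       # S42: fetch by address
        entry = self.users.get(number)                # S43 / S52: verify user
        if entry is None or not hmac.compare_digest(entry[1], credential):
            raise PermissionError("identity verification failed")
        key = self.table[entry[0]]["key"]             # S44-S45 / S53-S54
        system = self.table[SYSTEM_GROUP]
        if system["start"] <= addr < system["end"]:
            return unseal(key, blob), None            # S55: plaintext only
        return blob, key                              # S46: ciphertext + key


def demo():
    ctl = StorageController({SYSTEM_GROUP: (0, 64), 1: (64, 128), 2: (128, 192)})
    cred3 = ctl.register(3)                   # user number 3 -> user group 1
    cred12 = ctl.register(12)                 # user number 12 -> user group 2
    cred0 = ctl.register(0, role="admin")     # administrator -> system group
    addr = ctl.write(3, b"group 1 record")    # constructed sample data
    blob, key = ctl.read(3, cred3, addr)
    own = unseal(key, blob)                   # same group: decrypts
    blob, key = ctl.read(12, cred12, addr)
    cross = unseal(key, blob)                 # other group: key does not fit
    sys_addr = ctl.write(0, b"boot program")
    sys_ok = ctl.read(0, cred0, sys_addr)[0]
    sys_denied = ctl.read(12, cred12, sys_addr)[0]
    return addr, own, cross, sys_ok, sys_denied


if __name__ == "__main__":
    print(demo())
```

In this model a cross-group read still returns the other group's ciphertext, so isolation rests on key separation alone. Because step S46 hands out the group's decryption key itself, removing a member from a group later means re-keying that group's region.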
Referring to Fig. 6, in the embodiments of the disclosure, the storage space of the storage device is divided into multiple storage regions, each storage region serving one user group. Each storage region stores data after encrypting it with a different encryption key. The users of each user group can thus write data to their corresponding storage region using the encryption key of their group. The number of user groups can be configured according to actual needs.
Referring to Fig. 7, ciphertext data in a storage region can be output directly as ciphertext and decrypted by the user with the decryption key corresponding to the storage region. To ensure the security of data reading, a user can obtain the decryption key corresponding to their storage region through verification or similar means, and then decrypt to obtain the plaintext data. Because the users in each user group can only obtain the decryption key corresponding to their own storage region, the users in each user group can obtain the data in their own storage region but not the data in storage regions outside their permissions, which ensures the security of data storage.
Referring to Fig. 8, the embodiments of the disclosure correspondingly also provide a data encryption storage device. The data encryption storage device 800 includes:
A write request receiving module 801, configured to receive a data write request and data to be written sent by a target user, the data write request including at least the identity of the target user;
A first user group acquisition module 802, configured to obtain, according to the identity of the target user, the user group to which the target user belongs;
A target storage region determining module 803, configured to determine, according to the user group to which the target user belongs, the target storage region of the data to be written;
An encryption key acquisition module 804, configured to obtain the encryption key corresponding to the target storage region;
An encryption storage module 805, configured to store the data to be written, after encryption with the encryption key, in the target storage region.
In one embodiment, the device 800 further includes:
A first read request receiving module, configured to receive a data read request sent by the target user, the data read request including at least the storage region information of the data to be read and the identity of the target user;
A to-be-read data acquisition module, configured to obtain the data to be read according to the storage region information of the data to be read;
A first authentication module, configured to verify the identity of the target user according to the identity of the target user;
A second user group acquisition module, configured to obtain the user group to which the target user belongs when the identity verification of the target user passes;
A first decryption key acquisition module, configured to obtain the data decryption key corresponding to the user group to which the target user belongs, the data decryption key being used to decrypt the data to be read;
A first data return module, configured to return the data to be read and the data decryption key to the target user.
In one embodiment, the device further includes:
A second read request receiving module, configured to receive a data read request sent by the target user, the data read request including at least the storage region information of the data to be read and the identity of the target user.
A second authentication module, configured to verify the identity of the target user according to the identity of the target user when the storage region of the data to be read is the storage region of system-level data.
A third user group acquisition module, configured to obtain the user group to which the target user belongs when the identity verification of the target user passes.
A second decryption key acquisition module, configured to obtain the data decryption key corresponding to the user group to which the target user belongs.
A second data return module, configured to return the data to be read, after decryption with the data decryption key, to the target user.
As for the device in the above embodiments, the specific way in which each module performs its operations has been described in detail in the embodiments of the method and is not elaborated here.
Fig. 9 is a block diagram of a device 900 for the data encryption storage method according to an exemplary embodiment. The device 900 can be a server, a desktop computer, etc. As shown in the figure, the device 900 can include: a processor 901, a storage device 902, a multimedia component 903, an input/output (I/O) interface 904 and a communication component 905. The structure of the storage device 902 can be the same as that of the storage device 200 shown in Fig. 1, including a storage controller, an encryptor, a storage medium, etc., where the storage medium is divided into one or more storage regions that respectively store, in encrypted form, the data of the users of different user groups.
The processor 901 controls the overall operation of the device 900 to complete all or part of the steps of the above data encryption storage method; alternatively, the processor 901 controls the storage controller of the storage device 902 to complete all or part of the steps of the above data encryption storage method.
The storage device 902 is also used to store the operating system and various types of data to support operation of the device 900. This data can include, for example, the instructions of any application program or method operated on the device 900, as well as data related to application programs.
The multimedia component 903 can include a screen and an audio component. The screen can be, for example, a touch screen, and the audio component is used to output and/or input audio signals. For example, the audio component can include a microphone for receiving external audio signals. The received audio signals can be further stored in the storage device 902 or sent through the communication component 905. The audio component also includes at least one loudspeaker for outputting audio signals. The I/O interface 904 provides an interface between the processor 901 and other interface modules, which can be a keyboard, a mouse, buttons, etc. These buttons can be virtual buttons or physical buttons. The communication component 905 is used for wired or wireless communication between the device 900 and other equipment. Wireless communication can be, for example, Wi-Fi, Bluetooth, near-field communication (NFC), 2G, 3G or 4G, or a combination of one or more of them; accordingly, the communication component 905 can include a Wi-Fi module, a Bluetooth module and an NFC module.
In an exemplary embodiment, the device 900 can be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components, for performing the above data encryption storage method.
In another exemplary embodiment, a computer program product is also provided. The computer program product contains a computer program executable by a programmable device, and the computer program has code portions for performing the above data encryption storage method when executed by the programmable device.
In another exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, for example the storage device 902 including instructions. The instructions can be executed by the processor 901 of the device 900 or by the storage controller of the storage device 902 to complete the above data encryption storage method. By way of example, the non-transitory computer-readable storage medium can be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc.
Any process or method description in a flow chart, or otherwise described in the embodiments of the disclosure, can be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process. The scope of the embodiments of the disclosure includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the disclosure belong.
The preferred embodiments of the disclosure have been described in detail above with reference to the drawings. However, the disclosure is not limited to the specific details of the above embodiments; within the scope of the technical concept of the disclosure, various simple variations can be made to the technical solution of the disclosure, and these simple variations all fall within the scope of protection of the disclosure.
It should further be noted that the specific technical features described in the above specific embodiments can be combined in any suitable way provided they do not contradict each other. To avoid unnecessary repetition, the disclosure does not separately describe the various possible combinations.
In addition, the various embodiments of the disclosure can also be combined arbitrarily, and as long as such a combination does not depart from the idea of the disclosure, it should likewise be regarded as content disclosed by the disclosure.