CN103425935A - Method and device for encrypting data of memory on basis of addresses - Google Patents
- Publication number
- CN103425935A
- Authority
- CN
- China
- Prior art keywords
- data block
- address
- pad
- data
- count value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses an address-based method and device for encrypting data in a memory, and relates to data security technology. In the technical scheme, the data stored in the memory is divided into data blocks, and the storage position of each data block in the memory is determined by the address corresponding to that data block; a block cipher in counter mode is used as the encryption algorithm; the address of each data block is used as the count value to compute the encryption pad and decryption pad corresponding to that data block; when the current data block is stored, the address of the next data block is used as the count value to compute the encryption pad of the next data block to be stored, and that pad is buffered for later use; when the current data block is read, the address of the next data block is used as the count value to compute the decryption pad of the next data block to be read, and that pad is buffered for later use. The method and device are efficient and feasible, and are intended in particular for data blocks stored in a memory.
Description
Technical field
The present invention relates to data encryption technology, specifically to technology for encrypting and decrypting data blocks stored in a memory.
Background technology
In data encryption, a very important goal is to protect the confidentiality of stored data and to prevent unauthorized parties from learning its content. To this end, encryption is typically used: the ciphertext of the data is saved in the memory, and the plaintext is recovered by decryption when the data is read. To encrypt the data of a mass storage device, a symmetric cryptographic algorithm is typically used. Because encryption and decryption are computation-intensive operations with a significant cost, performing them delays memory access and affects system performance; in addition, managing the parameters related to encryption and decryption can sometimes make the system difficult to implement. Designing encryption methods that are more efficient and easier to implement than existing ones is therefore always useful.
Summary of the invention
The object of the present invention is to provide an address-based memory data encryption method and device that provide confidentiality protection for the data stored in a memory.
The present invention is achieved by the following technical solutions:
An address-based memory data encryption method, characterized in that:
The data stored in the memory is divided into data blocks, and the position at which each data block is stored in the memory is determined by its corresponding address;
A secret value not known to the attacker is used as the key for data encryption and decryption;
The address of a data block is used as the count value and, combined with the key, the encryption pad and decryption pad corresponding to that data block are computed;
When the current data block is saved, the address of the next data block is used as the count value and, combined with the key, the encryption pad of the next data block is computed; this encryption pad is buffered, ready to encrypt the next data block to be saved;
When the current data block is read, the address of the next data block is used as the count value and, combined with the key, the decryption pad of the next data block is computed; this decryption pad is buffered, ready to decrypt the next data block to be read.
The address-based memory data encryption method, characterized in that:
Using the address of a data block as the count value means:
The address of the data block is used directly as the count value of the counter-mode cipher algorithm.
The address-based memory data encryption method, characterized in that:
Using the address of a data block as the count value means:
The address of the data block is transformed by a function, and the result of the transformation is used as the count value of the counter-mode cipher algorithm.
The address-based memory data encryption method, characterized in that:
Using the address of the next data block as the count value means:
The address of the next data block is used directly as the count value of the counter-mode cipher algorithm.
The address-based memory data encryption method, characterized in that:
Using the address of the next data block as the count value means:
The address of the next data block is transformed by a function, and the result of the transformation is used as the count value of the counter-mode cipher algorithm.
The address-based memory data encryption method, characterized in that:
The address of a data block is the identifier of the data block's physical storage location in the memory.
The address-based memory data encryption method, characterized in that:
The next data block is the data block that, in access order, is accessed immediately after the current data block.
An address-based memory data encryption device, characterized in that:
It comprises a data block ACE and a data block storage component;
The data block ACE is connected to the data block storage component;
The data stored in the data block storage component is divided into data blocks, and the position at which each data block is stored in the data block storage component is determined by its corresponding address;
The data block ACE uses a secret value not known to the attacker as the key for data encryption and decryption;
The data block ACE adopts the counter mode of a block cipher, uses the address of a data block as the count value and, combined with the key, computes the encryption pad and decryption pad corresponding to that data block;
When the current data block is saved, the data block ACE uses the address of the next data block as the count value and, combined with the key, computes the encryption pad of the next data block; this encryption pad is buffered in the data block ACE, ready to encrypt the data block saved next;
When the current data block is read, the data block ACE uses the address of the next data block as the count value and, combined with the key, computes the decryption pad of the next data block; this decryption pad is buffered in the data block ACE, ready to decrypt the data block read next.
The beneficial effects of the present invention are: (1) where the attacker cannot mount an online attack, the data protection is sufficiently secure; (2) because encryption pads and decryption pads can be prepared in advance, encryption latency and decryption latency are effectively hidden, giving good performance; (3) no complex management or extra parameter storage is needed, so the scheme is easy to implement; (4) changes to data bits are not diffused, so redundancy-based wear-leveling algorithms for non-volatile memory are not affected, which helps extend the service life of non-volatile memory.
Embodiment
The present invention is described in detail below. The embodiment is implemented on the premise of the technical solution of the present invention, and gives a detailed implementation and concrete operating process; the protection scope of the present invention is, however, not limited to the following embodiment.
Without loss of generality, assume:
The memory MEM has k data blocks DBlock, where the i-th data block (i ranges over 0 ~ k-1) is denoted DBlock_i. The storage position of a data block in MEM is determined by the data block's address Address, where the address of DBlock_i is Address_i.
Connected to MEM is the ACE MCONTROLLER. According to the address value and the read/write control command, MCONTROLLER writes data blocks into MEM or reads data blocks from MEM. To protect data confidentiality, data blocks being written must be encrypted by MCONTROLLER, and data blocks being read must be decrypted by MCONTROLLER. MCONTROLLER uses the counter mode of a block cipher as its cipher algorithm. The counter-mode cipher algorithm takes a key and a count value as input and produces a pad as output; XORing (XOR, Exclusive OR) the pad with the data plaintext then yields the data ciphertext, and conversely XORing it with the data ciphertext yields the data plaintext.
To perform the required functions, MCONTROLLER should have a counter-mode cipher engine and a buffer of a certain capacity for buffering pads. The cipher engine of MCONTROLLER is called CIPHER, the key SKey, the count value Counter, the data plaintext Plaintext, the data ciphertext Ciphertext, and the buffer that holds pads PadBuffer; subscripts denote further subdivision (for example, the pad corresponding to DBlock_i is denoted pad_i).
At the current time T, to write the data block DBlock_i at address Address_i into MEM, MCONTROLLER performs the following steps:
Write step 1. Look up the pad_i corresponding to DBlock_i in PadBuffer
On a hit, skip to "write step 3"
Write step 2. Generate the pad_i corresponding to DBlock_i
<a> Counter_i = Func (Address_i)
<b> CIPHER (SKey, Counter_i) = pad_i
Write step 3. Encrypt DBlock_i and write it to MEM
<a> Ciphertext of DBlock_i = pad_i XOR (Plaintext of DBlock_i)
<b> Write (Ciphertext of DBlock_i) to MEM
Write step 4. Use the address Address_{i+1} of the next data block to generate pad_{i+1}, and buffer it ready for the data block encryption operation at the next time T+1
<a> Counter_{i+1} = Func (Address_{i+1})
<b> CIPHER (SKey, Counter_{i+1}) = pad_{i+1}
<c> Buffer pad_{i+1} into PadBuffer
Write operations on multiple consecutive data blocks repeat "write step 1 ~ write step 4" above.
At the current time T, to read the data block DBlock_i at address Address_i from MEM, MCONTROLLER performs the following steps:
Read step 1. Look up the pad_i corresponding to DBlock_i in PadBuffer
On a hit, skip to "read step 3"
Read step 2. Generate the pad_i corresponding to DBlock_i
<a> Counter_i = Func (Address_i)
<b> CIPHER (SKey, Counter_i) = pad_i
Read step 3. Read DBlock_i from MEM and decrypt it
<a> Read (Ciphertext of DBlock_i) from MEM
<b> Plaintext of DBlock_i = pad_i XOR (Ciphertext of DBlock_i)
Read step 4. Use the address Address_{i+1} of the next data block to generate pad_{i+1}, and buffer it ready for the data block decryption operation at the next time T+1
<a> Counter_{i+1} = Func (Address_{i+1})
<b> CIPHER (SKey, Counter_{i+1}) = pad_{i+1}
<c> Buffer pad_{i+1} into PadBuffer
Read operations on multiple consecutive data blocks repeat "read step 1 ~ read step 4" above.
Notes on the write steps and read steps:
Note 1. The function "Func" may take any form of transformation, as long as different inputs produce different outputs; for example, it may be a one-way hash transformation. In the simplest case, "Func" makes the output equal to the input; for example, "Counter_i = Func (Address_i)" in "read step 2" becomes "Counter_i = Address_i".
Note 2. Address_i and Address_{i+1} denote the addresses of the current data block and of the next data block, which is accessed immediately after the current one; the concrete address values depend on how the memory expresses addresses. For instance, suppose the total capacity of the memory is 1 M-Byte (M: mega, one million; Byte: byte) and the data block size is 64 Byte; then the code length of Address_i and of Address_{i+1} is 20 bits (measured in binary), and Address_{i+1} differs from Address_i by 64 (measured in decimal). For example, if the address Address_0 of the 0th data block is 00000H (H denotes hexadecimal), then the next data block after the 0th, namely the 1st data block, has address Address_1 = 00040H; the next data block after the 1st, namely the 2nd data block, has address Address_2 = 00080H; and so on.
Note 3. "Write step 4" does not need to wait, in time order, for "write step 2" and "write step 3" to complete; "write step 4" should start while "write step 2" and "write step 3" are still executing, so that the pad for the next encryption is ready as early as possible. For this purpose, CIPHER should have two physically independent engines that can, either alternately or concurrently, generate the pads for the current time T and the next time T+1 from Address_i and Address_{i+1} respectively.
Note 4. "Read step 4" does not need to wait, in time order, for "read step 2" and "read step 3" to complete; "read step 4" should start while "read step 2" and "read step 3" are still executing, so that the pad for the next decryption is ready as early as possible. For this purpose, CIPHER should have two physically independent engines that can, either alternately or concurrently, generate the decryption pads for the current time T and the next time T+1 from Address_i and Address_{i+1} respectively.
From the above description it can be seen that:
(1) Security. Normally, counter mode should not generate encryption pads from constant or repeated count values. Although the scheme proposed by the present invention uses a repeated count value at the same address, it is sufficiently secure against attacks that are not online. For example, a notebook computer uses the scheme of the present invention to encrypt its PCM (phase-change memory) main memory, and is set to erase the encryption key automatically on shutdown and to enable a new encryption key automatically at the next start-up. If this notebook computer is stolen by an attacker after shutdown, then, because the attacker does not know the encryption key, the use of a fixed address value as the count value for the encryption pad does not allow the attacker to learn the content that remained in the non-volatile PCM main memory before the theft.
(2) Performance. Because most encryption pads and decryption pads can be prepared in advance, fully or partly, the access delay caused by encryption and decryption is effectively hidden, which significantly improves system performance.
(3) Management. The count value required by counter-mode encryption is obtained directly from the address, so the system needs no complex measures to manage count values (such as storing or buffering them); such complex management is an obstacle that schemes using other forms of count value have to face.
(4) Benefit to the service life of non-volatile memories such as PCM. For the same address, the encryption pad is constant (within a working period in which the key is unchanged), so the ciphertext of the data block at the current time differs from the ciphertext of the data block at the previous time only in the bits that were modified; the "avalanche" effect of encryption does not cause a large number of bits to differ. Such an encryption scheme therefore does not hinder redundancy-based wear-leveling algorithms, which helps extend the service life of non-volatile memories such as PCM.
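The write and read steps above, together with properties (1), (2) and (4), as an added Python model that is not part of the patent text. Assumptions: HMAC-SHA512 stands in for the counter-mode block cipher CIPHER so that the example runs with the standard library alone; Func is the identity of Note 1; PadBuffer holds one pad; the next block is predicted to be the one at Address_i + 64 as in Note 2; the class, function and key names are illustrative.

```python
import hashlib
import hmac

BLOCK_SIZE = 64        # bytes per data block (Note 2 example)
MEM_SIZE = 1 << 20     # 1 MByte memory, 20-bit addresses (Note 2 example)


def func(address: int) -> int:
    """Func from Note 1 in its simplest form: Counter_i = Address_i."""
    return address


def cipher(skey: bytes, counter: int) -> bytes:
    """Stand-in for CIPHER(SKey, Counter): returns a 64-byte pad.

    Assumption: HMAC-SHA512 replaces the block cipher so the example needs
    only the standard library; the structure of the scheme is unchanged.
    """
    return hmac.new(skey, counter.to_bytes(8, "big"), hashlib.sha512).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class MController:
    """Software model of MCONTROLLER with a one-entry PadBuffer."""

    def __init__(self, skey: bytes):
        self.skey = skey
        self.mem = {}          # MEM: address -> ciphertext block
        self.pad_buffer = {}   # PadBuffer: address -> prefetched pad
        self.hits = 0
        self.misses = 0

    def _pad(self, address: int) -> bytes:
        # Step 1: look up pad_i in PadBuffer; step 2: generate it on a miss.
        pad = self.pad_buffer.pop(address, None)
        if pad is None:
            self.misses += 1
            return cipher(self.skey, func(address))
        self.hits += 1
        return pad

    def _prefetch_next(self, address: int) -> None:
        # Step 4: buffer pad_{i+1}. Assumption: the next access is the block
        # at Address_i + 64. Hardware would overlap this with steps 2 and 3.
        nxt = (address + BLOCK_SIZE) % MEM_SIZE
        self.pad_buffer = {nxt: cipher(self.skey, func(nxt))}

    def write(self, address: int, plaintext: bytes) -> None:
        assert len(plaintext) == BLOCK_SIZE and address % BLOCK_SIZE == 0
        self.mem[address] = xor(self._pad(address), plaintext)   # step 3
        self._prefetch_next(address)

    def read(self, address: int) -> bytes:
        plaintext = xor(self._pad(address), self.mem[address])   # step 3
        self._prefetch_next(address)
        return plaintext


def sequential_demo():
    """Write then read four consecutive blocks; return (ok, hits, misses)."""
    mc = MController(b"constructed-demo-key")
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(4)]   # constructed data
    for i, blk in enumerate(blocks):
        mc.write(i * BLOCK_SIZE, blk)
    ok = all(mc.read(i * BLOCK_SIZE) == blk for i, blk in enumerate(blocks))
    return ok, mc.hits, mc.misses


def same_address_rewrite():
    """Rewrite one address; return (ciphertext XOR, plaintext XOR)."""
    mc = MController(b"constructed-demo-key")
    old = b"A" * BLOCK_SIZE
    new = b"A" * 10 + b"B" + b"A" * (BLOCK_SIZE - 11)   # one byte modified
    mc.write(0x00040, old)
    c_old = mc.mem[0x00040]
    mc.write(0x00040, new)
    return xor(c_old, mc.mem[0x00040]), xor(old, new)


if __name__ == "__main__":
    print(sequential_demo())
    c_diff, p_diff = same_address_rewrite()
    print(c_diff == p_diff, [i for i, b in enumerate(c_diff) if b])
```

Sequential access misses PadBuffer only on the first write and the first read. Rewriting one address under an unchanged key leaves the new ciphertext differing from the old one in exactly the bits changed in the plaintext, which is the behaviour item (4) relies on and the reason item (1) restricts its security claim to attacks that are not online.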
The present invention is not limited to the specific implementation described above; it applies to all methods and devices for protecting the confidentiality of memory data that can be obtained from the content of the present invention, and to variations obtainable without further inventive capability. The present invention therefore applies to the widest scope consistent with the principles and features described herein.
Claims (8)
1. An address-based memory data encryption method, characterized in that:
The data stored in the memory is divided into data blocks, and the position at which each data block is stored in the memory is determined by its corresponding address;
A secret value not known to the attacker is used as the key for data encryption and decryption;
The address of a data block is used as the count value and, combined with the key, the encryption pad and decryption pad corresponding to that data block are computed;
When the current data block is saved, the address of the next data block is used as the count value and, combined with the key, the encryption pad of the next data block is computed; this encryption pad is buffered, ready to encrypt the next data block to be saved;
When the current data block is read, the address of the next data block is used as the count value and, combined with the key, the decryption pad of the next data block is computed; this decryption pad is buffered, ready to decrypt the next data block to be read.
2. The address-based memory data encryption method according to claim 1, characterized in that:
Using the address of a data block as the count value means:
The address of the data block is used directly as the count value of the counter-mode cipher algorithm.
3. The address-based memory data encryption method according to claim 1, characterized in that:
Using the address of a data block as the count value means:
The address of the data block is transformed by a function, and the result of the transformation is used as the count value of the counter-mode cipher algorithm.
4. The address-based memory data encryption method according to claim 1, characterized in that:
Using the address of the next data block as the count value means:
The address of the next data block is used directly as the count value of the counter-mode cipher algorithm.
5. The address-based memory data encryption method according to claim 1, characterized in that:
Using the address of the next data block as the count value means:
The address of the next data block is transformed by a function, and the result of the transformation is used as the count value of the counter-mode cipher algorithm.
6. The address-based memory data encryption method according to claim 1, characterized in that:
The address of a data block is the identifier of the data block's physical storage location in the memory.
7. The address-based memory data encryption method according to claim 1, characterized in that:
The next data block is the data block that, in access order, is accessed immediately after the current data block.
8. An address-based memory data encryption device, characterized in that:
It comprises a data block ACE and a data block storage device component;
The data block ACE is connected to the data block storage device component;
The data stored in the data block storage device component is divided into data blocks, and the position at which each data block is stored in the data block storage device component is determined by its corresponding address;
The data block ACE uses a secret value not known to the attacker as the key for data encryption and decryption;
The data block ACE adopts the counter mode of a block cipher, uses the address of a data block as the count value and, combined with the key, computes the encryption pad and decryption pad corresponding to that data block;
When the current data block is saved, the data block ACE uses the address of the next data block as the count value and, combined with the key, computes the encryption pad of the next data block; this encryption pad is buffered in the data block ACE, ready to encrypt the data block saved next;
When the current data block is read, the data block ACE uses the address of the next data block as the count value and, combined with the key, computes the decryption pad of the next data block; this decryption pad is buffered in the data block ACE, ready to decrypt the data block read next.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101497718A CN103425935A (en) | 2012-05-16 | 2012-05-16 | Method and device for encrypting data of memory on basis of addresses |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103425935A (en) | 2013-12-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20131204 |