Summary of the invention
In order to solve the problems referred to above, the present invention provides a key management system for high-speed network encrypted storage. The key management system uses four kinds of keys, protected level by level, to carry out key management for the encryption device; the managed content specifically includes generation, distribution, storage, backup, replacement, recovery and destruction.
Further, the key management system includes a device root key, a device identity key, a key encryption key and a working key:
Device root key: the device root key realizes storage encryption protection of key parameters, keys and the like;
Device identity key: the device identity key is used for authentication of the machine itself and provides cryptographic protection for the identity authentication process of cluster devices;
Key encryption key: the key encryption key realizes encryption protection of the working key during key distribution;
Working key: the working key realizes encryption protection of service data in transmission.
Further, after the device root key is generated it is divided by the device into three parts S1, S2, S3, where S1 is burned at production time into the security chip inside the network storage encryptor, S2 is saved in component key 1, and S3 is saved in component key 2.
Further, the device identity key is an asymmetric cryptographic key, namely a public/private key pair with a private key length of 256 bits and a public key length of 512 bits; the public key is exported by USB Key or through the configuration management interface, while the private key is kept in the security chip inside the network storage encryptor.
Further, the key encryption key is a 128-bit symmetric block cipher key used to encrypt and decrypt the shared working key within the cluster. It is produced in real time by the random number generator of the initiator each time identity authentication is carried out with a network storage encryptor in the cluster, used after passing a check, and destroyed as soon as key distribution is complete; it is never stored.
Further, the working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data transmitted over Fibre Channel. When the working key is replaced, the existing encrypted data on the disk must first be decrypted with the old working key and stored again after encryption with the new working key; only then is the old working key replaced with the new one. The working key is obtained from the security chip: the security chip obtains two random numbers from two WNG9 random number generators, takes the XOR of the two random numbers as the working key of the LUN, encrypts it with the device root key and stores it in the database.
Further, a key management method for high-speed network encrypted storage, the method including:
1) Key generation: the device root key, the device identity key and the working key are generated by the noise sources of the dual security chips in the network storage encryptor.
2) Key distribution: the device root key is not distributed. The device identity key is generated by each network storage encryptor; the private key is never exported, while the public key is exported from the network storage encryptor and used to generate the device's certificate request file, which, after being signed and issued by the key management center, is delivered uniformly to each device node using an injection key as the carrier. The working key is initiated by the key management center or by the key-producing end device and, on the premise of identity authentication, is distributed as a digital envelope under the protection of a public key signature and the key encryption key.
3) Key storage: the device root key is split into 3 different parts; 1 part is kept in the security chip of the network storage encryptor and the other 2 parts are encrypted and kept separately on 2 USB Keys. In use the device root key exists only in the internal SRAM of the security chip and is lost on power-down. Once generated, the device identity key is encrypted with the SM4 algorithm, using the device root key as the key, and stored in the internal FLASH of the security chip of the network storage encryptor; in use, the security chip decrypts the device identity key into internal SRAM, where it is lost on power-down. The key encryption key is used temporarily, destroyed immediately and never stored. The working key is stored in two ways after generation.
4) Key use: key use includes use of the device root key and use of the working key.
Steps for using the device root key:
411) User identity authentication: the user must insert two USB Keys within a five-minute interval during identity authentication;
412) After at least two USB Keys have passed identity authentication, the root key components in the component keys are read into the SRAM of the security chip of the network storage encryptor;
413) Together with the root key component inside the network storage encryptor, they are combined by modulo-2 addition and the plaintext of the device root key is obtained;
414) The recovered device root key is kept at a specific location in the SRAM of the security chip until it is lost on power-down;
415) After the device root key has been injected, the component keys may be removed or left in place.
Steps for using the working key:
421) Authority is obtained after operator identity authentication;
422) The decryption method is determined according to the user's designation;
423) The working key ciphertext stored in FLASH is read into SRAM;
424) The plaintext of the working key is obtained by decrypting with the SM4 algorithm using the device root key as the key, or by decrypting with the private key;
425) It is kept at a specific location in SRAM until it is lost on power-down;
426) Reuse requires decrypting it again.
5) Key backup:
51) The split device root key is kept on 2 USB Keys;
52) Device identity key backup: after obtaining administrator authority, the device identity key stored in the network storage encryptor is encrypted with the SM4 algorithm using the device root key in the security chip SRAM as the key and stored in a backup medium; the public key and the private key are kept separately on two backup media;
53) The key encryption key is not backed up;
54) Working key backup: after obtaining administrator authority, the working key is encrypted with the SM4 algorithm using the device root key in the security chip SRAM as the key and stored on a USB Key.
6) Key replacement includes device root key replacement, device identity key replacement and working key replacement.
7) Key recovery includes device root key recovery, device identity key recovery and working key recovery.
Further, the two storage methods after the working key is generated include:
31) Encrypting the working key with the SM4 algorithm, using the private key as the key, and storing it in the internal FLASH of the network storage encryptor; when needed it is decrypted again into the CACHE of the network storage encryptor;
32) Encrypting the working key with the device root key of the encryption card and storing it in the internal FLASH of the network storage encryptor; when needed it is decrypted again with the device root key into the CACHE of the network storage encryptor.
Further, the key replacement specifically includes:
Device root key replacement:
611) The device root key is replaced when the network storage encryptor is initialized for the first time;
612) While the public/private key pair and all sensitive information are present in the SRAM of the network storage encryptor, the device root key is regenerated and 2 USB Keys are regenerated.
Device identity key replacement: after obtaining administrator authority, the user generates a new public/private key pair through the interface or the command line and overwrites the old pair; the new public key is then exported to generate a new certificate request file, which, after being signed and issued by the key management center, is delivered to each network storage encryptor on a USB Key as the carrier; finally the new key pair is backed up again.
Working key replacement: the existing encrypted data on the disk is backed up as plaintext data, then encrypted again with the new working key into ciphertext for disk storage.
Further, the key recovery specifically includes:
71) Device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryptor and merges them with the component inside the chip into the plaintext of the device root key;
72) Device identity key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryptor; the security chip decrypts the ciphertext inside the network storage encryptor with the SM4 algorithm, using the device root key as the decryption key, and keeps the result in the corresponding SRAM region;
73) Working key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryptor; the security chip decrypts it with the SM4 algorithm, using the device root key as the decryption key, and reloads the working key.
The beneficial effects of the present invention are as follows:
1) A key management allocation scheme divided by LUN is used. Different LUNs use different data encryption and decryption keys, ensuring that disk data encryption is partitioned by LUN. Each network storage encryptor holds only the keys associated with encrypting and decrypting its own LUNs, so a security threat to one network storage encryptor affects only the security of the service information associated with that encryptor; the security of the service information of other users across the whole network is unaffected.
2) A centralized key maintenance strategy is used, so key management security is controllable. A remote online key distribution mechanism makes key configuration flexible and convenient, and allows the encryption system to be deployed and adjusted quickly, safely and reliably.
3) The keys and key parameters in a network storage encryptor can be destroyed remotely, so that in an emergency the network storage encryptor can be effectively isolated, ensuring the security of the whole storage system.
4) The SM4 standard cryptographic algorithm approved by the State Cryptography Administration is selected as the core carrier of information encryption and decryption and of storage protection encryption, and system development is carried out according to the national commercial cryptographic equipment development specifications.
5) In the development of the secrecy system, security technologies such as machine/card separation for start-up authentication, encrypted storage protection of keys and parameters, a dedicated cryptographic algorithm chip, a Linux kernel with dedicated drivers, a dedicated cryptographic service management module and a proprietary key distribution and management protocol are adopted, so that the secrecy system has strong self-protection capability and a single compromised device cannot cause fatal damage to the security of the system.
Detailed description of the invention
In order to make the purpose, technical scheme and advantages of the present invention clearer, the present invention is explained in further detail below in conjunction with the drawings and embodiments. It should be appreciated that the specific embodiments described herein are used only to explain the present invention and not to limit it. On the contrary, the present invention covers any replacement, modification, equivalent method and scheme within the spirit and scope of the present invention as defined by the claims. Further, in order to give the public a better understanding of the present invention, some specific details are described in detail below; a person skilled in the art can also fully understand the present invention without the description of these details.
The invention is further described below with specific embodiments in conjunction with the accompanying drawings, but not as a limitation of the invention.
The most preferred embodiment of the present invention is set out below:
As shown in Figures 1 and 2, the present invention, based on a network storage encryptor, provides a key management system for high-speed network encrypted storage, characterized in that the key management system uses four kinds of keys, protected level by level, to carry out key management for the encryption device; the managed content specifically includes generation, distribution, storage, backup, replacement, recovery and destruction. The key management system includes a device root key, a device identity key, a key encryption key and a working key:
Device root key: the device root key realizes storage encryption protection of key parameters, keys and the like;
Device identity key: the device identity key is used for authentication of the machine itself and provides cryptographic protection for the identity authentication process of cluster devices;
Key encryption key: the key encryption key realizes encryption protection of the working key during key distribution;
Working key: the working key realizes encryption protection of service data in transmission.
After the device root key is generated it is divided by the device into three parts S1, S2, S3, where S1 is burned at production time into the security chip inside the network storage encryptor, S2 is saved in component key 1, and S3 is saved in component key 2.
The device identity key is an asymmetric cryptographic key, namely a public/private key pair with a private key length of 256 bits and a public key length of 512 bits; the public key is exported by USB Key or through the configuration management interface, while the private key is kept in the security chip inside the network storage encryptor.
The key encryption key is a 128-bit symmetric block cipher key used to encrypt and decrypt the shared working key within the cluster. It is produced in real time by the random number generator of the initiator each time a key is shared with a network storage encryptor in the cluster, used after passing a check, and destroyed as soon as key distribution is complete; it is never stored.
The working key is a 128-bit symmetric block cipher key used to encrypt and decrypt disk data transmitted over Fibre Channel. When the working key is replaced, the existing encrypted data on the disk must first be decrypted with the old working key and stored again after encryption with the new working key; only then is the old working key replaced with the new one. The working key is obtained from the security chip: the security chip obtains two random numbers from two WNG9 random number generators, takes the XOR of the two random numbers as the working key of the LUN, encrypts it with the device root key and stores it in the database.
A key management method for high-speed network encrypted storage, the method including:
1) Key generation: the device root key, the device identity key and the working key are generated by the noise sources of the dual security chips in the network storage encryptor.
2) Key distribution: the device root key is not distributed. The device identity key is generated by each network storage encryptor; the private key is never exported, while the public key is exported from the network storage encryptor and used to generate the device's certificate request file, which, after being signed and issued by the key management center, is delivered uniformly to each device node using an injection key as the carrier. The working key is initiated by the key management center or by the key-producing end device and, on the premise of identity authentication, is distributed as a digital envelope under the protection of a public key signature and the key encryption key.
3) Key storage: the device root key is split into 3 different parts; 1 part is kept in the security chip of the network storage encryptor and the other 2 parts are encrypted and kept separately on 2 USB Keys. In use the device root key exists only in the internal SRAM of the security chip and is lost on power-down. Once generated, the device identity key is encrypted with the SM4 algorithm, using the device root key as the key, and stored in the internal FLASH of the security chip of the network storage encryptor; in use, the security chip decrypts the device identity key into internal SRAM, where it is lost on power-down. The key encryption key is used temporarily, destroyed immediately and never stored. The working key is stored in two ways after generation.
4) Key use: key use includes use of the device root key and use of the working key.
Steps for using the device root key:
411) User identity authentication: the user must insert two USB Keys within a five-minute interval during identity authentication;
412) After at least two USB Keys have passed identity authentication, the root key components in the component keys are read into the SRAM of the security chip of the network storage encryptor;
413) Together with the root key component inside the network storage encryptor, they are combined by modulo-2 addition and the plaintext of the device root key is obtained;
414) The recovered device root key is kept at a specific location in the SRAM of the security chip until it is lost on power-down;
415) After the device root key has been injected, the component keys may be removed or left in place.
Steps for using the working key:
421) Authority is obtained after operator identity authentication;
422) The decryption method is determined according to the user's designation;
423) The working key ciphertext stored in FLASH is read into SRAM;
424) The plaintext of the working key is obtained by decrypting with the SM4 algorithm using the device root key as the key, or by decrypting with the private key;
425) It is kept at a specific location in SRAM until it is lost on power-down;
426) Reuse requires decrypting it again.
5) Key backup:
51) The split device root key is kept on 2 USB Keys;
52) Device identity key backup: after obtaining administrator authority, the device identity key stored in the network storage encryptor is encrypted with the SM4 algorithm using the device root key in the security chip SRAM as the key and stored in a backup medium; the public key and the private key are kept separately on two backup media;
53) The key encryption key is not backed up;
54) Working key backup: after obtaining administrator authority, the working key is encrypted with the SM4 algorithm using the device root key in the security chip SRAM as the key and stored on a USB Key.
6) Key replacement includes device root key replacement, device identity key replacement and working key replacement.
7) Key recovery includes device root key recovery, device identity key recovery and working key recovery.
The two storage methods after the working key is generated include:
31) Encrypting the working key with the SM4 algorithm, using the private key as the key, and storing it in the internal FLASH of the network storage encryptor; when needed it is decrypted again into the CACHE of the network storage encryptor;
32) Encrypting the working key with the device root key of the encryption card and storing it in the internal FLASH of the network storage encryptor; when needed it is decrypted again with the device root key into the CACHE of the network storage encryptor.
The key replacement specifically includes:
Device root key replacement:
613) The device root key is replaced when the network storage encryptor is initialized for the first time;
614) While the public/private key pair and all sensitive information are present in the SRAM of the network storage encryptor, the device root key is regenerated and 2 USB Keys are regenerated.
Device identity key replacement: after obtaining administrator authority, the user generates a new public/private key pair through the interface or the command line and overwrites the old pair; the new public key is then exported to generate a new certificate request file, which, after being signed and issued by the key management center, is delivered to each network storage encryptor on a USB Key as the carrier; finally the new key pair is backed up again.
Working key replacement: the existing encrypted data on the disk is backed up as plaintext data, then encrypted again with the new working key into ciphertext for disk storage.
The key recovery specifically includes:
71) Device root key recovery: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components on the USB Key cards into the memory of the network storage encryptor and merges them with the component inside the chip into the plaintext of the device root key;
72) Device identity key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryptor; the security chip decrypts the ciphertext inside the network storage encryptor with the SM4 algorithm, using the device root key as the decryption key, and keeps the result in the corresponding SRAM region;
73) Working key recovery: the administrator reads the ciphertext stored in the backup medium into the network storage encryptor; the security chip decrypts it with the SM4 algorithm, using the device root key as the decryption key, and reloads the working key.
The network storage encryptor mentioned in the present invention adopts a standard cryptographic algorithm configuration (the SM2, SM3 and SM4 algorithms approved by the State Cryptography Administration) and a cryptographic key security system with a three-level key structure. The network storage encryptor is a 2U rack-mount device whose main body is a data processing FPGA and a configuration management CPU; it also includes a power module, a fan module and a monitoring module. Its hardware composition is shown in Figure 1. The key management system of the present invention designs a service data encryption algorithm, a digital signature algorithm, a storage protection encryption algorithm and a key distribution encryption algorithm. The service data encryption algorithm is implemented with the SM4 algorithm, with a block length of 128 bits and a key length of 128 bits; the digital signature algorithm is implemented jointly with the SM2 and SM3 algorithms, with public and private key lengths of 512 and 256 bits respectively; the storage protection encryption algorithm is implemented with the SM4 algorithm, with a block cipher key length of 128 bits; the key distribution encryption algorithm is implemented with the SM2, SM3 and SM4 algorithms, with public/private key pair lengths of 512 and 256 bits respectively, a block length of 128 bits and a key length of 128 bits. The whole cryptographic key security system uses 4 kinds of keys:
Device root key (DRK): the management key, used for the encrypted storage protection of the other keys in the device; one per device.
Device identity private key (DSK): used for authentication of the machine itself and for cryptographic protection of the remote key distribution process; one per device.
Device identity public key (DPK): used for authentication of the machine itself and for cryptographic protection of the remote key distribution process; one per device.
Key encryption key (KEK): protects the encrypted transmission of keys; produced by the random number generator.
LUN block key (LBK): the working key, or session key, used for cryptographic protection (SM4 algorithm) of disk storage data; one per LUN.
The structure and hierarchical relationship of the cryptographic key security system of the encryption module are shown in Figure 3.
The main functions of the network storage encryptor are: decrypting the data that the application server reads from the RAID, encrypting the data that the application server writes to the disk array, and accepting the unified management of the key management center. The functions of the key management center are as follows.
To ensure that the network storage encryptor can complete every cryptographic service task stably, reliably, quickly and efficiently in a secure and attack-resistant environment, the key configuration and usage strategy of the network storage encryptor must be designed and implemented comprehensively from the perspective of overall system security, taking into account the characteristics and requirements of enterprise user network information systems.
In view of the application and usage environment, the network storage encryptor adopts a fairly complete key structure, configuration and management scheme.
The key management module of the present invention includes:
1) Device root key
A 128-bit symmetric cryptographic key using the SM4 algorithm, used to encrypt and protect the device identity key, the LUN working keys and other sensitive data stored in the FLASH of the network storage encryptor. After being generated by the device, the device root key is divided into three parts S1, S2, S3, where S1 is burned at production time into the security chip inside the network storage encryptor, S2 is saved in component key 1, and S3 is saved in component key 2. If the device root key needs to be updated, it must be ensured that the device identity key, all working keys and other sensitive information have first been decrypted into the SRAM of the network storage encryptor and then re-encrypted with the new device root key; only then are the old root key and its components deleted.
Table 1 Key kinds and purposes
2) Device identity key
An asymmetric cryptographic key. The device identity key of the network storage encryptor is a public/private key pair, with a private key length of 256 bits and a public key length of 512 bits, using the SM2 algorithm; it is used for authentication of the machine itself and for encryption protection of the key encryption key when a working key is shared remotely within the cluster.
The public/private key pair of the device identity key is produced by the device. The public key can be exported by USB Key or through the configuration management interface; the private key cannot leave the network storage encryptor and can only be kept in the security chip inside it. Network storage encryptors are independent of each other, and the identity keys of their devices differ.
3) Key encryption key
A 128-bit symmetric block cipher key using the SM4 algorithm, used to encrypt and decrypt the working key when it is shared within the cluster.
The key encryption key exists only temporarily: each time identity authentication is carried out with each network storage encryptor in the cluster, it is produced in real time by the random number generator of the initiator, used after passing a check, and destroyed as soon as key distribution is complete; it is never stored.
4) Working key
A 128-bit symmetric block cipher key using the SM4 algorithm, used to encrypt and decrypt disk data transmitted over Fibre Channel. Each LUN uses a different working key, and each sector also uses a different working key. Because of the special nature of storage encryption, the working key cannot be changed arbitrarily. When the user needs to change the working key, the existing encrypted data on the disk must first be decrypted with the old working key and stored again after encryption with the new working key; only then can the new working key replace the old one. The working key table of the network storage encryptor can store the ciphertexts of 1024 working keys.
The working key of the network storage encryptor can be generated by the encryptor itself or injected with a key injection key. When the user adds the LUN information of a disk array, the encryptor calls the key acquisition interface of the security chip; the security chip obtains two random numbers from two WNG9 random number generators, takes the XOR of the two random numbers as the working key of the LUN, encrypts it with the device root key, returns it to the encryptor, and finally stores it in the database.
2 Hierarchical relationships
The hierarchical relationship of the key structure used by the network storage encryptor is shown in Figure 2.
The keys of the network storage encryptor are protected level by level:
1) The device root key is backed up and recovered by secret splitting. Physically the device root key exists split into 3 parts: 1 part is kept in the security chip of the network storage encryptor, 1 part in component key 1 and 1 part in component key 2. In normal operation the device root key exists in plaintext only in the SRAM of the security chip and is lost on power-down; reloading the device root key requires inserting the correct component keys.
2) The device identity key is kept in the FLASH of the security chip inside the network storage encryptor. When the device identity key is needed it is read from the FLASH of the security chip and kept in the SRAM of the security chip, where it is lost on power-down.
3) When a working key is shared, the working key is encrypted with the key encryption key, and at the same time the key encryption key is encrypted with the public key of the device identity key; the two are then distributed together, as a digital envelope, to the network storage encryptors in the cluster.
The working key is kept in ciphertext form in the FLASH of the network storage encryptor. In use the ciphertext is read from FLASH and decrypted with the device root key as the key; the plaintext is configured into the SRAM of the FPGA and is lost on power-down.
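As an added example (not code from the patent), the following Python model ties together the storage hierarchy described here (working keys in FLASH only as ciphertext under the device root key, plaintexts only in volatile memory) and the working key replacement order given in the working key section: decrypt with the old key, re-encrypt every sector with the new key, and replace the stored key last. SM4 is not in the Python standard library, so `xcrypt` is a labelled HMAC-SHA256 keystream stand-in rather than SM4; the sector size, LUN number, wrap nonces and sample sectors are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 32  # constructed, small sector size for the demo


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream for the stand-in cipher below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xcrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the SM4 encryption the device uses (standard library only;
    NOT SM4 and not a disk-encryption mode). One call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def new_working_key(rng_a=secrets.token_bytes, rng_b=secrets.token_bytes) -> bytes:
    """XOR of two 128-bit random numbers, as the text describes for a LUN key."""
    return bytes(a ^ b for a, b in zip(rng_a(16), rng_b(16)))


def _sector_nonce(lun: int, index: int) -> bytes:
    return b"SECTOR" + lun.to_bytes(4, "big") + index.to_bytes(8, "big")


class Encryptor:
    """Model of the encryptor's key hierarchy: FLASH holds each LUN working key
    only as ciphertext under the device root key; the plaintext root key and
    any unwrapped working keys live in SRAM and are lost on power-down."""

    def __init__(self, root_key: bytes) -> None:
        self.sram_root_key: Optional[bytes] = root_key
        self.flash: Dict[int, Tuple[bytes, bytes]] = {}  # lun -> (wrap nonce, wrapped key)
        self.disk: Dict[int, List[bytes]] = {}           # lun -> ciphertext sectors
        self.key_cache: Dict[int, bytes] = {}            # SRAM copies of unwrapped keys

    def root_key_loaded(self) -> bool:
        return self.sram_root_key is not None

    def _root(self) -> bytes:
        if self.sram_root_key is None:
            raise RuntimeError("root key not in SRAM: reload it from the component keys")
        return self.sram_root_key

    def _wrap(self, lun: int, working_key: bytes) -> None:
        # Fresh wrap nonce each time, so re-wrapping after a rotation never
        # reuses (root key, nonce) with a different working key.
        nonce = secrets.token_bytes(12)
        self.flash[lun] = (nonce, xcrypt(self._root(), b"WRAP" + nonce, working_key))

    def working_key(self, lun: int) -> bytes:
        # Steps 423/424: read the ciphertext from FLASH, decrypt with the root key.
        if lun not in self.key_cache:
            nonce, wrapped = self.flash[lun]
            self.key_cache[lun] = xcrypt(self._root(), b"WRAP" + nonce, wrapped)
        return self.key_cache[lun]

    def add_lun(self, lun: int, sectors: List[bytes]) -> None:
        self._wrap(lun, new_working_key())
        key = self.working_key(lun)
        self.disk[lun] = [xcrypt(key, _sector_nonce(lun, i), s) for i, s in enumerate(sectors)]

    def read_lun(self, lun: int) -> List[bytes]:
        key = self.working_key(lun)
        return [xcrypt(key, _sector_nonce(lun, i), c) for i, c in enumerate(self.disk[lun])]

    def rotate_working_key(self, lun: int) -> None:
        """Replace a LUN's working key in the order the text requires: decrypt
        with the old key, re-encrypt every sector with the new key, and only
        then replace the stored key. (A real device would also persist a
        progress marker so an interrupted rotation can be resumed.)"""
        old_key = self.working_key(lun)
        new_key = new_working_key()
        self.disk[lun] = [
            xcrypt(new_key, _sector_nonce(lun, i), xcrypt(old_key, _sector_nonce(lun, i), c))
            for i, c in enumerate(self.disk[lun])
        ]
        self._wrap(lun, new_key)       # FLASH entry replaced last
        self.key_cache[lun] = new_key  # old key no longer referenced anywhere

    def power_down(self) -> None:
        """Volatile state is lost: root key and unwrapped working keys."""
        self.key_cache.clear()
        self.sram_root_key = None


if __name__ == "__main__":
    enc = Encryptor(secrets.token_bytes(16))
    data = [bytes([i]) * SECTOR_SIZE for i in range(4)]
    enc.add_lun(7, data)
    enc.rotate_working_key(7)
    print("sectors still readable after rotation:", enc.read_lun(7) == data)
```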
Configuration design
In network storage encryption equipment, cipher key configuration briefly describes as shown in table 2.
Wherein, equipment identities public and private key, root key press network storage encryption equipment separate configurations, add with other network storage
Close machine is different;Working key presses LUN configuration, and every LUN is different.
Managed Solution
The key management of the network storage encryption equipment side such as (include producing, distribute, store, back up, change, recover, destruction)
Case is as shown in table 4.
Table 3 key management
Key generates
Equipment root key, equipment identities key and working key are the keys of protection data, its at random etc. general property to closing weight
Wanting, it is ensured that its randomness, nonrepeatability and unpredictability, we mainly use by safety double in network storage encryption equipment
The noise maker of chip produces the scheme of key, and after statistical test is qualified, is just used for generating various key.
The equipment root key is generated when the USB Keys of the network storage encryption machine are made: 3 random numbers of 16 bytes are taken from each of the two WNG9 noise generators and XORed to form the 3 components of the equipment root key, which are held temporarily in the SRAM of the security chip. Then 2 USB Keys must be made: 1 component is kept in the FLASH of the security chip inside the card, and the other 2 components are written to the 2 USB Keys respectively; these are the only non-volatile carriers of the equipment root key. A root key is generated before the network storage encryption machine leaves the factory; this factory root key is split and saved in the 3 locations. When the user operates the network storage encryption machine for the first time, the user obtains administrator rights with the 2 USB Keys, generates a new equipment root key, erases the 2 factory USB Keys, and writes the splitting factors of the new equipment root key to the 2 USB Keys again. The factory root key becomes invalid immediately.
The equipment identity key is generated inside the network storage encryption machine, in the security chip, with the SM2 algorithm certified by the State Cryptography Administration. The equipment identity key is encrypted with the root key and kept in the FLASH of the security chip of the network storage encryption machine; the public key can be exported, and after export it is used to generate the certificate request of this machine, which, once the KMC has signed and issued it, is uniformly distributed to each device node.
The key-encrypting key and the working key may be generated by the network storage encryption machine or by the KMC; which is used is determined by the application design. A generated key may be used only after it has passed the randomness test and the repeatability check.
Key distribution
The equipment root key is generated when the USB Keys of the network storage encryption machine are made and does not need to be distributed. The equipment identity key is generated by each network storage encryption machine; the private key cannot be exported, while the public key, after export from the network storage encryption machine, is used to generate the machine's certificate request file, which is then carried by the key-injection carrier and, after the KMC has signed and issued it, uniformly distributed to each device node.
Distribution of a working key is initiated by the KMC or by the end device that generated the key and, on the premise of identity authentication, is carried out as a digital envelope, protected by a public key signature and by the key-encrypting key.
Key storage
The equipment root key is split into 3 different parts: 1 part is kept in the security chip of the network storage encryption machine, and the other 2 parts are encrypted and stored on 2 USB Keys, which must be kept separately. In use, the equipment root key exists in the internal SRAM of the security chip and is lost on power-down.
The equipment identity key, once generated, is encrypted inside the network storage encryption machine with the SM4 algorithm using the equipment root key as the key, and the ciphertext is kept in the internal FLASH of the security chip of the network storage encryption machine. In use, the security chip decrypts the equipment identity key into its internal SRAM, where it is lost on power-down.
The key-encrypting key is used once, destroyed immediately afterwards and never preserved.
After generation, the working key is preserved in one of two modes selectable by the user:
Encrypted with the SM4 algorithm using the private key as the key and kept in the internal FLASH of the network storage encryption machine; when needed it is decrypted again into the CACHE of the network storage encryption machine.
Encrypted with the equipment root key of the encryption card and kept in the internal FLASH of the network storage encryption machine; when needed it is decrypted again with the equipment root key into the CACHE of the network storage encryption machine.
Key use
Steps for using the equipment root key:
1) User identity authentication must pass first: during authentication the user must insert the two USB Keys within a five-minute interval;
2) After at least two USB Keys have passed authentication, the root key components held in the component Keys can be read into the SRAM of the security chip of the network storage encryption machine;
3) Together with the root key component held inside the network storage encryption machine, the plaintext of the equipment root key is computed by modulo-2 addition;
4) After recovery, the equipment root key remains at a fixed location in the SRAM of the security chip until it is lost on power-down; the next use requires reloading it;
5) Once the equipment root key has been injected, the component Keys can be removed and kept as before;
Steps for using the equipment identity key:
1) The two USB Keys are used to pass authentication and obtain the authority;
2) The equipment identity key kept in the FLASH of the security chip is read into the SRAM of the security chip;
3) After reading, the equipment identity key remains at a fixed location in the SRAM of the security chip until it is lost on power-down; the next use requires reading it again;
4) Once equipment identity key authentication is complete, the component Keys can be removed and kept as before.
Steps for using the working key:
1) The authority is obtained after operator identity authentication;
2) The decryption mode is chosen according to the user's designation;
3) The working key ciphertext kept in FLASH is read into SRAM;
4) The plaintext of the working key is obtained by SM4 decryption with the equipment root key as the key, or by decryption with the private key;
5) It remains at a fixed location in SRAM until it is lost on power-down; the next use requires decrypting it again.
Key backup
Backup of the network storage encryption machine refers primarily to backing up the key information in the FLASH that the network storage encryption machine uses to store keys and protective data. Backup is extremely important for maintaining the continuity of the business system; the network storage encryption machine supports backing up its internal information to another medium (USB Key). Backup of the network storage encryption machine must be performed by the administrator of the network storage encryption machine in system maintenance mode, and the backup medium must be kept by a designated person.
The root key is kept only in split form on the 2 USB Keys and has no other backup.
Backup of the equipment identity key requires, after administrator identity authority has been obtained, that the equipment identity key kept by the network storage encryption machine be encrypted with the SM4 algorithm using the equipment root key in the SRAM of the security chip as the key and then written to the backup medium. When backup is required, the public key and the private key are kept separately on two backup media.
The key-encrypting key is not backed up.
The working key is the key that decrypts the data on disk and must be backed up: if the working key currently in use is destroyed or its file is corrupted, the user's disk data cannot be recovered. Backup requires, after administrator identity authority has been obtained, encrypting the working key with the SM4 algorithm using the equipment root key in the SRAM of the security chip as the key and writing the ciphertext to a USB Key. Keys may be backed up on a schedule or irregularly as required.
Key change
The equipment root key is generated when the network storage encryption machine is produced, and once written it cannot be read from outside. The user must generate a new equipment root key when initializing the network storage encryption machine for the first time, replacing the factory equipment root key; afterwards it may be left unchanged. If the equipment root key does need to be changed, ensure that the public/private key pair and all sensitive information are present in the SRAM of the network storage encryption machine, then generate a new equipment root key and make the 2 USB Keys again.
The equipment identity key is changed manually by the user after its usage period has expired: the user first obtains administrator rights, generates a new public/private key pair through the interface or the command line, overwrites the old pair, then exports the new public key to generate a new certificate request file, which, after the KMC has signed and issued it, is distributed to each network storage encryption machine with a USB Key as carrier. The new key pair must also be backed up again.
The working key is updated manually by the user: before the update, the data originally encrypted on the disk must be backed up as plaintext, and it is then encrypted again with the new working key before being written back to disk as ciphertext.
Key recovery
Recovering the equipment root key: the administrator inserts the 2 USB Keys in turn; the security chip reads the root key components from the USB Key cards into the memory of the network storage encryption machine and merges them with the component held inside the card into the plaintext of the equipment root key.
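The root key component scheme from the key generation, key use and key recovery sections, as an added Python model that is not code from the patent: three 16-byte components are formed by XORing draws from two noise sources, one component stays in the chip, two go to the USB Keys, and the root key exists only in SRAM after modulo-2 addition. The monobit check, the noise-source callables and the class and function names are assumptions; USB Key authentication is not modeled.

```python
import secrets

COMPONENT_LEN = 16  # each component is 16 bytes, as on the page
NUM_COMPONENTS = 3  # 1 in the security chip FLASH + 2 on USB Keys


def xor(*parts: bytes) -> bytes:
    """Modulo-2 addition of equal-length byte strings."""
    out = bytearray(len(parts[0]))
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def monobit_ok(data: bytes, tolerance: float = 0.15) -> bool:
    """Simplified statistical acceptance test (assumption: the page does not name
    its tests). Roughly half of the raw noise bits must be ones."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5) <= tolerance


def generate_components(noise_a, noise_b):
    """Take 3 x 16 bytes from each noise source, test them, XOR pairwise into 3 components."""
    raw_a = [noise_a(COMPONENT_LEN) for _ in range(NUM_COMPONENTS)]
    raw_b = [noise_b(COMPONENT_LEN) for _ in range(NUM_COMPONENTS)]
    if not (monobit_ok(b"".join(raw_a)) and monobit_ok(b"".join(raw_b))):
        raise RuntimeError("noise output failed statistical test; not used as key material")
    return [xor(a, b) for a, b in zip(raw_a, raw_b)]


class SecurityChip:
    """Hypothetical model: one component is non-volatile, the root key lives only in SRAM."""

    def __init__(self, noise_a=secrets.token_bytes, noise_b=secrets.token_bytes):
        self.noise_a, self.noise_b = noise_a, noise_b  # stand-ins for the two WNG9 generators
        self.flash_component = None  # component kept in chip FLASH when the USB Keys are made
        self.sram_root_key = None    # plaintext root key, lost on power-down

    def make_usb_keys(self):
        """Generate a fresh root key (factory or first-use rekey); return the two USB Key parts.
        Any previously issued USB Keys no longer combine with the new chip component."""
        chip, usb1, usb2 = generate_components(self.noise_a, self.noise_b)
        self.flash_component = chip
        return usb1, usb2

    def load_root_key(self, usb1, usb2):
        """Step 3 of root key use: modulo-2 add the two USB Key components and the chip component."""
        self.sram_root_key = xor(self.flash_component, usb1, usb2)
        return self.sram_root_key

    def power_down(self):
        self.sram_root_key = None
```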
Recovering the equipment identity key: the administrator reads the ciphertext kept in the backup medium into the network storage encryption machine; the security chip, using the equipment root key as the decryption key and the SM4 algorithm, decrypts the ciphertext inside the network storage encryption machine and places the result in the corresponding SRAM region for use.
Recovering the working key: the administrator reads the ciphertext kept in the backup medium into the network storage encryption machine; the security chip, using the equipment root key as the decryption key and the SM4 algorithm, decrypts it, after which the working key can be downloaded again and updated.
In addition to using the cryptographic algorithms specified by the State Cryptography Administration, configuring multi-level keys and splitting keys into components, the network storage encryption machine is designed with multiple security protection mechanisms to ensure the security of communication data and of the system itself.
The encryption/decryption point of the network storage encryption machine is embedded in the FC data frames between the initiator and the target of the storage system, so effective confidentiality protection can be applied to all FC data frames transmitted over the link.
A key management allocation scheme divided by LUN is used. Different LUNs use different data encryption/decryption keys, ensuring that disk data encryption is separated by LUN. Each network storage encryption machine holds only the keys associated with its own LUN encryption/decryption, so a security threat to one network storage encryption machine affects only the security of the business information associated with that machine, and the security of the business information of other users across the network is unaffected.
A centralized key maintenance strategy is used, so the security of key management is controllable. A remote online key distribution mechanism is used, so key configuration is flexible and convenient, and the encryption system can be deployed and adjusted quickly, safely and reliably.
The keys and key parameters in a network storage encryption machine can be destroyed remotely, so in an emergency the network storage encryption machine can be effectively isolated, ensuring the security of the whole storage system. The SM4 standard cryptographic algorithm approved for use by the State Cryptography Administration is selected as the core carrier of information encryption/decryption and storage protection, and system development follows the national commercial cryptographic equipment development specification. In developing the security system, security techniques such as boot authentication, storage encryption protection of keys and parameters with machine and card separated, a dedicated cryptographic algorithm chip, a security-customized Linux kernel / dedicated drivers / dedicated system service management module / proprietary key distribution management protocol are used, so that the security system itself has strong self-protection and loss of control of a single device does not cause fatal damage to the security of the system.
The embodiment described above is merely one preferred embodiment of the present invention; ordinary variations and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall all fall within the scope of the present invention.