WO2015014136A1 - General virtual data encryption storage system - Google Patents


Info

Publication number
WO2015014136A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
storage system
memory
server
virtual data
Prior art date
Application number
PCT/CN2014/076099
Other languages
French (fr)
Chinese (zh)
Inventor
相韶华
容健民
王伟全
Original Assignee
Xiang Shaohua
Yung Kin Man
Wong Wai Chuen
Application filed by Xiang Shaohua, Yung Kin Man, Wong Wai Chuen
Publication of WO2015014136A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/08 Protocols for interworking; Protocol conversion

Definitions

  • the present invention relates to a data storage system, and more particularly to a storage system that encrypts data.
  • the data exchange between the memory and the server is realized by the data switch.
  • the data in the memory is kept in the plaintext state, so that the server can read it directly through the data switch.
  • because the data in the memory is in the plaintext state, an internal threat or an external intrusion lets a third party obtain all the information directly, making the confidentiality of the information particularly difficult; therefore a technical solution to the above problem is urgently needed.
  • a universal virtual data encryption storage system includes a memory, a data switch and a server connected in sequence, wherein the data switch encrypts the data in the memory by using an encryption algorithm, so that the data in the memory is kept in the ciphertext state.
  • when the server requests data from the memory, the data switch decrypts the requested data so that the requested data becomes plaintext and is sent to the server.
  • the data switch is both a virtual memory and a virtual server: when the data switch exchanges data with the memory, the data switch is a virtual server; when the data switch exchanges data with the server, the data switch is a virtual memory.
  • because the data switch encrypts the data of the memory by using an encryption algorithm, only data in the ciphertext state can be obtained from inside or outside; because the data is in the ciphertext state, third parties cannot know the true content of the data, which greatly increases the confidentiality of the data.
  • the core of the present invention is to implement the data encryption/decryption process using a data switch.
  • although this can be implemented purely by a software program, the focus of the present invention is not how to implement data encryption using a program, but the application of the encryption step to data transmission; therefore the technical solution of the present invention is not limited to implementation by a software program, but may also be implemented directly by a hardware device, such as existing encryption hardware.
  • the encryption algorithm is AES, DES, 3DES, RC2/RC4, IDEA, RSA or BLOWFISH among the public algorithms.
  • the encryption algorithm is SSF33, SSF28 or SCB2 (SM1) among the non-public algorithms.
  • the encryption algorithm is a keyed encryption algorithm; the key is automatically replaced according to the setting, and the data switch re-encrypts the data of the memory according to the replaced key.
  • the memory supports both random access and sequential access.
  • the communication protocol supported by the memory is FCP, FCoE, iSCSI, SCSI, SAS, NFS, CIFS, SMB, FTP, HTTP or REST.
  • the storage manner of the memory is module storage, object storage, archive storage, backup storage, DAS, NAS, SAN, tape, virtual storage or cloud storage.
  • the communication protocols between the data switch and the memory and between the data switch and the server differ, and the data switch has a communication protocol conversion function for converting between the protocols of the memory and the server.
  • the data switch is a software program, a hardware device or a combination of a software program and a hardware device.
  • the data switch is connected to the memory and the server through a fiber optic connector or an electronic switch.
  • the universal virtual data encryption storage system performs randomized reading and writing of the encrypted data by data address.
  • the universal virtual data encryption storage system encrypts and protects static stored data, and simultaneously encrypts and protects dynamic data at the network layer.
  • the universal virtual data encryption storage system automatically performs hardware or software acceleration of the related encryption/decryption processing on a software basis.
  • the universal virtual data encryption storage system supports multi-point cluster deployment or distributed deployment.
  • Figure 1 is a schematic view of the structure of the present invention.
  • FIG. 2 is a schematic diagram showing the functions of the data switch of the present invention.
  • FIG. 3 is a schematic diagram showing the relationship between a server and a data switch of the present invention.
  • FIG. 4 is a schematic diagram showing the relationship between a memory and a data switch of the present invention.
  • the embodiment of the present invention includes a memory, a data switch, and a server.
  • the data switch can be connected to the memory and the server through a fiber optic connector or an electronic switch; the data switch in this embodiment is connected to the memory and to the server respectively through fiber optic connectors.
  • the storage manner of the memory is module storage, object storage, archive storage, backup storage, DAS, NAS, SAN, tape, virtual storage or cloud storage.
  • each storage method has its own characteristics; for example DAS (Direct-Attached Storage for open systems) relies mainly on the server host operating system for data I/O and for storage maintenance and management.
  • data backup and recovery require server host resources (including CPU, system I/O, etc.), and the data flow has to pass back through the host to the tape drive connected to the server.
  • the data backup usually occupies 20-30% of the server host resources.
  • NAS is a mechanism for realizing data storage by using special devices directly connected to the network medium.
  • SAN: storage area network.
  • the SAN network consists of the communication structure responsible for network connections, the management layer responsible for organizing connections, storage components, and computer systems, to ensure the security and strength of data transmission.
  • the above cloud storage method is a popular storage technology and also has various options, such as EMC Atmos, Caringo CAStor, OpenStack, RackSpace, Windows Azure, Amazon AWS or Google, from which users can choose according to their own needs; for example Windows Azure is Microsoft's cloud-based operating system and, like the Azure Services Platform, is the name of Microsoft's "software and services" technology.
  • the main goal of Windows Azure is to provide developers with a platform that helps them develop applications that run on cloud servers, in data centers, on the Web and on PCs; cloud computing developers can use the storage, computing power and network infrastructure services of Microsoft's global data centers.
  • the Azure Services Platform includes the following major components: Windows Azure; Microsoft SQL database services; Microsoft .Net services; the Live service for sharing, storing and synchronizing files; and Microsoft SharePoint and Microsoft Dynamics CRM services for business.
  • the communication protocol of the memory is not fixed and should be selected according to actual needs.
  • FCP, FCoE, iSCSI, SCSI, SAS, NFS, CIFS, SMB, FTP, HTTP and REST are all common communication protocols; the user can select according to their own needs, as follows:
  • FCP is the Fibre Channel Protocol.
  • FCoE is Fibre Channel over Ethernet, i.e. Fibre Channel carried over Ethernet.
  • the FCoE technology standard maps Fibre Channel onto Ethernet and inserts Fibre Channel information into Ethernet packets, allowing Fibre Channel requests and data between servers and SAN storage devices to be transported over Ethernet connections without dedicated fibre, so that SAN data can be transmitted over Ethernet.
  • FCoE allows LAN and FC SAN communications over a single cable. A converged network can carry both LAN and SAN data types, reducing data center equipment and cable counts and reducing power and cooling loads; the number of points that need to be supported on a unified network is also reduced, which helps to lower the administrative burden. It protects customers' investments in existing FC SANs (such as FC SAN tools, employee training, built-in FC SAN facilities and the corresponding management infrastructure), providing an I/O consolidation solution with the FC storage protocol at its core.
  • the current FCoE technology standard proposal can use a network card of any speed, but requires the network card to support the 802.3x PAUSE mechanism.
  • FCoE is aimed at 10G Ethernet; its application has the advantage of greatly reducing the number of network interfaces on the server while maintaining the original services (while also reducing the number of cables, saving switch ports and reducing the number of control points that administrators need to manage), which reduces power consumption, brings convenience to management and increases the availability of the system.
  • FCoE is becoming a reality with enhanced 10Gb Ethernet technology, commonly referred to as Data Center Bridging (DCB) or Converged Enhanced Ethernet (CEE). Tunneling protocols such as FCIP and iFCP transmit FC communication over long distances, whereas FCoE is a Layer 2 encapsulation protocol that essentially uses the Ethernet physical transport to carry FC data.
  • DCB: Data Center Bridging.
  • CEE: Converged Enhanced Ethernet.
  • iSCSI technology was developed by IBM Corporation; it is a SCSI instruction set, usable by hardware devices, that runs on top of the IP protocol, enabling the SCSI protocol to be carried over IP networks and routed over high-speed Gigabit Ethernet.
  • iSCSI technology is a new storage technology that combines the existing SCSI interface with Ethernet technology to enable servers to exchange data with storage devices over IP networks.
  • SCSI (Small Computer System Interface) is an independent processor standard for the system-level interface between the computer and intelligent devices (hard disk, floppy drive, optical drive, printer, scanner, etc.).
  • SCSI is an intelligent, universal interface standard; it is the interface standard between various computers and external devices.
  • NFS is short for Network File System, namely the network file system.
  • the network file system is one of the file systems supported by FreeBSD, also known as NFS.
  • NFS allows a system to share directories and files with others on the network. By using NFS, users and programs can access files on remote systems as if they were local files.
  • CIFS is a newly proposed protocol that allows programs to access files on remote Internet computers and request services from those computers.
  • CIFS uses the client/server model.
  • the client program requests the server program on the server to serve it.
  • the server gets the request and returns a response.
  • CIFS is a public or open version of the SMB protocol and is used by Microsoft.
  • the SMB protocol is now a protocol for server file access and printing on a local area network.
  • CIFS runs at a higher level than the TCP/IP protocol.
  • CIFS can be thought of as an implementation of application protocols such as file transfer protocols and hypertext transfer protocols.
  • CIFS can achieve the following functions:
  • File names can use any character set, not limited to character sets designed for English or Western European languages.
  • in general, CIFS gives users better control over files than FTP. It provides a potentially more straightforward server interface, which is better than a browser using the HTTP protocol. The most typical application of CIFS is that Windows users can find other hosts on the network and access shared folders from "My Network Places".
  • CIFS is an open standard and has been submitted to the IETF as an Internet application standard.
  • SMB: Server Message Block.
  • FTP (File Transfer Protocol) is a set of standard protocols for file transfer on the network; it belongs to the application layer of the network transport protocols.
  • FTP is an 8-bit client-server protocol that can handle any type of file without further processing, in the same way as MIME or Unicode.
  • FTP has very high latency, which means that the time between the start of a request and the first receipt of the requested data can be very long, and from time to time lengthy login processes must be performed.
  • HTTP: HyperText Transfer Protocol.
  • REST refers to a set of architectural constraints and principles; an application or design that satisfies these constraints and principles is RESTful.
  • REST defines a set of architectural principles by which resource-centric Web services can be designed, including how clients written in different languages can process and transfer resource state over HTTP.
  • the server refers to a software and hardware platform running under different operating systems, such as Linux, Unix, Windows, Mac OS, Android, OS400 or Mainframe/zOS, etc., and the server can have various applications, such as a file system, database, data warehouse, file management system, big data analysis system, enterprise resource management, customer relationship management, mail system, web server, application server and middleware.
  • the data switch of the present invention is both a virtual memory and a virtual server.
  • when the data switch exchanges data with the memory, the data switch is a virtual server (as shown in the figures); when the data switch exchanges data with the server, the data switch is a virtual memory.
  • because the data switch encrypts the data of the memory by using an encryption algorithm, only the ciphertext state can be obtained from inside or outside.
  • because the data is in the ciphertext state, a third party cannot know the true content of the data, thus greatly improving the confidentiality of the data.
  • the above encryption algorithm has various options, which may be AES, DES, 3DES, RC2/RC4, IDEA, RSA or BLOWFISH among the open algorithms, or SSF33, SSF28 or SCB2 (SM1) among the non-public algorithms. They are all well known and are as follows:
  • AES is the Advanced Encryption Standard in cryptography, also known as Rijndael. It is a block encryption standard adopted by the US federal government. This standard replaces the original DES, has been analyzed by many parties and is widely used in various industries around the world. After more than five years of rigorous selection, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. Since 2006, the Advanced Encryption Standard has become one of the most popular algorithms in symmetric key encryption.
  • DES, also known as the Data Encryption Algorithm (DEA), is a symmetric encryption algorithm, probably the most widely used key system, especially in the protection of financial data; DES was originally developed to be embedded in hardware.
  • ATM: Automated Teller Machine.
  • ATMs use DES. It comes from IBM's research work, and IBM held a patent on it for several years, but after the patent expired in 1983 it entered the public domain, allowing royalty-free use under certain conditions. In 1977 it was formally adopted by the US government.
  • 3DES (or Triple DES) is a generic term for the block cipher TDEA (Triple Data Encryption Algorithm). It is equivalent to applying the DES encryption algorithm three times to each data block. Because of the increase in computing power, the key length of the original DES cipher became easy to brute-force; 3DES was designed to provide a relatively simple way of avoiding such attacks by increasing the key length of DES, rather than designing a new block cipher algorithm.
  • RC2 is a traditional symmetric block cipher algorithm designed by the famous cryptographer Ron Rivest, which can be used as a suggested alternative to the DES algorithm. Its input and output are both 64 bits. The key length is variable from 1 byte to 128 bytes. The algorithm is designed to be easily implemented on a 16-bit microprocessor; on an ordinary 16-bit computer, the RC2 encryption algorithm can execute twice as fast as the DES algorithm.
  • the RC4 encryption algorithm was designed in 1987 by Ron Rivest, the leading member of the RSA trio, as a family of variable-key-length stream ciphers. It is called a family because the S-box length of its core part can be arbitrary, though it is generally 256 bytes. The algorithm can achieve speeds up to 10 times that of DES encryption and has a very high level of nonlinearity.
  • RC4 was originally a protected trade secret, but in September 1994 the algorithm was released on the Internet and it was no longer a trade secret. RC4 is also called ARC4 (Alleged RC4, the so-called RC4), because RSA has never officially released this algorithm.
  • IDEA was proposed in 1990 by the young Chinese scholar Xuejia Lai, working in Switzerland, and the famous cryptographer J. Massey. It was officially announced in 1990 and later enhanced.
  • this algorithm was developed on the basis of the DES algorithm and is similar to triple DES; like DES, IDEA is also a symmetric key algorithm.
  • IDEA was also developed because of the shortcoming of DES having too short a key. IDEA's key is 128 bits, and such a long key should be secure for years to come.
  • the IDEA algorithm is also a block encryption algorithm that uses a series of encryption rounds, each using a subkey generated from the complete encryption key.
  • the difference from DES is that it is equally fast in software and hardware implementations.
  • IDEA was also a major contender for the AES algorithm standard, and its security has been proven at the International Cryptology Conference. PGP (Pretty Good Privacy) adopts the IDEA algorithm.
  • the RSA public key encryption algorithm was developed in 1977 by Ron Rivest, Adi Shamir and Len Adleman (Massachusetts Institute of Technology, USA); RSA is named after the three of them. RSA is currently the most influential public key encryption algorithm, resists all known cryptographic attacks to date, and has been recommended by ISO as a public key data encryption standard. The RSA algorithm is based on a very simple fact of number theory: it is very easy to multiply two large prime numbers, but extremely difficult to factor the product, so the product can be exposed as the encryption key.
  • BlowFish is an easy-to-use file and folder encryption program: the file or folder is simply dragged with the mouse onto the encrypted document.
  • SSF33, SSF28 and SCB2 are concealed, undisclosed commercial algorithms of the China National Cryptographic Bureau. They are only allowed to be used in domestic civil and commercial applications.
  • the system can be set to replace the key periodically or irregularly. After the key is replaced, the data in the memory is encrypted according to the new key, which enhances data security and prevents third parties from having sufficient time to decipher the encrypted data.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a general virtual data encryption storage system. A data exchanger is disposed between a memory and a server, so that data exchange between the memory and the server is carried out through the data exchanger. Data in the memory is encrypted by the data exchanger by means of an encryption algorithm, so that the data in the memory is kept in a ciphertext state; when the server requests data, the requested data is decrypted by the data exchanger, so that it is changed to a plaintext state and sent to the server. Because the plaintext data of the memory is encrypted by the data exchanger by means of the encryption algorithm, without authorization only data in the ciphertext state can be obtained, whether an intrusion is carried out internally or externally; that is, a third party cannot obtain the real content of the data, thereby greatly improving the confidentiality of the data.

Description

Universal virtual data encryption storage system

Technical field
The present invention relates to a data storage system, and more particularly to a storage system that encrypts data.

Background art
Data exchange between the memory and the server is carried out through a data switch. To improve the efficiency of reading and writing, the data in the memory is kept in the plaintext state so that the server can read it directly through the data switch. However, because the data in the memory is in plaintext, an internal threat or an external intrusion lets a third party obtain all the information directly, making the confidentiality of the information particularly difficult to maintain. A technical solution to the above problem is therefore urgently needed.

Summary of the invention
The object of the present invention is to provide a universal virtual data encryption storage system that increases the confidentiality of data, so that the data remains in the ciphertext state even when subjected to an internal threat or an external intrusion.
A universal virtual data encryption storage system comprises a memory, a data switch and a server connected in sequence. The data switch encrypts the data in the memory with an encryption algorithm so that the data in the memory is kept in the ciphertext state; when the server requests data from the memory, the data switch decrypts the requested data so that it becomes plaintext and sends it to the server.
While the system is in use, the data switch is both a virtual memory and a virtual server: when the data switch exchanges data with the memory, it acts as a virtual server, and when it exchanges data with the server, it acts as a virtual memory. Because the data switch encrypts the data in the memory with an encryption algorithm, only data in the ciphertext state can be obtained from inside or outside the system, and since the data is in ciphertext a third party cannot learn its true content, which greatly increases the confidentiality of the data.
It should also be pointed out that the core of the present invention lies in using a data switch to carry out the data encryption/decryption process. Although this can be implemented purely by a software program, the focus of the present invention is not how to implement data encryption in a program but the application of the encryption step to data transmission. The technical solution of the present invention is therefore not limited to implementation by a software program; it may also be implemented directly by a hardware device, such as existing encryption hardware.
Preferably, the encryption algorithm is one of the public algorithms AES, DES, 3DES, RC2/RC4, IDEA, RSA or BLOWFISH.
Preferably, the encryption algorithm is one of the non-public algorithms SSF33, SSF28 or SCB2 (SM1).
Preferably, the encryption algorithm is a keyed encryption algorithm; the key is replaced automatically according to a configured setting, and the data switch re-encrypts the data in the memory under the replaced key.
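An added example of the arrangement described in the Summary above (the same arrangement the Definitions bullets restate), written for this page rather than taken from the patent: a Go model in which the memory holds only ciphertext, the data switch encrypts on write and decrypts on read, and replacing the key re-encrypts every stored record. AES-GCM (AES being one of the algorithms the patent lists), the record layout with a key-generation header, and binding each record to its address are this example's own choices, not the patent's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Memory stands in for the storage device (address -> record): ciphertext only, no key.
type Memory map[uint64][]byte

// DataSwitch sits between server and memory: toward the memory it acts as a
// server, toward the server it acts as memory. It alone holds the key.
type DataSwitch struct {
	Mem   Memory
	aead  cipher.AEAD
	keyID uint32 // bumped on every rotation and stored in each record header
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-128/192/256 by key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewDataSwitch(key []byte) (*DataSwitch, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &DataSwitch{Mem: Memory{}, aead: aead, keyID: 1}, nil
}

// addrAAD binds a record to its address, so a ciphertext copied elsewhere fails to open.
func addrAAD(addr uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], addr)
	return b[:]
}

// Write encrypts plaintext from the server and stores the record
// keyID(4) || nonce(12) || ciphertext || tag(16) (layout constructed for this example).
func (s *DataSwitch) Write(addr uint64, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	hdr := make([]byte, 4, 4+len(nonce)+len(plaintext)+s.aead.Overhead())
	binary.BigEndian.PutUint32(hdr, s.keyID)
	s.Mem[addr] = s.aead.Seal(append(hdr, nonce...), nonce, plaintext, addrAAD(addr))
	return nil
}

// Read fetches, authenticates and decrypts the record at addr for the server.
func (s *DataSwitch) Read(addr uint64) ([]byte, error) {
	if rec, ok := s.Mem[addr]; ok {
		return open(s.aead, s.keyID, addr, rec)
	}
	return nil, fmt.Errorf("no data at address %d", addr)
}

func open(aead cipher.AEAD, keyID uint32, addr uint64, rec []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(rec) < 4+ns+aead.Overhead() {
		return nil, fmt.Errorf("record at %d too short", addr)
	}
	if got := binary.BigEndian.Uint32(rec); got != keyID {
		return nil, fmt.Errorf("record under key %d, current key is %d", got, keyID)
	}
	return aead.Open(nil, rec[4:4+ns], rec[4+ns:], addrAAD(addr))
}

// Rotate installs newKey and re-encrypts every record under it, so nothing stays under
// the retired key. All records are decrypted first, so a bad record aborts the rotation
// before the key or the memory is touched.
func (s *DataSwitch) Rotate(newKey []byte) error {
	aead, err := newAEAD(newKey)
	if err != nil {
		return err
	}
	plain := make(map[uint64][]byte, len(s.Mem))
	for addr, rec := range s.Mem {
		pt, err := open(s.aead, s.keyID, addr, rec)
		if err != nil {
			return fmt.Errorf("addr %d: %w", addr, err)
		}
		plain[addr] = pt
	}
	s.aead, s.keyID = aead, s.keyID+1
	for addr, pt := range plain {
		if err := s.Write(addr, pt); err != nil {
			return err
		}
	}
	return nil
}
```

Writing a record, reading it back and rotating the key exercises the three operations; inspecting the Mem map directly shows that the memory never holds plaintext and that the header's key generation changes on rotation.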
Preferably, the memory supports both random access and sequential access.
Preferably, the communication protocol supported by the memory is FCP, FCoE, iSCSI, SCSI, SAS, NFS, CIFS, SMB, FTP, HTTP or REST.
Preferably, the storage manner of the memory is module storage, object storage, archive storage, backup storage, DAS, NAS, SAN, tape, virtual storage or cloud storage.
Preferably, the communication protocols between the data switch and the memory and between the data switch and the server differ, and the data switch has a communication protocol conversion function for converting between the protocols of the memory and the server.
Preferably, the data switch is a software program, a hardware device, or a combination of a software program and a hardware device.

Preferably, the data switch is connected to the memory and the server through a fiber optic connector or an electronic switch.
Preferably, the universal virtual data encryption storage system performs randomized reads and writes of the encrypted data by data address.

Preferably, the universal virtual data encryption storage system encrypts and protects static stored data, and at the same time encrypts and protects dynamic data at the network layer.
Preferably, the universal virtual data encryption storage system automatically applies hardware or software acceleration to the related encryption/decryption processing on a software basis.
Preferably, the universal virtual data encryption storage system supports multi-point cluster deployment or distributed deployment.

Brief description of the drawings
Figure 1 is a schematic diagram of the structure of the present invention;
Figure 2 is a schematic diagram of the functions implemented by the data switch of the present invention;
Figure 3 is a schematic diagram of the relationship between the server and the data switch of the present invention;
Figure 4 is a schematic diagram of the relationship between the memory and the data switch of the present invention.

Detailed description
An embodiment of the present invention, as shown in Figures 1 to 4, comprises a memory, a data switch and a server. The data switch can be connected to the memory and the server through a fiber optic connector or an electronic switch; in this embodiment the data switch is connected to the memory and to the server through fiber optic connectors.
About the memory:
The storage manner of the memory is one of module storage, object storage, archive storage, backup storage, DAS, NAS, SAN, tape, virtual storage or cloud storage. Each storage manner has its own characteristics. DAS (short for Direct-Attached Storage of an open system) relies mainly on the operating system of the server host for data I/O and for storage maintenance and management; data backup and recovery consume server host resources (including CPU and system I/O), the data flow has to pass back through the host to the tape drive attached to the server, and data backup typically takes 20-30% of the server host's resources. NAS is a mechanism that implements data storage with special devices attached directly to the network medium; because these devices are assigned IP addresses, clients can access them through a server acting as a data gateway, and in some cases clients can even access the devices directly without any intermediary. A SAN (storage area network) is a high-speed network or subnetwork that provides data transfer between computers and storage systems; a SAN consists of the communication structure responsible for network connections, the management layer responsible for organizing connections, the storage components and the computer systems, thereby ensuring the security and strength of data transmission.
其中上述的云存储方式是现时较为流行的一种存储技术, 它也具有多种选择, 如 EMC Atmos、 Caringo CAStor、 OpenStack、 RackSpace、 Windows Azure Amazon AWS或 Google 等,用户可根据自身需要选择;例如 Windows Azure是微软基于云计算的操作***,和 Azure Services Platform—样, 是微软 "软件和服务"技术的名称, Windows Azure的主要目标是为 开发者提供一个平台, 帮助开发可运行在云服务器、 数据中心、 Web和 PC上的应用程序, 云计算的开发者能使用微软全球数据中心的储存、 计算能力和网络基础服务。 Azure服务平 台包括了以下主要组件: Windows Azure; Microsoft SQL数据库服务, Microsoft .Net服务; 用于分享、 储存和同步文件的 Live说服务; 针对商业的 Microsoft SharePoint禾 P Microsoft Dynamics CRM服务。  The above cloud storage method is a popular storage technology, and it also has various options, such as EMC Atmos, Caringo CAStor, OpenStack, RackSpace, Windows Azure Amazon AWS or Google, etc., users can choose according to their own needs; for example Windows Azure is Microsoft's cloud-based operating system, and the Azure Services Platform is the name of Microsoft's "software and services" technology. The main goal of Windows Azure is to provide developers with a platform to help developers run on cloud servers. Applications in data centers, the Web, and PCs, cloud computing developers can use Microsoft's global data center storage, computing power and network infrastructure services. The Azure Service Platform includes the following major components: Windows Azure; Microsoft SQL Database Services, Microsoft .Net Services; Live Say Service for Sharing, Storing, and Synchronizing Files; Microsoft SharePoint® for Microsoft Business.
还需要说明,存储器的通讯协议并不固定,应该根据实际需要进行选择,如 FCP、 FCoE、 iSCSI、 SCSI、 SAS、 NFS、 CIFS、 SMB、 FTP、 HT书TP和 REST均是较为常用的通讯协议, 用户根据自身需要进行挑选便可, 具体如下:  It should also be noted that the communication protocol of the memory is not fixed and should be selected according to actual needs. For example, FCP, FCoE, iSCSI, SCSI, SAS, NFS, CIFS, SMB, FTP, HT book TP and REST are all common communication protocols. The user can select according to their own needs, as follows:
1. FCP is the Fibre Channel Protocol.
2. FCoE is Fibre Channel over Ethernet.
The FCoE standard maps Fibre Channel onto Ethernet: Fibre Channel frames are encapsulated in Ethernet frames, so that Fibre Channel requests and data between servers and SAN storage devices can be carried over Ethernet connections without a dedicated Fibre Channel fabric, allowing SAN data to be transported over Ethernet. FCoE allows LAN and FC SAN traffic to share a single cable; a converged network supports both LAN and SAN data types, reduces the amount of data-centre equipment and cabling, lowers power and cooling loads and, once converged into a single network, reduces the number of points that must be supported, which eases the management burden. It protects customers' existing investment in FC-SANs (FC-SAN tools, staff training, the FC-SAN facilities already built and their management architecture) while providing an I/O consolidation solution centred on the FC storage protocol.
The current FCoE standard proposal can use network adapters of any speed, but the adapter must support the 802.3x PAUSE mechanism.
FCoE targets 10G Ethernet. Its advantage is that, while preserving the existing services, it greatly reduces the number of network interfaces on a server (and with them the cables, switch ports and control points that administrators must manage), which lowers power consumption and simplifies management. It also improves system availability. FCoE is made possible by enhanced 10Gb Ethernet, usually called Data Center Bridging (DCB) or Converged Enhanced Ethernet (CEE). Tunnelling protocols such as FCIP and iFCP carry FC traffic over long distances, whereas FCoE is a layer-2 encapsulation protocol that essentially uses the Ethernet physical transport to carry FC data. Progress has recently been made on the Ethernet standards, with planned enhancements such as lossless networking on 10Gb Ethernet, which will further promote FCoE.
3. iSCSI is a technology researched and developed by IBM: a SCSI command set for hardware devices that runs on top of the IP protocol, allowing the SCSI protocol to run over IP networks and be routed over, for example, high-speed Gigabit Ethernet. iSCSI is a new storage technology that combines the existing SCSI interface with Ethernet technology so that servers can exchange data with storage devices over an IP network.
4. SCSI (Small Computer System Interface) is an independent processor standard for system-level interfaces between computers and intelligent devices (hard disks, floppy drives, optical drives, printers, scanners and so on). SCSI is an intelligent, general-purpose interface standard for connecting computers of all kinds to external devices.
5. NFS is short for Network File System. The Network File System is one of the file systems supported by FreeBSD. NFS allows a system to share directories and files with others over a network; using NFS, users and programs can access files on remote systems as if they were local files.
6. CIFS is a newly proposed protocol that lets a program access files on a remote Internet computer and request services from that computer. CIFS uses the client/server model: a client program requests a service from a server program on the remote server, and the server receives the request and returns a response. CIFS is the public, open version of the SMB protocol and is used by Microsoft. SMB is now the protocol used on local area networks for server file access and printing. Like SMB, CIFS operates at a high layer rather than at the low layer where TCP/IP operates. CIFS can be regarded as an implementation of application protocols such as the File Transfer Protocol and the Hypertext Transfer Protocol.
CIFS provides the following functions:
① access to files on the server and reading and writing of those files;
② sharing of file blocks with other users;
③ automatic restoration of the network connection after a disconnection;
④ Unicode file names: file names may use any character set, not only those designed for English or Western European languages.
In general, CIFS gives users better control over files than FTP. It offers a potentially more direct server program interface than a browser using HTTP. The most typical use of CIFS is that Windows users can find other hosts on the network from "My Network Places" and access their shared folders.
CIFS is an open standard and has been submitted to the IETF as an Internet application standard.
7. SMB (Server Message Block) is a protocol name; it can be used for Warp connections and for communication between clients and servers.
8. FTP (File Transfer Protocol) is a set of standard protocols for transferring files over a network. It belongs to the application layer of the network protocol stack.
FTP is an 8-bit client-server protocol that can handle any type of file without further processing such as MIME or Unicode. However, FTP has very high latency, meaning that the time from the initial request to the first receipt of the requested data can be very long, and lengthy login procedures must be performed from time to time.
9. HTTP is the Hypertext Transfer Protocol. The URLs typed into a browser's address bar when browsing the web begin with "http://". HTTP defines how messages are formatted and transmitted and what responses servers and browsers give to various commands.
10. REST refers to a set of architectural constraints and principles; an application or design satisfying these constraints and principles is RESTful.
REST defines a set of architectural principles by which Web services centred on system resources can be designed, including how clients written in different languages process and transfer resource state over HTTP.
Regarding the server:
The server is a software and hardware platform running under any of various operating systems, such as Linux, Unix, Windows, Mac OS, Android, OS400 or Mainframe/zOS, and may host a variety of applications, such as file systems, databases, data warehouses, file management systems, big-data analysis systems, enterprise resource management, customer relationship management, mail systems, web servers, application servers and middleware.
Regarding the data switch:
The data switch of the present invention is both a virtual storage device and a virtual server. As shown in Figure 4, when the data switch exchanges data with the storage device it acts as a virtual server; as shown in Figure 3, when the data switch exchanges data with the server it acts as a virtual storage device. Because the data switch encrypts the data held in the storage device with an encryption algorithm, only data in ciphertext form can be obtained, whether from inside or outside; since the data is ciphertext, a third party cannot learn its true content, which greatly improves the confidentiality of the data.
The encryption algorithm may be chosen from many options: AES, DES, 3DES, RC2/RC4, IDEA, RSA or BLOWFISH among public algorithms, or SSF33, SSF28 or SCB2 (SM1) among non-public algorithms. All of these algorithms are well known, as follows:
1. AES is the Advanced Encryption Standard in cryptography, also known as the Rijndael cipher, a block cipher standard adopted by the United States federal government. It was intended to replace the original DES, has been analysed by many parties and is widely used across industries worldwide. After more than five years of rigorous selection, the Advanced Encryption Standard was published by the National Institute of Standards and Technology (NIST) as FIPS PUB 197 on 26 November 2001 and became an effective standard on 26 May 2002. Since 2006 it has been one of the most popular algorithms in symmetric-key cryptography.
2. DES, also called the Data Encryption Algorithm (DEA), is a symmetric encryption algorithm and probably the most widely used key system, especially for protecting financial data. DES was originally developed to be embedded in hardware; automated teller machines (ATMs) usually use DES. It came out of IBM's research, and IBM held a patent on it for several years, but since the patent expired in 1983 it has been in the public domain and may be used free of royalties under certain conditions. It was formally adopted by the US government in 1977.
3. 3DES (Triple DES) is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher. It is equivalent to applying the DES algorithm three times to each data block. As computing power has grown, the key length of the original DES cipher has become easy to brute-force; 3DES was designed to provide a relatively simple way to defeat such attacks by increasing the effective DES key length, rather than designing an entirely new block cipher.
4. RC2 is a conventional symmetric block cipher designed by the well-known cryptographer Ron Rivest and proposed as a replacement for DES. Its input and output are both 64 bits. The key length is variable from 1 to 128 bytes. The algorithm was designed to be easily implemented on 16-bit microprocessors; on an ordinary 16-bit computer RC2 runs about twice as fast as DES.
RC4 is a family of variable-key-length stream ciphers designed in 1987 by Ron Rivest, the leading member of the RSA trio. It is called a family because the length of the S-box at its core can be arbitrary, although it is usually 256 bytes. The algorithm runs about 10 times faster than DES and has a high degree of non-linearity. RC4 was originally kept as a trade secret, but in September 1994 the algorithm was posted on the Internet and it ceased to be secret. RC4 is also called ARC4 (Alleged RC4), because RSA never officially released the algorithm.
5. IDEA was proposed in 1990 by Xuejia Lai, a young Chinese scholar living in Switzerland, and the well-known cryptographer J. Massey. It was formally published in 1990 and strengthened thereafter. The algorithm grew out of DES and resembles triple DES; like DES, IDEA is a symmetric-key algorithm. IDEA was developed partly because DES was felt to have shortcomings such as too short a key. IDEA's key is 128 bits, a length that should remain secure for many years to come.
Like DES, IDEA is a block cipher: it performs a series of encryption rounds, each using a subkey derived from the full encryption key. Unlike DES, it is as fast in software as in hardware.
Because IDEA was proposed and developed outside the United States, it avoided the many US legal restrictions on the use of cryptography; books on the IDEA algorithm and its implementation can therefore be freely published and exchanged, which has greatly promoted IDEA's development and refinement.
IDEA was also a major contender for the AES standard, and its security has been demonstrated at international cryptology conferences. IDEA is used in PGP (Pretty Good Privacy).
6. The RSA public-key encryption algorithm was developed in 1977 by Ron Rivest, Adi Shamir and Len Adleman at the Massachusetts Institute of Technology; RSA is named after its three developers. RSA is currently the most influential public-key encryption algorithm, has resisted all cryptanalytic attacks known to date, and has been recommended by ISO as a public-key data encryption standard. The RSA algorithm rests on a very simple fact of number theory: multiplying two large primes is very easy, but factoring their product is extremely difficult, so the product can be published as the encryption key.
7. BlowFish is an easy-to-use file and folder encryption program: files or folders are simply dragged with the mouse into the encrypted document area.
8. SSF33, SSF28 and SCB2 (SM1) are confidential, unpublished commercial algorithms of China's State Cryptography Administration and may only be used for civil and commercial purposes within China.
In particular, when the chosen encryption algorithm uses a key, the system can be configured to change the key at regular or irregular intervals; after the key is changed, the data in the storage device is re-encrypted under the new key, strengthening data security by denying third parties the time needed to break the encrypted data.
To further improve the confidentiality and practicality of the present invention, further optimisations are possible, such as randomising encrypted reads and writes according to the access data address, encrypting both static stored data and dynamic data, automatically accelerating the relevant encryption/decryption processing in hardware or software on top of the software implementation, and supporting multi-node cluster deployment or distributed deployment.
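As an added illustration, not code from the patent or its applicants, the following Go model shows the data switch's role as described above and in claims 1, 4 and 11: the server only ever handles plaintext, the storage device only ever holds ciphertext, each block is bound to its logical address, and the scheduled key change re-encrypts every stored block. AES-GCM as the mode, the nonce||ciphertext record layout and the use of the address as associated data are assumptions; the patent names only the cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Storage stands in for the storage device: ciphertext blocks by logical address, never a key.
type Storage map[uint64][]byte

// DataSwitch is the encrypting intermediary between the server and the storage device.
type DataSwitch struct {
	aead  cipher.AEAD
	store Storage
}

// NewDataSwitch attaches the switch to a storage device under an initial AES key (16, 24 or 32
// bytes) in GCM mode. The patent names only AES; the mode and record framing are assumptions.
func NewDataSwitch(key []byte, store Storage) (*DataSwitch, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &DataSwitch{aead: aead, store: store}, nil
}

// aad binds a block to its logical address as GCM associated data, so ciphertext
// copied to another address fails to authenticate (claim 11's address-keyed access).
func aad(addr uint64) []byte { return binary.BigEndian.AppendUint64(nil, addr) }

// Write takes plaintext from the server; only nonce||ciphertext reaches storage. A fresh
// random nonce per write means rewriting the same address never reuses a (key, nonce) pair.
func (d *DataSwitch) Write(addr uint64, plaintext []byte) error {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := d.aead.Seal(nil, nonce, plaintext, aad(addr))
	d.store[addr] = append(nonce, ct...)
	return nil
}

// Read fetches a block from storage, authenticates it and returns plaintext to the server.
func (d *DataSwitch) Read(addr uint64) ([]byte, error) {
	ns := d.aead.NonceSize()
	rec, ok := d.store[addr]
	if !ok || len(rec) < ns {
		return nil, fmt.Errorf("address %d: missing or truncated block", addr)
	}
	return d.aead.Open(nil, rec[:ns], rec[ns:], aad(addr))
}

// RotateKey is the scheduled key change of claim 4: decrypt every block under the old key, then
// re-encrypt all of them in place under newKey. A failed authentication aborts before the switch.
func (d *DataSwitch) RotateKey(newKey []byte) error {
	next, err := NewDataSwitch(newKey, d.store)
	if err != nil {
		return err
	}
	plain := make(map[uint64][]byte, len(d.store))
	for addr := range d.store {
		pt, err := d.Read(addr)
		if err != nil {
			return fmt.Errorf("rotation aborted at block %d: %w", addr, err)
		}
		plain[addr] = pt
	}
	d.aead = next.aead
	for addr, pt := range plain {
		if err := d.Write(addr, pt); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	store := Storage{}
	ds, err := NewDataSwitch(make([]byte, 32), store) // constructed all-zero demo key
	if err != nil {
		panic(err)
	}
	fmt.Println(ds.Write(7, []byte("ledger record 0007")))                // <nil>
	fmt.Printf("storage holds only ciphertext: %x\n", store[7])
	fmt.Println(ds.RotateKey([]byte("0123456789abcdef0123456789abcdef"))) // <nil>; constructed key
	fmt.Println(ds.Read(7))                                               // plaintext, <nil>
}
```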
In light of the disclosure and teaching of the above specification, those skilled in the art may make changes and modifications to the above embodiments. The present invention is therefore not limited to the specific embodiments disclosed and described above; modifications and variations of the present invention also fall within the scope of the claims. Although specific terms are used in this specification, they are used only for convenience of description and do not limit the invention in any way.
Claims

1. A general virtual data encryption storage system, comprising a storage device, a data switch and a server connected in sequence, characterised in that: the data switch encrypts the data in the storage device with an encryption algorithm so that the data in the storage device remains in ciphertext form; when the server requests data from the storage device, the data switch decrypts the requested data so that it becomes plaintext and sends it to the server.
2. The general virtual data encryption storage system according to claim 1, characterised in that the encryption algorithm is AES, DES, 3DES, RC2/RC4, IDEA, RSA or BLOWFISH among the public algorithms.
3. The general virtual data encryption storage system according to claim 1, characterised in that the encryption algorithm is SSF33, SSF28 or SCB2 (SM1) among the non-public algorithms.
4. The general virtual data encryption storage system according to claim 1, characterised in that the encryption algorithm is a keyed encryption algorithm, the key is changed automatically according to a configured schedule, and the data switch re-encrypts the data in the storage device with the changed key.
5. The general virtual data encryption storage system according to claim 1, characterised in that the storage device supports both random access and sequential access.
6. The general virtual data encryption storage system according to claim 1, characterised in that the communication protocol supported by the storage device is FCP, FCoE, iSCSI, SCSI, SAS, NFS, CIFS, SMB, FTP, HTTP or REST.
7. The general virtual data encryption storage system according to claim 1, characterised in that the storage mode of the storage device is module storage, object storage, archive storage, backup storage, DAS, NAS, SAN, tape, virtual storage or cloud storage.
8. The general virtual data encryption storage system according to claim 1, characterised in that the communication protocols between the data switch and the storage device and between the data switch and the server differ, and the data switch has a protocol conversion function for converting between the communication protocols of the storage device and the server.
9. The general virtual data encryption storage system according to claim 1, characterised in that the data switch is a software program, a hardware device, or a combination of a software program and a hardware device.
10. The general virtual data encryption storage system according to claim 1, characterised in that the data switch is connected to the storage device and to the server through optical-fibre connectors or an electronic switch.
11. The general virtual data encryption storage system according to claim 1, characterised in that the general virtual data encryption storage system randomises reads and writes of encrypted data according to the access data address.
12. The general virtual data encryption storage system according to claim 1, characterised in that the general virtual data encryption storage system encrypts and protects static stored data and at the same time encrypts and protects dynamic data at the network layer.
13. The general virtual data encryption storage system according to claim 1, characterised in that the general virtual data encryption storage system automatically accelerates the relevant encryption/decryption processing in hardware or software on top of the software implementation.
14. The general virtual data encryption storage system according to claim 1, characterised in that the general virtual data encryption storage system supports multi-node cluster deployment or distributed deployment.
PCT/CN2014/076099 2013-07-29 2014-04-24 General virtual data encryption storage system WO2015014136A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310323235XA CN103414704A (en) 2013-07-29 2013-07-29 General virtual data encrypted storage system
CN201310323235.X 2013-07-29

Publications (1)

Publication Number Publication Date
WO2015014136A1 true WO2015014136A1 (en) 2015-02-05

Family

ID=49607690

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/076099 WO2015014136A1 (en) 2013-07-29 2014-04-24 General virtual data encryption storage system

Country Status (2)

Country Link
CN (1) CN103414704A (en)
WO (1) WO2015014136A1 (en)


Also Published As

Publication number Publication date
CN103414704A (en) 2013-11-27


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14831489

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14831489

Country of ref document: EP

Kind code of ref document: A1