Hardware encryption method, system and device based on distributed storage

Document No.: 168357  Publication date: 2021-10-29

Reading note: this technology, 一种基于分布式存储的硬件加密方法、系统及装置 (Hardware encryption method, system and device based on distributed storage), was designed and created by 郑朝晖 and 阳海华 on 2021-06-15. Its main content: the invention discloses a hardware encryption method, system and device based on distributed storage, belonging to the field of data security, in which a key is obtained through the encryption card API, user data is sliced and then encrypted, the data is hardware-encrypted according to the user's identity, and the ciphertext is stored on disk. With this technical scheme, because the data on the disk is ciphertext, data leakage caused by a stolen hard disk is avoided; at the same time, a policy of a different password for each user provides logical isolation and encryption isolation of user data, which helps to establish a more secure encryption mechanism.

1. A hardware encryption method based on distributed storage, characterized by comprising a password registration process, a file-writing-to-disk process and a data-reading-from-disk process;

the password registration process comprises the following steps:

setting a password for a user, and calling an encryption card API to generate a secret key;

selecting three storage nodes, and storing the secret key on the encryption cards of those nodes in the form of three copies; after all three key copies have been stored successfully, returning a registration success message; storing the location of the user's encryption card; the three copies comprise one master copy and two slave copies;

the file-writing-to-disk process comprises the following steps:

reading the user key through the encryption card API according to the location of the user's encryption card;

slicing the user data, and calling the encryption card API to encrypt the data slices with the user key;

writing the encrypted data slice to the master copy, and then synchronizing it from the master copy to the two slave copies; finally, the data ciphertext lands on the magnetic disk;

the data-reading-from-disk process comprises the following steps:

reading the user key through the encryption card API according to the location of the user's encryption card; reading the ciphertext data from the corresponding physical disk, and decrypting the ciphertext data with the corresponding key.

2. The hardware encryption method based on distributed storage according to claim 1, wherein in the password registration process a user is created through an interface of a management platform and a password is set for the user, and three storage nodes are selected from the distributed cluster by a distributed algorithm.

3. The hardware encryption method based on distributed storage according to claim 1, wherein in the password registration process, the encryption card API and the secret key are both stored in the encryption card, and the user secret key is stored on the encryption card after being encrypted by the encryption card.

4. The hardware encryption method based on distributed storage according to claim 1, wherein in the file-writing-to-disk process, the user data is sliced and, after the storage locations of the three copies are calculated locally, the client communicates directly with the primary OSD; the encryption card API is called to encrypt the data slices with the user key; the distributed storage system writes the master copy first and then synchronizes to the two slave copies; the master copy waits for the ack and applied messages of the slave copies; when the primary copy receives the ack message, the write has completed in memory, and when it receives the applied message, the write has completed on disk.

5. A hardware encryption system based on distributed storage, characterized by comprising a password registration module, a file-writing-to-disk module and a data-reading-from-disk module;

the password registration module is used for setting a password for a user; calling an encryption card API to generate a secret key; selecting three storage nodes by a distributed algorithm, the keys being stored in the encryption cards on those nodes in the form of three copies, where the three copies comprise one master copy and two slave copies, one key being stored on one node as the master copy and the other two identical keys being stored on the other two nodes as the slave copies; once the key is stored successfully in the master copy, a success message is sent back to the management platform; the key is then automatically stored to the encryption cards of the two slave copies; once all three key copies are stored successfully, a registration success message is returned to the management platform; and writing the location of the user's encryption card into the management platform database;

the file-writing-to-disk module reads the user key through the encryption card API according to the location of the user's encryption card; slices the user data, calculates the storage locations of the three copies locally, and calls the encryption card API to encrypt the data slices with the user key; sends the encrypted data slices to a client, which writes the master copy and then synchronizes the master copy to the two slave copies;

the data-reading-from-disk module reads the user key through the encryption card API according to the location of the user's encryption card; reads the sliced data from the designated OSD through a distributed file system; and reads the ciphertext data from the corresponding physical disk and decrypts it with the corresponding key.

6. The hardware encryption system based on distributed storage according to claim 5, wherein the encryption card API and the encryption key are stored in the encryption card, encrypted and stored by the FPGA chip.

7. The hardware encryption system based on distributed storage according to claim 5, wherein one user corresponds to one key, and the user key is used for data encryption so that each user has their own key.

8. The distributed storage based hardware encryption system of claim 5, wherein the system comprises clients, management nodes, storage clusters; the storage cluster includes a master storage node and a slave storage node.

9. The distributed storage based hardware encryption system of claim 5, wherein each storage node uses 2 or more cryptographic cards and performs multi-card verification.

10. A hardware encryption apparatus based on distributed storage, comprising a memory, at least one processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to perform the hardware encryption method according to any one of claims 1 to 4.

Technical Field

The invention relates to a hardware encryption method, a system and a device based on distributed storage, and belongs to the technical field of data security.

Background

With the rapid construction and development of information systems and data centers, the volume of sensitive business data generated keeps growing. Distributed storage systems solve the problems of storage concentration, capacity and throughput, but as storage becomes more concentrated and the data more valuable, internal and external security threats multiply, the security risk rises, data leakage incidents are endless, and the security of data storage becomes ever more prominent.

The security of a storage system comprises confidentiality and integrity. The root cause of threats to stored data is that the data is kept in plaintext on the storage medium, so an intruder can easily obtain or modify it illegally.

Disclosure of Invention

The purpose of the invention is as follows: aiming at the problems and the defects in the prior art, the invention provides a hardware encryption method, a system and a device based on distributed storage.

The technical scheme is as follows: a hardware encryption method based on distributed storage comprises a password registration process, a file-writing-to-disk process and a data-reading-from-disk process.

The password registration process comprises the following steps:

setting a password for a user, and calling an encryption card API to generate a secret key;

selecting three storage nodes by a distributed algorithm, and storing the secret key on the encryption cards of those nodes in the form of three copies; after all three key copies have been stored successfully, returning a registration success message; storing the location of the user's encryption card; the three copies comprise one master copy and two slave copies.

The file-writing-to-disk process comprises the following steps:

reading the user key through the encryption card API according to the location of the user's encryption card;

slicing the user data, and calling the encryption card API to encrypt the data slices with the user key;

the distributed storage system writes the encrypted data slice to the master copy and then synchronizes it to the two slave copies; the data ciphertext then lands on the disk.

The data-reading-from-disk process comprises the following steps:

reading the user key through the encryption card API according to the location of the user's encryption card; reading the ciphertext data from the corresponding physical disk through the distributed file system, and decrypting the ciphertext data with the corresponding key.

In the password registration process, the encryption card API and the encryption key are stored in the encryption card. They belong to hardware encryption: an FPGA chip is used for encryption and storage, which makes them difficult to crack by software.

In the key storage process, a distributed algorithm selects three servers of the distributed cluster as the three storage nodes, and the encryption cards on those three servers are the media that hold the three key copies, so the keys are distributed evenly and their reliability is ensured.

A hardware encryption system based on distributed storage comprises a password registration module, a module for writing files to a disk and a module for reading data from the disk.

The password registration module is used for creating a user through an interface of the management platform and setting a password for the user; calling an encryption card API to generate a secret key; selecting three storage nodes by a distributed algorithm, the keys being stored in the encryption cards on those nodes in the form of three copies, where the three copies comprise one master copy and two slave copies, one key being stored on one node as the master copy and the other two identical keys being stored on the other two nodes as the slave copies; once the key is stored successfully in the master copy, a success message is sent back to the management platform; the key is then automatically stored to the encryption cards of the two slave copies; once all three key copies are stored successfully, a registration success message is returned to the management platform; and writing the location of the user's encryption card into the management platform database.

The file-writing-to-disk module reads the user key through the encryption card API according to the location of the user's encryption card; slices the user data, calculates the storage locations of the three copies locally, and communicates directly with the primary OSD; calls the encryption card API to encrypt the data slices with the user key; sends the encrypted data slices to a client, which writes the master copy and then synchronizes the master copy to the two slave copies; the master copy waits for the ack and applied messages of the slave copies; when the primary copy receives the ack message, the write has completed in memory, and when it receives the applied message, the write has been written to disk; the result is that the data ciphertext lands on the disk.

The data-reading-from-disk module reads the user key through the encryption card API according to the location of the user's encryption card; reads the sliced data from the designated OSD through a distributed file system; and reads the ciphertext data from the corresponding physical disk and decrypts it with the corresponding key.

The user key is stored on the encryption card after being encrypted by the encryption card, so the user's password is not at risk of leakage. The password also has three copies, which ensures its reliability.

The data lands on the disk through the encryption card, that is, ciphertext is stored on the disk. Even if the physical medium of the hard disk is stolen, the data cannot be stolen.

One user corresponds to one key, and that user key is used during data encryption, so each user is encrypted separately and the logical isolation between users also exists in encrypted form.

A distributed storage based hardware encryption apparatus comprising a memory, at least one processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to perform a distributed storage based hardware encryption method.

In the invention, the file stored on the hard disk is ciphertext rather than plaintext, so even if the storage medium is lost the key data cannot be cracked, and the loss is reduced to a minimum.

The invention provides a backup of the cipher card key, so that user data does not become unavailable through encryption or decryption problems when a cipher card is damaged.

In the invention, each storage node uses 2 or more cipher cards: the same data is encrypted by two or more encryption cards and the resulting ciphertexts are compared; if they are identical the check passes, otherwise it fails. This multi-card verification ensures the integrity and reliability of the stored data, and multi-card parallel operation also improves the speed of encryption and decryption.

In the invention, the distributed algorithm is the distributed storage system's own algorithm, so the difficulty of the algorithm is not increased and the stability of the original distributed system is not harmed; at the same time the algorithm can be used on most distributed storage systems, which ensures its universality.

Drawings

FIG. 1 is a registration flow diagram of an embodiment of the present invention;

FIG. 2 is a flow chart of writing a file to disk according to an embodiment of the present invention;

FIG. 3 is a flow chart of reading a file according to an embodiment of the present invention.

Detailed Description

The present invention is further illustrated by the following examples, which are intended to be purely exemplary and are not intended to limit the scope of the invention, as various equivalent modifications of the invention will occur to those skilled in the art upon reading the present disclosure and fall within the scope of the appended claims.

As shown in fig. 1 to 3, the embodiment provides a hardware encryption method and system based on distributed storage, which involves a client, a management node, and a storage cluster (including a master storage node and a slave storage node).

The client accesses the hardware of the distributed storage through the interface.

The management node is responsible for monitoring the distributed cluster, maintaining the health state of the cluster and maintaining the various maps of the cluster.

The storage cluster comprises all storage nodes used for data storage; each hard disk serves as a separate storage space, and the RAID card of the storage node is used only as a data channel.

Each storage node has 2 or more encryption cards, used for storing user keys, data encryption and decryption, and double-card verification.

The main storage node and the two slave storage nodes are respectively used as data three-copy storage spaces.

The hardware encryption method based on distributed storage specifically comprises the following steps:

Registration stage:

(1) the management node sets a user password;

(2) the management node calls an encryption card API to encrypt the user name and the password to form a key pair;

(3) the management node selects, through a distributed algorithm, encryption cards on three storage nodes to store the key pair, the three storage nodes being one master storage node and two slave storage nodes;

(4) storing the key pair to an encryption card of the main storage node;

(5) the encryption card on the master storage node performs double-card verification on the key (the same data is encrypted by two encryption cards and the resulting ciphertexts are compared; if they are identical the verification passes, otherwise it fails);

(6) returning the result of whether the key storage is successful to the management node;

(7) synchronizing the key pair to the encryption card of the slave storage node;

(8) the encryption card on the slave storage node performs double-card verification on the stored key;

(9) returning the result of whether the key storage of the slave storage node is successful to the master storage node;

(10) returning a storage result of the storage key pair to the management node;

(11) the management node updates the key location database, i.e. writes the position of the user's encryption card into the key location database of the management node.

File-writing-to-disk stage:

(1) the client sends a request to fetch the user key to the management node;

(2) the management node queries, through the key location database, the storage node where the user key is located;

(3) the management node sends the storage node an instruction to read the key pair from the encryption card;

(4) the storage node returns the key pair to the management node;

(5) the management node returns the key pair to the client;

(6) the client slices the data into a fixed size (default 4 MB, configurable in the system);

(7) the client sends a data write request to the management node;

(8) the management node calls the system's original distributed algorithm to calculate the storage position;

(9) the user's sliced data is encrypted with the user key (one key per user), and the ciphertext is stored on the disk of the master storage node;

(10) double-card verification is performed on the encrypted data on the master storage node;

(11) whether the master storage node stored successfully is fed back to the management node;

(12) synchronizing master storage node data to the (two) slave storage nodes;

(13) double-card verification is performed on the encrypted data on the slave storage node (the same data is encrypted by two encryption cards and the resulting ciphertexts are compared; if they are identical the verification passes, otherwise it fails);

(14) whether the slave storage node stored successfully is fed back to the master storage node;

(15) whether the slave storage node stored successfully is fed back to the management node;

(16) the storage result is fed back to the client.

File reading stage:

(1) the client sends a request to fetch the user key to the management node;

(2) the management node queries the user key position through the key location database;

(3) according to the user key position, the management node sends the storage node in the storage cluster an instruction to read the key pair from the encryption card;

(4) the storage node returns the key pair to the management node;

(5) the management node returns the key pair to the client;

(6) a client sends a file reading request to a management node;

(7) the management node obtains the storage positions of the (sliced) data through the distributed algorithm;

(8) the sliced data (ciphertext) is read from the disk of the master storage node;

(9) decrypting the user sliced data by using the user key;

(10) returning the reading result to the management node;

(11) the (sliced) plaintext data is returned to the client;

(12) the sliced data is reassembled into the data the user requested.
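As an added example (not the patent's own code), the Python simulation below walks through the registration, write and read stages described above: one key per user held by the cards of three nodes, fixed-size slicing, encryption inside the "card", double-card verification by comparing the two cards' outputs, replication of the ciphertext to two slave copies, and reassembly on read. EncryptionCard, StorageNode, Cluster and the HMAC-SHA256 keystream cipher are this example's stand-ins for the encryption card API and for the storage system's own placement algorithm, neither of which the page specifies.

```python
import hashlib
import hmac

SLICE_SIZE = 4 * 1024 * 1024  # the page's default slice size (4 MB), adjustable

class EncryptionCard:
    # Stand-in for one hardware card (hypothetical class): the key table lives
    # inside the card and only the calls below are exposed.
    def __init__(self, faulty=False):
        self.keys = {}        # user -> key; never leaves the card, never hits disk
        self.faulty = faulty  # simulates a damaged card for the verification check
    def generate_key(self, user, password):
        # page: the card derives the user key from user name and password
        return hmac.new(password.encode(), user.encode(), hashlib.sha256).digest()
    def crypt(self, user, slice_no, data):
        # HMAC-SHA256 keystream in counter mode, keyed by (user key, slice number).
        # Deterministic on purpose, so two cards give comparable output; XOR => symmetric.
        out, ctr = bytearray(), 0
        while len(out) < len(data):
            msg = slice_no.to_bytes(8, "big") + ctr.to_bytes(8, "big")
            out += hmac.new(self.keys[user], msg, hashlib.sha256).digest()
            ctr += 1
        if self.faulty:
            out[0] ^= 1  # a damaged card corrupts its keystream
        return bytes(a ^ b for a, b in zip(data, out))

class StorageNode:
    # One node: two cards (page: 2 or more) and a disk that only ever holds ciphertext.
    def __init__(self, name, faulty=False):
        self.name, self.disk = name, {}   # disk: (user, slice_no) -> ciphertext
        self.cards = [EncryptionCard(), EncryptionCard(faulty)]
    def double_card(self, user, slice_no, data):
        a, b = (c.crypt(user, slice_no, data) for c in self.cards)
        return a if a == b else None      # both cards must agree, else verification fails
    def write_slice(self, user, slice_no, plaintext):
        ct = self.double_card(user, slice_no, plaintext)   # master copy: encrypt + verify
        if ct is not None:
            self.disk[(user, slice_no)] = ct
        return ct
    def replicate_slice(self, user, slice_no, ct):
        ok = self.double_card(user, slice_no, ct) is not None  # slave copy: verify, then land
        if ok:
            self.disk[(user, slice_no)] = ct
        return ok
    def read_slice(self, user, slice_no):
        return self.cards[0].crypt(user, slice_no, self.disk[(user, slice_no)])

class Cluster:
    # Management-node view: placement, key location database, write and read flows.
    def __init__(self, nodes):
        self.nodes, self.key_location = nodes, {}
    def place(self, user):
        # stand-in for the storage system's own distributed placement algorithm
        h = int.from_bytes(hashlib.sha256(user.encode()).digest()[:4], "big")
        return [self.nodes[(h + i) % len(self.nodes)] for i in range(3)]
    def register(self, user, password):
        nodes = self.place(user)                          # one master, two slave copies
        key = nodes[0].cards[0].generate_key(user, password)
        for card in (c for n in nodes for c in n.cards):
            card.keys[user] = key
        self.key_location[user] = [n.name for n in nodes]
    def write_file(self, user, data, slice_size=SLICE_SIZE):
        master, *slaves = self.place(user)
        slices = [data[i:i + slice_size] for i in range(0, len(data), slice_size)]
        for no, pt in enumerate(slices):
            ct = master.write_slice(user, no, pt)
            if ct is None or not all(s.replicate_slice(user, no, ct) for s in slaves):
                return None                               # verification failed somewhere
        return len(slices)                                # needed to read the file back
    def read_file(self, user, n_slices):
        return b"".join(self.place(user)[0].read_slice(user, no) for no in range(n_slices))
```

A faulty card on any of the three nodes makes `write_file` return `None`, which is the page's verification failure; a real deployment would report that to the management node rather than land the slice.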

The hardware encryption system based on distributed storage comprises a password registration module, a module for writing files to a disk and a module for reading data from the disk.

The password registration module is used for creating a user through an interface of the management platform and setting a password for the user; binding of a USBKey is also supported; calling an encryption card API to generate a secret key; selecting three storage nodes by a distributed algorithm, the keys being stored in the encryption cards on those nodes in the form of three copies, where the three copies comprise one master copy and two slave copies, one key being stored on one node as the master copy and the other two identical keys being stored on the other two nodes as the slave copies; once the key is stored successfully in the master copy, a success message is sent back to the management platform; the key is then automatically stored to the encryption cards of the two slave copies; once all three key copies are stored successfully, a registration success message is returned to the management platform; and writing the location of the user's encryption card into the management platform database.

The file-writing-to-disk module reads the user key through the encryption card API according to the location of the user's encryption card; slices the user data, calculates the storage locations of the three copies locally, and communicates directly with the primary OSD; calls the encryption card API to encrypt the data slices with the user key; sends the encrypted data slices to a client, which writes the master copy and then synchronizes the master copy to the two slave copies; the master copy waits for the ack and applied messages of the slave copies; when the master copy receives the ack message, the write has completed in memory; when it receives the applied message, the write has been written to disk; the result is that the data ciphertext lands on the disk.

The data-reading-from-disk module reads the user key through the encryption card API according to the location of the user's encryption card; reads the sliced data from the designated OSD through a distributed file system; and reads the ciphertext data from the corresponding physical disk and decrypts it with the corresponding key.

The user key is stored on the encryption card after being encrypted by the encryption card, so the user's password is not at risk of leakage. The password also has three copies, which ensures its reliability.

The data lands on the disk through the encryption card, that is, ciphertext is stored on the disk. Even if the physical medium of the hard disk is stolen, the data cannot be stolen.

The hardware encryption device based on the distributed storage comprises a memory, at least one processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the program to execute the hardware encryption method based on the distributed storage.
