Encryption method based on PCIe interface
Technical Field
The invention belongs to the field of computer encryption, and particularly relates to an encryption method based on a PCIe interface.
Background
Existing encryption equipment based on the PCIe interface has several drawbacks. First, it generally uses a single encryption algorithm to encrypt the data, and because the algorithms used are generally international encryption algorithms, the ciphertext is easy to crack.
Second, the encryption device is usually accompanied by application software so that the HOST can send data to and receive data from the encryption device. This increases the software design overhead, and while the software runs it occupies HOST operating resources and interferes with the HOST's other operations.
In addition, if an abnormality occurs during encryption, the user has to perform the encryption again after power is restored, and when the data volume is large a great deal of time can be wasted.
Disclosure of Invention
In view of the above, the present invention provides an encryption device based on the PCIe interface, comprising a CPU, a data distribution module, an encryption information module, an AES encryption module, an SM4 encryption module, a cache region, a first PCIe controller, a second PCIe controller, a PCIe SSD module, a PCIe Host module and peripherals, wherein
the CPU controls the operation of the other modules and responds to the interrupts of each module through the internal bus; the cache region is connected to the first PCIe controller, the second PCIe controller, the AES encryption module and the SM4 encryption module through the internal bus and is used to cache write data and read data;
the data distribution module randomly segments the data length sent by the CPU using a random algorithm implemented in hardware, and feeds back the offset address and length of each resulting data segment to the CPU;
the encryption information module stores encryption information specific to the device; the AES encryption module and the SM4 encryption module independently perform the AES and SM4 encryption algorithms respectively; and the peripherals comprise a keyboard, status lights and an SPI port.
Preferably, the encryption information module adopts MRAM.
Preferably, the first PCIe controller comprises the transaction layer, data link layer and physical layer of PCIe; it encapsulates commands or data into packets that NVMe can recognize, or parses commands or data into commands that the encryption device can recognize, and it automatically accesses data in the PCIe Host module or the cache region according to commands sent by the CPU.
Preferably, the second PCIe controller comprises the transaction layer, data link layer and physical layer of PCIe; it encapsulates commands or data into packets that NVMe can recognize, or parses commands into commands that the encryption device can recognize, and it automatically accesses data in the PCIe SSD module or the cache region according to commands sent by the CPU.
Based on the above purpose, the present invention also provides an encryption method, comprising the following steps:
S10, performing the write operation;
S20, performing the read operation;
S30, if an abnormality occurs during S10 and the operation is suspended, recovering from the abnormality.
Preferably, S10 includes the steps of:
S110, the user sets a password through the peripherals;
S120, after the password has been set, the HOST sends a write request to the encryption device;
S130, the CPU receives an interrupt from the first PCIe controller and then fetches the instruction from the first PCIe controller;
S140, according to the content of the write request, the CPU instructs the first PCIe controller to read the corresponding data from the PCIe Host module into the cache region; whenever a Block has been written, the first PCIe controller sets that Block's flag bits to 01. The CPU informs the data distribution module of the data length of the write request; the data distribution module divides that length into n data segments of different lengths according to a random algorithm and feeds back the offset address and length of each segment to the CPU, which records this information in the space that the encryption information module has allocated to the current device;
S150, the CPU enables the AES encryption module and the SM4 encryption module;
S160, the AES encryption module and the SM4 encryption module encrypt the Blocks in the cache region whose flag bits are 01 and that belong to the data segment each is currently encrypting; after a Block has been encrypted its flag bits are set to 10; the second PCIe controller reads the Blocks with flag bits 10 from the cache region, stores them in the PCIe SSD module, and then sets their flag bits to 11. In the order in which the data segments finish encrypting, the CPU marks the encryption mode of each segment recorded in the encryption information module as 01 or 10, and hands the information of the next not-yet-encrypted segment to whichever of the AES encryption module or the SM4 encryption module is idle, which continues encrypting;
S170, when encryption is complete, the CPU turns on indicator light LED1 in the peripherals to indicate that encryption is complete, and clears the cache region completely.
Preferably, S20 includes the steps of:
S210, the user enters a password through the peripherals;
S220, after the password has been entered, the HOST sends a read request to the encryption device;
S230, the CPU receives an interrupt from the first PCIe controller and then fetches the instruction from the first PCIe controller;
S240, after the CPU identifies the read request, it looks up the password for the content to be read in the encryption information module; if it matches the password entered by the user, decryption proceeds, and if it does not match, the user is asked to enter the password again;
S250, once the passwords match, the CPU sends a read request to the PCIe SSD module through the second PCIe controller; the second PCIe controller caches the data returned by the PCIe SSD module in the cache region and sets the flag bits of each Block it has written to 01; the encryption information for the content to be read that belongs to the AES encryption module or the SM4 encryption module is taken out of the encryption information module and sent to the corresponding AES encryption module or SM4 encryption module;
S260, the CPU enables the AES encryption module and the SM4 encryption module;
S270, the AES encryption module and the SM4 encryption module decrypt the Blocks in the cache region whose flag bits are 01 and that match their respective encryption information; when a Block has been decrypted its flag bits are set to 10; the first PCIe controller takes the Blocks with flag bits 10 out of the cache region, sends them to the PCIe Host module, and sets their flag bits to 11;
S280, after decryption is finished, the CPU turns on indicator light LED2 in the peripherals and initializes the cache region.
Preferably, S30 includes the steps of:
S310, the CPU queries the encryption information module for a data segment whose encryption mode has not been marked;
S320, if there is a data segment without a marked encryption mode, the CPU turns on indicator light LED3 in the peripherals to ask the user whether to continue the write;
S330, if the user chooses to continue the write operation, the user enters the password that was set for that write operation; the CPU then looks up the password for the content written by the current device in the encryption information module; if it matches the password entered by the user, the operation continues, and if it does not match, the user is asked to enter the password again;
S340, the CPU instructs the first PCIe controller to read the unencrypted data from the PCIe Host module into the cache region, and the first PCIe controller sets the flag bits of each Block it has written to 01;
S350, the CPU enables the AES encryption module and the SM4 encryption module;
S360, the AES encryption module and the SM4 encryption module decrypt the Blocks in the cache region whose flag bits are 01 and that match their respective encryption information; when a Block has been decrypted its flag bits are set to 10; the first PCIe controller takes the Blocks with flag bits 10 out of the cache region, sends them to the PCIe Host module, and sets their flag bits to 11.
Compared with the prior art, the encryption equipment and encryption method based on the PCIe interface disclosed by the invention have at least the following beneficial effects:
1) the data is randomly split into a number of data segments of different lengths, which are then randomly distributed between two different encryption algorithms for mixed encryption, so the encrypted data does not follow a single or regular encryption pattern; this greatly increases the difficulty of decrypting the data and improves data security;
2) because the PCIe controllers are designed to access data actively, the HOST can complete the encryption operation without installing any related software. After the password is set, the HOST simply sends a write command; there is no situation in which the HOST is unable to perform other operations while the user sets the password. Once the encryption equipment has received the write command, it reads the data by itself, so no HOST participation is needed and no HOST operating resources are occupied, which improves the user experience and saves software design cost;
3) to handle abnormal conditions, the encryption information module (MRAM) inside the encryption equipment serves as a non-volatile memory that retains the device's encryption information, so the equipment can resume encryption without re-encrypting from the start; this saves time, reduces wear on the PCIe SSD module and extends its service life, and the ability to resume encryption is especially important when a large amount of data is being encrypted.
Drawings
To make the object, technical scheme and beneficial effects of the invention clearer, the invention provides the following drawings for explanation:
FIG. 1 is a block diagram of an encryption device based on PCIe interface according to an embodiment of the present invention;
FIG. 2 is a table of encryption information of an encryption information module of an encryption device based on a PCIe interface according to an embodiment of the present invention;
FIG. 3 is a table of the meaning of the flag bits in the cache area of the encryption device based on the PCIe interface according to the embodiment of the present invention;
FIG. 4 is a flowchart illustrating the steps of an encryption method based on PCIe interface according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating the step S10 in the encryption method based on PCIe interface according to the embodiment of the present invention;
FIG. 6 is a flowchart illustrating the step S20 in the encryption method based on PCIe interface according to the embodiment of the present invention;
FIG. 7 is a flowchart illustrating step S30 in the PCIe interface-based encryption method according to the embodiment of the present invention.
Detailed Description
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
System embodiment: referring to FIGS. 1-3, the device includes a CPU 11, a data distribution module 15, an encryption information module 14, an AES encryption module 13, an SM4 encryption module 12, a cache region 20, a first PCIe controller 16, a second PCIe controller 17, a PCIe SSD module 19, a PCIe Host module 18 and peripherals 21, wherein
the CPU 11 controls the operation of the other modules and responds to the interrupts of each module through the internal bus; the cache region 20 is connected to the first PCIe controller 16, the second PCIe controller 17, the AES encryption module 13 and the SM4 encryption module 12 through the internal bus and is used to cache write data and read data; each Block has 2 flag bits, whose meaning is shown in FIG. 3;
the data distribution module 15 randomly segments the data length sent by the CPU 11 using a random algorithm implemented in hardware, and feeds back the offset address and length of each resulting data segment to the CPU 11;
the encryption information module 14 stores encryption information specific to the device; the AES encryption module 13 and the SM4 encryption module 12 independently perform the AES and SM4 encryption algorithms respectively; and the peripherals 21 include a keyboard, status lights and an SPI port.
The encryption information module 14 uses MRAM to store encryption information specific to each device. Referring to FIG. 2, at power-on and initialization a certain space (its size is determined by the firmware) is allocated to store the encryption information of a device that is being encrypted with this encryption equipment for the first time.
The first PCIe controller 16 includes the transaction layer, data link layer and physical layer of PCIe; it encapsulates commands or data into packets that NVMe can recognize, or parses commands into commands that the encryption device can recognize, and it automatically accesses data in the PCIe Host module 18 or the cache region 20 according to commands sent by the CPU 11.
The second PCIe controller 17 includes the transaction layer, data link layer and physical layer of PCIe; it encapsulates commands or data into packets that NVMe can recognize, or parses commands into commands that the encryption device can recognize, and it automatically accesses data in the PCIe SSD module 19 or the cache region 20 according to commands sent by the CPU 11.
Through this arrangement, the encryption equipment provided by the invention makes the encrypted data harder to crack, thereby protecting the data from leakage. At the same time, HOST operating resources are not occupied and no special software needs to be installed: the first PCIe controller 16 and the second PCIe controller 17, which actively access HOST data, give the encryption equipment the initiative to access data on the HOST side autonomously, reducing the degree of HOST participation and finally achieving the goal of reducing the occupation of HOST operating resources.
A flowchart of the steps of the method embodiment is shown in FIGS. 4-7; the method includes the steps of:
S10, performing the write operation;
S20, performing the read operation;
S30, if an abnormality occurs during S10 and the operation is suspended, recovering from the abnormality.
S10 includes the steps of:
S110, the user sets a password through the peripherals;
S120, after the password has been set, the HOST sends a write request to the encryption device;
S130, the CPU receives an interrupt from the first PCIe controller and then fetches the instruction from the first PCIe controller;
S140, according to the content of the write request, the CPU instructs the first PCIe controller to read the corresponding data from the PCIe Host module into the cache region; whenever a Block has been written, the first PCIe controller sets that Block's flag bits to 01. The CPU informs the data distribution module of the data length of the write request; the data distribution module divides that length into n data segments of different lengths according to a random algorithm and feeds back the offset address and length of each segment to the CPU, which records this information in the space that the encryption information module has allocated to the current device;
S150, the CPU enables the AES encryption module and the SM4 encryption module;
S160, the AES encryption module and the SM4 encryption module encrypt the Blocks in the cache region whose flag bits are 01 and that belong to the data segment each is currently encrypting; after a Block has been encrypted its flag bits are set to 10; the second PCIe controller reads the Blocks with flag bits 10 from the cache region, stores them in the PCIe SSD module, and then sets their flag bits to 11. In the order in which the data segments finish encrypting, the CPU marks the encryption mode of each segment recorded in the encryption information module as 01 or 10, and hands the information of the next not-yet-encrypted segment to whichever of the AES encryption module or the SM4 encryption module is idle, which continues encrypting;
S170, when encryption is complete, the CPU turns on indicator light LED1 in the peripherals to indicate that encryption is complete, and clears the cache region completely.
S20 includes the steps of:
S210, the user enters a password through the peripherals;
S220, after the password has been entered, the HOST sends a read request to the encryption device;
S230, the CPU receives an interrupt from the first PCIe controller and then fetches the instruction from the first PCIe controller;
S240, after the CPU identifies the read request, it looks up the password for the content to be read in the encryption information module; if it matches the password entered by the user, decryption proceeds, and if it does not match, the user is asked to enter the password again;
S250, once the passwords match, the CPU sends a read request to the PCIe SSD module through the second PCIe controller; the second PCIe controller caches the data returned by the PCIe SSD module in the cache region and sets the flag bits of each Block it has written to 01; the encryption information for the content to be read that belongs to the AES encryption module or the SM4 encryption module is taken out of the encryption information module and sent to the corresponding AES encryption module or SM4 encryption module;
S260, the CPU enables the AES encryption module and the SM4 encryption module;
S270, the AES encryption module and the SM4 encryption module decrypt the Blocks in the cache region whose flag bits are 01 and that match their respective encryption information; when a Block has been decrypted its flag bits are set to 10; the first PCIe controller takes the Blocks with flag bits 10 out of the cache region, sends them to the PCIe Host module, and sets their flag bits to 11;
S280, after decryption is finished, the CPU turns on indicator light LED2 in the peripherals and initializes the cache region.
S30 includes the steps of:
S310, the CPU queries the encryption information module for a data segment whose encryption mode has not been marked;
S320, if there is a data segment without a marked encryption mode, the CPU turns on indicator light LED3 in the peripherals to ask the user whether to continue the write;
S330, if the user chooses to continue the write operation, the user enters the password that was set for that write operation; the CPU then looks up the password for the content written by the current device in the encryption information module; if it matches the password entered by the user, the operation continues, and if it does not match, the user is asked to enter the password again;
S340, the CPU instructs the first PCIe controller to read the unencrypted data from the PCIe Host module into the cache region, and the first PCIe controller sets the flag bits of each Block it has written to 01;
S350, the CPU enables the AES encryption module and the SM4 encryption module;
S360, the AES encryption module and the SM4 encryption module decrypt the Blocks in the cache region whose flag bits are 01 and that match their respective encryption information; when a Block has been decrypted its flag bits are set to 10; the first PCIe controller takes the Blocks with flag bits 10 out of the cache region, sends them to the PCIe Host module, and sets their flag bits to 11.
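The write (S10), read (S20) and recovery (S30) flows above, and the identical steps in the claims earlier on this page, modelled as added example code that is not part of the patent or of any product. It assumes a 16-byte Block, that the "idle" engine alternates between AES and SM4, that the encryption information module holds a device key and a hash of the user's password, and that S360 finishes encrypting the segments left unmarked in MRAM so that the SSD ends up complete. The two hardware engines are stood in for by a keyed hash keystream that is not AES or SM4 and is not secure; it only reproduces the one property the scheme relies on, namely that a Block handed to the wrong engine does not come back. The 512-byte plaintext in the test is constructed. What the model shows that the text does not is the ordering that makes recovery correct: a segment's mode is written to MRAM only after every Block of that segment has reached flag state 11 on the SSD, so after a power loss the unmarked segments identify exactly the data the HOST must supply again.

```python
import hashlib
import hmac
import random

BLOCK = 16  # bytes per cache Block (assumed; the patent does not fix a size)
# Two flag bits per cache Block (FIG. 3): 00 empty (assumed), 01 written, 10 encrypted/decrypted, 11 moved out.
FLAG_EMPTY, FLAG_WRITTEN, FLAG_DONE, FLAG_STORED = "00", "01", "10", "11"
MODE_AES, MODE_SM4 = "01", "10"  # encryption mode recorded per segment in the information module (S160)


def engine(mode, key, block_index, data):
    """Stand-in for the hardware AES (01) or SM4 (10) engine: XOR with a keystream bound to
    engine, key and Block index, so it is its own inverse. NOT AES or SM4, not secure."""
    stream = hashlib.sha256(f"{mode}:{block_index}:".encode() + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def distribute(nblocks, n, rng):
    """Data distribution module (S140): n segments of different lengths at random cut points."""
    if n < 1 or n * (n + 1) // 2 > nblocks:
        raise ValueError("cannot form n segments of distinct lengths")
    while True:
        bounds = [0] + sorted(rng.sample(range(1, nblocks), n - 1)) + [nblocks]
        lengths = [b - a for a, b in zip(bounds, bounds[1:])]
        if len(set(lengths)) == n:
            return [{"offset": a, "length": l, "mode": None} for a, l in zip(bounds, lengths)]


class Device:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)  # stands in for the hardware random algorithm
        self.mram = None                # encryption information module: survives power loss
        self.cache = []                 # cache region: volatile, cleared in S170/S280
        self.ssd = {}                   # PCIe SSD module: Block index -> ciphertext Block
        self.leds = set()               # LED1 / LED2 / LED3 in the peripherals

    def _password_ok(self, password):
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.mram["password"])

    def _fill_cache(self, data):
        """A PCIe controller writes Blocks into the cache and flags each one 01."""
        if len(data) % BLOCK:
            raise ValueError("host data must be whole Blocks (assumption)")
        self.cache = [{"flag": FLAG_WRITTEN, "data": data[i:i + BLOCK]}
                      for i in range(0, len(data), BLOCK)]

    def _encrypt_unmarked(self, fail_after=None):
        """S150-S170: unmarked segments go to alternating engines; fail_after=k aborts after k."""
        finished = 0
        for idx, seg in enumerate(self.mram["segments"]):
            if seg["mode"] is not None:
                continue
            if fail_after is not None and finished >= fail_after:
                self.cache = []         # power loss: cache gone, MRAM and SSD persist
                return False
            mode = MODE_AES if idx % 2 == 0 else MODE_SM4
            for i in range(seg["offset"], seg["offset"] + seg["length"]):
                blk = self.cache[i]
                blk["data"] = engine(mode, self.mram["key"], i, blk["data"])
                blk["flag"] = FLAG_DONE
                self.ssd[i] = blk["data"]   # second PCIe controller stores the Block
                blk["flag"] = FLAG_STORED
            seg["mode"] = mode  # written to MRAM only once every Block of the segment is on the SSD
            finished += 1
        self.leds.add("LED1")
        self.cache = []
        return True

    def write(self, password, plaintext, n_segments, fail_after=None):
        """S10: password set, host data fetched (S140), segmented, encrypted, stored."""
        self._fill_cache(plaintext)
        self.mram = {"password": hashlib.sha256(password.encode()).digest(),  # hashed: assumption
                     "key": bytes(self.rng.getrandbits(8) for _ in range(16)),  # device key: assumption
                     "segments": distribute(len(self.cache), n_segments, self.rng)}
        return self._encrypt_unmarked(fail_after)

    def read(self, password):
        """S20: returns the plaintext, or None when the password does not match (S240)."""
        if not self._password_ok(password):
            return None
        nblocks = sum(s["length"] for s in self.mram["segments"])
        self._fill_cache(b"".join(self.ssd[i] for i in range(nblocks)))  # S250
        out = bytearray()
        for seg in self.mram["segments"]:
            for i in range(seg["offset"], seg["offset"] + seg["length"]):
                blk = self.cache[i]
                blk["data"] = engine(seg["mode"], self.mram["key"], i, blk["data"])  # S270
                blk["flag"] = FLAG_DONE
                out += blk["data"]      # first PCIe controller sends the Block to the HOST
                blk["flag"] = FLAG_STORED
        self.leds.add("LED2")           # S280
        self.cache = []
        return bytes(out)

    def recover(self, password, plaintext_from_host):
        """S30: finish a suspended write; the HOST supplies the plaintext again (S340)."""
        if all(s["mode"] is not None for s in self.mram["segments"]):  # S310
            return True
        self.leds.add("LED3")                                          # S320
        if not self._password_ok(password):                            # S330
            return False
        self._fill_cache(plaintext_from_host)                          # S340
        return self._encrypt_unmarked()                                # S350-S360
```

Calling write() with fail_after=2 leaves the first two segments on the SSD with their modes recorded and the rest unmarked; recover() with the same password and the same host data then processes only the unmarked segments, and read() reassembles the plaintext by routing each segment to the engine recorded for it.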
The method embodiment corresponds to the system embodiment and is not described again in detail.
The present invention is not limited to the above preferred embodiments; any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention fall within its scope of protection.