Disclosure of Invention
The invention aims to provide a storage encryption gateway and an encryption and decryption method in which the receiving end and the sending end of a dual computing environment are isolated: one end is responsible for receiving data, an encryption module is responsible for encrypting the data, and the other end is responsible for sending the data. Data can be written or read only through the encryption module, so the encryption process cannot be bypassed; the risk that data received in a single computing environment is sent out without being encrypted is avoided, and data security is improved.
The technical aim of the invention is achieved by the following technical scheme: the storage encryption gateway comprises a receiving calculation module, an encryption module and a sending calculation module;
The receiving calculation module is used for receiving and analyzing a request data packet sent by the application server, distributing a key for the storage volume ID in the request data packet, packaging the content of the original data packet and the key corresponding to the storage volume ID into a first private protocol packet, and sending the first private protocol packet to the encryption module;
The encryption module is used for analyzing the first private protocol packet and, according to its request type, either packaging it directly or encrypting it with the key and then packaging it to obtain a second private protocol packet, which is sent to the sending calculation module; it is also used for analyzing a third private protocol packet and, according to its request type, either packaging it directly or decrypting it with the key and then packaging it to obtain a fourth private protocol packet, which is sent to the receiving calculation module;
The sending calculation module is used for analyzing the second private protocol packet and then repackaging the second private protocol packet into a data packet and then sending the data packet to the memory, and is also used for analyzing the response data packet returned by the memory, repackaging the response data packet into a third private protocol packet and sending the third private protocol packet to the encryption module.
The storage encryption gateway further comprises a PUF module, which is used for generating an initiating end PUF fingerprint value and a target end PUF fingerprint value before the storage encryption gateway is put into use and importing them into the encryption module;
The receiving calculation module is also used for initiating a challenge to the PUF module after analyzing a request data packet to obtain the initiating end PUF fingerprint value, calculating a first check value for the analyzed protocol header, and packaging the first check value into the first private protocol packet;
The encryption module is also used for storing the imported initiating end PUF fingerprint value and target end PUF fingerprint value. After analyzing the first private protocol packet, it calculates a second check value for the analyzed protocol header by using the imported initiating end PUF fingerprint value and compares it with the first check value: if the two are inconsistent, special processing is performed; if they are consistent, a third check value is calculated by using the imported target end PUF fingerprint value and packaged in the second private protocol packet. After analyzing the third private protocol packet, it calculates a fifth check value by using the imported target end PUF fingerprint value and compares it with the fourth check value: if the two are inconsistent, special processing is performed; if they are consistent, a sixth check value is calculated by using the imported initiating end PUF fingerprint value and packaged in the fourth private protocol packet;
The sending calculation module is used for initiating a challenge to the PUF module to obtain a PUF fingerprint value after analyzing the second private protocol packet, calculating a fourth check value for the analyzed protocol header and comparing it with the third check value: if the two are consistent, the fourth check value is encapsulated in the target protocol packet, and if they are inconsistent, special processing is performed. After analyzing the corresponding response data packet, it again initiates a challenge to the PUF module to obtain the PUF fingerprint value, calculates a fourth check value for the protocol header and packages it in the third private protocol packet.
As a preferred technical solution of the present invention, after obtaining the PUF fingerprint value, the check value calculated for the protocol header is an integrity check value.
As a preferred technical solution of the present invention, the special processing is to discard the current data, record an alarm log and return the alarm log to the application server.
As a preferred embodiment of the present invention, the request packet is an iSCSI protocol packet.
As a preferred technical solution of the present invention, the request type of the request data packet comprises a write request and a non-write request: when the request data packet is a non-write request it is directly packaged to obtain the second private protocol packet, and when it is a write request it is encrypted with the key and then packaged to obtain the second private protocol packet;
The request type of the response data packet comprises a read request and a non-read request: when the response data packet is a non-read request it is directly packaged to obtain the fourth private protocol packet, and when it is a read request it is decrypted with the key and then packaged to obtain the fourth private protocol packet.
An encryption and decryption method of a storage encryption gateway comprises the following steps:
S1, acquiring a secret key and importing the secret key into an encryption module;
S2, responding to a data transmission instruction, receiving and analyzing a request data packet from an application server through a receiving calculation module, distributing a key for a storage volume ID in the request data packet, packaging the content of the original data packet and the corresponding key of the storage volume ID into a first private protocol packet, and sending the first private protocol packet to an encryption module;
S3, analyzing the first private protocol packet through the encryption module, directly packaging according to the request type, or packaging after encryption by using a secret key, to obtain a second private protocol packet and sending the second private protocol packet to the sending calculation module;
S4, analyzing the second private protocol packet through the sending calculation module, repackaging the second private protocol packet into a data packet, and sending the data packet to the memory;
S5, analyzing the response data packet returned by the memory through the sending calculation module, repackaging the response data packet into a third private protocol packet and sending the third private protocol packet to the encryption module;
S6, analyzing the third private protocol packet through the encryption module, directly packaging or decrypting by using a secret key according to the request type, packaging to obtain a fourth private protocol packet, and sending the fourth private protocol packet to the receiving calculation module;
S7, analyzing the fourth private protocol packet through the receiving calculation module, packaging the fourth private protocol packet into a standard protocol packet and sending the standard protocol packet to the application server.
In S1, before the key is imported into the encryption module, the IP address mapping relationship and access right information of the memory and the application server are acquired and configured in the storage encryption gateway.
In S1, the encryption module is controlled to interact with the PUF module to generate an initiating end PUF fingerprint value and a target end PUF fingerprint value, and the initiating end PUF fingerprint value and the target end PUF fingerprint value are imported into the encryption module;
In S2, the data packet content obtained by analysis of the receiving calculation module comprises a protocol header and a protocol load. After the receiving calculation module distributes a key for the storage volume ID, it initiates a challenge to the PUF module to obtain a PUF fingerprint value, calculates a first check value for the protocol header by using the PUF fingerprint value, packages the analyzed protocol header, the protocol load, the key seal corresponding to the storage volume ID and the first check value into the first private protocol packet, and sends the first private protocol packet to the encryption module;
In S3, the encryption module analyzes the protocol header, the protocol load, the key seal corresponding to the storage volume ID and the first check value from the first private protocol packet, calculates a second check value for that protocol header by using the imported initiating end PUF fingerprint value and compares it with the first check value; if the two are inconsistent, special processing is performed; if they are consistent, a third check value is calculated for the protocol header by using the imported target end PUF fingerprint value, the load is either packaged directly or encrypted with the key and then packaged, and the third check value is packaged in the second private protocol packet;
S4, the sending calculation module analyzes the protocol header, the protocol load, the storage volume ID corresponding key and the third check value from the second private protocol packet, initiates a challenge to the PUF module to acquire a PUF fingerprint value, calculates a fourth check value from the protocol header analyzed from the second private protocol packet by using the PUF fingerprint value, compares the fourth check value with the third check value, encapsulates the fourth check value in the target protocol packet if the fourth check value is consistent with the third check value, and performs special treatment if the fourth check value is inconsistent with the third check value;
S5, the sending calculation module analyzes the response data packet to obtain a protocol header, a protocol load and a storage volume ID corresponding key, initiates a challenge to the PUF module to obtain a PUF fingerprint value, calculates a fourth check value for the protocol header by using the PUF fingerprint value, and encapsulates the fourth check value in a third private protocol packet;
S6, the encryption module analyzes the third private protocol packet to obtain a protocol header, a protocol load, a storage volume ID corresponding key and a fourth check value, calculates the protocol header to obtain a fifth check value by using the imported target end PUF fingerprint value, compares the fifth check value with the fourth check value, carries out special processing if the fifth check value is inconsistent with the fourth check value, calculates a sixth check value by using the imported initiating end PUF fingerprint value if the fifth check value is consistent with the fourth check value, and directly packages or decrypts by using the key and packages the sixth check value in the fourth private protocol packet;
In S7, the receiving calculation module analyzes the fourth private protocol packet to obtain a protocol header, a protocol load, the key corresponding to the storage volume ID and a sixth check value, initiates a challenge to the PUF module to obtain a PUF fingerprint value, calculates a seventh check value for the protocol header by using the PUF fingerprint value and compares it with the sixth check value; if the seventh check value is consistent with the sixth check value, the packet is encapsulated into a standard protocol packet and sent to the application server, and if the two are inconsistent, special processing is performed.
In summary, the invention has the following beneficial effects:
The receiving end and the sending end of the dual computing environment are isolated: one end is responsible for receiving data, the encryption module is responsible for encrypting the data, and the other end is responsible for sending the data. Data cannot be written or read except through the encryption module, so the encryption process cannot be bypassed; the risk that data received in a single computing environment is sent out without being encrypted is avoided, and data security is improved.
The encryption module is interconnected with the receiving end and with the sending end through the private protocol, which effectively improves transmission efficiency and at the same time avoids the risk of illegal intrusion that comes with conventional communication modes such as Ethernet.
The identities of the receiving end, the sending end and the encryption module are authenticated through the PUF unique fingerprint value and the integrity checking mechanism of the iSCSI protocol header, so that data security is ensured.
The receiving calculation module, the transmitting calculation module and the encryption module verify the integrity of the iSCSI protocol header through the unique fingerprint value of the PUF, ensure that the data packet is processed by the encryption and decryption module, and avoid the data which is not encrypted and decrypted from being transmitted by mistake.
The receiving calculation module, the sending calculation module, the storage end and the encryption and decryption module are integrated equipment, and compared with the calculation and encryption separated equipment, the system is easier to manage and maintain and has higher safety.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
As shown in FIG. 1, the invention provides a storage encryption gateway, which is based on an iSCSI protocol and aims at storing data in an IP SAN array, and comprises a receiving calculation module, an encryption module and a sending calculation module;
The receiving and calculating module is connected with an Initiator end of the application server;
the sending calculation module is connected with the Target end of the IP SAN array.
The receiving and calculating module is used for receiving and analyzing a request data packet sent by the application server, distributing a key for a storage volume ID in the request data packet, packaging the content of the original data packet and the corresponding key of the storage volume ID into a first private protocol packet and sending the first private protocol packet to the encryption module, and analyzing a fourth private protocol packet, packaging the fourth private protocol packet into a standard protocol packet and sending the standard protocol packet to the application server, wherein the request data packet is an iSCSI protocol packet.
The encryption module is used for analyzing the first private protocol packet and, according to its request type, either packaging it directly or encrypting it with the key and then packaging it to obtain a second private protocol packet, which is sent to the sending calculation module; it is also used for analyzing the third private protocol packet and, according to its request type, either packaging it directly or decrypting it with the key and then packaging it to obtain the fourth private protocol packet, which is sent to the receiving calculation module;
The sending calculation module is used for analyzing the second private protocol packet and then repackaging the second private protocol packet into a data packet and then sending the data packet to the memory, and is also used for analyzing the response data packet returned by the memory, repackaging the response data packet into a third private protocol packet and sending the third private protocol packet to the encryption module.
Embodiment 1: as shown in FIG. 2, the red and black isolated data encryption method based on the iSCSI protocol layer is implemented as follows:
An iSCSI protocol encryption gateway is deployed, a sending calculation module of the encryption gateway is connected to an IP SAN disk array through an Ethernet, and a receiving calculation module of the encryption gateway is connected to an application server through the Ethernet;
creating ISCSI TARGET on the IP SAN array and configuring an output storage volume to provide a data storage space for a user, and configuring access control authority of an application server;
introducing IP SAN array address information and access authority information on an iSCSI encryption gateway, and initializing an encryption key;
the application server initiates a connection request to the IP SAN array ISCSI TARGET through the iSCSI Initiator, and establishes iSCSI session connection;
The receiving calculation module captures the iSCSI protocol packets exchanged between the application server and the IP SAN array, obtains the storage volume identifier by analyzing the protocol packet, and distributes an encryption key for the volume according to that identifier; the encryption key is locked by three elements, namely the application server Initiator name, the IP SAN array end ISCSI TARGET and the volume ID. The application server interacts with the iSCSI encryption gateway in plaintext, the gateway encrypts and decrypts the iSCSI data load with the key during the iSCSI session protocol interaction, and data is transmitted between the iSCSI encryption gateway and the IP SAN array in ciphertext.
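As an added illustration of the capture, parsing and key-locking step just described (example code written for this page, not code from the patent or from any product), the following Python parses the iSCSI basic header segment, classifies a PDU as a write or non-write request (and a response as read or non-read) the way the receiving and sending calculation modules must before deciding whether the load is encrypted or decrypted, and derives a key locked to the three elements Initiator name, ISCSI TARGET and volume ID. Assumptions that are not in the patent: the LUN field of the header stands in for the storage volume ID, the key is derived with HMAC-SHA256 from a constructed master key, the session negotiated no header or data digests, and every PDU, name and key below is a constructed sample. Function names (parse_pdu, classify_request, classify_response, volume_key, build_pdu, lock_key_for) are this example's own.

```python
"""iSCSI PDU parsing, request classification and volume-key locking (added example)."""
import hashlib
import hmac
import struct

BHS_LEN = 48          # iSCSI basic header segment length (RFC 7143)
OPCODE_MASK = 0x3F    # the low six bits of byte 0 carry the opcode
OP_SCSI_COMMAND, OP_SCSI_DATA_OUT = 0x01, 0x05   # initiator -> target
OP_SCSI_RESPONSE, OP_SCSI_DATA_IN = 0x21, 0x25   # target -> initiator
CDB_WRITE10, CDB_READ10 = 0x2A, 0x28             # SCSI CDB opcodes


def parse_pdu(pdu):
    """Split an iSCSI PDU into the fields the gateway needs. Assumes no header or
    data digests were negotiated, so the data segment follows the header and AHS."""
    if len(pdu) < BHS_LEN:
        raise ValueError("PDU shorter than the basic header segment")
    ahs_len = pdu[4] * 4                          # TotalAHSLength is in 4-byte words
    data_len = int.from_bytes(pdu[5:8], "big")    # 24-bit DataSegmentLength
    start = BHS_LEN + ahs_len
    return {
        "opcode": pdu[0] & OPCODE_MASK,
        "lun": pdu[8:16],                           # used here as the storage volume ID
        "itt": struct.unpack(">I", pdu[16:20])[0],  # Initiator Task Tag
        "cdb": pdu[32:48],
        "header": pdu[:start],
        "data": pdu[start:start + data_len],
    }


def classify_request(fields):
    """'write' when the initiator PDU carries load that must be encrypted."""
    op, data = fields["opcode"], fields["data"]
    if op == OP_SCSI_DATA_OUT and data:
        return "write"
    if op == OP_SCSI_COMMAND and fields["cdb"][0] == CDB_WRITE10 and data:
        return "write"                            # WRITE(10) with immediate data
    return "non-write"


def classify_response(fields):
    """'read' when the target PDU carries load that must be decrypted."""
    if fields["opcode"] == OP_SCSI_DATA_IN and fields["data"]:
        return "read"
    return "non-read"


def volume_key(master_key, initiator_name, target_name, lun):
    """Key locked to (Initiator name, ISCSI TARGET, volume ID). HMAC derivation
    is an assumption of this example; the patent only says the key is locked."""
    info = b"\x00".join([initiator_name.encode(), target_name.encode(), lun])
    return hmac.new(master_key, b"storage-volume-key|" + info, hashlib.sha256).digest()


def build_pdu(opcode, lun, itt, data=b"", cdb=b""):
    """Constructed PDU builder for the samples below (no AHS, no digests)."""
    hdr = bytearray(BHS_LEN)
    hdr[0] = opcode
    hdr[1] = 0x80                                  # F (final) bit
    hdr[5:8] = len(data).to_bytes(3, "big")
    hdr[8:16] = lun
    hdr[16:20] = struct.pack(">I", itt)
    hdr[32:48] = cdb.ljust(16, b"\x00")
    pad = b"\x00" * (-len(data) % 4)               # data segment padded to 4 bytes
    return bytes(hdr) + data + pad


# Constructed sample session: a WRITE(10) with 512 bytes of immediate data, a
# READ(10), and the Data-In PDU that carries the read data back. Single-level LUN 7.
LUN_7 = bytes([0x00, 0x07]) + bytes(6)
WRITE10_CDB = bytes([CDB_WRITE10, 0, 0, 0, 0, 0x10, 0, 0, 0x01, 0])  # 1 block at LBA 16
READ10_CDB = bytes([CDB_READ10, 0, 0, 0, 0, 0x10, 0, 0, 0x01, 0])
SAMPLE_WRITE = build_pdu(OP_SCSI_COMMAND, LUN_7, 1, b"A" * 512, WRITE10_CDB)
SAMPLE_READ = build_pdu(OP_SCSI_COMMAND, LUN_7, 2, b"", READ10_CDB)
SAMPLE_DATA_IN = build_pdu(OP_SCSI_DATA_IN, LUN_7, 2, b"B" * 512)
MASTER_KEY = b"constructed-gateway-master-key"    # constructed, not a real key


def lock_key_for(fields, initiator_name, target_name):
    """The key the receiving module distributes for the volume named in a PDU."""
    return volume_key(MASTER_KEY, initiator_name, target_name, fields["lun"])
```

Only PDUs that actually carry a data segment are classed as write or read; commands, responses and R2T PDUs go through untouched, which is what the "directly packaged" branch of the patent's request-type rule covers.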
As shown in fig. 3, a specific encryption process is as follows:
A1, the receiving calculation module receives and analyzes an iSCSI protocol packet transmitted by the application server iSCSI Initiator;
A2, the parsed iSCSI protocol header and iSCSI load are encapsulated into a private protocol packet and sent to the encryption module;
A3, the encryption module receives the private protocol packet from the receiving calculation module, unpacks it and checks whether it carries a legal iSCSI command word;
A4, the encryption module forwards the private protocol packet carrying the iSCSI protocol header to the sending calculation module, encrypts the iSCSI protocol load with the secret key M, encapsulates the encrypted iSCSI protocol load into a private protocol packet and sends it to the sending calculation module;
A5, the sending calculation module receives the private protocol packet sent by the encryption module, unpacks it, encapsulates it into an iSCSI protocol packet and sends the iSCSI protocol packet to the IP SAN array ISCSI TARGET.
As shown in fig. 3, a specific decryption process is as follows:
B1, the sending calculation module receives and analyzes an iSCSI protocol packet sent by the IP SAN array ISCSI TARGET;
B2, the parsed iSCSI protocol header and iSCSI load are encapsulated into a private protocol packet and sent to the encryption module;
B3, the encryption module receives the private protocol packet from the sending calculation module, unpacks it and checks whether it carries a legal iSCSI command word;
B4, the encryption module forwards the private protocol packet carrying the iSCSI protocol header to the receiving calculation module, decrypts the iSCSI protocol load with the secret key M, encapsulates the decrypted iSCSI protocol load into a private protocol packet and sends it to the receiving calculation module;
B5, the receiving calculation module receives the private protocol packet sent by the encryption module, unpacks it, packages it into an iSCSI protocol packet and sends the iSCSI protocol packet to the application server iSCSI Initiator.
As shown in FIG. 4, in this embodiment the iSCSI encryption gateway is connected to the application server and to the IP SAN array through separate Ethernet networks. The IP SAN array provides the original data storage volume, and the application server accesses data on that storage volume through the iSCSI protocol; the iSCSI encryption gateway captures the iSCSI protocol packets, encrypts or decrypts the iSCSI load data after analysis, repacks it into an iSCSI protocol packet and sends it on, thereby ensuring that the data on the IP SAN array is stored in ciphertext form.
In embodiment 2, a PUF module is also introduced into the storage encryption gateway, and the specific application process is as follows:
The PUF module is used for generating a receiving end PUF fingerprint value and a transmitting end PUF fingerprint value before the storage encryption gateway is put into use, importing them into the encryption module, and answering the challenges initiated by the receiving end and the transmitting end;
The receiving calculation module is also used for initiating a challenge to the PUF module after analyzing a request data packet to obtain the receiving end PUF fingerprint value, calculating a first check value for the analyzed protocol header, and packaging the first check value into the first private protocol packet;
The encryption module is also used for storing the imported receiving end PUF fingerprint value and transmitting end PUF fingerprint value; after analyzing the first private protocol packet, it calculates a second check value by using the imported receiving end PUF fingerprint value and compares it with the first check value: if the two are inconsistent, special processing is performed; if they are consistent, a third check value is calculated by using the imported transmitting end PUF fingerprint value and packaged in the second private protocol packet;
The sending calculation module is used for initiating a challenge to the PUF module to obtain a PUF fingerprint value after analyzing the second private protocol packet, calculating a fourth check value for the analyzed protocol header and comparing it with the third check value: if the two are consistent, the fourth check value is encapsulated in the target protocol packet, and if they are inconsistent, special processing is performed.
Specifically, the check value calculated for the protocol header after obtaining the PUF fingerprint value is an integrity check value.
The special processing is that the current data is discarded, the alarm log is recorded, and the alarm log is returned to the application server.
The invention also provides an encryption and decryption method of the storage encryption gateway corresponding to the storage encryption gateway, comprising the following steps:
S1, acquiring a secret key and importing the secret key into an encryption module;
Specifically, before the key is imported into the encryption module, the IP address mapping relationship and access right information of the memory and the application server, that is, of the IP SAN array Target and the server-side Initiator, are obtained and configured in the storage encryption gateway.
When a secret key is imported, the encryption module is also controlled to interact with the PUF module, a receiving end PUF fingerprint value and a transmitting end PUF fingerprint value are generated, and the receiving end PUF fingerprint value and the transmitting end PUF fingerprint value are imported into the encryption module;
in this step, after a key, a receiving end PUF fingerprint value, and a transmitting end PUF fingerprint value are imported for the encryption module, the encryption module is initialized.
S2, responding to the data transmission instruction, receiving a request data packet, namely an iSCSI protocol packet, from an application server through a receiving calculation module, analyzing the request data packet, distributing a key for a storage volume ID in the request data packet, packaging the content of the original data packet and the corresponding key of the storage volume ID into a first private protocol packet, and sending the first private protocol packet to an encryption module;
In S2, the data packet content obtained by the analysis of the receiving calculation module comprises an iSCSI protocol header and an iSCSI load; after the receiving calculation module distributes a secret key for the storage volume ID, it initiates a challenge to the PUF module to obtain a PUF fingerprint value and calculates a first check value for the protocol header by using the PUF fingerprint value;
S3, analyzing the first private protocol packet through the encryption module, directly packaging according to the request type, or packaging after encryption by using a secret key to obtain a second private protocol packet and sending the second private protocol packet to the sending calculation module;
In S3, the encryption module analyzes the protocol header, the protocol load, the key seal corresponding to the storage volume ID and the first check value from the first private protocol packet, calculates a second check value for that protocol header by using the imported receiving end PUF fingerprint value and compares it with the first check value; if the two are inconsistent, special processing is performed, namely the data is discarded, an alarm log is recorded and the alarm log is returned; if they are consistent, a third check value is calculated by using the imported transmitting end PUF fingerprint value and packaged in the second private protocol packet;
The request type of the request data packet comprises a write request and a non-write request: when the request data packet is a non-write request it is directly packaged to obtain the second private protocol packet, and when it is a write request it is encrypted with the key and then packaged to obtain the second private protocol packet;
S4, analyzing the second private protocol packet through the sending calculation module, repackaging the second private protocol packet into a data packet, and sending the data packet to the memory, namely the IP SAN array end;
In S4, the sending calculation module analyzes the protocol header, the protocol load, the key corresponding to the storage volume ID and the third check value from the second private protocol packet, initiates a challenge to the PUF module to obtain a PUF fingerprint value, calculates a fourth check value for that protocol header by using the PUF fingerprint value and compares it with the third check value; if the fourth check value is consistent with the third check value, it is encapsulated in the target protocol packet, and if the two are inconsistent, special processing is performed;
S5, analyzing the response data packet returned by the memory through the sending calculation module, repackaging the response data packet into a third private protocol packet and sending the third private protocol packet to the encryption module;
In S5, the sending calculation module analyzes the response data packet to obtain a protocol header, a protocol load and the key corresponding to the storage volume ID, initiates a challenge to the PUF module to obtain a PUF fingerprint value, calculates a fourth check value for the protocol header by using the PUF fingerprint value, and encapsulates the fourth check value in the third private protocol packet;
S6, analyzing the third private protocol packet through the encryption module, directly packaging or decrypting by using a secret key according to the request type, packaging to obtain a fourth private protocol packet, and sending the fourth private protocol packet to the receiving calculation module;
In S6, the encryption module analyzes the third private protocol packet to obtain a protocol header, a protocol load, the key corresponding to the storage volume ID and the fourth check value, calculates a fifth check value for the protocol header by using the imported transmitting end PUF fingerprint value and compares it with the fourth check value; if the two are inconsistent, special processing is performed; if they are consistent, a sixth check value is calculated by using the imported receiving end PUF fingerprint value, the load is either packaged directly or decrypted with the key and then packaged, and the sixth check value is packaged in the fourth private protocol packet;
The request type of the response data packet comprises a read request and a non-read request: when the response data packet is a non-read request it is directly packaged to obtain the fourth private protocol packet, and when it is a read request it is decrypted with the key and then packaged to obtain the fourth private protocol packet.
S7, analyzing the fourth private protocol packet through the receiving and calculating module, packaging the fourth private protocol packet into a standard protocol packet and sending the standard protocol packet to the application server.
In S7, the receiving calculation module analyzes the fourth private protocol packet to obtain a protocol header, a protocol load, the key corresponding to the storage volume ID and the sixth check value, initiates a challenge to the PUF module to obtain a PUF fingerprint value, calculates a seventh check value for the protocol header by using the PUF fingerprint value and compares it with the sixth check value; if the seventh check value is consistent with the sixth check value, the packet is encapsulated into a standard protocol packet and sent to the application server, and if the two are inconsistent, special processing is performed.
According to the scheme, the software stack depth of the encryption gateway can be reduced and the processing performance effectively improved; the identity validity of the red and black ends is authenticated by combining a PUF (Physically Unclonable Function) technology, and at the same time it is ensured that data cannot bypass the encryption module on its way to the IP SAN array end, so that data security is effectively guaranteed.
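The three-module pipeline of steps S2 to S7, as given in the Disclosure section and repeated in this embodiment, can be simulated end to end. The following Python is an added example written for this page, not code from the patent or any product. It models each check value as HMAC-SHA256 over the protocol header keyed by a PUF fingerprint, stands in for the PUF module with fixed constructed fingerprint strings, uses an HMAC-based keystream as a placeholder for the payload cipher the patent does not name, and implements special processing as discard plus an alarm log entry. The class and function names (ReceivingModule, EncryptionModule, SendingModule, write_path, read_path, skipping_encryption_is_rejected) and the volume key are this example's own. The last function shows why the encryption step cannot be skipped: a packet handed from S2 straight to S4 fails the sending module's check, because its check value was keyed with the receiving-end fingerprint and only the encryption module can re-key it with the sending-end fingerprint.

```python
"""Simulation of the S2-S7 check-value chain (added example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the PUF fingerprints: a real PUF module derives them
# from device physics on each challenge; here they are fixed secrets of the module.
_PUF_FINGERPRINTS = {
    "receiving": b"constructed-receiving-end-puf-fingerprint",
    "sending": b"constructed-sending-end-puf-fingerprint",
}
ALARM_LOG = []  # alarm records written by special processing

class SpecialProcessing(Exception):
    """Raised when a check fails: the packet is discarded and an alarm is logged."""

def puf_challenge(end):
    """PUF module answering a challenge from the receiving or the sending end."""
    return _PUF_FINGERPRINTS[end]

def check_value(fingerprint, header):
    """Integrity check value over the protocol header, keyed by a PUF fingerprint."""
    return hmac.new(fingerprint, header, hashlib.sha256).digest()

def payload_cipher(key, data):
    """Placeholder load cipher: HMAC-SHA256 keystream XORed with the data, so one
    call both encrypts and decrypts. The patent names no algorithm (use e.g. AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class PrivatePacket:
    """Private protocol packet: header, load, key seal for the volume, check value."""
    header: bytes
    payload: bytes
    volume_key: bytes
    check: bytes

def verify_or_alarm(stage, expected, pkt):
    """Special processing when the recomputed check differs from the carried one."""
    if not hmac.compare_digest(expected, pkt.check):
        ALARM_LOG.append(f"{stage}: header check mismatch, packet discarded")
        raise SpecialProcessing(stage)

class ReceivingModule:
    def s2_build(self, header, payload, volume_key):
        first = check_value(puf_challenge("receiving"), header)
        return PrivatePacket(header, payload, volume_key, first)

    def s7_unpack(self, pkt):
        seventh = check_value(puf_challenge("receiving"), pkt.header)
        verify_or_alarm("S7 receiving module", seventh, pkt)
        return pkt.header + pkt.payload  # standard packet for the application server

class EncryptionModule:
    """Only component holding both imported fingerprints (S1) and the volume keys."""
    def __init__(self, recv_fp, send_fp):
        self.recv_fp, self.send_fp = recv_fp, send_fp

    def s3_process(self, pkt, is_write):
        verify_or_alarm("S3 encryption module", check_value(self.recv_fp, pkt.header), pkt)
        third = check_value(self.send_fp, pkt.header)
        payload = payload_cipher(pkt.volume_key, pkt.payload) if is_write else pkt.payload
        return PrivatePacket(pkt.header, payload, pkt.volume_key, third)

    def s6_process(self, pkt, is_read):
        verify_or_alarm("S6 encryption module", check_value(self.send_fp, pkt.header), pkt)
        sixth = check_value(self.recv_fp, pkt.header)
        payload = payload_cipher(pkt.volume_key, pkt.payload) if is_read else pkt.payload
        return PrivatePacket(pkt.header, payload, pkt.volume_key, sixth)

class SendingModule:
    def s4_unpack(self, pkt):
        fourth = check_value(puf_challenge("sending"), pkt.header)
        verify_or_alarm("S4 sending module", fourth, pkt)
        return pkt.payload  # the load written to the IP SAN array

    def s5_build(self, header, payload, volume_key):
        fourth = check_value(puf_challenge("sending"), header)
        return PrivatePacket(header, payload, volume_key, fourth)

# S1: fingerprints are imported into the encryption module once, before operation.
ENC = EncryptionModule(puf_challenge("receiving"), puf_challenge("sending"))
RECV, SEND = ReceivingModule(), SendingModule()
VOLUME_KEY = b"constructed-key-for-storage-volume-7"  # constructed per-volume key

def write_path(header, plaintext):
    """S2 -> S3 -> S4 for a write request; returns the ciphertext stored on the array."""
    return SEND.s4_unpack(ENC.s3_process(RECV.s2_build(header, plaintext, VOLUME_KEY), True))

def read_path(header, ciphertext):
    """S5 -> S6 -> S7 for a read response; returns the standard packet for the server."""
    return RECV.s7_unpack(ENC.s6_process(SEND.s5_build(header, ciphertext, VOLUME_KEY), True))

def skipping_encryption_is_rejected(header, plaintext):
    """Hand the S2 packet straight to S4. The sending module recomputes the check
    with its own fingerprint, which never matches one keyed by the receiving-end
    fingerprint, so the packet is discarded; returns True when that happens."""
    try:
        SEND.s4_unpack(RECV.s2_build(header, plaintext, VOLUME_KEY))
    except SpecialProcessing:
        return True
    return False
```

The property worth noticing is that neither calculation module ever holds the other end's fingerprint: the receiving module can only produce checks the encryption module accepts, and the sending module only accepts checks the encryption module produces, which is what turns the isolation of the two computing environments into an enforced ordering of the pipeline.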
The encryption and decryption method of the storage encryption gateway has the advantages that:
1) The linear encryption and decryption of the data is directly realized at the iSCSI protocol layer on the network path, the remapping of the IP SAN storage volume is not needed, the construction processes of iSCSI and SCSI protocol software stacks and encryption and decryption drivers are reduced, the encryption and decryption efficiency of the data is effectively improved, the data storage performance is improved, and the read-write delay caused by encryption and decryption to the storage is reduced.
2) The protocol layer is transparent in encryption and decryption, compatible with the native iSCSI protocol and supports the MPIO deployment mode of the IP SAN storage volume. Each iSCSI path between the application server and the IP SAN storage volume can be connected to the encryption gateway, so that multipath load balancing and fault taking over are realized.
3) The receiving end and the sending end of the dual computing environment are isolated: one end is responsible for receiving data, the encryption module is responsible for encrypting the data, and the other end is responsible for sending the data. Data cannot be written or read except through the encryption module, so the encryption process cannot be bypassed; the risk that data received in a single computing environment is sent out without being encrypted is avoided, and data security is improved.
4) The encryption module is interconnected with the receiving end and with the sending end through the private protocol, which effectively improves transmission efficiency and at the same time avoids the risk of illegal intrusion that comes with conventional communication modes such as Ethernet.
5) The identities of the receiving end, the sending end and the encryption module are authenticated through the PUF unique fingerprint value and the integrity checking mechanism of the iSCSI protocol header, so that data security is ensured.
6) The receiving calculation module, the transmitting calculation module and the encryption module verify the integrity of the iSCSI protocol header through the unique fingerprint value of the PUF, ensure that the data packet is processed by the encryption and decryption module, and avoid the data which is not encrypted and decrypted from being transmitted by mistake.
7) The receiving calculation module, the sending calculation module, the storage end and the encryption and decryption module are integrated equipment, and compared with the calculation and encryption separated equipment, the system is easier to manage and maintain and has higher safety.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above examples, and all technical solutions belonging to the concept of the present invention belong to the protection scope of the present invention. It should be noted that modifications and adaptations to the present invention may occur to one skilled in the art without departing from the principles of the present invention and are intended to be within the scope of the present invention.