CN-121980587-A - Safe shared storage system and method based on transparent encryption projection and strong consistency

Abstract

The invention discloses a secure shared storage system and method based on transparent encryption projection and strong consistency. The system builds a single standard file system on a single physical nonvolatile storage medium and, relying on a Trusted Execution Environment (TEE), implements a transparent encryption projection layer and a global transaction log engine, so that a general-purpose computing device can efficiently access a logical plaintext view through a local interface while several authorized mobile terminals concurrently access a fully consistent file system state over a secure wireless channel, with all data always stored in ciphertext on the physical medium. The invention seamlessly fuses plaintext and encrypted access on one physical nonvolatile storage medium, guarantees data integrity under accidental power failure at any moment, and suits application scenarios with strict security requirements such as personal data synchronization, enterprise document collaboration and medical image sharing.

Inventors

  • LIU WEIBO
  • YANG JINRUI

Assignees

  • 深圳市铭明电子有限公司

Dates

Publication Date
2026-05-05
Application Date
2026-01-20

Claims (9)

  1. A secure shared storage system based on transparent encryption projection and strong consistency, comprising: a micro control unit (MCU) that configures the protocol stacks and controls device operation; a Trusted Execution Environment (TEE), closely coupled to the MCU, for secure key generation, encryption processing and log management; a USB communication interface for connecting a host; a wireless communication module; a pluggable single physical nonvolatile storage medium; and mobile terminals, each of which establishes an encrypted channel with the wireless communication module. The single physical nonvolatile storage medium is formatted in its entirety as a single standard file system, whose directory tree and file attribute metadata are completely consistent for the host connected through the USB communication interface and for each mobile terminal connected through the wireless communication module. At factory secure programming or at the user's first secure initialization, the TEE generates a device-unique hardware root key with a true random number generator (TRNG), drawn from the set of all 256-bit binary strings; the device-unique hardware root key is stored permanently and non-exportably in a secure storage unit, so that no polynomial-time adversary can extract it with non-negligible probability. The MCU is configured to deploy the transparent encryption projection layer and the global transaction log engine inside the TEE, and at run time maintains both the USB mass storage protocol stack and the custom multi-host file access protocol stack.
  2. The secure shared storage system of claim 1, wherein the MCU implements the following cooperative functions. When the USB communication interface detects insertion of the host and USB mass storage device enumeration has completed, the MCU switches the USB protocol stack into a transparent proxy mode: every host access to the storage medium is intercepted and processed in real time inside the TEE, and its data content is encrypted and decrypted with a device-level fixed session key derived from the device-unique hardware root key, so that the host logically observes plaintext file content while the physical storage medium always holds SM4 ciphertext. When the wireless communication module and a mobile terminal establish a mutually authenticated encrypted channel based on TLS 1.3 with the national SM2/SM4 cipher suite or an equivalent international cipher suite, and the TEE has verified that terminal's access token, the TEE immediately opens an independent transparent encryption projection session for that terminal, which sees through the file protocol a directory tree and file attribute metadata that agree exactly with the physical medium; data content on the wireless link is protected end to end with a dynamically derived session key, while physical storage continues to be encrypted and decrypted uniformly with the device-level fixed session key, and every host's operations on the same file act on the same physical data block positions, so the underlying storage layout is unique. Any write operation on a file from the host or from any mobile terminal, including create, modify, delete and rename, is uniformly translated into an encrypted log entry that carries a globally monotonically increasing sequence number, drawn from the set of natural numbers, and is encrypted under the device-unique hardware root key; the entry records the operation type, the file identifier and the operation delta. Encrypted log entries are appended in order to a nonvolatile circular log area inside the TEE, and a background playback thread commits them atomically to the file system in strict sequence-number order, so that the stored ciphertext, file size and modification time observed by the host and by any number of mobile terminals at any moment are completely consistent, with no perceptible delay.
  3. The secure shared storage system of claim 2, wherein the security of the device-unique hardware root key satisfies the following condition: ; in the formula, denotes the probability that an event occurs, denotes an attack by an arbitrary polynomial-time adversary on the TEE, and denotes a negligible function in the cryptographic sense. The transparent encryption projection layer encrypts and decrypts data content with a device-level fixed session key derived from the device-unique hardware root key, where HKDF denotes the HMAC-based key derivation function and denotes a salt, a random and unique string. Every read of a file through the USB communication interface decrypts the stored ciphertext in real time with that key to obtain the plaintext, namely: ; here denotes the ciphertext data blocks stored on the single physical nonvolatile storage medium and denotes decryption with the national SM4 symmetric algorithm under the device-level fixed session key. Every write of a file through the USB communication interface encrypts the plaintext in real time with that key and updates the file system, namely: ; here update denotes the update operation on the file system and denotes SM4 encryption under the device-level fixed session key.
  4. The secure shared storage system of claim 3, wherein the transparent encryption projection layer dynamically derives an independent session key for each mobile terminal's transparent encryption projection session, generated as follows: ; in the formula, denotes bit-string concatenation, denotes a Diffie-Hellman key exchange on the SM2 elliptic curve, denotes the ephemeral SM2 public key the mobile terminal supplies in the TLS handshake, denotes the SM2 private key the TEE generates temporarily for the current session, and denotes a salt, a random and unique string. A read of a file by the mobile terminal decrypts the stored ciphertext in real time with the session key to obtain the plaintext, namely: ; here denotes SM4 encryption and denotes SM4 decryption under the dynamically derived session key. A write of a file by the mobile terminal encrypts the plaintext in real time with the session key and updates the file system, namely: ; here update denotes the update operation on the file system. The transparent encryption projection layer guarantees that the same file is protected by entirely different keys in different sessions and for different mobile terminals, and that repeated plugging and unplugging of the host neither reveals nor affects any dynamically derived session key.
  5. The secure shared storage system of claim 4, wherein the access token of a mobile terminal is generated by the TEE at first network binding as an SM2 digital signature, made with the device's built-in SM2 private key, over a structured payload: ; in the formula, denotes the SM2 digital signature algorithm; ; in the formula, denotes the unique identifier of the device, denotes the unique identifier of the user, is a permission bitmap in which bit 1 indicates list-directory permission, bit 2 read-file permission, bit 3 write-file permission and bit 4 delete-or-rename permission, denotes the root path subtree to which access is permitted, denotes the token expiry time, and denotes a unique token identifier. Every subsequent wireless connection must present the token, and the device opens only when the following conditions hold: ; in the formula, denotes the SM2 signature verification algorithm, denotes the device public key, denotes that verification passed, denotes the current time, denotes the less-than comparison, denotes the token revocation list, and denotes "does not belong to".
  6. The secure shared storage system of claim 5, wherein the global transaction log engine, during log processing, uniformly converts every write operation on a file originating from the host or from any mobile terminal, including create, modify, delete and rename, into an encrypted log entry carrying a globally monotonically increasing sequence number, appends the encrypted log entries in order to the nonvolatile circular log area inside the TEE, and has the background playback thread commit them atomically to the file system in strict order, namely: ; in the formula, denotes "for all", and denote different time stamps, and denote the encrypted log entries at those time stamps, denotes the less-than comparison, denotes an atomic commit operation, and denotes the precedence relation of the atomic sequence. The holder of an owner access token, namely one satisfying , may request through the established encrypted channel that the TEE generate a guest sub-token whose payload satisfies: ; in the formula, denotes the subset relation on permissions, denotes the guest permission bitmap, denotes the owner permission bitmap, denotes the guest token expiry time, and denotes the owner token expiry time. After the TEE independently performs the SM2 signature over the guest payload, the sub-token is issued securely over the encrypted channel, and the guest sub-token likewise opens an independent guest session.
  7. The secure shared storage system of claim 6, wherein the transparent encryption projection layer, combining the permission bitmap and the permitted root path subtree in the structured payload, builds in real time for each mobile terminal's transparent encryption projection session a virtual file system view, called the virtual view for short, satisfying: ; in the formula, denotes set construction, denotes that the file belongs to the file system, denotes the condition separator, denotes the path of the file, denotes the subtree relation, denotes logical and, and denotes that the operation is permitted on the file. Files and directories in unauthorized areas are completely invisible to, non-traversable by, and not inferable from the transparent encryption projection session, even while the host is reading and writing those unauthorized areas at high frequency. The TEE internally maintains a hash-table-based token revocation list, and the owner may send a revocation command at any time, in which denotes the revoke operation and denotes the guest token identifier; the TEE immediately adds the identifier to the list and triggers a secure erase: ; in the formula, denotes the secure erase operation, denotes the guest session key, and denotes the established guest plaintext cache; the guest session is forcibly closed and returns an "access token revoked" error on its next file operation.
  8. The secure shared storage system of claim 7, wherein, after the global transaction log engine successfully plays back a modification of any file, if that file is among the most recently modified hot files ordered by modification time, the count being a preset positive integer, its plaintext is cached in a hot file table in TEE secure memory; the TEE then, within a set time, traverses all established and active transparent encryption projection sessions of mobile terminals and, only when the file lies in that session's virtual view, actively pushes the plaintext, encrypted under the dynamically derived session key, to the corresponding mobile terminal through the wireless communication module, namely: ; in the formula, denotes a conditional statement, denotes a wireless push operation, and denotes SM4 encryption under the dynamically derived session key.
  9. A secure shared storage method based on transparent encryption projection and strong consistency, applied to the secure shared storage system of any one of claims 1 to 8 and comprising the following steps: 1) after device power-up, establishing and maintaining a single standard file system on the single physical nonvolatile storage medium, whose directory structure, file attribute metadata and file content are physically stored as SM4 ciphertext; when the device is plugged into a host through the USB communication interface, the host accesses it as a mass storage device in logical plaintext through the transparent encryption proxy in the TEE; 2) a mobile terminal establishes a TLS 1.3 mutually authenticated channel through the wireless communication module and submits its access token; 3) after the TEE has verified the token's signature, validity period, revocation status and permissions, it opens the transparent encryption projection session for that terminal and derives the dynamically derived session key; 4) the mobile terminal accesses the virtual view through SMB/WebDAV; every read and write is encrypted or decrypted in real time by the transparent encryption projection layer, and every write is converted into a sequence-numbered encrypted log entry appended in order to the nonvolatile circular log area inside the TEE; 5) the background playback thread commits the encrypted log entries atomically to the file system in strict sequence-number order, ensuring strong consistency across hosts; 6) within a set time after a hot file is modified, updates are actively pushed to all connected mobile terminals holding access rights, and every write operation completes its atomic landing before returning confirmation, so that data consistency is guaranteed under power failure at any moment.
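The token model of claims 5 to 7 (signed payload with device id, user id, permission bitmap, root subtree, expiry and token id; guest sub-tokens restricted to a subset of rights and an earlier expiry; a hash-table revocation list with secure erase; a per-session virtual view that hides unauthorized subtrees) can be exercised end to end with a small model. The following is an added example written for this page, not the patent's or the assignee's code. Stated stand-ins: HMAC-SHA256 replaces the SM2 signature, HKDF-SHA256 replaces the claims' HKDF, the TLS ECDH shared secret is passed in as a byte string instead of being computed with SM2, and every field name and return string is ours.

```python
import hashlib
import hmac
import json
import os
import posixpath

LIST, READ, WRITE, DELETE = 1, 2, 4, 8       # permission bitmap bits of claim 5
ALL = LIST | READ | WRITE | DELETE


def norm(path):
    """Canonical absolute path; lstrip avoids POSIX preserving a leading '//'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def under_subtree(path, root):
    """True when path equals root or lies inside it; '/shared2' is not under '/shared'."""
    path, root = norm(path), norm(root)
    return root == "/" or path == root or path.startswith(root + "/")


def hkdf_sha256(ikm, salt, info, length=16):
    """RFC 5869 extract-then-expand; stand-in for the HKDF of claims 3 and 4."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]


class TEE:
    def __init__(self, device_id):
        self.device_id = device_id
        self.root_key = os.urandom(32)   # TRNG output; never leaves the TEE
        self.sign_key = os.urandom(32)   # stand-in for the device's SM2 private key
        self.revoked = set()             # hash-table revocation list of claim 7
        self.sessions = {}               # token id -> {key, cache, payload}

    def _sign(self, payload):
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.sign_key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user_id, perms, subtree, expires):
        payload = {"dev": self.device_id, "uid": user_id, "perms": perms & ALL,
                   "subtree": norm(subtree), "exp": expires, "tid": os.urandom(8).hex()}
        return {"payload": payload, "sig": self._sign(payload)}

    def verify_token(self, token, now):
        """Signature, device binding, expiry (now < exp) and revocation, in that order."""
        p = token["payload"]
        if not hmac.compare_digest(token["sig"], self._sign(p)):
            return "bad signature"
        if p["dev"] != self.device_id:
            return "wrong device"
        if not now < p["exp"]:
            return "expired"
        if p["tid"] in self.revoked:
            return "access token revoked"
        return "ok"

    def issue_guest_token(self, owner, guest_uid, perms, subtree, expires, now):
        """Claim 6: guest rights a subset, expiry no later, subtree inside the owner's.
        Assumption: an owner token is one that holds the full permission bitmap."""
        p = owner["payload"]
        if self.verify_token(owner, now) != "ok" or p["perms"] != ALL:
            return None
        if perms & ~p["perms"] or expires > p["exp"] or not under_subtree(subtree, p["subtree"]):
            return None
        return self.issue_token(guest_uid, perms, subtree, expires)

    def open_session(self, token, shared_secret, now):
        """Per-session key from the (stand-in) ECDH secret and a fresh salt, claim 4."""
        status = self.verify_token(token, now)
        if status == "ok":
            key = hkdf_sha256(shared_secret, os.urandom(16), b"projection-session")
            self.sessions[token["payload"]["tid"]] = {"key": key, "cache": {},
                                                      "payload": token["payload"]}
        return status

    def virtual_view(self, tid, fs_paths):
        """Claim 7: only files inside the authorized subtree exist in the view."""
        s = self.sessions.get(tid)
        if s is None:
            return []
        return sorted(p for p in fs_paths if under_subtree(p, s["payload"]["subtree"]))

    def check_op(self, tid, path, op_bit, now):
        s = self.sessions.get(tid)
        if s is None:
            return "access token revoked" if tid in self.revoked else "no session"
        if not now < s["payload"]["exp"]:
            return "expired"
        if not under_subtree(path, s["payload"]["subtree"]):
            return "not found"       # unauthorized areas are invisible, not merely denied
        return "ok" if s["payload"]["perms"] & op_bit else "forbidden"

    def revoke(self, tid):
        """Claim 7: list the id, then securely erase the session key and plaintext cache."""
        self.revoked.add(tid)
        s = self.sessions.pop(tid, None)
        if s is not None:
            s["key"] = bytes(len(s["key"]))
            s["cache"].clear()


def demo():
    """Constructed scenario: owner token for '/', read-only guest sub-token for '/shared'."""
    tee, now = TEE("dev-0001"), 1_000
    owner = tee.issue_token("alice", ALL, "/", now + 3600)
    guest = tee.issue_guest_token(owner, "bob", LIST | READ, "/shared", now + 600, now)
    tee.open_session(guest, b"constructed-stand-in-for-sm2-ecdh-secret", now)
    files = ["/shared/plan.docx", "/shared/img/ct.dcm", "/private/keys.txt", "/shared2/x"]
    return tee, owner, guest, files
```

Two details matter in practice: the subtree test appends a slash before prefix matching, so a token for `/shared` does not also grant `/shared2`, and paths are normalized before the check, so `/shared/../private` resolves to `/private` and is treated as nonexistent rather than forbidden, which is what claim 7's "invisible, non-traversable and non-inferable" requires.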
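The global transaction log engine of claims 2, 6 and 9 (every write becomes an encrypted, authenticated entry with a globally monotonic sequence number, appended to a nonvolatile ring and committed atomically in strict order by a playback thread, with the write acknowledged only once the entry is durable) is the part of the design that carries the power-failure guarantee, so it is worth seeing replay across a simulated power loss. The following is an added example written for this page, not the patent's code. Stated stand-ins: HMAC-SHA256 in counter mode plus an HMAC tag replaces SM4 with authentication, the ring and medium are in-memory containers handed from one engine instance to the next to model nonvolatility, and "delta" carries the full new content or the rename target rather than a real change record.

```python
import hashlib
import hmac
import json
import struct


class LogEngine:
    """Ring of sealed entries plus a medium whose committed state is one
    (applied_seq, fs) reference; replacing that reference is the commit point."""

    def __init__(self, log_key, ring=None, medium=None, ring_size=8):
        self.key = log_key                       # derived from the root key inside the TEE
        self.ring = ring if ring is not None else {}              # seq -> sealed blob
        self.medium = medium if medium is not None else {"state": (0, {})}
        self.ring_size = ring_size
        self.next_seq = max([self.applied_seq(), *self.ring]) + 1   # survives restart

    def applied_seq(self):
        return self.medium["state"][0]

    def view(self):
        """What any host, USB or wireless, observes: the committed state only."""
        return dict(self.medium["state"][1])

    def _keystream(self, seq, n):
        # seq is unique per entry, so it serves as the nonce for this PRF stream
        out = b""
        for ctr in range((n + 31) // 32):
            out += hmac.new(self.key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        return out[:n]

    def _seal(self, seq, op, file_id, delta):
        plain = json.dumps([op, file_id, delta]).encode()
        ct = bytes(a ^ b for a, b in zip(plain, self._keystream(seq, len(plain))))
        header = struct.pack(">Q", seq)
        tag = hmac.new(self.key, header + ct, hashlib.sha256).digest()  # covers seq too
        return header + ct + tag

    def _open(self, blob):
        header, ct, tag = blob[:8], blob[8:-32], blob[-32:]
        expect = hmac.new(self.key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("log entry authentication failed")
        seq = struct.unpack(">Q", header)[0]
        plain = bytes(a ^ b for a, b in zip(ct, self._keystream(seq, len(ct))))
        return seq, json.loads(plain)

    def append(self, op, file_id, delta=None):
        """Translate a write into a log entry; the seq is returned, and the host is
        acknowledged, only after the entry sits in the nonvolatile ring."""
        if len(self.ring) >= self.ring_size:
            raise RuntimeError("log ring full: playback must drain before new writes")
        seq = self.next_seq
        self.ring[seq] = self._seal(seq, op, file_id, delta)
        self.next_seq += 1
        return seq

    def replay(self, limit=None):
        """Background playback: strictly the next seq, each commit all-or-nothing;
        a missing seq stops replay rather than letting a later entry jump ahead."""
        done = 0
        while limit is None or done < limit:
            seq = self.applied_seq() + 1
            blob = self.ring.get(seq)
            if blob is None:
                break
            got, (op, file_id, delta) = self._open(blob)
            if got != seq:
                raise ValueError("sequence number mismatch in ring slot")
            fs = dict(self.medium["state"][1])    # shadow copy until the commit point
            if op in ("new", "modify"):
                fs[file_id] = delta
            elif op == "delete":
                fs.pop(file_id, None)
            elif op == "rename":
                fs[delta] = fs.pop(file_id)
            else:
                raise ValueError("unknown operation %r" % op)
            self.medium["state"] = (seq, fs)      # single reference swap = atomic commit
            del self.ring[seq]                    # slot is free for reuse
            done += 1
        return done


def demo_power_loss():
    """Constructed run: three writes, power lost after one commit, then recovery."""
    key = b"\x11" * 32                            # constructed stand-in for the log key
    eng = LogEngine(key)
    eng.append("new", "report.docx", "v1")
    eng.append("modify", "report.docx", "v2")
    eng.append("rename", "report.docx", "final.docx")
    eng.replay(limit=1)                           # power fails here; RAM state is gone
    eng2 = LogEngine(key, ring=eng.ring, medium=eng.medium)   # ring and medium survive
    eng2.replay()
    return eng2
```

After recovery the committed state is `{"final.docx": "v2"}` with applied sequence 3, which is exactly what an uninterrupted run would have produced; the replayed entries are ordered by their sequence numbers, not by the order in which a thread happened to wake up. The tag covers the sequence header as well as the ciphertext, so a slot whose content has been altered or moved fails authentication and replay halts before touching the file system.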

Description

Safe shared storage system and method based on transparent encryption projection and strong consistency

Technical Field

The invention relates to the technical field of information security and external storage devices, and in particular to a secure shared storage system and method based on transparent encryption projection and strong consistency.

Background

With the spread of mobile office work and multi-device collaboration, more and more users want a portable storage device that a general-purpose computer can access directly at high speed and that can also offer secure remote sharing to several authorized mobile terminals. Some existing devices adopt a physical or logical partition architecture: the storage medium is split into a USB public area and a user private area, the public area being exposed to the host operating system in plaintext or under weak encryption for compatibility, and the private area being offered limited access over a wireless interface.

Such schemes have significant drawbacks:
1. The USB area lacks effective protection. For compatibility with general-purpose operating systems it is usually stored in plaintext, so sensitive data is exposed to leakage as soon as the device is lost.
2. The private area's security mechanism is weak. Most devices rely on fixed keys or purely software encryption without a hardware-level Trusted Execution Environment (TEE), and so have difficulty resisting physical extraction, firmware tampering or side-channel attacks.
3. Wireless transmission lacks end-to-end encryption. Some devices encrypt only at the storage layer while the wireless link still carries plaintext or weakly encrypted traffic, leaving it vulnerable to man-in-the-middle attacks.
4. Permission control is coarse-grained. Usually only "whole disk visible" or "completely hidden" is supported; fine-grained access control by user identity, path subtree or operation type (such as read/write/delete) cannot be enforced.
5. Cross-area operations introduce a security gap. When a user moves a private file to the USB area, plaintext data may remain in temporary buffers if decryption and re-encryption are not completed atomically inside the TEE.

Disclosure of the Invention

The invention aims to solve the problem that the prior art cannot simultaneously support high-speed plaintext access from a computer and encrypted, real-time consistent access from several mobile terminals. It provides a secure shared storage system based on transparent encryption projection and strong consistency that seamlessly fuses plaintext and encrypted access on a single physical nonvolatile storage medium, preserves data integrity under unexpected power failure at any moment, and suits application scenarios with strict security requirements such as personal data synchronization, enterprise document collaboration and medical image sharing. A second object of the invention is to provide a secure shared storage method based on transparent encryption projection and strong consistency.

The first object is achieved by the following technical scheme. The secure shared storage system based on transparent encryption projection and strong consistency comprises a micro control unit (MCU) that configures the protocol stacks and controls device operation; a Trusted Execution Environment (TEE), closely coupled to the MCU, for secure key generation, encryption processing and log management; a USB communication interface for connecting a host; a wireless communication module; a pluggable single physical nonvolatile storage medium; and mobile terminals, each of which establishes an encrypted channel with the wireless communication module. The single physical nonvolatile storage medium is formatted in its entirety as a single standard file system, whose directory tree and file attribute metadata are completely consistent for the host connected through the USB communication interface and for each mobile terminal connected through the wireless communication module. At factory secure programming or at the user's first secure initialization, the TEE generates a device-unique hardware root key with a true random number generator (TRNG), drawn from the set of all 256-bit binary strings; the device-unique hardware root key is stored permanently and non-exportably in a secure storage unit, so that no polynomial-time adversary can extract it with non-negligible probability. The MCU is configured to deploy the transparent encryption projection layer within the TEE together with the global transaction log