
CN-121996162-A - Hardware unidirectional safety data ferry storage device and method thereof

CN121996162A

Abstract

The invention discloses a hardware unidirectional security data ferry storage device and a method thereof, and aims to solve the problems of complex data exchange operation, low efficiency and high security risk across a physical isolation network. The device comprises a first storage space, a second storage space, a first host interface used for connecting a first network, a second host interface used for connecting a second network, a control logic unit and a hardware unidirectional data transmission module. The two host interfaces are physically independent and can be simultaneously connected to computers of different security level networks. When the low security network is connected through the first host interface, only the first storage space is visible, and the written data is synchronized to the second storage space in real time by the unidirectional transmission module; when the high security network is connected through the second host interface, only the second storage space is visible for reading the synchronized data. The mechanism fundamentally eliminates the possibility of reverse leakage of data, and obviously improves the efficiency and convenience of data ferry while ensuring the safety of an intranet.

Inventors

  • WANG YAN

Assignees

  • 王莎莎

Dates

Publication Date
2026-05-08
Application Date
2026-01-19

Claims (10)

  1. A storage device for secure data transfer between physically isolated networks, comprising: a first storage space and a second storage space; a first host interface for connecting to a first network and a second host interface for connecting to a second network, the first host interface and the second host interface being physically independent of each other; a control logic unit; and a hardware-implemented unidirectional data transmission module; wherein the control logic unit is configured to: when the storage device is connected to a computer in the first network through the first host interface, make only the first storage space visible to the computer; when the first storage space receives write data from the computer, instruct the unidirectional data transmission module to synchronize the write data to the second storage space in real time; and when the storage device is connected to a computer in the second network through the second host interface, make only the second storage space visible to the computer; and wherein the unidirectional data transmission module ensures at the hardware level that data can only be transmitted from the first storage space to the second storage space, and prevents any data from flowing back from the second storage space to the first storage space.
  2. The storage device of claim 1, wherein the first storage space and the second storage space are two separate partitions on the same physical storage medium or two separate physical storage media.
  3. The storage device of claim 1, wherein the unidirectional data transmission module is implemented with an optocoupler or a high-speed data isolation chip, and unidirectional data transmission is accomplished through optical-signal or electromagnetic isolation.
  4. The storage device of claim 1, wherein the control logic unit is a Field Programmable Gate Array (FPGA) or an Application Specific Integrated Circuit (ASIC).
  5. The storage device of claim 1, wherein the storage device is a portable storage device, and the first host interface and the second host interface are located on different sides or different end faces of the device housing, respectively.
  6. The storage device of claim 1, wherein the storage device is a built-in storage device and the first host interface and the second host interface are two separate SATA interfaces or NVMe interfaces.
  7. The storage device of claim 1, wherein the first host interface is a USB interface and the second host interface is a USB interface or another type of data interface.
  8. The storage device of claim 1, further comprising an authentication module, wherein the second storage space becomes visible only after the device is connected to a computer in the second network and authenticated by the authentication module.
  9. The storage device of claim 1, wherein the first host interface and the second host interface are marked with different physical forms or different colors so that users can tell them apart.
  10. A method for secure data transmission between physically isolated networks, comprising the steps of: providing a storage device comprising a first storage space, a second storage space, a first host interface, a second host interface, and a hardware-implemented unidirectional data transmission module; connecting the storage device to a computer in a first network through the first host interface, and exposing only the first storage space to the computer; when the first storage space receives write data, automatically synchronizing the data from the first storage space to the second storage space unidirectionally through the unidirectional data transmission module; connecting the storage device to a computer in a second network through the second host interface, and exposing only the second storage space to the computer for reading the synchronized data; wherein the synchronization of the data is forced to be unidirectional at the hardware level to prevent any data from flowing back from the second storage space to the first storage space.
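The control logic of claims 1 and 10, modelled as an added example (not the patent's own firmware or any product code): the model enforces one visible storage space per host interface and one-way replication, and adds a manifest-based integrity check on the high-security side, which is an assumption of this example rather than anything the claims describe, so that a transfer interrupted before synchronization finished is detected instead of silently imported. All class, function and file names are hypothetical.

```python
import hashlib
import json

class FerryDevice:
    """Model of the claimed control logic: space 1 is visible only on the first host
    interface, space 2 only on the second. sync_budget (bytes) simulates an interrupted sync."""
    def __init__(self, sync_budget=None):
        self.space1, self.space2, self.sync_budget = {}, {}, sync_budget

    def visible(self, interface):       # claim 1: one storage space per interface
        return {"first": self.space1, "second": self.space2}[interface]

    def write(self, interface, name, data):
        if interface != "first":        # second interface has no writable space
            return False
        self.space1[name] = data
        self._oneway_sync(name, data)   # replication runs 1 -> 2 only
        return True

    def _oneway_sync(self, name, data):
        if self.sync_budget is not None:  # model the device being unplugged mid-sync
            data = data[:self.sync_budget]
            self.sync_budget -= len(data)
        self.space2[name] = data

def low_side_export(dev, files):
    """Low-security host: write a SHA-256 manifest first, then the files (assumed scheme)."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    dev.write("first", "MANIFEST.json", json.dumps(manifest).encode())
    for n, d in files.items():
        dev.write("first", n, d)

def high_side_import(dev):
    """High-security host: read space 2 only; accept a file only if its digest
    matches the manifest. Returns (accepted files, rejected names)."""
    view = dev.visible("second")
    try:
        manifest = json.loads(view.get("MANIFEST.json", b""))
    except ValueError:                  # manifest missing or cut short
        return {}, ["MANIFEST.json"]
    accepted, rejected = {}, []
    for n, digest in manifest.items():
        data = view.get(n)
        if data is not None and hashlib.sha256(data).hexdigest() == digest:
            accepted[n] = data
        else:
            rejected.append(n)
    return accepted, rejected
```

One-way replication on its own does not inspect content, so the malware-transmission risk listed in the Background still has to be handled by scanning on the receiving side.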

Description

Hardware unidirectional safety data ferry storage device and method thereof

Technical Field

The invention relates to the technical field of data storage and information security, in particular to a hardware unidirectional security data ferry storage device and a method thereof.

Background

In many highly sensitive areas such as government, military, finance, energy and critical infrastructure, a physically isolated network architecture is often used to ensure the absolute security of core data. This architecture completely and physically disconnects the internal "intranet" (high-security network) that handles sensitive information from the external "extranet" (low-security network) that can reach the Internet, in order to prevent malicious attacks from the external network and leakage of internal data. However, physical isolation also makes data exchange difficult. In practice, public information, update patches, data reports and the like from the external network often need to be imported into the internal network for processing. Currently the most common way of exchanging data is the "physical ferry", i.e. using a standard portable storage medium (e.g. a USB disk or a removable hard disk) as the "ferry". The operational flow typically involves manually moving the storage medium between the intranet and extranet computers and copying the data. This traditional mode has several serious security hazards and is inconvenient to operate, mainly:

  • a data leakage risk: an operator may mistakenly copy sensitive intranet data onto the medium, which then leaks when the medium is connected to the external network;
  • a virus or malware transmission risk: a malicious program picked up on the external network can be carried into the intranet through the medium;
  • complex operation, low efficiency, and a lack of effective auditing and management.

To address unidirectional data transmission between networks, the prior art includes devices such as network isolation gatekeepers and data diodes, which guarantee unidirectional transmission through hardware. However, such devices are usually large network appliances that are expensive and complex to deploy; they suit fixed network nodes and cannot meet the need for portable, flexible, plug-and-play secure data ferrying by individual users or in mobile-office scenarios. In addition, some dual-system isolation schemes implemented with software or virtualization techniques depend heavily on the reliability of the software and of the underlying operating system for their security, and cannot provide physical isolation guarantees at the hardware level. Therefore the market urgently needs a new data transmission solution that combines the hardware unidirectional transmission security of a data diode with the portability and usability of a portable storage medium, so as to solve the pain point of data ferrying in today's physically isolated environments.

Disclosure of Invention

The invention aims to provide a hardware unidirectional secure data ferry storage device and a method thereof. A hardware-implemented unidirectional data transmission module, a first host interface and a second host interface that are physically independent of each other, and a control logic unit force data to flow only from a first storage space to a second storage space at the hardware level, effectively preventing data backflow, so that the device offers both high security and operational convenience.
The hardware unidirectional security data ferry storage device comprises a first storage space, a second storage space, a first host interface for connecting a first network, a second host interface for connecting a second network, a control logic unit and a unidirectional data transmission module realized by hardware, wherein the first host interface and the second host interface are physically independent. The control logic unit is configured to make only the first storage space visible to a computer in a first network when the storage device is connected to the computer through the first host interface, instruct the unidirectional data transfer module to synchronize write data to the second storage space in real time when the first storage space receives the write data from the computer, make only the second storage space visible to the computer when the storage device is connected to a computer in a second network through the second host interface, wherein the unidirectional data transfer module ensures that data can only be transferred from the first storage space to the second storage space at a hardware level and prevents any data backflow from the second storage space to the first storage space. The device fundamentally solves the risks of data leakage and virus introduction in th