CN-122020684-A - Binding, verifying and data access method and device for memory card
Abstract
The application provides methods for binding, verifying and accessing data on a memory card of a terminal device, and a corresponding device. During binding, the scheme realizes triple binding among the memory card, the current login user and the terminal device through memory card identification information, user identification information and device identification information, which establishes a stronger association. It adopts a two-layer key system consisting of a master key and a data encryption key: the master key is generated dynamically from the triple binding information, and the data encryption key is managed independently. On this basis, timestamp information and a digital signature are added for verification, combined with a cloud collaborative management mechanism. Data security is thereby effectively improved: the user can access user data in the memory card only after strict multiple verification, and the data leakage risk of the memory card is effectively solved.
Inventors
- YE LIN
- YANG SHENG
- ZHU ZHUANGHUI
- TANG YAJIE
- TANG XIAOXUN
Assignees
- 上海七十迈数字科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260116
Claims (16)
- 1. A method of binding a memory card, the method comprising: when a memory card is detected, reading physical information of the memory card, and generating first memory card identification information according to the physical information; acquiring first user identification information and first device identification information of a current login user of a terminal device, constructing binding relation data according to the first memory card identification information, the first user identification information, the first device identification information and timestamp information, and digitally signing the binding relation data by using a device private key to generate binding signature information; generating a first master key according to the first memory card identification information, the first user identification information and the first device identification information; encrypting binding information and a data encryption key respectively by using the first master key, wherein the binding information comprises the binding relation data and the binding signature information, and the data encryption key is a key used for encrypting user data written into the memory card; creating a hidden protection partition in the memory card, and writing the encrypted binding information and the data encryption key into the hidden protection partition; and reporting the binding information to a cloud device.
- 2. The method of claim 1, wherein generating a first master key from the first memory card identification information, first user identification information, and first device identification information comprises: performing iterative computation a preset number of times on the first memory card identification information, the first user identification information and the first device identification information by using a preset key generation algorithm, to generate the first master key.
- 3. The method of claim 1, wherein creating a hidden protection partition in the memory card and writing the encrypted binding information and the data encryption key to the hidden protection partition comprises: creating a hidden protection partition with a preset size in a starting sector of the memory card; and writing the encrypted binding information and the data encryption key into the hidden protection partition, and setting read-only and hidden attributes.
- 4. A method of verifying a memory card, the method comprising: when a memory card is detected, reading physical information of the memory card, and generating second memory card identification information according to the physical information; checking whether a hidden protection partition exists in the memory card, and if so, reading encrypted binding information from the hidden protection partition, wherein the encrypted binding information in the hidden protection partition is written by the method of any one of claims 1 to 3; acquiring second user identification information and second device identification information of a current login user of a terminal device, and generating a second master key according to the acquired second memory card identification information, second user identification information and second device identification information; decrypting the encrypted binding information using the second master key; if the decryption is successful, extracting binding relation data and binding signature information from the encrypted binding information, wherein the binding relation data comprises first memory card identification information, first user identification information, first device identification information and timestamp information; verifying the validity of the binding signature information by using a device public key, and checking the rationality of the timestamp information; if the validity check and the rationality check are passed, matching the first memory card identification information, the first user identification information and the first device identification information respectively with the second memory card identification information, the second user identification information and the second device identification information, to obtain an identification matching result; and judging whether the memory card passes verification according to the identification matching result.
- 5. The method according to claim 4, wherein the method further comprises: reporting the first memory card identification information, the first user identification information and the first device identification information to a cloud device for blacklist checking; and wherein judging whether the memory card passes verification according to the identification matching result comprises: judging whether the memory card passes verification according to the identification matching result and the blacklist checking result.
- 6. The method of claim 5, wherein determining whether the memory card passes verification based on the identification matching result and the blacklist checking result comprises: if the identification matching results are correct and the blacklist checking result is passed, determining that the memory card passes the verification, and allowing data access to the memory card.
- 7. The method of claim 5, wherein determining whether the memory card passes verification based on the identification matching result and the blacklist checking result comprises: if two items in the identification matching result are matched correctly and the blacklist checking result is passed, determining that the memory card partially passes verification, and allowing data access to part of the data in the memory card.
- 8. The method of claim 7, wherein after determining that the memory card partially passes verification, the method further comprises: performing identity verification with the current login user of the terminal device; and if the authentication is successful, updating the encrypted binding information and the data encryption key in the hidden protection partition and the binding information of the cloud device based on the second memory card identification information, the second user identification information and the second device identification information, and determining that the memory card passes the verification.
- 9. The method of claim 7, wherein the method further comprises: if the number of authentication failures reaches a preset number, determining that the memory card fails verification, and prohibiting data access to the memory card.
- 10. The method of claim 5, wherein determining whether the memory card passes verification based on the identification matching result and the blacklist checking result comprises: if fewer than two items in the identification matching result are matched and the blacklist checking result is not passed, determining that the memory card fails verification, and prohibiting data access to the memory card.
- 11. The method of claim 9 or 10, wherein after determining that the memory card fails verification, the method further comprises: reporting to the cloud device to trigger a security warning, so that the cloud device sends a security notification to the user bound to the memory card, and an abnormal record about this verification is generated, wherein the abnormal record is used for updating a blacklist used for blacklist checking; and formatting the memory card or unloading the memory card.
- 12. The method of claim 11, wherein formatting the memory card comprises: executing a secure erase algorithm, in which a first pass writes 0x00 to the whole disk of the memory card, a second pass writes 0xFF to the whole disk of the memory card, and a third pass writes random data to the whole disk of the memory card; reconstructing a partition table of the memory card, and creating a preset standard file system; and notifying the cloud device to clear the corresponding binding information.
- 13. A method of accessing data on a memory card, the method comprising: determining that the memory card passes verification using the method of any one of claims 4 to 12; decrypting an encrypted data encryption key using the second master key, the encrypted data encryption key being read from the hidden protection partition; and performing a data access operation using the data encryption key obtained by the decryption.
- 14. The method of claim 13, wherein the method further comprises: recording the latest access time of the memory card according to the data access operation, and updating the timestamp information in the binding relation data according to the latest access time.
- 15. A terminal device comprising a memory for storing computer program instructions and a processor for executing the computer program instructions, wherein the computer program instructions, when executed by the processor, trigger the device to perform the method of any one of claims 1 to 14.
- 16. A computer readable medium having stored thereon computer program instructions executable by a processor to implement the method of any of claims 1 to 14.
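The master-key derivation of claim 2 and the access decision of claims 6, 7 and 10, as an added Python example that is not code from the patent. PBKDF2-HMAC-SHA256, the iteration count, the salt, the identifier values, reading claim 6 as three matching items, and the fail-closed handling of combinations the claims do not cover are all assumptions.

```python
import hashlib
import hmac
from enum import Enum

# Assumptions, not from the patent text: PBKDF2-HMAC-SHA256, the iteration
# count, the salt label and the field encoding are illustrative choices.
ITERATIONS = 100_000
SALT = b"card-binding-example"
FIELDS = ("card", "user", "device")

class Verdict(Enum):
    PASS = "full data access"        # claim 6 (read here as 3 of 3 matching)
    PARTIAL = "partial data access"  # claim 7
    FAIL = "access prohibited"       # claim 10, plus fail-closed default

def derive_master_key(ids: dict) -> bytes:
    """Claim 2: iterate a key generation algorithm over the three identifiers."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(
        len(ids[f].encode()).to_bytes(2, "big") + ids[f].encode() for f in FIELDS
    )
    return hashlib.pbkdf2_hmac("sha256", material, SALT, ITERATIONS, dklen=32)

def count_matches(first: dict, second: dict) -> int:
    """Claim 4: match stored (first) identifiers against current (second) ones."""
    return sum(
        hmac.compare_digest(first[f].encode(), second[f].encode()) for f in FIELDS
    )

def decide(matches: int, blacklist_passed: bool) -> Verdict:
    """Claims 6, 7 and 10 as a decision table; anything else fails closed."""
    if blacklist_passed and matches == 3:
        return Verdict.PASS
    if blacklist_passed and matches == 2:
        return Verdict.PARTIAL
    return Verdict.FAIL

# Constructed sample identifiers: the card was bound on one device and is
# now inserted into another device by the same user.
BOUND = {"card": "CARD-0001", "user": "user-42", "device": "DEV-A"}
MOVED = {**BOUND, "device": "DEV-B"}

if __name__ == "__main__":
    print(derive_master_key(BOUND) == derive_master_key(MOVED))
    print(decide(count_matches(BOUND, BOUND), True))
    print(decide(count_matches(BOUND, MOVED), True))
    print(decide(count_matches(BOUND, MOVED), False))
```

Because the key depends on all three identifiers, the constructed `MOVED` case derives a different master key from the one used at binding.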
Description
Binding, verifying and data access method and device for memory card
Technical Field
The present application relates to the field of information technologies, and in particular to a method and device for binding, verifying and accessing data of a memory card.
Background
With the rapid development of the Internet of Things and smart security devices, terminal devices such as smart doorbells, automobile data recorders and smart cameras make heavy use of memory cards such as SD cards as local storage media for user data such as videos, pictures and configuration information. However, because memory cards generally lack an effective data security management mechanism, the same memory card can be moved freely among multiple devices. For example, any user can take the memory card out of device A and insert it into device B, so that the user data stored in the memory card can be read at will, which poses a serious risk of data leakage.
Disclosure of Invention
The application aims to provide a method and device for binding, verifying and accessing data of a memory card.
In order to achieve the above object, the present application provides a binding method of a memory card, the method comprising: when a memory card is detected, reading physical information of the memory card, and generating first memory card identification information according to the physical information; acquiring first user identification information and first device identification information of a current login user of the terminal device, constructing binding relation data according to the first memory card identification information, the first user identification information, the first device identification information and the timestamp information, and digitally signing the binding relation data by using a device private key to generate binding signature information; generating a first master key according to the first memory card identification information, the first user identification information and the first device identification information; encrypting binding information and a data encryption key respectively by using the first master key, wherein the binding information comprises the binding relation data and the binding signature information, and the data encryption key is a key used for encrypting user data written into the memory card; creating a hidden protection partition in the memory card, and writing the encrypted binding information and the data encryption key into the hidden protection partition; and reporting the binding information to a cloud device.
Further, generating a first master key according to the first memory card identification information, the first user identification information, and the first device identification information includes: performing iterative computation a preset number of times on the first memory card identification information, the first user identification information and the first device identification information by using a preset key generation algorithm, to generate the first master key.
Further, creating a hidden protection partition in the memory card and writing the encrypted binding information and the data encryption key to the hidden protection partition comprises: creating a hidden protection partition with a preset size in a starting sector of the memory card; and writing the encrypted binding information and the data encryption key into the hidden protection partition, and setting read-only and hidden attributes.
The embodiment of the application also provides a verification method of the memory card, which comprises the following steps: when a memory card is detected, reading physical information of the memory card, and generating second memory card identification information according to the physical information; checking whether a hidden protection partition exists in the memory card, and if so, reading encrypted binding information from the hidden protection partition, wherein the encrypted binding information in the hidden protection partition is written by using the binding method; acquiring second user identification information and second device identification information of a current login user of the terminal device, and generating a second master key according to the acquired second memory card identification information, second user identification information and second device identification information; decrypting the encrypted binding information using the second master key; if the decryption is successful, extracting binding relation data and binding signature information from the encrypted binding information, wherein the binding relation data comprises first memory card identification information, first user identification information, first device identification information and timestamp information; verifying the validity of the b