• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    A memory device comprising at least one memory location for storing information representing written data using a first encryption / decryption method, and a read channel using a second encryption / decryption method for encrypting and decrypting information such as and written. The memory device also includes an apparatus which prevents reading of the at least one memory location by means of the second encryption / decryption method, in response to an indication that the at least one memory location has been written by means of the first encryption / decryption method. In another embodiment, a read of all zeros is returned in response to an indication of another encryption / decryption method.
    公开号:FR3025041A1
    申请号:FR1557759
    申请日:2015-08-17
    公开日:2016-02-26
    发明作者:Darin Edward Gerhart;Cory Lappi;Daniel Robert Lipps;William Jared Walker
    申请人:HGST Netherlands BV;
    IPC主号:
    专利说明:

    [0001] METHOD AND APPARATUS FOR GENERATING ZERO CONTENT ON UNNECESSIC DATA WHERE ENCRYPTION PARAMETERS ARE MODIFIED TECHNICAL FIELD The various embodiments described herein relate to a method and apparatus that are used to prevent the generation of unnecessary data after certain associated parameters. data, such as an encryption parameter, have been changed. BACKGROUND Data storage includes writing information representing the data on a device or storage device. There are many types of storage devices. Although they are very diverse, most storage devices have common goals. Among these objectives, some involve storing increased amounts of data, and providing a means to ensure that the data thus stored is safe. Encryption is one way to make data safe. Encryption is the process of encoding information so that only authorized parties can read it. Encryption does not prevent hacking, but it reduces the likelihood that the hacker will be able to read the encrypted data. In an encryption scheme, the information, called plaintext, is encrypted by means of an encryption algorithm, transforming it into an unreadable encrypted text. This is usually done using an encryption key that specifies how the message should be encoded. Any antagonist who can see the ciphertext should not be able to determine anything about the original information. An authorized party, however, is able to decode the cryptogram using a decryption algorithm, which usually requires a secret decryption key, to which the antagonists have no access. For technical reasons, an encryption scheme usually requires a key generation algorithm to randomly generate keys. From time to time, encryption parameters, such as encryption / decryption keys, may be modified for a storage device. When the encryption settings are changed, such as a key or an extended parameter, it is possible to have unnecessary data with cyclic redundancy check ("CRC") errors in the address space of logical block ("LBA") of the change. 3025041 Currently, one way to prevent CRC errors is to disable any data protection on encrypted drives. This situation exposes the data. The data is not safe when the data protection system is disabled. Of course, this solution is far from meeting certain data security standards. Many manufacturers who use e-storage devices in the products they offer qualify storage devices on the basis of compliance with standards. Disabling the security feature prevents proper T10 data protection on encrypted storage devices. Another standard must comply with the Opal SSC standard. The standard states the following: "An Opal SSC compliant SD memory MUST implement full disk encryption for all accessible host user data stored on the media. The AES-128 or AES-256 standards MUST be supported [Section 2.4, page 10 of 81 of the TCG Storage Opal SSC, version 1.0. "Opal SSC is an implementation profile for storage devices designed to: - protect the confidentiality of stored user data from unauthorized access once it is no longer under the control of the user. owner (which involves a power cycle and subsequent authentication termination) - allow interoperability between multiple SD memory providers «An Opal SSC-compliant SD: - facilitates accessibility to features - provides definable functionalities through the user (eg, access control, locking ranges, user passwords, etc.) - support unique Opal SSC behaviors (eg, communication, table management) [Section 2.1, page 10/81] If the data is always safe, the confidentiality of stored user data is protected from unauthorized access once it is released. u owner control. In addition, meeting a standard for data security on a storage device enables interoperability between multiple storage device vendors.
    [0002] Meeting a standard also facilitates accessibility of features, provides user-definable features (eg, access control, locking ranges, user passwords, etc.) and supports behaviors unique (for example, communication, table management).
    [0003] SUMMARY OF THE INVENTION Memory device comprising at least one memory location for storing information representing written data by means of a first encryption / decryption method, and a read channel using a second encryption method decryption to read and decrypt information as written. The memory device also includes a device that prevents reading of the at least one memory location using the second encryption / decryption method, in response to an indication that the at least one memory location has been written using the first encryption / decryption method. The apparatus which prevents the reading of the at least one physical block address includes a device for associating an indicator with the at least one memory location written using the first encryption / decryption method. The apparatus which prevents the reading of the at least one physical block address also includes a device for returning a null content for the at least one memory location written using the first encryption / decryption method in response. an indication that the read channel uses a second encryption / decryption method. The apparatus which prevents reading of the at least one memory location written with the first encryption / decryption method, in one embodiment, includes a device for writing zeros in the at least one location of memory written using the first encryption / decryption method. A storage apparatus comprises a semiconductor device having a plurality of memory locations, a write channel for writing information representing data on the plurality of memory locations in a semiconductor device, and a read channel for reading information representing data from the plurality of memory locations in a semiconductor device. The storage apparatus also includes a controller that controls the operations of the storage apparatus, including writing information about the plurality of memory locations in a semiconductor device and reading information representing data from the plurality of memory locations in a semiconductor device. The storage apparatus also includes an indirection system further comprising a set of logical block addresses, and a set of physical block addresses that correspond to the plurality of memory locations in the semiconductor device. of the storage device. The indirection system also includes a map that associates logic block addresses with at least one physical block address. The card also includes at least one indicator indicating an encryption / decryption method used to write and read data from the physical block address. The controller returns a read of zeros when the encryption / decryption method used to read the physical block address has changed. A method for decreasing the generation of unnecessary data in a storage apparatus includes monitoring a storage apparatus against a change in an encryption / decryption scheme used to read and write data and, in response to the change in the encryption / decryption scheme, causing at least one logical block address to return an indication to be written in zeros when the physical block address associated with the logical block address had been encrypted with the aid of the old encryption / decryption scheme. BRIEF DESCRIPTION OF THE DRAWINGS The embodiments will be readily understood from the following detailed description taken in conjunction with the accompanying drawings, in which like reference numerals designate like structural elements, and wherein: FIG. schematic diagram of a NAND flash memory, according to an exemplary embodiment. FIG. 1B is another schematic diagram of a NAND flash memory, according to an exemplary embodiment. Fig. 2 is a schematic diagram of an apparatus or memory device according to an exemplary embodiment.
    [0004] FIG. 3 is a schematic of an indirect system of a memory device, according to an exemplary embodiment. FIG. 4 is a type of table associated with an indirect system of a memory device, according to an exemplary embodiment. Fig. 5 is a method for returning "zeroes" of data written with a different or old encryption scheme, according to an exemplary embodiment. Fig. 6 is a method for returning "zeroes" of data written with a different or old encryption scheme, according to an exemplary embodiment. Figure 7 is another type of table associated with an indirection controller of a memory device, according to an exemplary embodiment.
    [0005] Fig. 8 is a method for returning "zeroes" of data written with a different or old encryption scheme, according to an exemplary embodiment. FIG. 9 is yet another type of table associated with an indirection controller of a memory device, according to an exemplary embodiment. Fig. 10 is a flowchart of a method for preventing the generation of unnecessary data, according to an exemplary embodiment. DETAILED DESCRIPTION In the following description, many specific details are presented to provide a thorough understanding of the concepts underlying the described embodiments. It will, however, be obvious to those skilled in the art that the described embodiments can be practiced without some or all of these specific details. In other cases, well-known process steps have not been described in detail to avoid unnecessarily obscuring the underlying concepts.
    [0006] In general, this invention describes techniques for writing and reading data on a semiconductor device or other storage medium such as hard disks, hybrid devices, and the like. In this particular application, the present disclosure describes the writing and reading of information representing data on a semiconductor device based on a flash memory. It should be noted that this is only one type of storage medium or semiconductor device, and that the invention could be used in semiconductor devices that employ other types of semiconductor technology. storage. In other words, the invention is not limited to flash memory and could be used in other types of memory, such as phase change memory (PCM), magnetoresistive random access memory (MRAM), Resistive RAM (RRAM or ReRAM), or the like. Now let's go back to the discussion of flash memory. There are two main types of flash memory, which are named after the type of logical gates used to form the flash memory. There is a NAND flash memory and a NOR flash memory type. The internal characteristics of the individual flash memory cells 30 have characteristics similar to those of the corresponding gates. The NAND flash memory can easily be written and read in blocks (or pages) that are generally much smaller than the entire device. A NOR flash memory allows a single word machine (one byte) to be easily written - in an erasable location - or read independently. The NAND type is mainly used in the 5 3025041 main memory, memory cards, USB flash drives, SSDs; , and similar products, for storage and transfer of data in general. The NOR type, which allows truly random access and thus direct code execution, is used in place of the old EPROM and as an alternative to certain types of ROM applications, whereas NOR flash memory can emulate the ROM mainly at the machine code level; many digital models require ROM (or PLA) structures for other purposes, often at significantly higher speeds (economical) than those that flash memory can achieve. Figure 2 is a schematic diagram of a memory apparatus or device 200. The memory consists of memory locations or bits 210, 211, 212, 213, 214 arranged in a two-dimensional grid. The bits 210, 211, 212, 213, 214 are arranged in columns (CAS) 220, 221, 222, 223, 224, 225, 226, 227 and in lines (RAS) 230, 231, 232, 233, 234, 235 , 236, 237. Each bit can be identified by a column and a line. For example, bit 211 is in column 225 and line 232. This particular bit is hatched to represent a value "1". An unshaped bit, such as bit 214, represents a value "0". To write data to a column, a column is selected, and rows are loaded to write data to the bits associated with the specific column. For example, when column 225 is written, column 225 is selected. Lines 230, 232, 234, 235, and 236 are loaded, resulting in a value "1" stored at particular bit locations (shown hatched). In other words, memory cells are etched on a silicon wafer in a network of columns (bit lines) and lines (word lines). The intersection of a bit line and a word line constitutes the address of the memory cell.
    [0007] A charge is passed through the appropriate column (CAS) to turn on the transistor at each bit in the column. When writing, the rows in rows contain the state that the capacitor must take. During playback, a sense amplifier determines the level of charge in the capacitor. If it is greater than 50 percent, it reads it as 1; otherwise, it reads it as 0. The counter follows the refresh sequence based on which ranks were consulted in which order. The time needed to do all this is expressed in nanoseconds. Memory cells alone would be nothing without some way of placing information or extracting information from it. Memory devices include memory associated circuitry for identifying each row and column, for reading and for restoring signals from cells, and for activating loads at different memory locations. FIGS. 1A and 1B each represent a schematic diagram of the NAND flash memory 100 and 100 ', according to an exemplary embodiment. In each case, a NAND flash semiconductor device 110 is connected to a host computer via a host processor 130. In FIG. 1A, the host processor 130 handles most of the operations related to reading and writing information representing data on the NAND flash semiconductor memory device 110. The host processor 130 includes an error recovery code module (ECC) 131, a block management module defective 132, a wear equalizing module 133, a NAND flash memory driver module 134, and an address indirection module 135. All these modules can be hardware, software or a combination of hardware modules and software. The error correction code module (ECC) 131 manages the determination of an error in the reading of the data and the application of the error correction code (ECC) to the read data. The error correction code is used to locate and correct the error in a read data block. The bad block management module 132 manages the bad blocks in the NAND flash memory 110. Data from a host will generally come from the host as a data block. The data block can be of any length, although 512 bytes and 4000 have been the normalized lengths and are very frequent. The NAND flash memory is able to receive blocks of data. The manufacture of a semiconductor device, in some cases, is not perfect. As a result, there may be one or more memory locations that are defective and will not allow a block of data to be reliably stored therein so that it can be retrieved thereafter. The bad block management module 132 stores these bad block locations and prevents data from being stored therein. Bad blocks may also appear during the life of the NAND flash memory 110 so that the bad block management module 132 also notes other memory locations that have developed into bad blocks.
    [0008] The address indirection module 135 works in concert with the bad block management module 132. The address indirection module 135 includes a mapping of the real physical block addresses (PBAs) with the logical addresses of the blocks. (LBA). The BALs remain constant. The host can then give an order to write to a particular LBA. The actual address where the data is stored (PBA) may change. The address indirection module 3025041 follows the location of the LBA as written or stored on the NAND flash memory 110. Thus, when the host needs to read data from the NAND flash memory 110, the address indirection module 135 ensures that the correct PBA associated with the LBA is read to ensure that the information representing the data is read and presented for further processing to duplicate the data as input to the device semiconductor with NAND flash memory. The address indirection module 135 is also necessary to equalize the wear. If the data is written in a particular memory location a number of times greater than the number of wear cycles, the memory location may deteriorate or become unreliable. The wear equalization recognizes this and extends the memory lifetime by changing the memory locations or actual physical locations where the information is written. The LBA will remain the same while the PBA will change to avoid excessive premature wear. The wear equalizer module 133 monitors and manages the locations where the data is written. A NAND flash memory has many memory locations where the data can be written. These memory locations "wear out" over time. The memory locations in a NAND flash memory 110 can be reliably rewritten only a certain number of cycles. The wear equalizer module 133 monitors the number of reads and writes at various memory locations and will switch the memory location to extend the life of the NAND flash memory 110. For example, if only half of the memory locations have been constantly written, this half of the NAND flash memory would then tend to wear out. Although the entire device is not used, the ability to store data would be severely hampered by poor performance. The wear equalizing module 133 manages the wear of the NAND flash memory 110. The wear equalizing module 133 effectively lengthens the life of the NAND flash memory 110. It also works with the modulator module. address indirection 135 because the wear equalizer module 133 may decide that a particular set of blocks (PBA) must be set aside to avoid premature wear of the memory locations in the NAND flash memory 110 The NAND flash memory driver module 134 is a set of instructions for the operation of the NAND flash memory 110. The semiconductor device 100 also includes a security module 136. The security module 136 encrypts the data when they are written and decrypts the data as they are read. Data encryption keeps the data secure. It is important to keep the data secure at all times in accordance with common sense 3025041 as well as certain criteria relating to products that must satisfy them to qualify for use in other products. In some cases, the qualification of a product may include meeting a data security standard. In some encryption and decryption systems, a key piece of information (also known as a parameter) determines the functional output of a cryptographic algorithm or a number. Without a key, the algorithm would produce no useful results. In encryption, a key specifies the particular transformation of plain text into an encrypted text, or vice versa during decryption. Keys are also used in other cryptographic algorithms, such as digital signature systems and message authentication codes for products that are defined by standards bodies. This particular invention relates to cases where a parameter is changed. For example, a key can be changed. It should be noted that when coded information is read, the key associated with the writing must be used at the same time as the algorithm to decode the information and transform it into data as written. Without the parameter, or when the parameter is incorrect, the decoding algorithm does not work. An information output representing decoded data with the wrong key is generally referred to as unnecessary data. These are not the original data as written. Unnecessary data may also be required on a data channel when attempting to read. For example, when unnecessary information is read, the error correction module will determine that there is an error in the read data. The "error" resulting from unnecessary data will not be correctable on the fly. According to the error correction scheme, the error correction module could seek to recover the data using various deep data recovery techniques. This leads to a waste of time and will also waste processor time trying to correct the "error". Of course, this is just one example of the problems that can result from reading information that turns out to be useless data. FIG. 1B shows a schematic diagram of another type of NAND flash memory device 100 ', according to an exemplary embodiment. In each case, a NAND flash semiconductor device 110 is connected to a host computer via a host processor 130. The main difference between the memory device 100 'and the memory device 100 is the processor 120, which is located with the NAND semiconductor device 100 '. The processor 120 is separate from the host processor 130. The host processor 130, in the case of the NAND type semiconductor device 100 ', discharges some of the processor modules to the processor 120 associated with the semiconductor device of FIG. NAND type 100 '. The processor 120 may be a general purpose processor or may be a dedicated processor that manages one or more specific tasks. As shown in FIG. 1B, the processor 120 comprises the error correction module (ECC) 131, the defective block management module 132 and a wear equalization module 133, for example. These operations are transmitted out of the host processor 130 to the processor 120 or the NAND controller. These blocks 131, 132 and 133 operate in the same manner as described above with respect to FIG. 1A. These functions will not be repeated here for brevity. In FIG. 1B, a data bus 160, a command line 161, and a clock signal 162 communicatively couple the host processor and the NAND controller or the processor 120. Some of the commands placed on the command line 161 simply order one of the modules 131, 132, 133 to begin their specific processes. This is useful in that the host processor 130 is released to perform other tasks. The number of tasks transferred out of the host to the NAND controller 120 is a matter of balance as to which tasks are fully specialized and best performed by the NAND controller 120. Other tasks may be more generally applicable. and maintained at the host processor 130. As described above, the data stored on a NAND flash memory 110, 110 'can be organized as data blocks. In some exemplary embodiments, address indirection is used to write data blocks to a NAND flash memory 110, 110 '. In other words, the host file systems operate with logical block address (LBA) in the commands to write blocks of data to a NAND flash memory 110, 110 'and to read blocks of data from the memory NAND type flash 110, 110 'without regard to the actual locations 25 in the NAND flash memory 110, 110'. The actual physical address is the physical block address (PBA) used internally by the NAND flash memory 110, 110 '. Address indirection is typically implemented in the controller portion of the memory device architecture (e.g., the NAND controller 120 of Figure 1B) using indirection tables that are used to keep track of the physical location associated with an LBA. In other words, the indirection tables map the LBA to PBA in the NAND flash memory 110, 110 '. As described above, the data is typically written to or read from a NAND flash memory 110, 110 'in blocks or sectors contained in a set of memory locations in the NAND 102 flash memory. blocks may be 512 bytes or 4000 bytes, in some embodiments. Figure 3 is a schematic of an indirect system of a storage device 300, according to an exemplary embodiment. More specifically, FIG. 3 is a schematic diagram of the storage system 300 communicatively coupled to a host computer 310. The storage system 300 receives write commands from the host 310. The storage system 300 stores information representative of data in logical block addresses (LBAs). The storage system 300 also retrieves information or reads the data and delivers logical block address (LBA) back to the host 310. As shown, the storage system 300 includes an indirection system 320, a first memory device 330, and a second memory device 332. The indirection system 320 may map LBAs to one or more memory devices, such as the memory devices 330 and 332. The first memory device 330 and the second memory device 330. memory device 332 may be a NAND flash memory 110, 110 ', or a general memory device, such as the device 200. The host system 310 may be a processor, an independent computer system, a server system, or a another hardware component that communicates with the storage device 300. The indirection controller 320 includes a processor 307, a memory communicatively coupled to the processor 307. and a computer readable medium 309. The processor 307 may be a programmable logic controller (PLC), a microprocessor, or a microcontroller. The computer readable medium 309 may be separate from the memory devices 330, 332 or may refer to a placeholder in the memory devices 330, 332 for storing data structures and / or instructions for execution by the processor 307.
    [0009] The indirection controller 320 provides a dynamic translation layer between logical block addresses (LBAs) used by the host system and physical block addresses (PBAs) used to access data stored in the semiconductor device 330, 332. The "physical block address" corresponds to a real memory location or a plurality of actual memory locations in the memory devices 330, 332. The indirection controller 320 manages the allocation of the LBAs to the memory devices. PBA. In some storage systems, the mapping of LBAs to PBAs remains relatively static because individual memory cells can be rewritten very infrequently. In more complex architectures, the mapping between LBAs and PBAs may change with each write operation because the system dynamically determines the physical location (i.e. the PBA) assigned to a particular logical location (i.e., an LBA ). The data for the same LBA will be written to a different location the next time the host LBA is updated. In this way, the indirection controller 320 provides a dynamic translation layer between LBAs provided by the host system 310 and PBAs associated with the memory devices 330, 332. The indirection controller 320 is responsible for the management of allocating the LBAs to the plurality of PBAs. In order to keep the data secure in the memory devices 330, 332, the data is many times encrypted by means of a key or other parameter. As long as the key or the other parameter remains the same, the data is secure. The key or parameter is used to encrypt the data before writing the data to the memory device 330, 332. The key or other parameter is also used to decrypt the information as read from the memory device 330, 332 for decoding the information and transforming it into the data as written. Problems occur when the key or other parameter is changed from the key or other parameter as written. If a key or other parameter used to write the data is changed, decode or decrypt the information will not lead to the data as written. In fact, meaningless or "useless" data is returned. This can trigger many time consuming processes such as error recovery procedures that can slow down the storage system's responsiveness by 300. It is not desirable to have slow response times. Rather than triggering these procedures that can degrade the performance of the storage system 300, the storage system 300 is provided with a method for returning a more desirable response. This is described below. The method avoids "useless" data and produces a response as if no data or information was present.
    [0010] This disclosure will now describe means for generating reading of zeros from memory devices that have been previously written with a different write parameter. A write parameter that could be modified is a key that is typically used to write information representing data. Rather than read back "useless" data or information, a content indication consisting of zeros is generated. For example, a zeros content may be indicated by reading all "1s" or "0s" for a block or set of data blocks. The generation of zeros is accomplished when the data is read while keeping the security measures in place. As mentioned above, this requirement applies to many devices because manufacturers do not want to expose the data.
    [0011] Figure 4 is a type of table 400 associated with an indirection controller 320 of a memory system 300, according to an exemplary embodiment. The table 400 is stored in the memory 109 of the indirection controller 300. The table 400 includes a logical block address 410, a physical block address 420, a number of blocks of 430, and an encryption scheme 440. The number of blocks is the length of the logical block address string or physical block address. For example, the logical block address "1" begins said physical block address "2" and has a length of eight blocks. The encryption scheme is designated by a "1". The table 400 is a mapping of the logical block addresses with the physical block addresses in the memory devices 330, 332.
    [0012] The logic block address 3 has a start address "SSD 1", which corresponds to a semiconductor device, such as the SSD 332 shown in Fig. 3. The table 400 includes a number of pointers. A pointer is a variable that contains the memory location (address) of some data rather than the data itself. In other words, the physical block address 420 for each of the data blocks could be called a pointer because it is the address of the beginning of the data block, whether inside the first device of the data block. memory 330, or within the second memory device 332. There are several methods for returning "zeros" from data that has been written with an old or other cryptosystem. The various methods will be described in connection with the tables, such as table 400, and other tables presented below. Fig. 5 is a method 500 for returning "zeroes" from data written with an old or different encryption scheme, according to an exemplary embodiment. Method 500 includes monitoring the memory or storage device for a change in the encryption / decryption scheme used to read and write the data 510. Monitor the storage device for a change in the encryption / decryption scheme includes monitoring a column 440 of the table 400. The column 440 provides an indication of the encryption scheme used. As shown in Fig. 4, the encryption scheme used for logical block addresses 1 and 2 is represented by a value "1" in column 440 of table 400. This is another or an old encryption scheme in this exemplary embodiment. The encryption scheme used for logical block addresses 3 and 4 is represented by a value "2". This is a new encryption scheme that is different from the encryption scheme used to write the data associated with logical block addresses 1 and 2. The method 500 includes returning an indication that it is written in zeros for at least one 13 3025041 logic block address when the physical block address associated with the logical block address has been encrypted using an old encryption / decryption scheme 512. In this case, the value "1" in column 440 indicates that an old encryption scheme has been used for logical block addresses 1 and 2. The new encryption scheme, or the changed or different encryption scheme, is represented by a value "2" in column 440 of Table 4. The current encryption scheme is represented by the value "2". As a result, the read channel will be provided with an input consisting of zeros for the data associated with the logical block addresses 1 and 2 because the indicated encryption scheme associated with these data has a value "1".
    [0013] Figure 6 is a method 600 for returning "zeros" from data written with a different or old encryption scheme, according to an exemplary embodiment. The method 600 includes monitoring the memory device for a change in the encryption / decryption scheme used to read and write the data 610. Monitor the memory device for the change in the encryption scheme / decryption includes monitoring column 440 of table 400, shown in Fig. 4. Once it is determined that some of the data associated with certain logical block addresses has been encrypted using an old or different encryption scheme zeros are written at the physical block address which is previously encrypted using the old encryption / decryption scheme 612. Therefore, in Fig. 4, the data which is associated with the logical block addresses 1. and 2 will be overwritten or rewritten with zeros. More particularly, the physical block address 2 and the eight physical block addresses associated with the logical block address 1, will be overwritten with zeros. Similarly, the physical block address 172 and the 21 physical block addresses associated with the logical block address 2 will also be written over with zeros. Thus, in the actual physical memory locations indicated by the table 400, there will be zeros written at these data locations. The method also includes reading the rewritten physical block addresses that correspond to the associated logical block addresses 614. In other words, the physical block addresses associated with the logical block address will contain zeros therein. When reading, real zeros will be returned to the reading channel rather than useless data. Again, it should be noted that the logical block addresses that are rewritten with zeros are those where an old or different encryption scheme is used, such as the logical block addresses 1 and 2 shown in FIG. 4. This assumes that encryption scheme 2 is the current encryption scheme. FIG. 7 is another type of table 700 associated with a storage system indirection controller 300, according to an exemplary embodiment. Table 700 has 5 columns for logical block addresses 710, physical block addresses that correspond to logical block addresses 720, the number of written blocks 730, an invalid indication 734, and an indication of the encryption scheme. 740. As shown in FIG. 7, when an old or different encryption scheme is used, the logical block address is marked or indicated as invalid as represented by column 734 in table 700. The current encryption scheme is represented by the number "2" and the old or different encryption scheme is represented by the number "1" in column 740 of table 700. In column 734, the first two entries that correspond to Logic block addresses "1" and "2" carry a value of 1 which indicates that the data associated with these logical block addresses are invalid. The other two entries for logical block addresses "3" and "4" have a value of "0", which indicates that these logical block addresses or information representing data at these logical block addresses have been written with the current encryption scheme. FIG. 8 illustrates a method 800 for returning "zeroes" from data written with a different or old encryption scheme, according to an exemplary embodiment. Method 800 includes monitoring the storage system, and more particularly a memory device 330, 332, in search of a change in the encryption / decryption scheme used to read and write the data 810. Monitor the memory device In the search for a change in the encryption / decryption scheme, it is necessary to monitor the column 740 of the table 700, shown in FIG. 7. Defining the invalidity as a value "1" can also be used to define an indicator by report to logical block addresses "1" and "2". An indicator is a marker of a certain type used by computer processing or interpretation information. An indicator is a signal indicating the existence or condition of a particular condition. In this exemplary embodiment, the particular great condition is that the data or information representing data associated with a particular logical block address has been written with an encryption scheme that differs from the currently used encryption scheme. This is indicated by the value "1" in the invalidity column 734 of the table 700. The method 800 also includes associating at least one indicator with at least one physical block address that is associated with a user address. logic block that indicates that information representing data at the associated physical block address is written using an old encryption scheme. The read channel or controller that controls a read channel will not read the physical block addresses of the invalid data and will return a read of all zeros for further processing. In other words, zeros will be returned based on the indication of invalid logical block addresses. This avoids the return of unnecessary data from the physical block addresses associated with the logical block addresses. FIG. 9 is yet another type of table 900 associated with an indirection controller 300 of a storage device 300, according to an exemplary embodiment. In this particular embodiment, when it is determined that the encryption scheme used does not match the current encryption scheme, the physical block address for a particular logical block address is deleted. In other words, the pointer that indicates the starting physical block address is eliminated. This is illustrated in table 900 in column 920. More specifically, the physical block addresses indicating the starting physical block address for logical block addresses "1" and "2" have been removed because the encryption, indicated by a value of "1" is old or different from the current encryption scheme. Without a physical block address for starting point, the memory device assumes that the logical block address corresponding to the values "1" and "2" is empty and will therefore automatically return zeros as read from logical block addresses. Fig. 10 is a flowchart of a method 1000 for preventing the generation of unnecessary data, according to an exemplary embodiment. The method 1000 includes monitoring the storage device or the memory device for a change in the encryption / decryption scheme used to read and write the data 1010. Monitor the storage device for data storage. a change in the encryption / decryption scheme 1010 includes monitoring the column 440 of the table 900, shown in the figure. 9. The method also includes removing a pointer from the logical block address to the physical block address upon an indication that a new encryption / decryption scheme is being used to read the data 1012. other words, the pointer associated with information representing data written with an old or different encryption / decryption scheme will be deleted so that the logical block address appears empty. In the absence of data at a logical block address, the read channel 16 will return zeros to indicate that no data is present. In this way, the reading of useless data is again prevented. A memory device comprising at least one memory location for storing information representing written data by means of a first encryption / decryption method, and a read channel using a second encryption / decryption method for reading and decrypting data. such information as written. The memory device also includes an apparatus which prevents reading of the at least one memory location by means of the second encryption / decryption method, in response to an indication that the at least one memory location has been written by means of of the first encryption / decryption method. The apparatus which prevents the reading of the at least one physical block address includes a device for associating an indicator with the at least one memory location written using the first encryption / decryption method. The apparatus which prevents the reading of the at least one physical block address also includes a device for returning the zeros for the at least one memory location written using the first encryption / decryption method in response to an indication that the read channel uses a second encryption / decryption method. The apparatus which prevents the reading of the at least one memory location written by the first encryption / decryption method, in one embodiment, includes a device for writing zeros to the at least one written memory location. using the first encryption / decryption method. In one embodiment, the information representing data is in a block and the at least one memory location is at least one physical block address. In some embodiments, the memory device also includes an indirection system. The indirection system comprises at least one logical block address, and a database that maps the at least one logical block address to the at least one physical block address. In one embodiment, the indirection system includes an apparatus for mapping the at least one logical block address to the at least one inaccessible physical address in response to the read channel by a second method. encryption / decryption, when the at least one physical block address is written using the first encryption / decryption method. The second encryption / decryption method differs from the first encryption / decryption method. A second encryption parameter associated with the second encryption / decryption method differs from a first encryption parameter associated with the first encryption / decryption method. In another exemplary embodiment, a second encryption scope parameter associated with the second encryption / decryption method differs from a first encryption scope parameter associated with the first encryption / decryption method. In still other embodiments, a second encryption key parameter of the second encryption / decryption method differs from a first encryption key parameter of the first encryption / decryption method. A storage apparatus comprises a semiconductor device having a plurality of memory locations, a write channel for writing information representing data on the plurality of memory locations in a semiconductor device, and a read channel for reading information representing data from the plurality of memory locations in a semiconductor device. The storage apparatus also includes a controller that controls the operations of the storage apparatus, including writing information about the plurality of memory locations in a semiconductor device and reading information representing data from the plurality of memory locations in a semiconductor device. The storage apparatus also includes an indirection system, further comprising a set of logical block addresses, and a set of physical block addresses that correspond to the plurality of memory locations in the semiconductor device. driver of the storage device. The indirection system also includes a mapping that associates logical block addresses with at least one physical block address. The mapping also includes at least one indicator indicating an encryption / decryption method used to write and read data from the physical block address. The controller returns a read of zeros when the encryption / decryption method used to read the physical block address has changed. In an exemplary embodiment, the controller causes the physical block address to be written with zeros in response to a change in the encryption / decryption process. In another exemplary embodiment, the controller returns all zeros in response to an indication of a change in the encryption / decryption method. In yet another embodiment, the controller removes a pointer in the mapping between the logical block address and the physical block address in response to an indication of a change in the encryption / decryption process. In yet another embodiment, the controller generates an indicator indicating that information at a physical block address is invalid in response to an indication of a change in the encryption / decryption method. The controller 3025041 controls the writing of information at the semiconductor device and the reading of information representing data from the semiconductor device. The indirection system includes a set of physical block addresses that correspond to actual memory locations of the semiconductor device. The mapping for associating logic block addresses with at least one of the actual memory locations of the semiconductor device also includes at least one indicator indicating an encryption / decryption method used to write and read data from the memory locations. actual memory of the semiconductor device. When the flag is set, the controller returns a read of zeros when the encryption / decryption method used to read the actual memory locations of the semiconductor device has changed. One method of decreasing the generation of unnecessary data in a storage apparatus includes monitoring a storage apparatus for a change in an encryption / decryption scheme used to read and write data and, in response to the change in the encryption / decryption scheme, causing at least one logical block address to return an indication that it is written in zeros when the physical block address associated with the logical block address has been encrypted by means of the old encryption / decryption scheme. In one embodiment, the previously encrypted physical block address using the old encryption / decryption scheme is written as zeros using the new encryption / decryption scheme. In another embodiment, a pointer from the logical block address to the physical block address is deleted on an indication that a new encryption / decryption scheme is used to read the data. This produces a read that contains only zeros and prevents the generation of unnecessary data. In yet another embodiment, there are a plurality of logical block addresses that are associated with a plurality of physical block addresses written with an old encryption / decryption scheme. Pointers for the plurality of logical block addresses are deleted to the plurality of physical block addresses previously written with an old encryption / decryption scheme. In yet another embodiment, the plurality of logical block addresses are mapped to the physical block addresses in a mapping. The mapping further includes at least one indicator indicating that information representing data at a logical block address is invalid when information representing data written at the physical block address associated with the logical block address is written using an old encryption scheme.
    [0014] In one or more examples, the described functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored or transmitted, in the form of one or more instructions or code, on a computer-readable medium and executed by a hardware-based processing unit. . The computer readable media may include computer readable storage media, which is a tangible medium such as data storage media, or communication means including any media that facilitates the transfer of a computer program. from one place to another, for example, according to a communication protocol. In this manner, the computer-readable media may generally correspond to (1) non-transient tangible computer-readable storage media or (2) a communication means such as a signal or a carrier wave. The data storage media may be any available media that can be accessed by one or more computers or one or more processors for extracting instructions, code, and / or data structures for implementing the data storage media. techniques described in this description. A computer program product may include a computer readable medium. By way of example, and without limitation, these computer readable storage media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage, or other magnetic storage devices, flash memory, or any other medium that can be used to store desired program code in the form of instructions or data structures, and which are accessible by a computer. In addition, computer readable medium adequately designates any connection. For example, if instructions are transmitted from a web site, server, or other remote source by means of a coaxial cable, a fiber optic cable, a twisted pair , a digital subscriber line (DSL) or wireless technologies such as infrared, radio wave, microwave transmission, then coaxial cable, fiber optic cable, twisted pair, DSL line, or wireless technologies such as infrared, radio wave, microwave transmission are included in the definition of the medium. It should be understood, however, that computer-readable storage media and data storage media do not include connections, carrier waves, signals, or other transient media, but rather are directed to storage media. tangible, non transitory. The term disc, as used herein, includes the compact disc (CD), the laser disc, the optical disk 3025041, the digital versatile disc (DVD), the floppy disk and the Blu-ray disc, where the discs "disks" in English - usually reproduce the data magnetically, while disks - which are called "discs" in English reproduce the data optically with lasers. Combinations of the foregoing should also be included in what is covered by the computer readable media. Instructions may be performed by one or more processors, such as one or more Digital Signal Processors (DSPs), General Purpose Microprocessors, Application Specific Integrated Circuits (ASICs), Programmable Gate Array (FPGA) ICs , or other discrete or integrated logic circuits equivalent. Accordingly, the term "processor" as used herein may refer to any of the foregoing structures or any other suitable structure for carrying out the techniques described herein. In addition, the techniques can be fully implemented in one or more circuits or logical elements. The techniques of this invention can be implemented in a wide variety of devices or devices, including a wireless handset, an integrated circuit (IC), or a set of integrated circuits (e.g., a chipset). . Various components, modules or units are described in this description to highlight the functional aspects of the devices configured to perform the described techniques, but do not necessarily require realization by different hardware units. On the contrary, as described above, different units may be combined in a hardware unit or provided by a set of interoperable hardware units, including one or more processors as described above, in conjunction with software and / or or an appropriate firmware. The foregoing description, for purposes of explanation, has used a specific nomenclature to provide a complete understanding of the invention. However, it will be apparent to those skilled in the art that specific details are not necessary to practice the invention. Thus, the foregoing descriptions of specific embodiments of the present invention are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms described. It will be apparent to those skilled in the art that many modifications and variations are possible in light of the above teachings. The embodiments have been chosen and described in order to best explain the principles of the invention and its practical applications, thereby enabling those skilled in the art to make the best use of the invention and various embodiments. with various modifications 3025041 as appropriate for the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalents. Although the embodiments have been described in terms of several particular embodiments, there are modifications, permutations and equivalents that fall within the scope of these general concepts. It should also be noted that there are many other ways to implement the methods and apparatus of the present embodiments. It is therefore intended that the following appended claims be interpreted to include all such modifications, permutations and equivalents that are covered by the true spirit and scope of the embodiments described. These and other exemplary embodiments are within the scope of the following claims. 22
    权利要求:
    Claims (20)
    [0001]
    REVENDICATIONS1. A memory device comprising: at least one memory location for storing information representing written data using a first encryption / decryption method; a read channel using a second encryption / decryption method for reading and decrypting the information as written; and apparatus which prevents reading of the at least one memory location using the second encryption / decryption method, in response to an indication that the at least one memory location has been written using the first method encryption / decryption.
    [0002]
    The memory device according to claim 1, wherein the apparatus which prevents reading of at least one physical block address comprises a device for associating an indicator with the at least one written memory location using the first one. encryption / decryption method; and returning null content for the at least one written memory location using the first encryption / decryption method in response to the read channel using a second encryption / decryption method. 20
    [0003]
    The memory device of claim 1, wherein the apparatus which prevents reading of the at least one memory location written with the first encryption / decryption method using the second encryption method comprises a device for writing zeros in the at least one memory location written using a first encryption / decryption method. 25
    [0004]
    The memory device of claim 1, wherein the information representing data is in a block and the at least one memory location is at least one physical block address. 30
    [0005]
    The memory device of claim 4, further comprising an indirection system, which further comprises: at least one logical block address; and a database that maps the at least one logical block address to the at least one physical block address. 23 3025041
    [0006]
    The memory device according to claim 5, wherein the indirection system comprises an apparatus which maps the at least one logical block address to the at least one physical block address which is inaccessible in 5. response to the read channel using a second encryption / decryption method when the at least one physical block address is written using the first encryption / decryption method.
    [0007]
    The memory device of claim 6, wherein a second encryption parameter associated with the second encryption / decryption method is different from a first encryption parameter associated with the first encryption / decryption method.
    [0008]
    The memory device of claim 6, wherein a second encryption extent parameter associated with the second encryption / decryption method is different from a first encryption extent parameter associated with the first encryption / decryption method.
    [0009]
    The memory device of claim 6, wherein a second encryption key parameter of the second encryption / decryption method is different from a first encryption key parameter of the first encryption / decryption method.
    [0010]
    A storage apparatus comprising: a semiconductor device comprising a plurality of memory locations; a write channel for writing information representing data on the plurality of memory locations in the semiconductor device; a read channel for reading information representing data from the plurality of memory locations in the semiconductor device; A controller that controls the operations of the storage apparatus, including writing information about the plurality of memory locations in the semiconductor device and reading information representing data from the plurality of memory locations in the semiconductor device; an indirection system, further comprising: a set of logical block addresses; a set of physical block addresses that correspond to the plurality of memory locations in the semiconductor device of the storage apparatus; a mapping that associates logical block addresses with at least one physical block address, the map also including at least one indicator indicating an encryption / decryption method used to write and read data from the physical block address, where the controller returns a read of zeros when the encryption / decryption method used to read the physical block address has changed.
    [0011]
    The storage apparatus of claim 10, wherein the controller causes the physical block address to be written with zeros in response to a change in the encryption / decryption method.
    [0012]
    The storage apparatus of claim 10, wherein the controller returns all zeros in response to an indication of a change in the encryption / decryption method.
    [0013]
    The storage apparatus according to claim 10, wherein the controller deletes a pointer in the mapping between the logical block address and the physical block address in response to an indication of a change in the encryption method. decryption.
    [0014]
    The storage apparatus of claim 10, wherein the controller generates an indicator indicating that information at a physical block address is invalid in response to an indication of a change in the encryption / decryption method.
    [0015]
    The storage apparatus according to claim 10, wherein the controller controls the writing of the information on the semiconductor device and the reading of the information representing data from the semiconductor device; the indirection system further comprising a set of physical block addresses that correspond to actual memory locations of the semiconductor device, the mapping associating logical block addresses to at least one of the actual memory locations of the semiconductor device -conductor, the mapping also comprising at least one indicator indicating an encryption / decryption method used to write and read data from the actual memory locations of the semiconductor device, where the controller returns a read of zeros when the process of Encryption / decryption used to read the actual memory locations of the semiconductor device has changed.
    [0016]
    16. A method of decreasing the generation of unnecessary data in a storage apparatus, the method comprising the steps of: monitoring the storage apparatus for a change in an encryption / decryption scheme used to read and write data. data; and in response to the modification of the encryption / decryption scheme, causing at least one logical block address to return an indication that it is written in zeros when a physical block address associated with the logical block address has been encrypted using an old encryption / decryption scheme.
    [0017]
    The method of claim 16, wherein the encrypted physical block address using the old encryption / decryption scheme is written as zeros using a new encryption / decryption scheme.
    [0018]
    The method of claim 16, wherein a mapping is used to map the logical block address to the physical block address, where a pointer from the logical block address to the physical block address is removed on an indication that a new encryption / decryption scheme is in use for reading data.
    [0019]
    The method of claim 18, wherein there is a plurality of logical block addresses that are associated with a plurality of physical block addresses written with an old encryption / decryption scheme, where the pointers for the plurality of Logical block addresses are deleted. -
    [0020]
    The method of claim 16, wherein there are a plurality of logical block addresses that are associated with a plurality of physical block addresses written with an old encryption / decryption scheme, the plurality of logical block addresses. mapped to the physical block addresses in a map, the map further comprising at least one flag indicating that information representing data at a logical block address is invalid when the information representing the data written to the address of the logical block address is invalid physical block associated with the logical block address are written using an old encryption scheme. 27
    类似技术:
    公开号 | 公开日 | 专利标题
    FR3025041A1|2016-02-26|
    US9037875B1|2015-05-19|Key generation techniques
    US9740639B2|2017-08-22|Map-based rapid data encryption policy compliance
    US8689279B2|2014-04-01|Encrypted chunk-based rapid data encryption policy compliance
    EP2528004A1|2012-11-28|Secure removable media and method for managing the same
    FR3033061A1|2016-08-26|
    US20190377693A1|2019-12-12|Method to generate pattern data over garbage data when encryption parameters are changed
    US20180096143A1|2018-04-05|Secure change log for drive analysis
    CN105700830B|2017-07-14|A kind of solid state hard disc master control, solid state hard disc and the WORM storage methods of supporting WORM to store
    FR2979443A1|2013-03-01|Method for storing data in memory interfacing with secure microcontroller, involves processing input data according to one of data processing methods to achieve data processed in different data formats
    FR2976147A1|2012-12-07|DATA INTERLACEMENT DIAGRAM FOR AN EXTERNAL MEMORY OF A SECURE MICROCONTROLLER
    US9450761B2|2016-09-20|Memory system and method of generating management information
    RU2584755C2|2016-05-20|Method of protecting availability and security of stored data and system for adjustable protection of stored data
    EP2369521A1|2011-09-28|Protection of records against unilateral disruptions
    US20180314837A1|2018-11-01|Secure file wrapper for tiff images
    US20110268265A1|2011-11-03|Disk media security system and method
    US10606985B2|2020-03-31|Secure file wrapper for TIFF images
    KR101854192B1|2018-05-03|Data protection apparatus of storage device and method thereof
    US20180315451A1|2018-11-01|Metadata processing for an optical medium
    WO2015032921A1|2015-03-12|Method of managing consistency of caches
    JP5978260B2|2016-08-24|Virtual band concentrator for self-encrypting drives
    FR3078463A1|2019-08-30|METHOD AND DEVICE FOR REALIZING SUBSTITUTED TABLE OPERATIONS
    US20160352517A1|2016-12-01|Sharing encrypted data with enhanced security
    CA2563144A1|2008-04-12|System and method for file encryption and decryption
    EP1930833A1|2008-06-11|System for protecting data stored in memory
    同族专利:
    公开号 | 公开日
    CN105389265B|2019-01-04|
    GB2531631B|2018-01-10|
    GB2531631A|2016-04-27|
    US20180293177A1|2018-10-11|
    CN105389265A|2016-03-09|
    US20200310989A1|2020-10-01|
    US20160170909A1|2016-06-16|
    US10698840B2|2020-06-30|
    US20160055101A1|2016-02-25|
    US20170031837A1|2017-02-02|
    US9959218B2|2018-05-01|
    GB201513987D0|2015-09-23|
    DE102015010906A1|2016-02-25|
    US9436618B2|2016-09-06|
    US9298647B2|2016-03-29|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US7185205B2|2001-03-26|2007-02-27|Galois Connections, Inc.|Crypto-pointers for secure data storage|
    TWI222598B|2003-07-09|2004-10-21|Sunplus Technology Co Ltd|Device and method protecting data by scrambling address lines|
    US9396752B2|2005-08-05|2016-07-19|Searete Llc|Memory device activation and deactivation|
    EP2304568B1|2008-06-06|2013-08-14|Pivot3|Method and system for distributed raid implementation|
    US9081771B1|2010-12-22|2015-07-14|Emc Corporation|Encrypting in deduplication systems|
    US8649514B2|2010-12-28|2014-02-11|Sony Corporation|On-demand switched content encryption|
    JP5121974B2|2011-05-24|2013-01-16|株式会社東芝|Data storage device, storage control device and method|
    JP5759827B2|2011-08-04|2015-08-05|株式会社メガチップス|MEMORY SYSTEM, INFORMATION PROCESSING DEVICE, MEMORY DEVICE, AND MEMORY SYSTEM OPERATION METHOD|
    KR102015906B1|2012-11-12|2019-08-29|삼성전자주식회사|Memory system comprising nonvolatile memory device and read method tererof|
    US10372627B2|2014-08-25|2019-08-06|Western Digital Technologies, Inc.|Method to generate pattern data over garbage data when encryption parameters are changed|
    US9298647B2|2014-08-25|2016-03-29|HGST Netherlands B.V.|Method and apparatus to generate zero content over garbage data when encryption parameters are changed|US10372627B2|2014-08-25|2019-08-06|Western Digital Technologies, Inc.|Method to generate pattern data over garbage data when encryption parameters are changed|
    US9298647B2|2014-08-25|2016-03-29|HGST Netherlands B.V.|Method and apparatus to generate zero content over garbage data when encryption parameters are changed|
    US10142303B2|2015-07-07|2018-11-27|Qualcomm Incorporated|Separation of software modules by controlled encryption key management|
    US10114782B2|2016-09-27|2018-10-30|Nxp B.V.|USB type C dual-role-port unattached duty cycle randomization|
    US11036651B2|2018-06-29|2021-06-15|Micron Technology, Inc.|Host side caching security for flash memory|
    法律状态:
    2016-08-22| PLFP| Fee payment|Year of fee payment: 2 |
    2017-07-14| PLFP| Fee payment|Year of fee payment: 3 |
    2018-07-12| PLFP| Fee payment|Year of fee payment: 4 |
    优先权:
    申请号 | 申请日 | 专利标题
    US14/467,724|US9298647B2|2014-08-25|2014-08-25|Method and apparatus to generate zero content over garbage data when encryption parameters are changed|
    [返回顶部]