Security Features for Solid State Drives in Defense Applications
A translation of part of a white paper on solid state drives in military use.
There are various methods for data protection and elimination in Flash solid state drives (SSDs), depending on the security level required within each application. Security techniques can be divided into three categories:
1. Data protection
2. Data elimination
3. Media destruction
Methods of data protection include write protection, password protection and encryption. Password protection can be used in combination with a biometric key to implement a security scheme that is based on “what you have, what you know, who you are”.
Data elimination is handled by Clear and Sanitize procedures. Which method needs to be implemented depends on the security classification level of the organization in which the application resides.
Typically, if the device will stay within the same security classification, a Clear procedure will suffice. If it is moved to a higher security classification level, the device needs to be entirely declassified, and a Sanitize procedure is needed. Moving the device to a lower security classification would require destruction of the drive.
Sanitizing a solid state drive is much faster and requires fewer cycles of the same procedure when compared to hard disk drives, since SSDs experience far lower levels of data remanence.
Complete media destruction can be a solution if a Sanitize procedure is too time consuming. However, incineration or disintegration can be expensive and impractical for many situations.
In April 2001, a US Navy surveillance plane was intercepted by two Chinese F-8 fighter planes during a routine patrol flight over the Chinese South Sea. The US plane was forced to make an emergency landing in China after what officials described as a “minor” midair collision occurred with one of the Chinese planes.
The US crew had between 12 and 20 minutes in the air to destroy all classified material on board before making the emergency landing. In the final moments before the plane landed, the crew tried to destroy the hardware with hammers and axes. Just how much the crew was able to destroy is not public knowledge.
This story illustrates the need for high-level security methods in defense systems, and in particular for the storage devices within these systems. This story is at the far end of the security spectrum; there are many systems that require lesser forms of security. For example, devices such as data recorders and ruggedized laptops that are used in training environments require a lower security implementation.
Since these devices stay within the same security classification environment, fast elimination of mission data may be all that is required once a training mission has been completed. On the other hand, if the device is moved to an environment with a higher security classification, a complete Sanitize procedure per the specified defense department standard will be required. Moving the device to an environment with a lower security classification requires complete destruction of the device.
In general, defense storage system security levels are divided into three categories:
1. Data protection
2. Data elimination
3. Media destruction
The third method would have definitely been preferred in the case of the US surveillance plane, but, of course, it is impractical, if not impossible, to have incineration or disintegration equipment inside an aircraft.
SMART High Reliability Solutions (SMART HRS) designs and develops security functionality in accordance with commonly used military specifications. As a result of this focus, SMART HRS solid state drives find wide acceptance and deployment in defense applications.
This white paper discusses the various solid state drive data security methods that can be applied in defense applications and environments, and discusses Secure Data Elimination Technology (SDET) implemented within the solid state drive product line from SMART HRS.
4. SECURITY IN SOLID STATE DRIVES VS. HARD DISK DRIVES
Implementing security features that require data elimination or media destruction is far more complex for hard disk drives than solid state drives due to their underlying storage technology. For example, hard disk drives leave behind a much bigger “ghost-image” once data is written to them. This requires more complex and longer data elimination procedures than would be needed for solid state drives.
In general, the amount of data that could possibly remain after a simple erase on a particular storage medium dictates the complexity of the data elimination and media destruction techniques on that storage medium. The smaller the data remanence on the storage media, the simpler the data elimination techniques that can be implemented. The next sections review data remanence on hard disk drives and solid state drives.
3.1 Data Remanence in Hard Disk Drives
When data is written to a magnetic medium, the write head sets the polarity of most, but not all, of the magnetic substrate. This is partially due to the inability of the write head to write in exactly the same location each time, and partially due to the variations in media sensitivity and field strength among devices over time.
When a “1” is written to a disk, the media records a “1”. When a “0” is written, the media records a “0”. However, the actual effect is closer to obtaining a 0.95 when a “0” is overwritten with a “1” and a 1.05 when a “1” is overwritten with a “1”. Deviations of the drive head from the original track may leave significant portions of the previous data along the track edge. Normal disk circuitry is set up so that both these values are read as “1”, but using specialized tools such as a magnetic force microscope, it is possible to read what previous layers contained. Using these specialized tools, extracting so-called “ghost-images” becomes fairly easy.
To ensure a complete elimination of a “ghost-image” on a magnetic disk drive, two procedures can be followed:
· Degaussing the media by applying a reverse (coercive) magnetizing force in order to reduce the correlation between previous and present data to a point that there is no known technique for recovery of previous data.
· Overwriting the media multiple times with various patterns. A one-time erase of the media will not suffice and military standards specify up to four Sanitize cycles of erase and pattern-overwrite. However, according to industry recommendations, a pattern overwrite of up to 35 times is required to completely clear previously contained data from the media.
3.2 Data Remanence in Solid State Drives
Solid state drives use NAND Flash technology for data storage. Figure 2 below shows the internal structure of a NAND Flash cell, which uses a process known as Fowler-Nordheim tunneling to change the charge inside the floating gate.
Writing (programming) a “0” into a cell causes the accumulation of negative charges in the floating gate. Writing a “1” into a cell does not change the cell’s content. To change the content of a cell from “0” to “1”, the cell must be erased in order to release the negative charges in the floating gate.
Data remanence in NAND Flash is mainly caused by a so-called hot-carrier effect, where electrons get trapped in the gate oxide layer and can stay there as excess charge. The amount of trapped charge can be determined by measuring the gate-induced drain leakage current of the cell, or more indirectly by measuring the threshold voltage of the cell. The effect is more apparent in fresh cells, and becomes less noticeable after 10 program/erase cycles.
Erasing the cell will significantly reduce the amount of trapped electrons, making it extremely difficult to recover any data from the device after an erase cycle.
3.3 Flash SSD Data Abstraction Layers
An additional complexity to recovering data from a solid state drive (when compared to hard disk drives) arises from the fact that solid state drives contain additional data abstraction layers. In-depth knowledge would be required of the following layers to obtain a valid picture of the extracted data:
· File system: Each file system has its own method of mapping files, creating pointers, and storing tables. Knowledge of this would be required for both HDD and solid state drives when data is extracted.
· Logical to physical mapping: Flash Management Systems map the logical file system sectors to physical locations on the Flash. Each solid state drive vendor implements a different Flash management algorithm for mapping sectors.
· Solid state drive architecture: Each solid state drive vendor has a different architecture, and therefore it is hard to determine where in each Flash chip a logical block address ends up.
· Flash cell architecture: Different Flash vendors have different Flash cell architectures with different sequences of discrete bits.
The additional data abstraction layers in a solid state drive increase the complexity of reverse engineering, making it extremely difficult to extract sensible data.
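The program/erase behaviour from section 3.2 and the logical-to-physical mapping listed above can be modelled in a few lines. This Python sketch is an added example, not code from the white paper or from any SSD vendor; `NandBlock`, `ToyFtl` and the sample sector contents are hypothetical, and it goes slightly beyond the text by showing why data elimination on Flash has to erase every block rather than overwrite logical sectors.

```python
ERASED = 0xFF  # an erased NAND byte reads back as all 1 bits


class NandBlock:
    """One erase block. Programming can only move bits from 1 to 0."""

    def __init__(self, pages, page_size):
        self.pages = [bytearray([ERASED] * page_size) for _ in range(pages)]

    def program(self, page, data):
        # New data is ANDed into the cells: a stored 0 never returns to 1.
        cells = self.pages[page]
        for i, byte in enumerate(data):
            cells[i] &= byte

    def erase(self):
        # Erase acts on the whole block and releases every cell back to 1.
        for cells in self.pages:
            cells[:] = bytes([ERASED]) * len(cells)


class ToyFtl:
    """Hypothetical minimal flash management layer (no garbage collection)."""

    def __init__(self, blocks=2, pages=4, page_size=8):
        self.page_size = page_size
        self.blocks = [NandBlock(pages, page_size) for _ in range(blocks)]
        self._reset_map()

    def _reset_map(self):
        self.map = {}  # logical sector -> (block, page)
        self.free = [(b, p) for b, blk in enumerate(self.blocks)
                     for p in range(len(blk.pages))]

    def write(self, lba, data):
        # A page cannot be rewritten in place, so each write takes a free page
        # and the previously mapped page becomes stale but keeps its content.
        if not self.free:
            raise RuntimeError("no free pages (toy model has no garbage collection)")
        block, page = self.free.pop(0)
        self.blocks[block].program(page, data[: self.page_size])
        self.map[lba] = (block, page)

    def read(self, lba):
        block, page = self.map[lba]
        return bytes(self.blocks[block].pages[page])

    def raw_pages(self):
        # What is physically stored, independent of the mapping table.
        return [bytes(pg) for blk in self.blocks for pg in blk.pages]

    def erase_all(self):
        # Data elimination: erase every block, mapped or stale, then remap.
        for blk in self.blocks:
            blk.erase()
        self._reset_map()


def in_place_overwrite():
    blk = NandBlock(pages=1, page_size=4)
    blk.program(0, b"\x0f\x0f\x0f\x0f")
    blk.program(0, b"\xf0\xf0\xf0\xf0")  # second program without an erase
    return bytes(blk.pages[0])


def overwrite_then_erase():
    ftl = ToyFtl()
    ftl.write(0, b"MISSION1")  # constructed sample data
    ftl.write(0, b"ZEROZERO")  # host overwrites logical sector 0
    host_view = ftl.read(0)
    stale_copy_present = b"MISSION1" in ftl.raw_pages()
    ftl.erase_all()
    return host_view, stale_copy_present, set(ftl.raw_pages())
```

In the model, the host reads back only the new sector while the old page still holds its content until the block erase, which is the step a Clear or Sanitize procedure on Flash has to reach.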
DATA PROTECTION
At the most basic level of data security, hardware and software applications achieve protection from viruses or hackers through write protection and password access protection. These isolate the Operating System (OS), applications, and critical data from corruption or infiltration by external sources. Write and password protecting a drive can be meaningful in applications where the end user is not allowed to tamper with the contents of the data.
4.1 Hardware Write Protection
Write protection prevents data modification on a storage device. It is typically enforced by the hardware through a jumper or switch and implemented through a hardware protection mechanism inside the controller of the SSD. In this case, a protection state machine inside the controller blocks writes to the media.
4.2 Software Write Protection
Software write protection can be implemented through the firmware of the storage device, whereby the host can set or remove the write protection via a host (vendor-unique) command to the drive. Software password protection is suitable when implementing a security scheme that is based on “what you have, what you know, who you are”. For example, when only authorized personnel are allowed to download mission data from a data recorder, a combined password protection and biometric key would provide a secure identification scheme. In this case, the password would deliver the “what you know,” and a biometric key would cover the “what you have” and “who you are.”
4.2.1 Password Protection in SMART HRS Solid State Drives
The password protection feature on SMART HRS solid state drives is implemented through the standard ATA command set and supports both a user and master password. When used for data logging purposes, the device can be locked or unlocked at boot time when used as the boot device, or once an application is loaded.
· Password protection during boot: When the SMART HRS solid state drive is used as the boot device, password protection is implemented in combination with the BIOS of the host system. The BIOS will need to incorporate the ATA commands that enable the usage of the password scheme. During the system boot process, the user must successfully enter a password to the system; otherwise the system will not continue booting.
After five unsuccessful attempts to enter a password, the drive will have to be rebooted before new attempts can be made. These include both user and master password attempts.
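The attempt limit described above, as an added Python model that is not SMART HRS firmware or part of the white paper. `PasswordLockModel`, its method names and the passwords are hypothetical, and the model assumes a correct password is also refused once the five attempts are spent.

```python
import hmac

MAX_ATTEMPTS = 5  # from the text: five failed entries, then a reboot is needed


class PasswordLockModel:
    """Hypothetical model of the drive's lock state; not vendor firmware."""

    def __init__(self, user_pw, master_pw):
        self._passwords = {"user": user_pw, "master": master_pw}
        self.power_cycle()

    def power_cycle(self):
        # Power-on: the drive comes up locked with a fresh attempt budget.
        self.locked = True
        self.attempts_left = MAX_ATTEMPTS

    def unlock(self, which, candidate):
        if not self.locked:
            return "already unlocked"
        if self.attempts_left == 0:
            # Budget spent: even the correct password is refused until reboot.
            return "refused until reboot"
        # Constant-time comparison so the check does not leak match length.
        if hmac.compare_digest(self._passwords[which], candidate):
            self.locked = False
            return "unlocked"
        self.attempts_left -= 1  # user and master failures share one counter
        return "wrong password"


def replay(drive, events):
    """Apply 'reboot' or (which, password) events and collect the outcomes."""
    outcomes = []
    for event in events:
        if event == "reboot":
            drive.power_cycle()
            outcomes.append("rebooted")
        else:
            outcomes.append(drive.unlock(*event))
    return outcomes


def constructed_session():
    # Constructed sample: three user failures plus two master failures use up
    # the shared budget, so the correct user password only works after reboot.
    drive = PasswordLockModel(user_pw=b"user-secret", master_pw=b"master-secret")
    events = [("user", b"guess1"), ("user", b"guess2"), ("user", b"guess3"),
              ("master", b"guess4"), ("master", b"guess5"),
              ("user", b"user-secret"),
              "reboot",
              ("user", b"user-secret")]
    return replay(drive, events), drive.locked
```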
4.3 Encryption
Another form of data protection is encryption, whereby the original data, or plaintext, is converted into a coded equivalent called ciphertext via an encryption algorithm. The ciphertext is decoded (decrypted) at the receiving end and turned back into plaintext.
When using the most common encryption algorithms, such as RSA, AES and 3DES, it is virtually impossible to recover any data from a storage device, providing a high form of security. For example, to break an AES 128-bit encryption, a “brute-force” attack with a system that tries keys at the rate of one billion keys per second will take about 10,000,000,000,000,000,000,000 years to try all possible keys.
The main hurdle that has prevented encryption from being integrated full scale into host applications and storage devices is related to key management. Creating strong and secure keys appears to be surprisingly difficult. The challenge is that most systems are notoriously deterministic, but what is required of a good and strong key is the opposite – unpredictability and randomness. In addition, it is not a trivial matter to provide a secure method of key storage and distribution without running the risk of keys being tampered with or stolen.
Most modern SSDs incorporate some form of encryption on the data they write to the NAND Flash. Since the SSD internally manages all the elements of the encryption from the key generation, to the key storage, to key deletion, they are called Self-Encrypting Drives (SEDs). In itself, an SED does not offer much data protection except deleting the encryption key in milliseconds, but when combined with other data protection features such as passwords, it provides an additional layer of data protection.
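The two points of this paragraph, transparent encryption without a password and erase by key deletion, in an added Python model that is not from the white paper or any vendor's design. `ToySed` and all names are hypothetical, a SHAKE-256 keystream stands in for the drive's hardware cipher, and the XOR key wrap is a toy substitute for a real key-wrapping scheme.

```python
import hashlib
import hmac
import secrets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _cipher(key, sector, data):
    """Stand-in stream cipher (SHAKE-256 keystream); real SEDs use AES."""
    stream = hashlib.shake_256(key + sector.to_bytes(8, "big")).digest(len(data))
    return _xor(data, stream)


class ToySed:
    """Hypothetical self-encrypting drive model; not any vendor's design."""

    def __init__(self, password=None):
        self.nand = {}  # sector -> ciphertext as stored on the flash
        self._salt = secrets.token_bytes(16)
        self._mek = secrets.token_bytes(32)  # media encryption key
        self._wrapped = None
        if password is not None:
            kek = self._kek(password)
            body = _xor(self._mek, kek)  # toy key wrap under the password key
            self._wrapped = body + hmac.new(kek, body, hashlib.sha256).digest()
            self._mek = None  # key is unavailable until unlock()

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 50_000)

    def unlock(self, password):
        kek = self._kek(password)
        body, tag = self._wrapped[:32], self._wrapped[32:]
        if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
            return False
        self._mek = _xor(body, kek)
        return True

    def power_cycle(self):
        if self._wrapped is not None:
            self._mek = None  # password-protected drives come up locked

    def _key(self):
        if self._mek is None:
            raise PermissionError("drive is locked")
        return self._mek

    def write(self, sector, data):
        self.nand[sector] = _cipher(self._key(), sector, data)

    def read(self, sector):
        return _cipher(self._key(), sector, self.nand[sector])

    def crypto_erase(self):
        # Replacing the key is the whole erase: the ciphertext stays on the
        # flash, but nothing can decrypt it any more.
        self._mek = secrets.token_bytes(32)
        self._wrapped = None


def demo():
    secret = b"constructed mission log"
    bare = ToySed()  # no password: encryption is transparent to any host
    bare.write(0, secret)
    bare.power_cycle()
    transparent = bare.read(0) == secret
    drive = ToySed(password=b"correct horse")
    drive.unlock(b"correct horse")
    drive.write(0, secret)
    drive.power_cycle()
    wrong_pw_accepted = drive.unlock(b"guess")
    drive.unlock(b"correct horse")
    readable_before = drive.read(0) == secret
    drive.crypto_erase()
    readable_after = drive.read(0) == secret
    return transparent, wrong_pw_accepted, readable_before, readable_after
```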