DATA PROCESSING DEVICE AND DATA PROCESSING METHOD

Abstract

A data encryption device is connected between an HDD and an HDD controller that controls the HDD. The data encryption device encrypts data that is stored from the HDD controller to the HDD, and decrypts data that is read from the HDD. A CPU of the data encryption device receives a command issued from the HDD controller to the HDD, and determines whether the command is executable at the HDD. When it is determined that the command is executable, the command is issued to the HDD. On the other hand, when it is determined that the command is unexecutable, the CPU prohibits issuance of the command to the HDD. Furthermore, when a command issued to the HDD is a specific command, the CPU bypasses data transferred between the HDD controller and the HDD without encryption or decryption.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate numerous embodiments, features, and aspects of the invention and, together with the description, serve to explain the principles of the invention.

FIG. 1 is a block diagram showing a system in which a data encryption device according to an embodiment of the present invention can be used.

FIG. 2 is a flowchart showing an example of a first control program according to the embodiment.

FIG. 3 is a diagram showing a data flow in a case where data is written to an external storage device (e.g., an HDD).

FIG. 4 is a diagram showing a data flow in a case where data is read from an external storage device (e.g., an HDD).

FIG. 5 is a state transition diagram for explaining operation modes of the data encryption device.

FIG. 6 is a block diagram showing the configuration of an ATA bus selector shown in FIG. 1.

FIGS. 7A to 7C are diagrams for explaining operations of the ATA bus selector, shown in FIG. 6, in individual operation modes of the data encryption device.

FIG. 8 is a diagram showing extended commands executable by the data encryption device.

FIG. 9 is a diagram showing commands executable by the data encryption device in a normal mode.

FIG. 10 is a flowchart showing an example of a second control program according to the embodiment.

FIG. 11A is a flowchart showing an example of a third control program according to the embodiment.

FIG. 11B is a flowchart showing an example of a third control program according to the embodiment.

FIG. 12 is a flowchart showing an example of a fourth control program according to the embodiment.

FIG. 13 is a flowchart showing an example of a fifth control program according to the embodiment.

FIG. 14 is a flowchart showing an example of a sixth control program according to the embodiment.

FIG. 15 is a flowchart showing an example of a seventh control program according to the embodiment.

FIG. 16 is a diagram showing a memory map of a storage medium (recording medium) storing various data processing programs that are readable by the data encryption device.

Claims

1. A data processing device for connection between a storage device and a controlling device that controls the storage device, the data processing device comprising: a first receiving unit configured to receive a command issued from the controlling device;a second receiving unit configured to receive data from the storage device;a determining unit configured to determine whether a command received by the first receiving unit is executable;an encryption and decryption unit configured to encrypt data received from the controlling device and to decrypt data received from the storage device;a first controlling unit configured to exercise control so that a command determined by the determining unit as executable may be issued to the storage device and so that a command determined by the determining unit as unexecutable may not be issued to the storage device; anda second controlling unit configured to exercise control to allow data that is received by the second receiving unit from the storage device in response to a command issued by the first controlling unit to pass through the data processing device without being decrypted when the command is a specific command.

2. A data processing device according to claim 1, wherein the specific command is a command for reading unique information of the storage device from the storage device.

3. A data processing device according to claim 1, further comprising: an authentication unit for executing authentication between the controlling device and the data processing device; anda third controlling unit for controlling an operation mode of the data processing device so that the data processing device operates in an intercept mode in which a request to access the storage device received at the first receiving unit, before the authentication by the authentication unit is executed, is intercepted by the data processing device, and so that the data processing device operates in an access mode in which request to access the storage device received at the first receiving unit is permitted after the authentication by the authentication unit is executed;wherein the commands that the determining unit is arranged to determine as executable at the storage device depend on the operation mode of the data processing device.

4. A data processing device according to claim 3, wherein when the determining unit is arranged to determine that a particular command is executable when the data processing device is in the access mode, and the determining unit is arranged to determine that the particular command is unexecutable in the intercept mode.

5. A data processing device according to claim 1, further comprising a storing unit configured to store seed information for generating key information that is used for the encryption and decryption, wherein the encryption and decryption unit is arranged to encrypt and decrypt data using key information generated on the basis of the seed information stored in the storing unit and unique information from the controlling device.

6. A data processing device according to claim 5, further comprising a key generating unit configured to generate the key information and storing the key information in the storing unit, the key information being generated each time the data processing device is activated, based on the seed information stored in the storing unit and the unique information of the controlling device received at the first receiving unit.

7. A data processing apparatus comprising a data processing device according to claim 1, a storage device and a controlling device, wherein the data processing device is connected between the controlling device and the storage device.

8. A data processing method for a data processing device connected between a storage device and a controlling device that controls the storage device, the data processing method comprising: receiving a command issued from the controlling device to the storage device;determining whether the command received from the controlling device is executable; andif the command is determined to be executable: encrypting the command issued from the storage device;transferring the encrypted command to the storage device;receiving data from the storage device;decrypting data received from the storage device; andexercising control so that data received from the storage device is either decrypted and transferred to the controlling device in response to the command or the data that is received from the storage device is allowed to pass through the data processing device without being decrypted depending on whether the command is a specific command.

9. A data processing method according to claim 8, wherein the specific command is a command for reading unique information of the storage device from the storage device.

10. A data processing method according to claim 8, further comprising: executing authentication between the controlling device and the data processing device; andcontrolling an operation mode of the data processing device so that the data processing device operates in one of an intercept mode in which a request to access the storage device from the controlling device, before the authentication in the authentication step is executed, is intercepted, and an access mode in which a request to access the storage device from the controlling device to the storage device is permitted after the authentication in the authentication step is executed;wherein, commands that are determined as executable at the storage device depend on the operation mode of the processing device.

11. A data processing method according to claim 10, wherein, when it is determined a command is executable in the access mode, it is determined that the command is unexecutable in the intercept mode.

12. A data processing method according to claim 8, further comprising storing seed information in a storing unit, the seed information being for use in generating key information that is used in encryption and decryption, wherein the encryption and decryption is executed using key information generated based on the seed information stored in the storing unit and unique information of the controlling device.

13. A data processing method according to claim 12, further comprising generating the key information and storing the key information in the storing unit, the key information being generated each time the data processing device is activated, based on the seed information stored in the storing unit and the unique information of the controlling device obtained each time from the controlling device.