CN102103551A - Method and system for encrypting and decrypting storage equipment data, and virtual machine monitor - Google Patents


Info

Publication number
CN102103551A
Authority
CN
China
Prior art keywords
data
key
read
memory device
data key
Prior art date
Legal status
Pending
Application number
CN200910189226XA
Other languages
Chinese (zh)
Inventor
刘欣房
贾兵
林诗达
宋靖
王淼
顾文锦
Current Assignee
China Great Wall Computer Shenzhen Co Ltd
Original Assignee
China Great Wall Computer Shenzhen Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention is applicable to the technical field of computers, and provides a method and a system for encrypting and decrypting storage equipment data, and a virtual machine monitor. The method comprises the following steps of: monitoring a reading and writing operation request of the storage equipment data of an operating system by the virtual machine monitor; acquiring a first decrypted data key from the storage equipment when the reading and writing operation request is monitored; and encrypting or decrypting the data subjected to reading and writing operation of the storage equipment according to the first decrypted data key. In the embodiment of the invention, the virtual machine monitor monitors the reading and writing operation request of the storage equipment of the operating system, the first decrypted data key is acquired from the storage equipment when the reading and writing operation request is monitored; and the data subjected to reading and writing operation of the storage equipment is encrypted or decrypted according to the first decrypted data key, so the problem that storage equipment data is leaked can be solved, and the safety of the storage equipment data can be guaranteed.

Description

Method and system for encrypting and decrypting storage device data, and virtual machine monitor
Technical field
The invention belongs to the field of computer technology and in particular relates to a method and a system for encrypting and decrypting storage device data, and to a virtual machine monitor.
Background technology
As computer use has become more widespread, information security has become extremely important. The storage device is the key carrier of the information in a computer system; once it has been stolen or lost, the data stored on it is easily stolen, causing data leakage and bringing loss to the device's user.
Summary of the invention
The purpose of the embodiments of the invention is to provide a method for encrypting and decrypting storage device data, intended to solve the prior-art problem that data on a storage device is easily leaked after the device is stolen or lost.
The embodiments of the invention are achieved as follows: a method for encrypting and decrypting storage device data, the method comprising the steps of:
the virtual machine monitor monitoring read/write operation requests of the operating system for storage device data;
when a read/write operation request has been detected, obtaining a decrypted first data key from the storage device, the first data key being stored on the storage device in ciphertext form;
encrypting or decrypting the read/write data of the storage device according to the decrypted first data key.
Another purpose of the embodiments of the invention is to provide a system for encrypting and decrypting storage device data, the system being built into a virtual machine monitor and comprising:
a monitoring module for monitoring read/write operation requests of the operating system for storage device data;
a first data key acquisition module for obtaining, when the monitoring module has detected a read/write operation request, a decrypted first data key from the storage device, the first data key being stored on the storage device in ciphertext form; and
an encryption/decryption operation control module for controlling the encryption or decryption of the read/write data of the storage device according to the decrypted first data key obtained by the first data key acquisition module.
A further purpose of the embodiments of the invention is to provide a virtual machine monitor that comprises the system for encrypting and decrypting storage device data.
In the embodiments of the invention, the virtual machine monitor monitors read/write operation requests of the operating system to the storage device; when a read/write operation request has been detected, the decrypted first data key is read from the storage device, the first data key being stored on the storage device in ciphertext form; and the read/write data of the storage device is encrypted or decrypted according to the decrypted first data key. This solves the problem of storage device data being leaked and protects the security of the storage device data.
Description of drawings
Fig. 1 is the implementation flow chart of the method for encrypting and decrypting storage device data provided by the embodiment of the invention;
Fig. 2 is the structural block diagram of the system for encrypting and decrypting storage device data provided by the embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
In the embodiments of the invention, the virtual machine monitor monitors read/write operation requests of the operating system to the storage device; when a read/write operation request has been detected, the decrypted first data key is read from the storage device, the first data key being stored on the storage device in ciphertext form; and the read/write data of the storage device is encrypted or decrypted according to the decrypted first data key.
Fig. 1 shows the implementation flow of the method for encrypting and decrypting storage device data provided by the embodiment of the invention; its concrete steps are as follows:
In step S101, the virtual machine monitor monitors read/write operation requests of the operating system to the storage device.
In the embodiments of the invention, the virtual machine monitor is activated before the host operating system starts; after the operating system has started, the virtual machine monitor runs in a background monitoring state. Background monitoring here refers to monitoring read/write operation requests for storage device data. The virtual machine monitor may of course monitor other operations as well; these are not repeated here and are not intended to limit the invention.
The storage device in the embodiments of the invention may be a computer storage device, namely a hard disk, but may equally be another storage device; this is not intended to limit the invention.
In step S102, it is determined whether the virtual machine monitor has detected a read/write operation request for storage device data. If so, step S103 is executed; otherwise the flow ends.
In step S103, when a read/write operation request has been detected, the first data key, which is stored on the storage device in ciphertext form, is taken out, together with the second key with which the first data key was encrypted.
In the embodiments of the invention, the first data key is the key used to encrypt and decrypt storage device data. It is generated from a random-number seed, which is transformed by a cryptographic algorithm function into a key of fixed length. The second key is the key used to encrypt and decrypt the first data key; it is composed of a system identifier and a random number, which are transformed by a transformation function.
The first data key and the second key may be given other names; this is not intended to limit the invention.
The first data key and the second key are stored at a specific location in the data storage area of the storage device, where the first data key is stored in ciphertext form and its encryption key is the second key.
In step S104, the first data key stored in ciphertext form is decrypted with the second key, yielding the decrypted first data key.
In the embodiments of the invention, when the virtual machine monitor detects a read/write operation request of the operating system to the storage device, the first data key that was taken out in ciphertext form is decrypted with the second key that was taken out, yielding the first data key in plaintext form.
In step S105, the read/write data of the storage device is encrypted or decrypted according to the decrypted first data key.
In the embodiments of the invention, according to the decrypted first data key, the plaintext data of the storage device's read/write operation is encrypted, or the ciphertext data of the storage device's read/write operation is decrypted.
In the embodiments of the invention, the encryption process for storage device data is: read the first data key that exists in ciphertext form, decrypt it with the second key to obtain the first data key in plaintext form, encrypt the plaintext data with the plaintext first data key, and store the encrypted storage device data in the user storage area of the storage device;
the decryption process for storage device data is: read the first data key that exists in ciphertext form, decrypt it with the second key to obtain the first data key in plaintext form, decrypt the ciphertext data with the plaintext first data key, and control the reading out of the decrypted storage device data.
The above is only one specific embodiment of the invention and is not intended to limit the invention.
In the embodiments of the invention, the first data key and the second key are both generated at system deployment and kept on the storage device. For subsequent reads of storage device data, therefore, the plaintext first data key need only be obtained once, after the user's identity has been confirmed, so that the security of data reads is guaranteed and the overhead on the system is kept low.
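As an added illustration of steps S101 to S105 and of the two-level key arrangement just described, the following Python models the scheme end to end. It is constructed example code, not the patent's or the assignee's implementation, and it makes these assumptions: the "transformation function" for the second key is taken to be an HMAC of the system identifier keyed by a random number that is kept on the device next to the wrapped first data key; the per-sector cipher is an HMAC-SHA256 keystream standing in for a real block cipher so that the example runs on the standard library alone; and every identifier, sector number and data value is constructed for the demonstration.

```python
import hashlib
import hmac
import os

KEY_LEN = 32       # fixed length of the first data key, in bytes
TAG_LEN = 32       # HMAC-SHA256 tag protecting the wrapped first data key
SECTOR_SIZE = 512


def generate_data_key(seed: bytes) -> bytes:
    """First data key: a random seed transformed by a cryptographic function
    into a fixed-length key."""
    return hashlib.sha256(b"data-key" + seed).digest()


def derive_second_key(system_id: bytes, random_number: bytes) -> bytes:
    """Second key: system identifier and random number combined by a
    transformation function (assumed here: HMAC-SHA256 keyed by the number)."""
    return hmac.new(random_number, b"second-key" + system_id, hashlib.sha256).digest()


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Stand-in cipher: HMAC(key, tweak || counter) blocks used as a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tweak + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_data_key(second_key: bytes, data_key: bytes) -> bytes:
    """Encrypt the first data key under the second key (encrypt-then-MAC).
    The returned nonce || ciphertext || tag is what is stored on the device."""
    nonce = os.urandom(16)
    ct = _xor(data_key, _keystream(second_key, b"wrap" + nonce, len(data_key)))
    return nonce + ct + hmac.new(second_key, nonce + ct, hashlib.sha256).digest()


def unwrap_data_key(second_key: bytes, blob: bytes) -> bytes:
    """Step S104: check the tag, then recover the plaintext first data key.
    A second key built from a different system identifier fails here."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(second_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("first data key unwrap failed: wrong second key or tampered header")
    return _xor(ct, _keystream(second_key, b"wrap" + nonce, len(ct)))


def encrypt_sector(data_key: bytes, sector_no: int, data: bytes) -> bytes:
    """Step S105: keystream tweaked by the sector number, so identical
    plaintext in two sectors does not give identical ciphertext."""
    return _xor(data, _keystream(data_key, b"sector" + sector_no.to_bytes(8, "big"), len(data)))


decrypt_sector = encrypt_sector   # XOR with the same keystream undoes it


class VmmDiskFilter:
    """The virtual machine monitor sitting between the OS and the device.
    `device` is a dict: "header" holds the random number and the wrapped first
    data key (the reserved storage area); integer keys are user-area sectors."""

    def __init__(self, device: dict, system_id: bytes):
        self.device = device
        self.system_id = system_id

    @staticmethod
    def deploy(system_id: bytes) -> dict:
        """System deployment: generate both keys once and keep them on the device."""
        random_number = os.urandom(16)
        data_key = generate_data_key(os.urandom(32))
        second_key = derive_second_key(system_id, random_number)
        return {"header": {"random_number": random_number,
                           "wrapped_key": wrap_data_key(second_key, data_key)}}

    def _data_key(self) -> bytes:
        # S103: take out the ciphertext first data key and rebuild the second key
        header = self.device["header"]
        second_key = derive_second_key(self.system_id, header["random_number"])
        return unwrap_data_key(second_key, header["wrapped_key"])   # S104

    def write(self, sector_no: int, plaintext: bytes) -> None:
        """Intercepted OS write: encrypt, then store the ciphertext (S105)."""
        self.device[sector_no] = encrypt_sector(self._data_key(), sector_no, plaintext)

    def read(self, sector_no: int) -> bytes:
        """Intercepted OS read: decrypt the stored ciphertext (S105)."""
        return decrypt_sector(self._data_key(), sector_no, self.device[sector_no])


def demo() -> dict:
    """Round trip on the deploying system, then the same device on another one."""
    device = VmmDiskFilter.deploy(b"SYSTEM-ID-0001")            # constructed identifier
    vmm = VmmDiskFilter(device, b"SYSTEM-ID-0001")
    secret = b"payroll.xlsx contents".ljust(SECTOR_SIZE, b"\0")  # constructed data
    vmm.write(7, secret)
    try:
        VmmDiskFilter(device, b"OTHER-SYSTEM").read(7)
        foreign_can_read = True
    except ValueError:
        foreign_can_read = False
    return {"roundtrip": vmm.read(7) == secret,
            "on_disk_differs": device[7] != secret,
            "foreign_system_can_read": foreign_can_read}
```

Calling `demo()` returns a round trip that succeeds on the deploying system, ciphertext on the device that differs from the plaintext, and a failed unwrap when the same device is attached to a system with a different identifier. Two points a practitioner would check against a real implementation: the stand-in keystream is reused whenever a sector is rewritten under the same key, so a real VMM filter would use a tweakable block-cipher mode such as AES-XTS rather than a stream construction; and because the random number in this model sits on the device itself, the binding to the deploying machine rests entirely on the system identifier, so what that identifier is and how it is protected decides how much the scheme helps in the stolen-device case the background section describes.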
As one embodiment of the invention, to guarantee the security of the scheme for encrypting and decrypting storage device data, static analysis and dynamic tracing of the code that controls the storage device data encryption/decryption operations must be prevented during the encryption and decryption process. This code is part of the virtual machine monitor code, and the following description uses the virtual machine monitor code (VMM code) as the example.
Prevention of static analysis of the VMM code is implemented as follows:
1. The main VMM code is stored in compressed form in the UEFI ROM. After the UEFI BIOS has loaded the VMM code into memory, the VMM's decompression routine decompresses the main code step by step, according to the needs of code execution.
2. The decompressed VMM code itself contains junk instructions and self-generated code, to increase the disguise of the VMM code.
3. String information in the VMM code is encoded, so that no string information is visible in the static code; this prevents analysis of the code flow through string information.
Prevention of dynamic tracing of the VMM code is implemented as follows:
1. Because the VMM code itself contains a micro-kernel that manages the computer hardware, it does not require the support of an operating system and cannot run in an operating system environment, so ordinary debugging and tracing software cannot dynamically trace the VMM code.
2. At the same time, the VMM code verifies its own code during operation, preventing illegal modification of the code.
The above description of preventing static analysis and dynamic tracing of the VMM code is only one specific embodiment of the invention and is not intended to limit the invention.
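As an added illustration of two of the measures above, the step-wise decompression of the main VMM code (static measure 1) and the VMM's verification of its own code during operation (dynamic measure 2), the following Python models a loader that keeps code segments compressed until execution first needs them, verifies each segment as it is unpacked, and can re-verify resident segments at any time. This is constructed example code, not the patent's or the assignee's implementation; the image layout, segment names, segment contents and digests are invented for the demonstration, and the junk-instruction and string-encoding measures are not modelled.

```python
import hashlib
import zlib


def build_rom_image(segments: dict) -> dict:
    """Build time: compress each code segment for the ROM and record a SHA-256
    digest of the decompressed bytes that the loader will check against."""
    return {name: {"compressed": zlib.compress(code, 9),
                   "digest": hashlib.sha256(code).digest()}
            for name, code in segments.items()}


class StagedLoader:
    """Models the VMM's decompression routine after the UEFI BIOS has copied
    the compressed image into memory: segments are unpacked only when
    execution first needs them, each is verified when unpacked, and segments
    already in memory can be re-verified during operation."""

    def __init__(self, image: dict):
        self.image = image
        self.loaded = {}      # segment name -> bytearray of code "in memory"

    def _verify(self, name: str, code: bytes) -> None:
        actual = hashlib.sha256(code).digest()
        if actual != self.image[name]["digest"]:
            raise RuntimeError(f"integrity check failed for segment {name!r}")

    def load(self, name: str) -> bytes:
        """Step-wise decompression: unpack one segment on demand, verify it,
        and keep it resident for later calls."""
        if name not in self.loaded:
            code = zlib.decompress(self.image[name]["compressed"])
            self._verify(name, code)
            self.loaded[name] = bytearray(code)
        return bytes(self.loaded[name])

    def recheck(self) -> list:
        """Run-time self-check: re-hash every resident segment and return the
        names of those that no longer match the build-time digest."""
        bad = []
        for name, code in self.loaded.items():
            try:
                self._verify(name, bytes(code))
            except RuntimeError:
                bad.append(name)
        return bad


def demo() -> dict:
    """Load one of two constructed segments, then alter it in memory."""
    image = build_rom_image({"disk_filter": b"\x90" * 64 + b"intercept-io",
                             "key_unwrap": b"\xcc" * 32 + b"unwrap-key"})
    loader = StagedLoader(image)
    loader.load("disk_filter")              # key_unwrap stays compressed
    before = loader.recheck()
    loader.loaded["disk_filter"][0] = 0xEB  # one byte changed in memory
    return {"resident": sorted(loader.loaded),
            "before_change": before,
            "after_change": loader.recheck()}
```

`demo()` shows `key_unwrap` still compressed after `disk_filter` has been unpacked, a clean self-check, and then `disk_filter` reported once a byte of its resident copy has changed. A digest stored beside the code only catches modifications that did not also rewrite the digest; a real VMM would anchor the expected digests in storage the running code cannot alter (the UEFI ROM image the description mentions, or firmware-measured storage) or verify a signature over them.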
Fig. 2 shows the structural block diagram of the system for encrypting and decrypting storage device data provided by the embodiment of the invention. For ease of explanation, only the parts relevant to the embodiment of the invention are shown. The system is built into the software unit of the virtual machine monitor.
Monitoring module 11 monitors read/write operation requests of the operating system for storage device data. When monitoring module 11 has detected a read/write operation request, read module 12 takes out the first data key stored on the storage device in ciphertext form, together with the second key with which the first data key was encrypted; first data key acquisition module 13 obtains the decrypted first data key from the storage device according to the second key, the first data key being stored on the storage device in ciphertext form; and encryption/decryption operation control module 14 controls the encryption or decryption of the storage device's read/write data according to the decrypted first data key obtained by first data key acquisition module 13.
In the embodiments of the invention, the specific implementation flow of encryption/decryption operation control module 14 is: according to the decrypted first data key (the first data key in plaintext form), encrypt the plaintext data of the storage device's read/write operation, or decrypt the ciphertext data of the storage device's read/write operation; this is not intended to limit the invention.
In the embodiments of the invention, first control module 15 controls the prevention of static analysis of the code that controls the storage device data encryption/decryption operations, and second control module 16 controls the prevention of dynamic tracing of that code. Their concrete implementation is as described in the embodiment above and is not repeated here; it is not intended to limit the invention.
In the embodiments of the invention, the virtual machine monitor monitors read/write operation requests of the operating system to the storage device; when a read/write operation request has been detected, the decrypted first data key is read from the storage device, the first data key being stored on the storage device in ciphertext form; and the read/write data of the storage device is encrypted or decrypted according to the decrypted first data key. This solves the problem of storage device data being leaked and protects the security of the storage device data. At the same time, preventing static analysis and dynamic tracing of the code effectively guarantees the security of the storage device data.
The above is only a preferred embodiment of the invention and is not intended to limit the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A method for encrypting and decrypting storage device data, characterized in that the method comprises the steps of:
the virtual machine monitor monitoring read/write operation requests of the operating system for storage device data;
when a read/write operation request has been detected, obtaining a decrypted first data key from the storage device, the first data key being stored on the storage device in ciphertext form;
encrypting or decrypting the read/write data of the storage device according to the decrypted first data key.
2. The method of claim 1, characterized in that the step of, when a read/write operation request has been detected, reading the decrypted first data key from the storage device, the first data key being stored on the storage device in ciphertext form, specifically further comprises:
when a read/write operation request has been detected, taking out the first data key stored on the storage device in ciphertext form, together with the second key with which the first data key was encrypted;
decrypting the first data key stored in ciphertext form according to the second key, to obtain the decrypted first data key.
3. The method of claim 2, characterized in that the step of controlling the encryption or decryption of the read/write data of the storage device according to the decrypted first data key specifically comprises:
encrypting the plaintext data of the storage device's read/write operation according to the decrypted first data key;
decrypting the ciphertext data of the storage device's read/write operation according to the decrypted first data key.
4. The method of claim 1, characterized in that the method further comprises the step of:
controlling the prevention of static analysis of the code that controls the storage device data encryption and decryption operations.
5. The method of claim 1, characterized in that the method further comprises the step of:
controlling the prevention of dynamic tracing of the code that controls the storage device data encryption and decryption operations.
6. A system for encrypting and decrypting storage device data, characterized in that the system is built into a virtual machine monitor and comprises:
a monitoring module for monitoring read/write operation requests of the operating system for storage device data;
a first data key acquisition module for obtaining, when the monitoring module has detected a read/write operation request, a decrypted first data key from the storage device, the first data key being stored on the storage device in ciphertext form; and
an encryption/decryption operation control module for controlling the encryption or decryption of the read/write data of the storage device according to the decrypted first data key obtained by the first data key acquisition module.
7. The system of claim 6, characterized in that the system further comprises:
a read module for taking out, when a read/write operation request has been detected, the first data key stored on the storage device in ciphertext form, together with the second key with which the first data key was encrypted.
8. The system of claim 6, characterized in that the system further comprises:
a first control module for controlling the prevention of static analysis of the code that controls the storage device data encryption and decryption operations.
9. The system of claim 6, characterized in that the system further comprises:
a second control module for controlling the prevention of dynamic tracing of the code that controls the storage device data encryption and decryption operations.
10. A virtual machine monitor comprising the system for encrypting and decrypting storage device data according to any one of claims 6 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910189226XA CN102103551A (en) 2009-12-22 2009-12-22 Method and system for encrypting and decrypting storage equipment data, and virtual machine monitor


Publications (1)

Publication Number Publication Date
CN102103551A true CN102103551A (en) 2011-06-22

Family

ID=44156338


Country Status (1)

Country Link
CN (1) CN102103551A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110457924A (en) * 2019-08-12 2019-11-15 南京芯驰半导体科技有限公司 Storing data guard method and device
CN114244515A (en) * 2022-02-25 2022-03-25 中瓴智行(成都)科技有限公司 Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1787431A (en) * 2004-12-09 2006-06-14 国际商业机器公司 Apparatus, system, and method for transparent end-to-end security of storage data
CN101587524A (en) * 2009-06-23 2009-11-25 上海北大方正科技电脑系统有限公司 Method for encrypting data memory apparatus based on virtual system


Similar Documents

Publication Publication Date Title
CN102884535B (en) Protected device manages
CN102624699B (en) Method and system for protecting data
US20170277898A1 (en) Key management for secure memory address spaces
US8315394B2 (en) Techniques for encrypting data on storage devices using an intermediate key
CN104951409A (en) System and method for full disk encryption based on hardware
CN102136048B (en) Mobile phone Bluetooth-based ambient intelligent computer protection device and method
EP3667535B1 (en) Storage data encryption and decryption device and method
CN101441601B (en) Ciphering transmission method of hard disk ATA instruction and system
CN103154963A (en) Scrambling an address and encrypting write data for storing in a storage device
US8539250B2 (en) Secure, two-stage storage system
CN112269547B (en) Active and controllable hard disk data deleting method and device without operating system
CN102053925A (en) Realization method of data encryption in hard disk
Yu et al. Mobihydra: Pragmatic and multi-level plausibly deniable encryption storage for mobile devices
CN103294969A (en) File system mounting method and file system mounting device
CN101123507A (en) A protection method and storage device for data information in storage device
CN102915415A (en) Safety control method and system of mobile terminal
CN114785503B (en) Cipher card, root key protection method thereof and computer readable storage medium
Chang et al. User-friendly deniable storage for mobile devices
CN111177773B (en) Full disk encryption and decryption method and system based on network card ROM
CN101464934B (en) Mutual binding and authenticating method for computer platform and storage device, and computer thereof
Türpe et al. Attacking the BitLocker boot process
CN102662874A (en) Double-interface encryption memory card and management method and system of data in double-interface encryption memory card
CN103177224A (en) Data protection method and device used for terminal external storage card
CN111159726B (en) UEFI (unified extensible firmware interface) environment variable-based full-disk encryption and decryption method and system
CN104955043A (en) Intelligent terminal safety protection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110622