CN105808977A - Processing methods and apparatuses for file reading and writing operations - Google Patents
Processing methods and apparatuses for file reading and writing operations Download PDFInfo
- Publication number
- CN105808977A CN105808977A CN201410849633.XA CN201410849633A CN105808977A CN 105808977 A CN105808977 A CN 105808977A CN 201410849633 A CN201410849633 A CN 201410849633A CN 105808977 A CN105808977 A CN 105808977A
- Authority
- CN
- China
- Prior art keywords
- file
- module
- encryption
- key
- written
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Abstract
The invention is suitable for the technical field of file processing and provides a processing method for a file writing operation. The processing method for the file writing operation comprises the steps of receiving a to-be-written file and a write instruction of the file, sent by an application running in a user space; transmitting the to-be-written file and the write instruction of the file to a virtual file system running in a kernel space; transmitting the to-be-written file and the write instruction of the file to a file encryption and decryption system running in the kernel space through the virtual file system; encrypting the to-be-written file; and according to the write instruction of the file, writing the encrypted file into a real file system running in the kernel space. According to the processing method, encryption and decryption based behaviors and key management are transparent for terminal users; and the file encryption and decryption system can provide an encryption service during data writing and a decryption service during data reading in a background, thereby bringing convenience for user operations.
Description
Technical field
The invention belongs to file processing technology field, particularly relate to a kind of file read operation, the processing method of write operation and device.
Background technology
Along with constantly popularizing of Android smart machine, while bringing great convenience for people's communication, reading, amusement, the file security problem of smart machine also more and more obtains concern.Generally, the mobile terminal being particularly based on Android belongs to the personal effects or individual's use article, its private ownership, privacy are prominent, therefore, the confidentiality requirement of the information stored wherein is high, if still adopting the safe and secret measure of traditional sense, it is possible to the convenience that injury mobile terminal uses greatly, thus losing mobile terminal advantage inherently.That is, it is opaque for being encrypted or decipher the file in mobile terminal to user, it is necessary to user is performed manually by operation.
Therefore, it is necessary to propose a kind of new technical scheme, so that it is transparent for being encrypted or decipher the file in mobile terminal to user, user can operate application program and file normally.
Summary of the invention
It is an object of the invention to provide a kind of file read operation, the processing method of write operation and device, aim to solve the problem that in prior art, being encrypted or decipher the file in mobile terminal to user of existence is opaque, user is needed to be performed manually by operation, to the problem that user operation is made troubles.
First aspect, the invention provides the processing method of a kind of file write operation, said method comprising the steps of:
Receive the write command running file to be written that application program in the user space sends and described file;
The write command of described file to be written and described file is transmitted to the Virtual File System operated in kernel spacing;
By described Virtual File System, the write command of described file to be written and described file is transmitted to the file encryption-decryption system operated in kernel spacing;
Described file to be written is encrypted;
Write command according to described file, writes the file after described encryption to the real file system operated in kernel spacing.
Second aspect, the invention provides the process device of a kind of file write operation, and described device includes:
Receiver module, for receiving the write command running file to be written that application program in the user space sends and described file;
Transport module, for transmitting the write command of described file to be written and described file to the Virtual File System operated in kernel spacing;
Forwarding module, for being transmitted to, by the write command of described file to be written and described file, the file encryption-decryption system operated in kernel spacing by described Virtual File System;
Encrypting module, for being encrypted described file to be written;
Writing module, for the write command according to described file, writes the file after described encryption to the real file system operated in kernel spacing.
The third aspect, the invention provides the processing method of a kind of file read operation, said method comprising the steps of:
Receive the reading instruction running the file continued that application program in the user space sends and described file;
The reading instruction of the described file continued and described file is transmitted to the Virtual File System operated in kernel spacing;
By described Virtual File System, the reading instruction of the described file continued and described file is transmitted to the file encryption-decryption system operated in kernel spacing;
Described file encryption-decryption system reads the file continued of encryption from the real file system operated in kernel spacing;
The encryption file read is decrypted by described file encryption-decryption system, and the file after deciphering is back to application program.
Fourth aspect, the invention provides the process device of a kind of file read operation, and described device includes:
Receiver module, for receiving the reading instruction running the file continued that application program in the user space sends and described file;
Transport module, for transmitting the reading instruction of the described file continued and described file to the Virtual File System operated in kernel spacing;
Forwarding module, for being transmitted to, by the reading instruction of the described file continued and described file, the file encryption-decryption system operated in kernel spacing by described Virtual File System;
Read module, for reading the file continued of encryption from the real file system operated in kernel spacing;
Deciphering module, for the encryption file read is decrypted, and is back to application program by the file after deciphering.
In the present invention, by operating system platform being divided into user's space and kernel spacing;Operating system platform increases file encryption-decryption system, application program operates in user's space, described Virtual File System and file encryption-decryption system and real file system operate in kernel spacing, described Virtual File System, file encryption-decryption system and real file system are linked together, forms a stacking-type file system;User can operate application program and file normally at user's space, encryption and decryption oprerations to file then carry out in kernel spacing, the bridge of user's space and kernel spacing it is used as by Virtual File System, by Virtual File System by the file operation processing forward in user's space to file encryption-decryption system, file encryption-decryption system reads file from real file system, then the file read is decrypted, the application program being transmitted in user's space finally by Virtual File System by the original document that obtains after deciphering to run;For written document, the file of write is encrypted by described file encryption-decryption system;File after described encryption is write to the real file system operated in kernel spacing.As from the foregoing, the present invention is transparent based on behavior and the key management of encrypting and decrypting for terminal use, user can normally open application program and document, extra operation need not be increased, cryptographic services when file encryption-decryption system provides data to write on backstage, and the decryption services when reading data is provided, bring convenience to user operation.
Accompanying drawing explanation
Fig. 1 be the embodiment of the present invention one provide file write operation processing method realize schematic flow sheet;
Fig. 2 is the idiographic flow schematic diagram that the lookup that the embodiment of the present invention two provides currently to carry out the key of the file of write operation;
Fig. 3 be the embodiment of the present invention three provide file write operation processing method implement schematic flow sheet;
Fig. 4 be the embodiment of the present invention four provide file read operation processing method realize schematic flow sheet;
Fig. 5 be the embodiment of the present invention five provide file read operation processing method implement schematic flow sheet;
Fig. 6 is the idiographic flow schematic diagram that the lookup that the embodiment of the present invention six provides currently to carry out the key of the file of read operation;
Fig. 7 is the structural representation processing device of the file write operation that the embodiment of the present invention seven provides;
Fig. 8 is the structural representation processing device of the file read operation that the embodiment of the present invention eight provides.
Detailed description of the invention
In order to make the purpose of the present invention, technical scheme and beneficial effect clearly understand, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein is only in order to explain the present invention, is not intended to limit the present invention.
In embodiments of the present invention, by operating system platform being divided into user's space and kernel spacing;Operating system platform increases file encryption-decryption system, the operation of application program and file, operation are all in user's space, Virtual File System and file encryption-decryption system and real file system operate in kernel spacing, described Virtual File System, file encryption-decryption system and real file system are linked together, forms a stacking-type file system;Therefore, user can operate application program and file normally at user's space, encryption and decryption oprerations to file then carry out in kernel spacing, the bridge of user's space and kernel spacing it is used as by Virtual File System, by Virtual File System by the file operation processing forward in user's space to file encryption-decryption system, file encryption-decryption system reads file from real file system, then the file read is decrypted, the application program being transmitted in user's space finally by Virtual File System by the original document that obtains after deciphering to run;For written document, the file of write is encrypted by described file encryption-decryption system;File after described encryption is write to the real file system operated in kernel spacing.As from the foregoing, it is transparent for file in mobile terminal being encrypted or deciphered to user, user need not be performed manually by operation, encryption or deciphering can carry out automatically at kernel spacing, therefore, user can operate application program and file normally at user's space, brings convenience to user operation.
In order to technical solutions according to the invention are described, illustrate below by specific embodiment.
Embodiment one
Refer to Fig. 1, the embodiment of the present invention one provide file write operation processing method realize flow process, it comprises the following steps:
In step S101, receive the write command running file to be written that application program in the user space sends and described file;
In step s 102, the write command of described file to be written and described file is transmitted to the Virtual File System operated in kernel spacing;
In step s 103, by described Virtual File System, the write command of described file to be written and described file is transmitted to the file encryption-decryption system operated in kernel spacing;
In step S104, described file to be written is encrypted by described file encryption-decryption system;
In step S105, the write command according to described file, the file after described encryption is write to the real file system operated in kernel spacing.
What be described below in detail each step above-mentioned implements process.
First, the framework of Virtual File System is discussed in detail
Virtual File System (VFS) is operated in the inner nuclear layer (i.e. kernel spacing) of operating system, and VFS can complete the system of user's space and call mutual with what bottom real file system read-write etc. operated.What VFS concealed the real file system of bottom realizes details, calls the file operation interface providing unified for system, and user need not be concerned about detailed problem and bottom complexity.VFS supports the file system such as general ExtX, YAFFS, the Jfss of Linux, also support other operating system conventional such as file system such as FAT32, NTFS.Data structure main in Virtual File System has:
1. superblock object (superblockobject)
Described superblock object is used for storing the information of specific file system.For disk file system, this class object generally corresponds to the file system control block leaving on disk.
2. index node object (inodeobject)
Described index node object contains whole description information of interior one concrete file of verification.For disk file system, this class object generally corresponds to the file control block leaving on disk.Each index node has an inode number, and this number uniquely represents certain file in this document system.
3. file object (fileobject)
The described file object interactive information for depositing process and between the file that described file object is opened.This information only exists in kernel internal memory during process accesses file.
4. directory entry object (dentryobject)
What described directory entry object represented is an ingredient in path, and it is probably a catalogue, it is also possible to a file.
VFS proposes the concept of dummy node vnode (virtualnodes), and vnode is that file flows through the abstract of different file.Introducing vnode stack, wherein can there are several vnode interface layers in kernel simultaneously, these interface layers are sequentially carried out and call.From the system call interfaces of consumer process, file encryption-decryption system does not change system and calls and vnode interface, but intercepts data mutual with bottom real file system for VFS and process.One consumer process is accessed real file system and has been called by system, and system calls entrance kernel, and System call is a vnode operation by Virtual File System, recalls corresponding real file system.Eventually the return value called and error code are communicated up along original path, until returning to consumer process.
Then, the framework of file encryption-decryption system is discussed in detail
Client-initiated file system operation is finally applied to the real file system of lower floor.Here illustrate for reading: in this file system, user initiates read operation.Correlation function in file encryption-decryption system by the system in VFS call sys_read () call process this request, first it must call the reading function of the real file system of lower floor to read encrypted file data, then decrypted file data, finally returns to user the former data after deciphering.From the above it can be seen that in read operation, it is necessary to call the reading function of the real file system of bottom, this corresponding VFS data structure (such as inode, dentry etc.) just requiring to obtain the real file system of bottom in advance.The acquisition work of the real file system VFS data structure of bottom is exactly carry out path searching work thereon, obtains dentry with this, and then obtains the out of Memory such as inode.In order to avoid repeatedly carry out path searching, the VFS data structure every time searching the real file system obtained all will be saved, and these information all will record in the corresponding data of stacking-type file system.
The key data structure of file encryption-decryption system includes: index node, directory entry object, file object and superblock object.This document encrypting and deciphering system relates generally to the management of the connection between data structure and related data structures.The real file system enabling these data structures and lower floor links together, and be may search for the real file system of lower floor by the related object of file encryption-decryption system.
By resolving the VFS object record of the real file system of bottom obtained in the data of the corresponding construction of stacking-type file system, it is easy with calling the relevant treatment function of the real file system of bottom, thus being really achieved the purpose of downward management bottom real file system.
Owing to Blowfish algorithm is intermediate security secret grade and the less a kind of AES of operand.And with Blowfish algorithm for encryption file, before and after encryption, file size is constant, so will be mutually corresponding and consistent with the document misregistration in cryptograph files in clear text file, the operations such as file reading and writing are brought many facilities.
Blowfish AES is the block encryption algorithm of variable length, and key is the longest is 448 bits.Blowfish AES is used in the encryption situation that key infrequently converts, the encryption of such as file.Blowfish AES is little to internal memory space requirement.And in conjunction with android system feature, the file encryption-decryption system that therefore the present embodiment proposes adopts Blowfish algorithm to carry out encryption and the decryption oprerations of file.
Blowfish AES uses two " box "-ungignedlongpbox [18] (P box) and unsignedlongsbox [4,256] (S box).Wherein, P box acts primarily as metathesis, and the purpose of displacement is when the minor alteration of plaintext or key will cause the large change of ciphertext.S box serves necessary chaotic effect in AES, is the unique non-linear components in cryptographic algorithm.
When adopting Blowfish AES to add confidential information, it is necessary to being selected a key by user, such as choose the cryptographic Hash of a character string, this key length is variable (the longest is 56 bytes).
The encryption of Blowfish AES is mainly made up of two processes:
1. key pretreatment
Before conciliating ciphertext data with the encryption of Blowfish AES, first calculate P box and S box, and P box and S box are fixing in encryption and decrypting process.This process of key pretreatment mainly aims at generation P box and S box.
The original cipher key pbox [18] and sbox [4] [256] of Blowfish algorithm are fixing, can convert according to the double secret key pbox [18] that user selects and sbox [4] [256], obtain the required key_pbox [18] of encryption and [256] two arrays of key_sbox [4].The P box that wherein key_pbox [18] is Blowfish AES, key_sbox [4] [256] is the S box in Blowfish AES.
Blowfish encryption algorithm key can be expressed as array K:
K [0], K [1] ..., K [17]
P box can be expressed as:
key_pbox[0],key_pbox[1],…,key_pbox[17]
S box can be expressed as:
Key_sbox [0] [0], key_sbox [0] [1] ..., key_sbox [0] [255]
Key_sbox [1] [0], key_sbox [1] [1] ..., key_sbox [1] [255]
Key_sbox [2] [0], key_sbox [2] [1] ..., key_sbox [2] [255]
Key_sbox [3] [0], key_sbox [3] [1] ..., key_sbox [3] [255]
The step generating P box and S box is as follows:
1. initialize key_pbox [0] successively ..., key_pbox [17], key_sbox [0] [0] ..., key_sbox [3] [255].
2. K value and pbox value are carried out step-by-step XOR, the result of XOR is filled in key_pbox.
Key_pbox [i]=pbox [i] K [i], wherein i=0,1 ..., 17
3. fill key_psbox with sbox.
4. encrypt 64 full 0 data blocks with current key_pbox [18] and key_sbox [4] [256], replace key_pbox [0] and key_pbox [1] by output result.
5., by the output result of current key_pbox [18] and key_sbox [4] [256] encrypting step 3, replace key_pbox [2] and key_pbox [3] by current output result.
6. repeat above-mentioned steps, until key_pbox [18] update all.
7., with key_pbox [16] and key_pbox [17] as inputting first, replace the encryption of key_sbox information by similar method.
2. add confidential information
By being expressly divided into two parts, it is designated as LE0And RE0.Use LEiAnd REiRepresent the i-th left-half taking turns output after iteration and right half part.Process is as follows:
Fori=1to16
REi=LEi⊕Pi
LEi=F [REi]⊕REi-1
LE17=RE16⊕P18
RE17=LE16⊕P17
Wherein function F () is the data encryption function of Blowfish algorithm.
Blowfish algorithm is deciphered, and needs also exist for two processes:
1. key pretreatment: identical when the process of key pretreatment is with encryption.
2. information deciphering:
Ciphertext is divided into two parts, is designated as LD0And RD0.Use LDiAnd RDiRepresent the i-th left-half taking turns output after iteration and right half part.Process is as follows:
Fori=1to16
RDi=LDi⊕P19-i
LDi=F [RDi]⊕RDi-1
LD17=RD16⊕P1
RD17=LD16⊕P2
Wherein function F () is the data encryption function of Blowfish algorithm.
The following is for the false code of encryption and the data block of deciphering 8KB.But; it is understandable that; can also adopt other AESs that file is encrypted and decrypted operation; as; the AES such as des encryption algorithm, BASE64, MD5, SHA, HMAC; it is not limiting as above-mentioned several, all any amendment, equivalent replacement and improvement etc. made within the spirit and principles in the present invention, should be included within protection scope of the present invention.
Encryption to data block is described below
Data block in units of 8KB is carried out the encryption false code of blowfish algorithm such as:
Deciphering to data block is described below
Data block in units of 8KB is carried out the deciphering false code of blowfish algorithm such as:
The key of file encryption-decryption security of system relies more heavily on the key management of AES, and is not only the simple complexity relying on algorithm.If assailant obtains the encryption key of system, will cracking cipher-text information and have only to the time of several seconds, therefore the key management of safety is related to the safety of whole system.Key is saved in internal memory by file encryption-decryption system, and is bound together by the session id (sessionid) of key with user UID and process, and its data structure pseudo code definition is as follows.
So, assailant's process is in order to successfully obtain or amendment user account number, it is necessary to managing have the session id identical with authenticating user identification process, this just requires not only terminal to be attacked, and the internal memory of resident kernel program and data is carried out data manipulation, this adds attack difficulty undoubtedly.
Embodiment two
Referring to Fig. 2, the detailed process of key of the file that the lookup provided for the embodiment of the present invention currently to carry out write operation is as follows:
In step s 201, its pointed directory entry object is searched according to when the file object of front opening file.
In step S202, the index node object of file according to pointed directory entry object acquisition.
Superblock object in step S203, according to this sensing this document of index node object acquisition.
In step S204, the private data according to the superblock object acquisition superblock object of this document, wherein, this private data indicates file encryption-decryption system.
In step S205, according to described private data, locating file encrypting and deciphering system is deposited the chained list of ID and key successively.
In step S206, on chained list, search the key corresponding with ID according to the ID of current process.
In embodiments of the present invention, register in the kernel spacing of operating system platform file encryption-decryption system to realize flow process specific as follows:
In android system kernel, each file system has a file_system_type structure corresponding with it, and it is that kernel registers the data of generation during this document system, and the entrance of inner core managing file system is also this data structure.
File encryption-decryption system is installed in android system firstly the need of with file_system_type structure by file encryption-decryption system registry to kernel.First having to it is carried out assignment before using this structure, name field is to identify a unique mark having installed file system.
During carry file encryption-decryption system, mainly the file_system_type structure of this document encrypting and deciphering system is inserted in corresponding chained list.
In android system load document encrypting and deciphering system to realize flow process as follows:
When android system starts, bootloader performs at first.In start-up course, the task of bootloader is initiating hardware equipment, sets up internal memory and maps, and loads Android kernel to internal memory.Android kernel initialization hardware and make device ready.In Android device, boot partition comprises kernel and ramdisk, ramdisk are one and comprise the mini-file system of configuration file needed for kernel binary file and startup system.In Android, init process is the parent process of all processes.Init activates all codes except kernel.Init.rc and init.XXX.rc file in Ramdisk, for init process is configured, is wherein the platform names of XXX equipment.Android file system and other system service is started by the script command of configuration file.Shown in following code is Android one file system of mono-init script carry.
Mountext4/dev/block/mmcblk0p6/systemcommit=1, noauto_da_alloc
Code description init needs carry system subregion.
Embodiment three
Refer to Fig. 3, the processing method of the file write operation that the embodiment of the present invention provides to implement flow process as follows:
In step S301, receive the write command running file to be written that application program in the user space sends and described file;
In step s 302, the key of the file currently carrying out write operation is searched.
In embodiments of the present invention, the key of the file currently carrying out write operation is searched according to the mentioned above implementation obtaining key.
In step S303, the write command of described file to be written and described file is transmitted to the Virtual File System operated in kernel spacing;
In step s 304, the write operation function in Virtual File System is called.
In embodiments of the present invention, the write operation function in Virtual File System is called, for instance for sys_write ().
In step S305, calculate the bounds of the extension page according to the bytes range to write, and according to this range assignment blank page.
In step S306, it is also decrypted by data that the file encryption-decryption system in kernel spacing that operates in sequential reads out in each page.
In step S307, the file data being written into copies to suitable skew place of assignment page.
In step S308, call the encryption function page to all written data and be encrypted.
In embodiments of the present invention, encryption function is such as cryptfs_encode_block ().
In step S309, the write command according to described file, the file after described encryption is write to the real file system operated in kernel spacing.
As from the foregoing, the behavior based on encrypting and decrypting and key management in the embodiment of the present invention are transparent for terminal use, user can normally open application program and document, extra operation need not be increased, cryptographic services when file encryption-decryption system provides data to write on backstage, and the decryption services when reading data is provided, bring convenience to user operation.
Embodiment four
Refer to Fig. 4, for the embodiment of the present invention provide file read operation processing method realize flow process, it comprises the following steps:
In step S401, receive the reading instruction running the file continued that application program in the user space sends and described file;
In step S402, the reading instruction of the described file continued and described file is transmitted to the Virtual File System operated in kernel spacing;
In embodiments of the present invention, framework above-described embodiment one of Virtual File System is described in detail, at this, repeats no more.
In step S403, by described Virtual File System, the reading instruction of the described file continued and described file is transmitted to the file encryption-decryption system operated in kernel spacing;
In embodiments of the present invention, framework above-described embodiment one of file encryption-decryption system is described in detail, at this, repeats no more.
In step s 404, described file encryption-decryption system reads the file continued of encryption from the real file system operated in kernel spacing;
In step S405, the encryption file read is decrypted by described file encryption-decryption system, and the file after deciphering is back to application program.
Embodiment five
Refer to Fig. 5, for the embodiment of the present invention provide file read operation processing method implement flow process, it comprises the following steps:
In step S501, receive the reading instruction running the file continued that application program in the user space sends and described file;
In step S502, search the key of the file currently carrying out read operation.
In step S503, the reading instruction of the described file continued and described file is transmitted to the Virtual File System operated in kernel spacing;
In step S504, it is file distributing buffer space in internal memory.
In embodiments of the present invention, in internal memory, the cushion space of count byte is distributed for file.It is the virtual address continuous print buffer area that the file opened distributes count byte in internal memory with function vmalloc ().
In step S505, call real file system and read function accordingly by the data reading relief area at the place that specifies Offsets.
In embodiments of the present invention, call real file system and read function accordingly by the data reading relief area of the count byte at the place that specifies Offsets.
In step S506, operate in the data deciphering to reading in of the file encryption-decryption system in kernel spacing.
In embodiments of the present invention, with the data deciphering of the decryption function cryptfs_decode_block () the count byte to reading in relief area.
In step s 507, synchronous documents pointer.
In embodiments of the present invention, because random write documentation function sys_read is likely to the file pointer changing in relief area, it is necessary to the file pointer pointed in the file pointer of file encryption-decryption system and relief area is carried out synchronized update.
Embodiment six
Refer to Fig. 6, in embodiments of the present invention, search the step of the key of the file currently carrying out read operation, particularly as follows:
In step s 601, its pointed directory entry object is searched according to the file object of the file currently continued.
In step S602, the index node object of file according to pointed directory entry object acquisition.
Superblock object in step S603, according to this sensing this document of index node object acquisition.
In step s 604, the private data according to the superblock object acquisition superblock object of this document, wherein, this private data indicates file encryption-decryption system.
In step s 605, according to described private data, locating file encrypting and deciphering system is deposited the chained list of ID and key successively.
In step S606, on chained list, search the key corresponding with ID according to the ID of current process.
As from the foregoing, the behavior based on encrypting and decrypting and key management in the embodiment of the present invention are transparent for terminal use, user can normally open application program and document, extra operation need not be increased, file encryption-decryption system provides the decryption services when reading data on backstage, brings convenience to user operation.
Embodiment seven
Refer to Fig. 7, for the embodiment of the present invention provide file write operation process device structural representation, for the ease of illustrate, illustrate only the part relevant to the embodiment of the present invention.The process device of described file write operation includes: receiver module 101, transport module 102, forwarding module 103, encrypting module 104 and writing module 105.The device that processes of described file write operation can be the unit being built in software unit in smart machine, hardware cell or software and hardware combining.It is understood, however, that smart machine can be computer, mobile communication terminal or other smart machines.
Receiver module 101, for receiving the write command running file to be written that application program in the user space sends and described file;
Transport module 102, for transmitting the write command of described file to be written and described file to the Virtual File System operated in kernel spacing;
Forwarding module 103, for being transmitted to, by the write command of described file to be written and described file, the file encryption-decryption system operated in kernel spacing by described Virtual File System;
Encrypting module 104, for being encrypted described file to be written;
Writing module 105, for the write command according to described file, writes the file after described encryption to the real file system operated in kernel spacing.
As one embodiment of the invention, the process device of described file write operation also includes: cipher key lookup module, calling module, distribution module, deciphering module and replication module.
Cipher key lookup module, for searching the key of the file currently carrying out write operation.
Calling module, for calling the write operation function in Virtual File System.
Distribution module, for calculating the bounds of the extension page, and according to this range assignment blank page according to the bytes range to write.
Deciphering module, for sequential reading out the data in each page and it being decrypted.
Replication module, the file data for being written into copies to suitable skew place of assignment page.
Encrypting module 104, is encrypted specifically for calling the encryption function page to all written data.
In embodiments of the present invention, the process device of described file write operation also includes: directory entry object searches module, index node object acquisition module, superblock object acquisition module, private data acquisition module, chained list lookup module and cipher key lookup module.
Directory entry object searches module, for searching its pointed directory entry object according to when the file object of front opening file.
Index node object acquisition module, for the index node object of file according to pointed directory entry object acquisition.
Superblock object acquisition module, for the superblock object according to this sensing this document of index node object acquisition.
Private data acquisition module, for the private data of the superblock object acquisition superblock object according to this document, wherein, this private data indicates file encryption-decryption system.
Chained list searches module, for according to described private data, depositing the chained list of ID and key successively in locating file encrypting and deciphering system.
Cipher key lookup module, for searching the key corresponding with ID according to the ID of current process on chained list.
As from the foregoing, the present embodiment is transparent based on behavior and the key management of encrypting and decrypting for terminal use, user can normally open application program and document, extra operation need not be increased, cryptographic services when file encryption-decryption system provides data to write on backstage, and the decryption services when reading data is provided, bring convenience to user operation.
Embodiment eight
Refer to Fig. 8, for the embodiment of the present invention provide file read operation process device structural representation, for the ease of illustrate, illustrate only the part relevant to the embodiment of the present invention.The process device of described file read operation includes: receiver module 201, transport module 202, forwarding module 203, read module 204 and deciphering module 205.The device that processes of described file read operation can be the unit being built in software unit in smart machine, hardware cell or software and hardware combining.It is understood, however, that smart machine can be computer, mobile communication terminal or other smart machines.
Receiver module 201, for receiving the reading instruction running the file continued that application program in the user space sends and described file;
Transport module 202, for transmitting the reading instruction of the described file continued and described file to the Virtual File System operated in kernel spacing;
Forwarding module 203, for being transmitted to, by the reading instruction of the described file continued and described file, the file encryption-decryption system operated in kernel spacing by described Virtual File System;
Read module 204, for reading the file continued of encryption from the real file system operated in kernel spacing;
Deciphering module 205, for the encryption file read is decrypted, and is back to application program by the file after deciphering.
As one embodiment of the invention, the process device of described file read operation also includes: cipher key lookup module, cushion space distribution module, reading module, deciphering module and synchronization module.
Cipher key lookup module, for searching the key of the file currently carrying out read operation.
Cushion space distribution module, be used for is file distributing buffer space in internal memory.
In embodiments of the present invention, cushion space distribution module, specifically for distributing the cushion space of count byte in internal memory for file.It is the virtual address continuous print buffer area that the file opened distributes count byte in internal memory with function vmalloc ().
Read in module, read function accordingly by the data reading relief area at the place that specifies Offsets for calling real file system.
In embodiments of the present invention, read in module, read function accordingly by the data reading relief area of the count byte at the place that specifies Offsets specifically for calling real file system.
Deciphering module, for the data deciphering read in.
In embodiments of the present invention, deciphering module, specifically for the data deciphering by the decryption function cryptfs_decode_block () the count byte to reading in relief area.
Synchronization module, for synchronous documents pointer.
In embodiments of the present invention, because random write documentation function sys_read is likely to the file pointer changing in relief area, it is necessary to the file pointer pointed in the file pointer of file encryption-decryption system and relief area is carried out synchronized update.
In embodiments of the present invention, the process device of described file read operation also includes: directory entry object searches module, index node object acquisition module, superblock object acquisition module, private data acquisition module, chained list lookup module and cipher key lookup module.
Directory entry object searches module, for searching its pointed directory entry object according to the file object of the file currently continued.
Index node object acquisition module, for the index node object of file according to pointed directory entry object acquisition.
Superblock object acquisition module, for the superblock object according to this sensing this document of index node object acquisition.
Private data acquisition module, for the private data of the superblock object acquisition superblock object according to this document, wherein, this private data indicates file encryption-decryption system.
Chained list searches module, for according to described private data, depositing the chained list of ID and key successively in locating file encrypting and deciphering system.
Cipher key lookup module, for searching the key corresponding with ID according to the ID of current process on chained list.
As from the foregoing, the present embodiment is transparent based on behavior and the key management of encrypting and decrypting for terminal use, user can normally open application program and document, extra operation need not be increased, file encryption-decryption system provides the decryption services when reading data on backstage, brings convenience to user operation.
In sum, the embodiment of the present invention by being divided into user's space and kernel spacing by operating system platform;Operating system platform increases file encryption-decryption system, application program operates in user's space, Virtual File System and file encryption-decryption system and real file system operate in kernel spacing, described Virtual File System, file encryption-decryption system and real file system are linked together, forms a stacking-type file system;User can operate application program and file normally at user's space, encryption and decryption oprerations to file then carry out in kernel spacing, the bridge of user's space and kernel spacing it is used as by Virtual File System, by Virtual File System by the file operation processing forward in user's space to file encryption-decryption system, file encryption-decryption system reads file from real file system, then the file read is decrypted, the application program being transmitted in user's space finally by Virtual File System by the original document that obtains after deciphering to run;For written document, the file of write is encrypted by described file encryption-decryption system;File after described encryption is write to the real file system operated in kernel spacing.As from the foregoing, the embodiment of the present invention is transparent based on behavior and the key management of encrypting and decrypting for terminal use, user can normally open application program and document, extra operation need not be increased, cryptographic services when file encryption-decryption system provides data to write on backstage, and the decryption services when reading data is provided, bring convenience to user operation.
One of ordinary skill in the art will appreciate that all or part of step realizing in above-described embodiment method can be by the hardware that program carrys out instruction relevant and completes, described program can be stored in a computer read/write memory medium, described storage medium, such as ROM/RAM, disk, CD etc..
The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all any amendment, equivalent replacement and improvement etc. made within the spirit and principles in the present invention, should be included within protection scope of the present invention.
Claims (12)
1. the processing method of a file write operation, it is characterised in that said method comprising the steps of:
Receive the write command running file to be written that application program in the user space sends and described file;
The write command of described file to be written and described file is transmitted to the Virtual File System operated in kernel spacing;
By described Virtual File System, the write command of described file to be written and described file is transmitted to the file encryption-decryption system operated in kernel spacing;
Described file to be written is encrypted;
Write command according to described file, writes the file after described encryption to the real file system operated in kernel spacing.
2. the processing method of file write operation as claimed in claim 1, it is characterised in that after the step of the described write command receiving and running file to be written that application program in the user space sends and described file, also includes:
Search the key of the file currently carrying out write operation;
After the described step by the write command transmission of described file to be written and described file to the Virtual File System operated in kernel spacing, also include:
Call the write operation function in Virtual File System;
The bounds of the extension page is calculated according to the bytes range to write, and according to this range assignment blank page;
It is also decrypted by data that the file encryption-decryption system in kernel spacing that operates in sequential reads out in each page;
The file data being written into copies to suitable skew place of assignment page;
Call the encryption function page to all written data to be encrypted.
3. the processing method of file write operation as claimed in claim 2, it is characterised in that described lookup currently to carry out the step of the key of the file of write operation, particularly as follows:
Its pointed directory entry object is searched according to when the file object of front opening file;
The index node object of file according to pointed directory entry object acquisition;
Superblock object according to this sensing this document of index node object acquisition;
The private data of the superblock object acquisition superblock object according to this document, wherein, this private data indicates file encryption-decryption system;
According to described private data, locating file encrypting and deciphering system is deposited the chained list of ID and key successively;
ID according to current process searches the key corresponding with ID on chained list.
4. the process device of a file write operation, it is characterised in that described device includes:
Receiver module, for receiving the write command running file to be written that application program in the user space sends and described file;
Transport module, for transmitting the write command of described file to be written and described file to the Virtual File System operated in kernel spacing;
Forwarding module, for being transmitted to, by the write command of described file to be written and described file, the file encryption-decryption system operated in kernel spacing by described Virtual File System;
Encrypting module, for being encrypted described file to be written;
Writing module, for the write command according to described file, writes the file after described encryption to the real file system operated in kernel spacing.
5. the process device of file write operation as claimed in claim 4, it is characterised in that the process device of described file write operation also includes:
Cipher key lookup module, for searching the key of the file currently carrying out write operation;
Calling module, for calling the write operation function in Virtual File System;
Distribution module, for calculating the bounds of the extension page, and according to this range assignment blank page according to the bytes range to write;
Deciphering module, for sequential reading out the data in each page and it being decrypted;
Replication module, the file data for being written into copies to suitable skew place of assignment page;
Encrypting module, is encrypted specifically for calling the encryption function page to all written data.
6. the process device of file write operation as claimed in claim 5, it is characterised in that the process device of described file write operation also includes:
Directory entry object searches module, for searching its pointed directory entry object according to when the file object of front opening file;
Index node object acquisition module, for the index node object of file according to pointed directory entry object acquisition;
Superblock object acquisition module, for the superblock object according to this sensing this document of index node object acquisition;
Private data acquisition module, for the private data of the superblock object acquisition superblock object according to this document, wherein, this private data indicates file encryption-decryption system;
Chained list searches module, for according to described private data, depositing the chained list of ID and key successively in locating file encrypting and deciphering system;
Cipher key lookup module, for searching the key corresponding with ID according to the ID of current process on chained list.
7. the processing method of a file read operation, it is characterised in that said method comprising the steps of:
Receive the reading instruction running the file continued that application program in the user space sends and described file;
The reading instruction of the described file continued and described file is transmitted to the Virtual File System operated in kernel spacing;
By described Virtual File System, the reading instruction of the described file continued and described file is transmitted to the file encryption-decryption system operated in kernel spacing;
Described file encryption-decryption system reads the file continued of encryption from the real file system operated in kernel spacing;
The encryption file read is decrypted by described file encryption-decryption system, and the file after deciphering is back to application program.
8. the processing method of file read operation as claimed in claim 7, it is characterised in that after the step of the described reading instruction receiving and running the file continued that application program in the user space sends and described file, also includes
Search the key of the file currently carrying out read operation;
After the described step by the reading instruction transmission of the described file continued and described file to the Virtual File System operated in kernel spacing, also include:
It internal memory is file distributing buffer space;
Call real file system and read function accordingly by the data reading relief area at the place that specifies Offsets;
Operate in the data deciphering to reading in of the file encryption-decryption system in kernel spacing;
Synchronous documents pointer.
9. the processing method of file read operation as claimed in claim 8, it is characterised in that described lookup currently to carry out the step of the key of the file of read operation, particularly as follows:
File object according to the file currently continued searches the directory entry object that it is pointed;
The index node object of file according to pointed directory entry object acquisition;
Superblock object according to this sensing this document of index node object acquisition;
The private data of the superblock object acquisition superblock object according to this document, wherein, this private data indicates file encryption-decryption system;
According to described private data, locating file encrypting and deciphering system is deposited the chained list of ID and key successively;
ID according to current process searches the key corresponding with ID on chained list.
10. the process device of a file read operation, it is characterised in that described device includes:
Receiver module, for receiving the reading instruction running the file continued that application program in the user space sends and described file;
Transport module, for transmitting the reading instruction of the described file continued and described file to the Virtual File System operated in kernel spacing;
Forwarding module, for being transmitted to, by the reading instruction of the described file continued and described file, the file encryption-decryption system operated in kernel spacing by described Virtual File System;
Read module, for reading the file continued of encryption from the real file system operated in kernel spacing;
Deciphering module, for the encryption file read is decrypted, and is back to application program by the file after deciphering.
11. the process device of file read operation as claimed in claim 10, it is characterised in that the process device of described file read operation also includes:
Cipher key lookup module, for searching the key of the file currently carrying out read operation;
Cushion space distribution module, be used for is file distributing buffer space in internal memory;
Read in module, read function accordingly by the data reading relief area at the place that specifies Offsets for calling real file system;
Deciphering module, for the data deciphering read in;
Synchronization module, for synchronous documents pointer.
12. the process device of file read operation as claimed in claim 11, it is characterised in that the process device of described file read operation also includes:
Directory entry object searches module, for searching its pointed directory entry object according to the file object of the file currently continued;
Index node object acquisition module, for the index node object of file according to pointed directory entry object acquisition;
Superblock object acquisition module, for the superblock object according to this sensing this document of index node object acquisition;
Private data acquisition module, for the private data of the superblock object acquisition superblock object according to this document, wherein, this private data indicates file encryption-decryption system;
Chained list searches module, for according to described private data, depositing the chained list of ID and key successively in locating file encrypting and deciphering system;
Cipher key lookup module, for searching the key corresponding with ID according to the ID of current process on chained list.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410849633.XA CN105808977A (en) | 2014-12-30 | 2014-12-30 | Processing methods and apparatuses for file reading and writing operations |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410849633.XA CN105808977A (en) | 2014-12-30 | 2014-12-30 | Processing methods and apparatuses for file reading and writing operations |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105808977A true CN105808977A (en) | 2016-07-27 |
Family
ID=56421101
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410849633.XA Pending CN105808977A (en) | 2014-12-30 | 2014-12-30 | Processing methods and apparatuses for file reading and writing operations |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105808977A (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106815528A (en) * | 2016-12-07 | 2017-06-09 | 重庆软云科技有限公司 | A kind of file management method and device, storage device |
| CN109635588A (en) * | 2018-12-20 | 2019-04-16 | 天津天地伟业信息系统集成有限公司 | A kind of document protection method based on Linux Virtual File System |
| CN110598429A (en) * | 2019-08-30 | 2019-12-20 | 百富计算机技术(深圳)有限公司 | Data encryption storage and reading method, terminal equipment and storage medium |
| CN111241556A (en) * | 2019-12-31 | 2020-06-05 | 重庆特斯联智慧科技股份有限公司 | Data security storage method and device, storage medium and terminal |
| CN111339034A (en) * | 2020-05-18 | 2020-06-26 | 湖南天琛信息科技有限公司 | Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method |
| CN112182611A (en) * | 2020-09-27 | 2021-01-05 | 中孚安全技术有限公司 | File transparent encryption and decryption method and system based on Linux kernel layer |
| CN112883387A (en) * | 2021-01-29 | 2021-06-01 | 南京航空航天大学 | Privacy protection method for machine-learning-oriented whole process |
| CN113253942A (en) * | 2021-06-25 | 2021-08-13 | 深圳小米通讯技术有限公司 | File writing method and device, file reading method and device, equipment and medium |
| CN116049131A (en) * | 2022-06-10 | 2023-05-02 | 荣耀终端有限公司 | File management method, system, electronic equipment and storage medium |
| CN117610060A (en) * | 2024-01-19 | 2024-02-27 | 成都理工大学 | Multi-core parallel-based multimedia file hybrid encryption and decryption method and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050262341A1 (en) * | 1999-07-13 | 2005-11-24 | Microsoft Corporation | Methods and systems for protecting information in paging operating systems |
| CN1960372A (en) * | 2006-11-09 | 2007-05-09 | 华中科技大学 | Encrypting read / write method in use for NAS storage system |
| CN103617039A (en) * | 2013-11-28 | 2014-03-05 | 北京华胜天成科技股份有限公司 | Method and device for accessing user space file system |
-
2014
- 2014-12-30 CN CN201410849633.XA patent/CN105808977A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050262341A1 (en) * | 1999-07-13 | 2005-11-24 | Microsoft Corporation | Methods and systems for protecting information in paging operating systems |
| CN1960372A (en) * | 2006-11-09 | 2007-05-09 | 华中科技大学 | Encrypting read / write method in use for NAS storage system |
| CN103617039A (en) * | 2013-11-28 | 2014-03-05 | 北京华胜天成科技股份有限公司 | Method and device for accessing user space file system |
Non-Patent Citations (2)
| Title |
|---|
| 虞云翔: "Linux系统中透明加密文件系统的设计与实现", 《中国优秀博硕士学位论文全文数据库(硕士) 信息科技辑》 * |
| 陈最: "基于Android平台移动终端透明加密系统的研究与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106815528A (en) * | 2016-12-07 | 2017-06-09 | 重庆软云科技有限公司 | A kind of file management method and device, storage device |
| CN106815528B (en) * | 2016-12-07 | 2019-10-29 | 重庆软云科技有限公司 | A kind of file management method and device, storage equipment |
| CN109635588A (en) * | 2018-12-20 | 2019-04-16 | 天津天地伟业信息系统集成有限公司 | A kind of document protection method based on Linux Virtual File System |
| CN110598429B (en) * | 2019-08-30 | 2021-07-13 | 百富计算机技术(深圳)有限公司 | Data encryption storage and reading method, terminal equipment and storage medium |
| CN110598429A (en) * | 2019-08-30 | 2019-12-20 | 百富计算机技术(深圳)有限公司 | Data encryption storage and reading method, terminal equipment and storage medium |
| CN111241556A (en) * | 2019-12-31 | 2020-06-05 | 重庆特斯联智慧科技股份有限公司 | Data security storage method and device, storage medium and terminal |
| CN111339034A (en) * | 2020-05-18 | 2020-06-26 | 湖南天琛信息科技有限公司 | Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method |
| CN111339034B (en) * | 2020-05-18 | 2020-08-11 | 湖南天琛信息科技有限公司 | Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method |
| CN112182611A (en) * | 2020-09-27 | 2021-01-05 | 中孚安全技术有限公司 | File transparent encryption and decryption method and system based on Linux kernel layer |
| CN112883387A (en) * | 2021-01-29 | 2021-06-01 | 南京航空航天大学 | Privacy protection method for machine-learning-oriented whole process |
| CN113253942A (en) * | 2021-06-25 | 2021-08-13 | 深圳小米通讯技术有限公司 | File writing method and device, file reading method and device, equipment and medium |
| CN116049131A (en) * | 2022-06-10 | 2023-05-02 | 荣耀终端有限公司 | File management method, system, electronic equipment and storage medium |
| CN116049131B (en) * | 2022-06-10 | 2023-10-13 | 荣耀终端有限公司 | File management method, system, electronic equipment and storage medium |
| CN117610060A (en) * | 2024-01-19 | 2024-02-27 | 成都理工大学 | Multi-core parallel-based multimedia file hybrid encryption and decryption method and system |
| CN117610060B (en) * | 2024-01-19 | 2024-03-29 | 成都理工大学 | Multi-core parallel-based multimedia file hybrid encryption and decryption method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105808977A (en) | Processing methods and apparatuses for file reading and writing operations | |
| US10097522B2 (en) | Encrypted query-based access to data | |
| Liu et al. | DivORAM: Towards a practical oblivious RAM with variable block size | |
| CN106127075B (en) | Encryption method can search for based on secret protection under a kind of cloud storage environment | |
| US10148437B2 (en) | Encryption system with key recovery | |
| CN105678189B (en) | Data file encryption storage and retrieval system and method | |
| US8533489B2 (en) | Searchable symmetric encryption with dynamic updating | |
| CN103107889B (en) | A kind of cloud computing environment data encryption storage system and method that can search for | |
| CN106022155B (en) | Method and server for database security management | |
| US9021259B2 (en) | Encrypted database system, client terminal, encrypted database server, natural joining method, and program | |
| CN1889426B (en) | Method and system for realizing network safety storing and accessing | |
| CN107077469B (en) | Server device, search system, terminal device, and search method | |
| CN106980794A (en) | TrustZone-based file encryption and decryption method and device and terminal equipment | |
| CN106610995B (en) | Method, device and system for creating ciphertext index | |
| CN102138300A (en) | Message authentication code pre-computation with applications to secure memory | |
| CN106612320A (en) | Encrypted data dereplication method for cloud storage | |
| JP2002504293A (en) | Security device for data transmission using dynamic random encryption | |
| CN103457733A (en) | Data sharing method and system under cloud computing environment | |
| CN106776904A (en) | The fuzzy query encryption method of dynamic authentication is supported in a kind of insincere cloud computing environment | |
| CN104239820A (en) | Secure storage device | |
| JP2008250369A (en) | Management method of secrete data file, management system and proxy server therefor | |
| JP2004126639A (en) | Data management system, method and program | |
| CN100547598C (en) | Preserve and retrieve data based on symmetric key encryption | |
| CN103607420A (en) | Safe electronic medical system for cloud storage | |
| CN115225409A (en) | Cloud data safety deduplication method based on multi-backup joint verification |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160727 |
|
| RJ01 | Rejection of invention patent application after publication |