CN113591107A - System and method for realizing file redirection encryption and decryption - Google Patents
System and method for realizing file redirection encryption and decryption Download PDFInfo
- Publication number
- CN113591107A CN113591107A CN202110739746.4A CN202110739746A CN113591107A CN 113591107 A CN113591107 A CN 113591107A CN 202110739746 A CN202110739746 A CN 202110739746A CN 113591107 A CN113591107 A CN 113591107A
- Authority
- CN
- China
- Prior art keywords
- file
- encryption
- decryption
- plaintext
- path
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a system and a method for realizing file redirection encryption and decryption, which realize the functions of invisibly opening and operating an encrypted file by editing software by blocking a file opening process through an operating system kernel layer, copying and copying the file in a memory and realizing encryption and decryption. The invention can realize that the problems of delaying, memorizing the encryption password and the like do not exist when the user encrypts the file, and meanwhile, the file can not be opened even if being stored on the hard disk, thereby ensuring the safety of data and solving the problem that the current electronic file is difficult to be protected in the storage and use processes.
Description
Technical Field
The invention belongs to the technical field of electronic file security and confidentiality, and particularly relates to a system and a method for realizing file redirection encryption and decryption.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the progress of paperless and electronic information, more and more data information is stored and saved in the form of electronic files, and therefore security and confidentiality of the electronic files are more and more important. At present, many people adopt ways such as compression encryption and independent storage to protect electronic file data, but the ways have the defects of easy forgetting of passwords and complex operation.
Disclosure of Invention
The invention provides a system and a method for realizing file redirection encryption and decryption, which can realize that the problems of delaying, memorizing encryption passwords and the like do not exist when a user encrypts a file, and the file can not be opened even if being stored on a hard disk and stolen, thereby ensuring the safety of data and solving the problem that the current electronic file is difficult to be protected in the storage and use processes.
According to some embodiments, the invention adopts the following technical scheme:
a system for implementing file redirection encryption and decryption, comprising:
the editing software is configured to receive an instruction for opening a target encrypted file and transmit a path of the target encrypted file; acquiring a fed back handle, and performing read-write operation on the file;
an operating system configured to communicate the path to a control management center; receiving the returned plaintext path, obtaining a handle of the plaintext path, and returning the handle to the editing software;
the control management center comprises an encryption and decryption service module and a behavior monitoring service module, wherein the encryption and decryption service module is configured to receive a path transmitted by an operating system, search an encrypted file, decrypt the encrypted file, write the decrypted plaintext file into a memory file system, and transmit the path of the plaintext file back to the operating system; the behavior monitoring service module is configured to backfill the content of the plaintext file into the encrypted file after detecting that the file reading and writing actions are completed.
As an alternative embodiment, the editing software is also configured to call the sys _ open function.
As an alternative embodiment, the operating system is also configured to intercept the sys _ open function by way of a system HOOK.
As an alternative embodiment, after receiving the returned plaintext path, the operating system calls the original sys _ open function using the plaintext path to obtain the handle of the plaintext path.
As an alternative, when the editing software uses the handle to perform read/write operations on a file, all read/write operations occur on a plaintext file in the memory file system.
As an alternative embodiment, the encrypted file is stored on a hard disk.
As an alternative embodiment, the behavior monitoring service module is configured to, after detecting that the file is completely written, read a plaintext file in the memory, encrypt the plaintext file through an encryption algorithm, and write encrypted data into the encrypted file, thereby completing content backfilling.
As an alternative embodiment, the behavior monitoring service module is configured to detect the completion of the read/write action by using the action of closing the file as a mark of the completion of the read/write action.
As an alternative implementation, before encrypting and decrypting a file, the control management center firstly judges whether the current editing software and a system user have read-write permission for the current file, if so, the encryption and decryption are continued, and if not, an error is directly returned to block the operation.
A method for realizing file redirection encryption and decryption comprises the following steps:
when the editing software opens a file, calling a sys _ open function, and transmitting a path of the file to be operated;
the operating system intercepts sys _ open in a HOOK mode, calls an encryption and decryption service module and transmits a file path to the encryption and decryption service module;
the encryption and decryption service module decrypts the file, writes the plaintext into a memory file system, and transmits a plaintext path back to the kernel operating system;
the operating system calls an original sys _ open function by using a plaintext path, obtains a handle of the plaintext path and returns the handle to the editing software;
the editing software uses the handle to read and write the file;
and after the behavior monitoring service detects that the file reading and writing actions are finished, backfilling the contents of the plaintext file to the encrypted file, so as to finish the reading and writing operations of the encrypted file.
Compared with the prior art, the invention has the beneficial effects that:
the invention supports all electronic file editing software without customizing and developing the software. Because the technology is modified at the bottom layer of the operating system, the operating system shields the particularity of the file editing software, and therefore the technology has wide application scenes.
Although the file is opened twice, the second opening is performed in the memory, and the read-write speed of the memory is far higher than that of the hard disk, so that the delay time is much shorter than that of the hard disk.
The invention has the authority control measure, the encrypted file can be opened only for the user with the operation authority, and the encrypted file can not be opened even if the hard disk is lost, thereby ensuring the safety of data.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the invention and together with the description serve to explain the invention and not to limit the invention.
Fig. 1 is a schematic flow chart of the present embodiment.
The specific implementation mode is as follows:
the invention is further described with reference to the following figures and examples.
It is to be understood that the following detailed description is exemplary and is intended to provide further explanation of the invention as claimed. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
As shown in fig. 1, an operation method is provided for blocking a file opening process through an operating system kernel layer, copying and copying the file in a memory, and implementing encryption and decryption, so that functions of opening and operating an encrypted file without feeling of editing software are implemented.
According to the invention, the functions of redirection of the encrypted file, backfill of the plaintext file and the like are completed through the HOOK file operation related API, and the quick encryption and decryption of the file are realized. The user operates the encrypted file as other files, so that the problems of delaying, memorizing the encrypted password and the like do not exist, and the file can not be opened even if being stored on the hard disk, so that the data security is ensured, and the problem that the current electronic file is difficult to protect in the storage and use processes is solved.
1. When the editing software opens a file, calling sys _ open system call, and transmitting a path (such as/home/user/test.txt) of a file to be operated;
2. at the 'control point', the sys _ open is intercepted in a system HOOK mode, an encryption and decryption service module of the 'control management center' is called, and a file path is transmitted to an encryption and decryption service;
3. the encryption and decryption service module decrypts the file, writes the plaintext into a memory file system, and transmits a plaintext path back to the kernel (such as/home/ramfs/test.txt);
4. at the 'control point', the HOOK module calls the original sys _ open by using the plaintext path, obtains a handle of the plaintext path, and returns the handle to the editing software;
at the 'control point', sys _ open is intercepted in a system HOOK mode, an encryption and decryption service module of a 'control management center' is called, before a file is encrypted and decrypted, the 'control management center' firstly judges whether current editing software and a system user have read-write permission on the current file, if so, encryption and decryption are continued, and if not, an error is directly returned to block the operation.
5. And the editing software subsequently uses the handle to read and write the file. Because the handle corresponds to the plaintext file in the memory file system, all read-write operations occur on the plaintext file in the memory file system;
6. after the behavior monitoring service of the 'control management center' detects that the file reading and writing actions are finished, the contents of the plaintext file are backfilled to the encrypted file, and the reading and writing operations of the encrypted file are finished.
After the completion of the file writing is detected, the write-back service program reads a plaintext file in the memory, encrypts the plaintext file through an encryption algorithm, and writes encrypted data into an encrypted file, so that the content backfilling is completed.
The standard flow of the read and write actions of the file is as follows: open file, read/write content, close file. The behavior monitoring service module takes the action of closing the file as a mark for completing the read-write action, so as to detect the completion of the read-write action.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.
Claims (10)
1. A system for realizing file redirection encryption and decryption is characterized in that: the method comprises the following steps:
the editing software is configured to receive an instruction for opening a target encrypted file and transmit a path of the target encrypted file; acquiring a fed back handle, and performing read-write operation on the file;
an operating system configured to communicate the path to a control management center; receiving the returned plaintext path, obtaining a handle of the plaintext path, and returning the handle to the editing software;
the control management center comprises an encryption and decryption service module and a behavior monitoring service module, wherein the encryption and decryption service module is configured to receive a path transmitted by an operating system, search an encrypted file, decrypt the encrypted file, write the decrypted plaintext file into a memory file system, and transmit the path of the plaintext file back to the operating system; the behavior monitoring service module is configured to backfill the content of the plaintext file into the encrypted file after detecting that the file reading and writing actions are completed.
2. The system for implementing file redirection encryption and decryption of claim 1, wherein: the editing software is also configured to call the sys _ open function.
3. The system for implementing file redirection encryption and decryption of claim 1, wherein: the operating system is also configured to intercept sys _ open functions by way of a system HOOK.
4. The system for implementing file redirection encryption and decryption of claim 1, wherein: after receiving the returned plaintext path, the operating system calls the original sys _ open function by using the plaintext path to obtain a handle of the plaintext path.
5. The system for implementing file redirection encryption and decryption of claim 1, wherein: when the editing software uses the handle to perform read-write operation on the file, all the read-write operation occurs on the plaintext file in the memory file system.
6. The system for implementing file redirection encryption and decryption of claim 1, wherein: the encrypted file is stored on a hard disk.
7. The system for implementing file redirection encryption and decryption of claim 1, wherein: the behavior monitoring service module is configured to read a plaintext file in the memory after detecting that the file is completely written, encrypt the plaintext file through an encryption algorithm, write encrypted data into the encrypted file, and complete content backfilling.
8. The system for implementing file redirection encryption and decryption of claim 7, wherein: the behavior monitoring service module is configured to detect that the read-write action is completed by taking the action of closing the file as a mark of the completion of the read-write action.
9. The system for implementing file redirection encryption and decryption of claim 1, wherein: before encrypting and decrypting the file, the control management center firstly judges whether the current editing software and a system user have read-write permission on the current file, if so, the encryption and decryption are continued, and if not, an error is directly returned to block the operation.
10. A method for realizing file redirection encryption and decryption is characterized in that: the method comprises the following steps:
when the editing software opens a file, calling a sys _ open function, and transmitting a path of the file to be operated;
the operating system intercepts sys _ open in a HOOK mode, calls an encryption and decryption service module and transmits a file path to the encryption and decryption service module;
the encryption and decryption service module decrypts the file, writes the plaintext into a memory file system, and transmits a plaintext path back to the kernel operating system;
the operating system calls an original sys _ open function by using a plaintext path, obtains a handle of the plaintext path and returns the handle to the editing software;
the editing software uses the handle to read and write the file;
and after the behavior monitoring service detects that the file reading and writing actions are finished, backfilling the contents of the plaintext file to the encrypted file, so as to finish the reading and writing operations of the encrypted file.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110739746.4A CN113591107A (en) | 2021-06-30 | 2021-06-30 | System and method for realizing file redirection encryption and decryption |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110739746.4A CN113591107A (en) | 2021-06-30 | 2021-06-30 | System and method for realizing file redirection encryption and decryption |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113591107A true CN113591107A (en) | 2021-11-02 |
Family
ID=78245387
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110739746.4A Pending CN113591107A (en) | 2021-06-30 | 2021-06-30 | System and method for realizing file redirection encryption and decryption |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113591107A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117201021A (en) * | 2023-11-08 | 2023-12-08 | 中孚信息股份有限公司 | Key dynamic switching method, system, device and medium for main service system |
-
2021
- 2021-06-30 CN CN202110739746.4A patent/CN113591107A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117201021A (en) * | 2023-11-08 | 2023-12-08 | 中孚信息股份有限公司 | Key dynamic switching method, system, device and medium for main service system |
| CN117201021B (en) * | 2023-11-08 | 2024-02-23 | 中孚信息股份有限公司 | Key dynamic switching method, system, device and medium for main service system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10708051B2 (en) | Controlled access to data in a sandboxed environment | |
| KR100737628B1 (en) | Attestation using both fixed token and portable token | |
| RU2295834C2 (en) | Initialization, maintenance, renewal and restoration of protected mode of operation of integrated system, using device for controlling access to data | |
| US7480806B2 (en) | Multi-token seal and unseal | |
| EP2696305B1 (en) | Method and device for file protection | |
| EP3103048B1 (en) | Content item encryption on mobile devices | |
| WO2011137743A1 (en) | File protection method and system | |
| JP2002202720A (en) | Method for sharing enciphered data area among processes in a tamper-resistant processor | |
| US20040117318A1 (en) | Portable token controlling trusted environment launch | |
| US20120137372A1 (en) | Apparatus and method for protecting confidential information of mobile terminal | |
| CN105303074A (en) | Method for protecting security of Web application | |
| TW201530344A (en) | Application program access protection method and application program access protection device | |
| EP3080945B1 (en) | Obfuscating in memory encryption keys | |
| CN110262908A (en) | A kind of processing method and processing device of shear plate data | |
| CN109376119B (en) | Method for creating disk image file encrypted snapshot, method for using disk image file encrypted snapshot and storage medium | |
| JP6343869B2 (en) | Portable terminal device and decryption processing program | |
| JPWO2007142072A1 (en) | Terminal apparatus and data management system provided with the same | |
| CN113591107A (en) | System and method for realizing file redirection encryption and decryption | |
| CN103605934A (en) | Protection method and device for executable files | |
| JPH09204360A (en) | Method for protecting confidential data | |
| CN109871327B (en) | Method and device for testing security of secure storage of trusted execution environment | |
| CN109344656B (en) | Database data encryption/decryption method, device and equipment | |
| CN116594567A (en) | Information management method and device and electronic equipment | |
| US9122504B2 (en) | Apparatus and method for encryption in virtualized environment using auxiliary medium | |
| CN112287415B (en) | USB storage device access control method, system, medium, device and application |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |