TW201441866A - File protection method for integrating new encrypted virtual disk and hardware verification mechanism - Google Patents


Info

Publication number
TW201441866A
Authority
TW
Taiwan
Prior art keywords
virtual disk
file
encrypted virtual
verification
hardware verification
Application number
TW102114862A
Other languages
Chinese (zh)
Inventor
Chih-Hsueh Lin
Shang-Mou Yu
Meng-Ju Hsieh
Chih-Yu Lin
Original Assignee
Univ Shu Te
Application filed by Univ Shu Te filed Critical Univ Shu Te
Priority to TW102114862A priority Critical patent/TW201441866A/en
Publication of TW201441866A publication Critical patent/TW201441866A/en

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a file protection method that integrates a new type of encrypted virtual disk with a hardware verification mechanism. A file system driver mounts a directory that already exists in the file system and encrypts it as a new encrypted virtual disk, which can be accessed through the operating system's own file management mechanism, improving the operating efficiency of the file system. No original sensitive files remain in the file system, and the list of programs allowed to access the encrypted virtual disk is managed by a built-in whitelist. The method is further combined with software and hardware verification and protection mechanisms, so that the start-up verification mechanism of the encrypted virtual disk does not operate entirely in software. This avoids the situation in which sensitive files are cracked because the software program leaks after the hardware device is lost, making the security mechanism that protects sensitive files more efficient and more varied.

Description

File protection method integrating a new encrypted virtual disk and a hardware verification mechanism

The invention relates to a file protection method that integrates a new type of encrypted virtual disk with a hardware verification mechanism. In particular, a file system driver directly mounts and encrypts a directory that already exists in the file system as a new type of encrypted virtual disk. The encrypted virtual disk can be accessed directly through the file management mechanism of the original operating system, which effectively improves the operating efficiency of the file system, and no original confidential and sensitive (hereafter "sensitive") files remain in the file system. A whitelist built into the driver in advance manages the list of programs that may access the encrypted virtual disk, and various software and hardware verification and protection mechanisms are combined with it, making the protection of sensitive files more efficient and more varied.

With the rapid advance of science and technology, modern life is almost inseparable from information products. In the computerized office and even at home, work of every kind depends closely on information products and the Internet. This is especially true of data storage and use: besides storing data on a computer, users find it very convenient to transfer or back up data with portable devices such as USB flash drives. Users are therefore increasingly concerned about the security of sensitive files stored on computers or portable devices. Encrypting sensitive files is one of the most common ways to protect them in current information products, and the most commonly used approach is to compress the sensitive file directly while the system sets a decompression password, so that only users authorized to hold that password can decrypt the encrypted file and access it.

The methods that information system vendors currently offer on the market for protecting sensitive files fall into two kinds: traditional file encryption programs and traditional encrypted virtual disks. A traditional file encryption program encrypts an original sensitive file that exists in the file system and stores the resulting new encrypted file in the same system. The drawback of this mode of operation is that the original sensitive file and the encrypted file exist in the file system at the same time; if the hardware device is lost or the operating system is compromised by an attacker, the original sensitive file may be leaked.

A traditional encrypted virtual disk uses a driver in the file system to mount a standalone virtual disk file as a virtual disk, and performs encryption and decryption while the virtual disk is accessed. In this mode, however, the actual access target is a file rather than a file system, so the driver must implement its own file management mechanism to access the virtual disk and cannot use the file management mechanism of the original operating system. This mode of operation tends to reduce the efficiency and stability of file access, which is especially noticeable when a large number of files are accessed. In addition, most traditional encrypted virtual disks use only the password requested at installation as their protection mechanism, yet also offer a feature that remembers the user's password. If the operating system is compromised or the hardware device is lost, the encrypted virtual disk is mounted automatically and the original sensitive data is leaked, or the sensitive files are cracked because the password protection is not strong enough. Reducing equipment cost, keeping assembly easy, and improving the operating efficiency of the file system, so that users can rely on the protection of sensitive files in the system, therefore remains a problem the industry must keep working to solve.

In view of these shortcomings of existing sensitive-file protection mechanisms, which readily leak sensitive files when the operating system is compromised or the hardware device is lost, the inventors, drawing on their professional knowledge and years of practical experience, worked persistently on improvements and developed the present invention.

The main object of the invention is to provide a new type of encrypted virtual disk. A driver in the file system directly mounts a directory that already exists in the file system and encrypts it as an encrypted virtual disk, which can be accessed through the file management mechanism of the original operating system, effectively improving the efficiency and stability of the file system, and no original sensitive files remain in the file system. Because the method operates as an encrypted virtual disk, a user who needs to edit a file does not have to decrypt it first with a separate program and can work directly inside the encrypted virtual disk. The invention also builds a whitelist into the driver to restrict which programs may access the encrypted virtual disk, preventing malicious programs from accessing the encrypted virtual disk after it is mounted. The invention further adds software and hardware verification and protection mechanisms so that the start-up verification mechanism and the encryption and decryption logic of the encrypted virtual disk do not operate entirely in software. This effectively avoids the situation in which sensitive files are cracked because the software program leaks after the hardware device is lost, making the security mechanism that protects sensitive files more efficient and more varied.

To achieve this object, the inventors devised the following technique. First, a driver loaded by the system directly mounts a specified file directory in the system and encrypts it as an encrypted virtual disk. Next, the driver loads its built-in whitelist to verify the access rights of any program that tries to access the encrypted virtual disk. For example, the system authorizes only the word processor Office Word installed in the operating system to access files with the DOC/DOCX extension in the encrypted virtual disk; if a program other than Office Word tries to access a DOC/DOCX file, the whitelist can either deny that program's access automatically or pop up a warning window that lets the user decide whether to allow the access. This prevents a malicious program that has infected the operating system from waiting until all verification has been completed and the encrypted virtual disk has been mounted, and then stealing the decrypted original sensitive files. Finally, when a user accesses the encrypted virtual disk, identity is verified through the software and hardware verification and protection mechanisms. Once the user who wants to access the encrypted virtual disk passes identity verification, the driver provides the decryption key so that the encrypted virtual disk can be decrypted for access. The system then removes the driver, completing the sensitive-file protection process.

In one embodiment of the invention, the encrypted virtual disk is mounted and encrypted directly from a directory that already exists in the file system, so the file management mechanism provided by the original operating system can be used directly for access inside the encrypted virtual disk. This effectively improves the efficiency and stability of the file system, and no original sensitive files remain in the file system. Because the invention operates as an encrypted virtual disk, a user who needs to edit a file does not have to decrypt it first with a separate program and can work directly inside the encrypted virtual disk.

In one embodiment of the invention, the software and hardware verification and protection mechanism for protecting sensitive files selectively combines several verification mechanisms. These comprise four approaches: the password requested at installation, user permissions restricted by the operating system or domain, a built-in hardware verification chip, and an external hardware verification chip. The built-in hardware verification chip may be the fingerprint verification chip a notebook computer uses for start-up verification, and the external hardware verification chip may be a device such as a conventional Arduino firmware, Bluetooth device, or RFID module.

(1) Driver

(11) Whitelist

(2) Encrypted virtual disk

(3) Software and hardware verification and protection mechanism

(4) Decryption key

(S1) Step one

(S2) Step two

(S3) Step three

Figure 1: Flowchart of the steps of the file protection method of the invention integrating a new encrypted virtual disk and a hardware verification mechanism.

Figure 2: Block diagram of the relationships among the elements of the file protection method of the invention integrating a new encrypted virtual disk and a hardware verification mechanism.

The object of the invention and the advantages of its structural design are explained below with reference to the preferred embodiment shown in the drawings, so that the examiner may gain a deeper and more concrete understanding of the invention.

First, refer to Figures 1 and 2, which show the step flowchart and the relationship block diagram of the file protection method integrating a new encrypted virtual disk and a hardware verification mechanism according to a preferred embodiment of the invention. The steps are:

Step one (S1): the system loads the driver (1), which directly mounts a specified file directory in the file system and encrypts it as the encrypted virtual disk (2);

Step two (S2): the whitelist (11) built into the driver (1) is used to verify the access rights of any program that tries to access the encrypted virtual disk (2). When the whitelist (11) evaluates access by a different program, it can be set either to deny that program's access automatically or to pop up a warning window that lets the administrator decide whether to allow it. This prevents a malicious program that has infected the operating system from waiting until all access verification has been completed and the encrypted virtual disk (2) has been mounted, and then stealing the decrypted original sensitive files; and

Step three (S3): when a user wants to access the encrypted virtual disk (2), the software and hardware verification and protection mechanism (3) verifies the user's identity. After the user passes identity verification, the driver provides the decryption key (4) so that the encrypted virtual disk (2) can be decrypted for access. Finally, the system removes the driver, completing the sensitive-file protection process.
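
The whitelist decision of step two can be modelled as follows. This is an added example, not code from the patent; identifying a program by the SHA-256 digest of its executable image, and the names `Whitelist`, `Rule` and `extension_of`, are assumptions of the example, since the patent does not say how the driver recognises a program.

```python
# Added illustration: user-space model of the driver whitelist (11) from step two.
# Assumption: a program is identified by the SHA-256 of its executable image;
# the patent does not say how the driver recognises a program.
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"   # pop up a warning window and let a person decide


@dataclass(frozen=True)
class Rule:
    image_sha256: str        # digest of the whitelisted executable image
    extensions: frozenset    # lower-case extensions this program may open


def extension_of(file_name: str) -> str:
    """Return the effective lower-case extension of a file name."""
    base = file_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(". ")             # Win32 drops trailing dots and spaces
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


class Whitelist:
    def __init__(self, rules, on_miss=Verdict.DENY):
        if on_miss is Verdict.ALLOW:
            raise ValueError("a whitelist miss must never default to ALLOW")
        self._rules = {rule.image_sha256: rule for rule in rules}
        self._on_miss = on_miss
        self.audit = []                  # (digest prefix, file name, verdict)

    def check(self, image: bytes, file_name: str) -> Verdict:
        """Decide whether the program with this image may open file_name."""
        digest = hashlib.sha256(image).hexdigest()
        rule = self._rules.get(digest)
        allowed = rule is not None and extension_of(file_name) in rule.extensions
        verdict = Verdict.ALLOW if allowed else self._on_miss
        self.audit.append((digest[:12], file_name, verdict))
        return verdict


# Constructed sample data: byte strings stand in for executable images.
WORD_IMAGE = b"constructed stand-in for the word processor image"
UNKNOWN_IMAGE = b"constructed stand-in for an unlisted program"


def demo(on_miss=Verdict.DENY):
    """Run four constructed access requests through the whitelist."""
    wl = Whitelist(
        [Rule(hashlib.sha256(WORD_IMAGE).hexdigest(), frozenset({"doc", "docx"}))],
        on_miss=on_miss,
    )
    requests = [
        (WORD_IMAGE, r"V:\plans\budget.DOCX"),     # listed program, listed type
        (WORD_IMAGE, r"V:\plans\budget.docx. "),   # trailing dot/space variant
        (WORD_IMAGE, r"V:\plans\keys.pem"),        # listed program, other type
        (UNKNOWN_IMAGE, r"V:\plans\budget.docx"),  # unlisted program
    ]
    return [wl.check(image, name).value for image, name in requests]


if __name__ == "__main__":
    print(demo())
    print(demo(Verdict.PROMPT))
```

Any request that does not match a rule falls through to the configured deny or prompt behaviour, and the constructor refuses a configuration in which a miss would be allowed.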

Furthermore, the encrypted virtual disk (2) of this embodiment is mounted directly from a directory that already exists in the file system, and encryption is performed while the encrypted virtual disk (2) is being accessed. Data inside the encrypted virtual disk (2) can therefore be accessed through the file management mechanism provided by the original operating system, with no need for a separate implementation, which effectively improves the efficiency and stability of program execution. It also avoids the situation in which original sensitive files exist in the file system where an interceptor can easily read them. Because this embodiment operates as an encrypted virtual disk (2), a user who needs to edit a file does not have to decrypt it first with a separate program and can work directly inside the encrypted virtual disk (2). Since the method performs encryption and decryption in the background in real time, it also lowers the learning threshold for users.

In addition, within the software and hardware verification and protection mechanism (3), the system selectively combines the following mechanisms to verify the identity of a user who wants to access the encrypted virtual disk (2), covering both start-up verification and protection during subsequent use:
1. Start-up verification using the password requested at installation.
2. Start-up verification using operating system or domain user permissions.
3. Start-up verification using a built-in hardware verification chip, such as the user fingerprint recognition chip built into a notebook computer.
4. Start-up verification using an external hardware verification chip, which can take one of the following three forms:
A. The password is entered into a conventional Arduino through a USB device. Only after the Arduino firmware has checked that the password is correct does it provide the decryption key (4) to the user who wants to read the encrypted virtual disk (2). If the password entered is wrong, the system automatically shuts off the function that provides the decryption key (4), so that the encrypted virtual disk (2) cannot be mounted and used on the system.
B. An Arduino is connected through a USB device and fitted with a Bluetooth communication board, which is bound to a Bluetooth device the legitimate user carries, such as a Bluetooth headset. If the Bluetooth communication board cannot detect the bound Bluetooth device, the legitimate user is not within the range in which the Bluetooth device can monitor the equipment, so the encrypted virtual disk (2) is unmounted immediately and automatically and the function that provides the decryption key (4) is shut off. Only when the bound Bluetooth device is detected again and the user has completed the relevant identity verification does the system re-enable the function that provides the decryption key (4). This prevents someone from using social engineering or similar means to draw the legitimate user out of monitoring range and then accessing the sensitive files in an encrypted virtual disk (2) that has already passed start-up verification.
C. An Arduino is connected through a USB device and an RFID communication board module is installed on the Arduino firmware. The legitimate user bound to it is issued an authenticated identity RFID card or verification RFID card, and the system enables the function that provides the decryption key (4) only after it has successfully read the issued RFID card and carried out the relevant user identity verification.
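
The behaviour of option 4.B (key release tied to the presence of a bound device, with re-verification after the device returns) can be modelled as a small state machine. This is an added example, not code from the patent; the `KeyGate` class, the scan interface that reports a set of device addresses, and the PBKDF2 password verifier are assumptions of the example.

```python
# Added illustration: model of the key-release gate described in option 4.B.
# Assumptions: presence is reported as a set of device addresses per scan, and
# the password verifier is PBKDF2-HMAC-SHA256; the patent specifies neither.
import hashlib
import hmac
import os
from enum import Enum


class State(Enum):
    LOCKED = "locked"        # key function off, disk unmounted
    UNLOCKED = "unlocked"    # key function on, disk mounted


class KeyGate:
    ITERATIONS = 100_000

    def __init__(self, key: bytes, password: bytes, bound_token: str):
        self._key = key
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)   # store a verifier, not the password
        self._bound = bound_token
        self._present = False
        self.state = State.LOCKED
        self.events = []

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, self.ITERATIONS)

    def scan(self, seen: set) -> None:
        """Feed one Bluetooth scan result into the gate."""
        self._present = self._bound in seen
        if not self._present and self.state is State.UNLOCKED:
            self.state = State.LOCKED             # unmount, shut off key release
            self.events.append("unmounted: bound token out of range")

    def authenticate(self, password: bytes) -> bool:
        """Unlock only if the token is in range and the password matches."""
        if not self._present:
            self.events.append("refused: bound token not detected")
            return False
        if not hmac.compare_digest(self._derive(password), self._verifier):
            self.events.append("refused: wrong password")
            return False
        self.state = State.UNLOCKED
        self.events.append("mounted: token present and user verified")
        return True

    def get_key(self):
        """Return the decryption key (4), or None while the gate is locked."""
        return self._key if self.state is State.UNLOCKED else None


TOKEN = "AA:BB:CC:DD:EE:FF"      # constructed address of the bound headset
OTHER = "11:22:33:44:55:66"      # constructed address of an unrelated device
PASSWORD = b"constructed-pass"   # constructed sample password


def run_scenario():
    """Replay a constructed session and record when the key is available."""
    gate = KeyGate(key=b"\x01" * 32, password=PASSWORD, bound_token=TOKEN)
    trace = []

    def step(label):
        trace.append((label, gate.get_key() is not None))

    gate.authenticate(PASSWORD)
    step("password while token absent")
    gate.scan({TOKEN, OTHER})
    step("token seen, no password yet")
    gate.authenticate(b"guess")
    step("wrong password")
    gate.authenticate(PASSWORD)
    step("token present and password correct")
    gate.scan({OTHER})
    step("user walks out of range")
    gate.scan({TOKEN})
    step("token back, no re-verification")
    gate.authenticate(PASSWORD)
    step("re-verified")
    return trace, gate.events


if __name__ == "__main__":
    for label, available in run_scenario()[0]:
        print(f"{label:40s} key available: {available}")
```

The sixth step is the case the patent text calls out: the returning device alone does not reopen the key function, which stays locked until the user verifies again.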

From the above description of the file protection method integrating a new encrypted virtual disk and a hardware verification mechanism and its implementation, the invention has the following advantages:
1. A driver in the file system directly mounts a directory that already exists in the file system and encrypts it as an encrypted virtual disk, which can be accessed through the file management mechanism of the original operating system, effectively improving the efficiency and stability of the file system.
2. No original sensitive files remain in the file system. Because the method operates as an encrypted virtual disk, a user who needs to edit a file does not have to decrypt it first with a separate program and can work directly inside the encrypted virtual disk. Encryption and decryption are performed in the background in real time, which also lowers the threshold for first-time users.
3. A whitelist is added to the file system driver to manage which programs may access the encrypted virtual disk. The system can be set either to deny a program's access automatically or to pop up a warning window that lets the administrator decide whether to allow it. This prevents a malicious program that has infected the operating system from waiting until all access verification has been completed and the encrypted virtual disk has been mounted, and then stealing the decrypted original sensitive files.
4. Software and hardware verification and protection mechanisms are used so that the start-up verification mechanism and the encryption and decryption logic of the encrypted virtual disk do not operate entirely in software. This effectively avoids the situation in which sensitive files are cracked because the software program leaks after the hardware device is lost, making the security mechanism that protects sensitive files more efficient and more varied.

In summary, the file protection method of the invention integrating a new encrypted virtual disk and a hardware verification mechanism can indeed achieve the intended effect through the embodiments disclosed above, and the invention was not disclosed before the application, so it fully meets the provisions and requirements of the Patent Act. An application for an invention patent is hereby filed in accordance with the law; examination and grant of the patent are respectfully requested.

The drawings and descriptions disclosed above are only preferred embodiments of the invention and do not limit its scope of protection. Any other equivalent change or modification made by a person skilled in the art according to the features of the invention shall be regarded as falling within the design scope of the invention.


Claims (5)

1. A file protection method integrating a new type of encrypted virtual disk with a hardware verification mechanism, comprising the following steps:
Step one: using a file system driver to directly mount a directory that already exists in the file system as an encrypted virtual disk;
Step two: establishing a whitelist in the driver to manage the list of programs that access the encrypted virtual disk; and
Step three: while a user accesses the encrypted virtual disk, performing the relevant identity verification through a software and hardware verification and protection mechanism and, after verification is passed, having the driver provide the decryption key to the user so that the encrypted virtual disk can be decrypted.

2. The file protection method integrating a new type of encrypted virtual disk with a hardware verification mechanism as described in claim 1, wherein the encrypted virtual disk is a directory that already exists in the file system and can be accessed directly through the file management mechanism provided by the operating system.

3. The file protection method integrating a new type of encrypted virtual disk with a hardware verification mechanism as described in claim 1, wherein the software and hardware verification and protection mechanism selectively combines several verification mechanisms, the verification mechanisms comprising one of: the password requested at installation, user permissions restricted by the operating system or domain, a built-in hardware verification chip, and an external hardware verification chip.

4. The file protection method integrating a new type of encrypted virtual disk with a hardware verification mechanism as described in claim 3, wherein the built-in hardware verification chip is a fingerprint verification chip.

5. The file protection method integrating a new type of encrypted virtual disk with a hardware verification mechanism as described in claim 3, wherein the external hardware verification chip is one of an Arduino firmware, a Bluetooth device, or an RFID module.
Application number: TW102114862A
Priority date: 2013-04-25
Filing date: 2013-04-25
Title: File protection method for integrating new encrypted virtual disk and hardware verification mechanism
Publication number: TW201441866A (en)
Publication date: 2014-11-01
Family ID: 52422928
Country: TW
