TWI474189B - Automatic file encryption and decryption system - Google Patents

Automatic file encryption and decryption system

Info

Publication number
TWI474189B
Authority
TW
Taiwan
Prior art keywords
cloud
module
virtual host
encryption
data
Prior art date
Application number
TW101127550A
Other languages
Chinese (zh)
Other versions
TW201405325A (en)
Original Assignee
Chunghwa Telecom Co Ltd
Priority date
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd filed Critical Chunghwa Telecom Co Ltd
Priority to TW101127550A priority Critical patent/TWI474189B/en
Publication of TW201405325A publication Critical patent/TW201405325A/en
Application granted granted Critical
Publication of TWI474189B publication Critical patent/TWI474189B/en


Description

Automatic cloud file encryption and decryption system

The present invention relates to an automatic cloud file encryption and decryption system, specifically a data-access encryption and decryption system for the virtualized host service of a cloud platform. An information security module is added directly to the cloud service platform system; by intercepting system commands, it verifies operations performed on virtualized hosts and encrypts and decrypts the data being accessed. A key management server is used alongside it to protect key storage.

Continuing advances in the information industry, network infrastructure and network technology have brought about the era of cloud services and made them one of the most discussed topics of recent years. A cloud service uses the network to coordinate multiple hosts for computation, or lets users with a variety of connected devices, such as personal computers, notebook computers and smartphones, access and use the integrated information services and resources offered by a cloud service provider over the network at any time and from anywhere.

Cloud services make heavy use of virtualization technology and architecture, and the information security management problems that result differ from those of traditional information security. In addition, the host equipment and data of a cloud virtualized host service are built and stored in the service provider's facility, outside the user's control, which makes large enterprises very hesitant to use cloud services. To increase user trust, besides developing information security management for cloud services, protection for data storage security must also be provided so that users become more willing to accept virtualized host services.

In practice, data storage security can be achieved through data encryption, and the approaches fall into two kinds according to where the protection is placed. The first is built on the user's virtual host; it requires installing an additional program, and encrypting data may require users to change their habits, so user acceptance is low. The second is built on the cloud service platform system, so that data encryption does not affect the user. Existing data storage protection methods built on the cloud service platform all perform encryption and access control of storage devices through additional hardware modules, which makes them costly to build.

In view of the shortcomings of the conventional approaches above, the inventors sought to improve on them and, after extensive research, completed the present invention, which solves the problem of protecting data storage for cloud virtualized hosts.

The object of the present invention is to provide an automatic cloud file encryption and decryption system that uses an information security module to verify operations on the system and to encrypt and decrypt host data in real time as it is accessed, thereby strengthening the information security of the cloud platform's virtualized host service. Because it works by intercepting system I/O, the encryption process requires no change to the system's operating procedure and so does not affect users' operating habits. Building the information security module on the cloud service platform system also lowers the construction cost of the cloud platform system.

The automatic cloud file encryption and decryption system that achieves the above object is a data-access encryption and decryption system for the virtualized host service of a cloud platform. An information security module is added to the system's data processing flow; it comprises a cloud virtual host management security module, a key control module, a cloud virtual host system I/O interception module and an encryption/decryption module, and is paired with a key management server that protects key storage. The information security module works by intercepting system commands: when a virtual host performs an operation that changes system data, such as start, migration, backup or shutdown, the module verifies the operation, and it encrypts and decrypts data in real time while the storage device or file is being read or written.

Referring to FIG. 1, a schematic diagram of the implementation architecture of the automatic cloud file encryption and decryption system of the present invention, the system comprises a cloud service platform data security protection module 1. This is an information security module built on the cloud service platform system; it is a software-based system security module and requires no additional hardware module. The cloud service platform system may be a cloud service virtualization platform such as Xen or KVM.

The cloud service platform data security protection module 1 contains a cloud virtual host management security module 11 embedded in the cloud virtual host management system. Interception points are set in the cloud virtual host management module to intercept cloud virtual host management commands such as virtual host start, migration, backup and shutdown. When a management command is intercepted, the cloud virtual host management security module 11 in the data security protection module 1 is called and the data processing flow is redirected from the cloud virtual host management module to the cloud virtual host management security module. After the security module has completed its verification, the flow is returned to the cloud virtual host management module, which completes the normal data processing flow.

The cloud virtual host management security module 11 asks the key control module 12 to compare the virtual host information with the key information in order to verify whether the management command for that virtual host comes from an operation by authorized personnel. When the comparison is complete, the key control module 12 returns the verification result to the cloud virtual host management security module 11. If the result is correct, module 11 releases the intercepted management command so that the management flow carries out the start, migration, backup or shutdown of the virtual host; if the result is incorrect, execution of the management command is blocked.

When the key control module 12 receives a verification request from the cloud virtual host management security module 11, it first compares against the key information it already holds. If it has no corresponding key information, it uses the virtual host information to request the key information from the key management server 13 and performs the comparison once the key information is returned. When verification succeeds, the key control module 12 temporarily stores the key information in the module for use in the next verification, which makes permission checks more efficient. Key information is held in this temporary store from the time the virtual host is started until it is shut down.

The key management server 13 receives key information requests from the key control module 12 and returns the corresponding key information to it according to the virtual host information parameters. The key management server 13 uses the standard key management protocol KMIP (Key Management Interoperability Protocol), and communication with the key control module 12 uses the secure transport protocol SSL (Secure Sockets Layer) to protect the key information.
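The verification path through modules 11, 12 and 13 described above can be sketched as follows. This is an added example, not code from the patent: the patent does not say how virtual host information is compared with key information, so the HMAC proof, the class names and the VM identifier `vm-01` are assumptions, and the key management server is an in-process stand-in rather than a KMIP endpoint.

```python
import hashlib
import hmac
import secrets

COMMANDS = {"start", "migrate", "backup", "shutdown"}

def make_proof(key_info, vm_id, command):
    # Assumed proof format: HMAC-SHA256 over "vm_id|command". A deployed design
    # would also bind a nonce or timestamp so a captured proof cannot be replayed.
    return hmac.new(key_info, f"{vm_id}|{command}".encode(), hashlib.sha256).digest()

class KeyManagementServer:
    """Stand-in for server 13 (reached over KMIP/SSL in the patent)."""
    def __init__(self):
        self._store = {}
        self.requests = 0            # counts round trips, to show the cache effect

    def register(self, vm_id):
        self._store[vm_id] = secrets.token_bytes(32)
        return self._store[vm_id]

    def get_key_info(self, vm_id):
        self.requests += 1
        return self._store.get(vm_id)

class KeyControlModule:
    """Module 12: verifies against cached key info, else asks the server."""
    def __init__(self, kms):
        self._kms = kms
        self._cache = {}

    def verify(self, vm_id, command, proof):
        key_info = self._cache.get(vm_id)
        cached = key_info is not None
        if not cached:
            key_info = self._kms.get_key_info(vm_id)
            if key_info is None:
                return False         # unknown VM: nothing to compare against
        ok = hmac.compare_digest(make_proof(key_info, vm_id, command), proof)
        if ok and not cached:
            self._cache[vm_id] = key_info   # cache only after a successful check
        return ok

    def evict(self, vm_id):
        self._cache.pop(vm_id, None)

class ManagementSecurityModule:
    """Module 11: the interception point in the management command path."""
    def __init__(self, key_control):
        self._kc = key_control

    def intercept(self, vm_id, command, proof, handler):
        if command not in COMMANDS or not self._kc.verify(vm_id, command, proof):
            return "blocked"         # handler is never reached
        handler(vm_id, command)      # release to the normal management flow
        if command == "shutdown":
            self._kc.evict(vm_id)    # cache lifetime ends with the VM
        return "released"

def demo():
    kms = KeyManagementServer()
    key_info = kms.register("vm-01")             # constructed sample VM
    gate = ManagementSecurityModule(KeyControlModule(kms))
    executed = []
    run = lambda vm, cmd: executed.append(cmd)
    results = []
    for cmd, proof in [
        ("start", make_proof(key_info, "vm-01", "start")),
        ("backup", make_proof(key_info, "vm-01", "backup")),
        ("migrate", bytes(32)),                  # operator without the key info
        ("shutdown", make_proof(key_info, "vm-01", "shutdown")),
        ("start", make_proof(key_info, "vm-01", "start")),
    ]:
        results.append((cmd, gate.intercept("vm-01", cmd, proof, run), kms.requests))
    return results, executed

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The third column of each result row is the number of key management server round trips so far: it stays at 1 while the VM is running and rises to 2 only after the shutdown has emptied the cache.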

The cloud virtual host system I/O interception module 14 is embedded in the cloud virtual host I/O module. Interception points set in the cloud virtual host I/O module intercept the virtual host's I/O information in order to obtain the data being read from or written to the storage device in the data processing flow. When I/O information is intercepted, the cloud virtual host system I/O interception module 14 in the cloud service platform data security protection module 1 is called, and the data processing flow is redirected from the cloud virtual host I/O module to the I/O interception module. After the security module has finished encrypting or decrypting the data, the flow is returned to the cloud virtual host I/O module, which completes the normal data processing flow.

The cloud virtual host system I/O interception module 14 passes the data it obtains to the data encryption/decryption module 15, which decrypts data being read and encrypts data being written. Once the data has been processed and returned, module 14 releases the intercepted I/O operation so that the data processing flow continues normally. Because data the virtual host reads from the storage device has already been decrypted in the cloud virtual host system, the virtual host can interpret it correctly, without data errors or unrecognizable content; and because data the virtual host writes to the storage device is encrypted in the cloud virtual host system, all data stored on the device is encrypted.

The data encryption/decryption module 15 encrypts and decrypts the storage device data, read or written, sent to it by the cloud virtual host system I/O interception module 14. It uses disk encryption algorithms and can support encryption algorithms such as CBC, LRW, XEX, XTS, CMC and EME, or ESSIV, with 128-bit or 256-bit key pairs to encrypt and decrypt the data. The encryption/decryption key pair is generated by module 15 from information that it requests from the key control module 12 on the basis of the storage device information; that information includes derivation information for the virtual host key pair.
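The read/write path through modules 14 and 15 can be illustrated with XTS, one of the modes the patent lists. This is an added example, not code from the patent: it uses the third-party Python `cryptography` package, and the 512-byte sector size, the sector-number tweak, the HMAC-based key derivation and the device identifiers are assumptions.

```python
import hashlib
import hmac

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR = 512  # assumed sector size

def derive_device_key(vm_key_info, device_id):
    # Assumed derivation: HMAC-SHA512 gives 64 bytes, i.e. the pair of 256-bit
    # keys (data key and tweak key) that AES-256-XTS expects.
    return hmac.new(vm_key_info, b"xts|" + device_id.encode(), hashlib.sha512).digest()

class IOInterceptor:
    """Sits between the guest and the backing store, like modules 14 and 15."""
    def __init__(self, backing, key):
        self.backing = backing       # bytearray standing in for the storage device
        self._key = key

    def _cipher(self, sector):
        # The sector number is the XTS tweak, so equal plaintext stored in
        # different sectors produces different ciphertext.
        tweak = sector.to_bytes(16, "little")
        return Cipher(algorithms.AES(self._key), modes.XTS(tweak))

    def write(self, sector, data):
        if len(data) != SECTOR:
            raise ValueError("writes must be whole sectors")
        enc = self._cipher(sector).encryptor()
        start = sector * SECTOR
        self.backing[start:start + SECTOR] = enc.update(data) + enc.finalize()

    def read(self, sector):
        start = sector * SECTOR
        dec = self._cipher(sector).decryptor()
        return dec.update(bytes(self.backing[start:start + SECTOR])) + dec.finalize()

def demo():
    vm_key_info = bytes(range(32))               # constructed sample key info
    disk = bytearray(4 * SECTOR)
    io = IOInterceptor(disk, derive_device_key(vm_key_info, "vm-01/disk0"))
    plain = b"guest filesystem block ".ljust(32, b".") * 16   # one 512-byte sector
    io.write(0, plain)
    io.write(1, plain)
    at_rest_0 = bytes(disk[:SECTOR])
    at_rest_1 = bytes(disk[SECTOR:2 * SECTOR])
    # Same backing store opened with the key derived for a different device.
    other = IOInterceptor(disk, derive_device_key(vm_key_info, "vm-01/disk1"))
    wrong_key_read = other.read(0)
    guest_read = io.read(1)
    disk[0] ^= 0x01                              # one flipped bit at rest
    tampered = io.read(0)
    return {
        "guest_sees_plaintext": guest_read == plain,
        "at_rest_is_ciphertext": at_rest_0 != plain,
        "sectors_differ": at_rest_0 != at_rest_1,
        "wrong_key_fails": wrong_key_read != plain,
        "tamper_raises_no_error": tampered != plain and tampered[16:] == plain[16:],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

XTS provides confidentiality only: the flipped bit garbles one 16-byte block of the sector and the read still succeeds, so integrity has to come from another layer.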

Compared with other conventional techniques, the automatic cloud file encryption and decryption system provided by the present invention has the following advantages:

1. The system provided by the invention is a data access protection method built on the cloud service platform. An information security module is added to the data processing flow and, by intercepting system commands, verifies whether data-changing actions on a virtual host, such as start, shutdown and system operations, come from authorized personnel, strengthening the information security of the cloud platform's virtualized host service.

2. The system provided by the invention is a data access protection method built on the cloud service platform. An information security module is added to the data processing flow and achieves data encryption by intercepting system I/O, without changing users' operating habits.

3. The system provided by the invention is a software information security module; data encryption is achieved without installing additional hardware modules, which lowers the construction cost of the cloud service platform system.

4. The data encryption/decryption module provided by the invention uses disk encryption algorithms and can support encryption algorithms such as CBC, LRW, XEX, XTS, CMC and EME, or ESSIV, and can be used with 128-bit or 256-bit key pairs to encrypt and decrypt data.

5. The key control module provided by the invention works with a key management server that uses the standard key management protocol KMIP (Key Management Interoperability Protocol); key information is transmitted over the secure transport protocol SSL (Secure Sockets Layer), which protects the key information.

6. The invention can be used with any relevant cloud service platform system.

The detailed description above is a specific description of one feasible embodiment of the invention. The embodiment is not intended to limit the patent scope of the invention; any equivalent implementation or modification that does not depart from the spirit of the invention shall be included in the patent scope of this case.

In summary, this case is innovative in its technical concept and provides the several effects described above that conventional systems do not; it fully meets the statutory requirements of novelty and inventive step for an invention patent. The application is filed in accordance with the law, and the Office is respectfully requested to approve this invention patent application so as to encourage invention.

1‧‧‧Cloud service platform data security protection module

11‧‧‧Cloud virtual host management security module

12‧‧‧Key control module

13‧‧‧Key management server

14‧‧‧Cloud virtual host system I/O interception module

15‧‧‧Data encryption/decryption module

Please refer to the detailed description of the invention and the accompanying drawing for a further understanding of its technical content, purpose and effects. The drawing is: FIG. 1 is a schematic diagram of the implementation architecture of the automatic cloud file encryption and decryption system of the invention.


Claims (8)

1. An automatic cloud file encryption and decryption system, being a cloud service platform data security protection module that is an information security module built on a cloud service platform system and achieves data encryption without additional hardware modules, comprising: a cloud virtual host management security module for intercepting cloud virtual host management commands and controlling the management flow; a key control module that compares the virtual host information with key information to verify whether a management command for the virtual host comes from an operation by authorized personnel, and that can temporarily store the key information to make permission verification more efficient; a key management server that receives key information requests from the key control module and returns the corresponding key information according to the virtual host information parameters; a cloud virtual host system I/O interception module that intercepts the cloud virtual host I/O information to obtain the data read from or written to a storage device in the data processing flow; and a data encryption/decryption module that encrypts and decrypts the storage device data, read or written, sent by the cloud virtual host system I/O interception module.

2. The automatic cloud file encryption and decryption system of claim 1, wherein the cloud service platform system may be a cloud virtualization system such as Xen or KVM.

3. The automatic cloud file encryption and decryption system of claim 1, wherein the cloud virtual host management security module is embedded in the cloud virtual host management system and can intercept and control the cloud virtual host management commands.

4. The automatic cloud file encryption and decryption system of claim 1, wherein the key management server uses the standard key management protocol KMIP (Key Management Interoperability Protocol) to protect the key information.

5. The automatic cloud file encryption and decryption system of claim 1, wherein the key management server uses the secure transport protocol SSL (Secure Sockets Layer) to protect the transmission of key information.

6. The automatic cloud file encryption and decryption system of claim 1, wherein the cloud virtual host system I/O interception module is embedded in the cloud virtual host I/O module to intercept cloud virtual host I/O information and thereby obtain the data read from or written to the storage device in the data processing flow.

7. The automatic cloud file encryption and decryption system of claim 1, wherein the data encryption/decryption module uses disk encryption algorithms and can support encryption algorithms such as CBC, LRW, XEX, XTS, CMC and EME, or ESSIV.

8. The automatic cloud file encryption and decryption system of claim 1, wherein the disk encryption algorithm used by the data encryption/decryption module can be used with 128-bit, 192-bit or 256-bit key pairs to encrypt and decrypt data.
TW101127550A 2012-07-31 2012-07-31 Automatic file encryption and decryption system TWI474189B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW101127550A TWI474189B (en) 2012-07-31 2012-07-31 Automatic file encryption and decryption system


Publications (2)

Publication Number Publication Date
TW201405325A TW201405325A (en) 2014-02-01
TWI474189B true TWI474189B (en) 2015-02-21

Family

ID=50550017


Country Status (1)

Country Link
TW (1) TWI474189B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI520002B (en) * 2014-10-21 2016-02-01 Protection Method and System of Cloud Virtual Network Security
CN108076106B (en) * 2016-11-15 2019-11-19 中国科学院声学研究所 A kind of Stream Processing system and method for facing cloud storing data encryption and decryption

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6081597A (en) * 1996-08-19 2000-06-27 Ntru Cryptosystems, Inc. Public key cryptosystem method and apparatus
CN102291391A (en) * 2011-07-21 2011-12-21 西安百盛信息技术有限公司 Safe transmission method for data in cloud service platform
CN102546181A (en) * 2012-01-09 2012-07-04 西安电子科技大学 Cloud storage encrypting and deciphering method based on secret key pool


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees