CN101114256B - Real-time data security method - Google Patents

Publication number: CN101114256B
Authority: CN (China)
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN200610107436A
Other languages: Chinese (zh)
Other versions: CN101114256A (en)
Inventor: 江元麟
Current assignee: JINGDA INTERNATIONAL TECHNOLOGY CORP (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Egis Technology Inc
Application filed by Egis Technology Inc
Priority to CN200610107436A
Publication of CN101114256A
Application granted
Publication of CN101114256B
Current legal status: Expired - Fee Related
Abstract

A real-time data security method for protecting the system data of a computer. In the preferred embodiment, a folder is created in a disk partition of the existing operating system and mounted as a secure partition, so that all file data accessing that partition is encrypted and decrypted in real time. The secure partition is set up by first creating a folder, attaching a real-time encryption/decryption entry (an OTFE entry supplied by an on-the-fly encryption module) to the folder's attributes, hiding the folder, and mounting it as the secure partition. Another embodiment adds an identity-identification method to provide a personal authentication mechanism for the user. Under this method, when a file is stored, the file system of the computer operating system receives the store instruction, runs the security program in real time, attaches the encryption/decryption entry to the file's attributes, and only then carries out the store.

Description

Real-time data security method
Technical field
The present invention relates to a real-time data security method, and in particular to a data encryption method that adds real-time encryption/decryption and an identity-identification mechanism to a virtual partition mounted from a folder.
Background
Although the development of computers has brought great convenience, operating systems were not designed with comprehensive data protection in mind. This has indirectly created many problems alongside the convenience, among them that important data may be stolen, tampered with, or transmitted under a false identity.
Known techniques for data confidentiality usually rely only on a personal account and password to control access to protected files. Users frequently lose access to their files because they forget the account or password, and such a simple scheme remains easy to crack. In particular, for the confidentiality requirements of sensitive enterprise data, ordinary simple protection measures cannot really prevent data from being stolen or misused by employees.
To achieve data confidentiality, known computer data security techniques include Taiwan patent No. 554268, "Data storage encryption method". That case discloses a specific driver through which the computer accesses a data storage device: the computer issues a data read request to the storage device, the driver transforms the storage location according to the request and supplies an input secret value to protect the data, so that when the file is later read, the driver must cooperate with the File Allocation Table to read the encrypted data from its actual storage location.
Besides the above technique, which encrypts individual files, there are known encryption techniques for a computer disk drive, applied on a hard disk drive. The main embodiment uses disk encryption software to create a file on the hard disk drive and mount it as an encoded virtual disk drive, for example as an additional drive K alongside drives C and D; the user then accesses files on that virtual disk drive under password protection. For instance, the encryption software first sets a password for accessing the virtual disk; storing a file to the virtual disk drive is an encrypt process, and reading from it is a decrypt process in which the password is used to decrypt, after which the file can be read normally; otherwise the file cannot be used.
A technique that encrypts and decrypts at file-access time on a file system can be found in United States Patent No. 6,249,866, "Encrypting file system and method". That case discloses encrypting and decrypting each file in the file system with a public key / private key scheme: when the user stores a file to the hard disk it is encrypted with the public key of a generated key pair, and when the user later uses the file it must be decrypted with the corresponding private key.
Referring to the schematic of Fig. 1, the embodiment of that case loads an Encrypting File System Driver 14 layered on top of the file system 12 when the NTFS (Windows NT File System) file system 12 initializes. The driver operates on a particular storage volume 10 within the file system 12. When the file system 12 receives an input/output request (creating or opening a file) from the computer system I/O 16, the file system 12 obtains encryption/decryption services, including public and private key generation and use, through the encrypting file system driver 14 and the encryption/decryption service module 18, and performs the file access accordingly.
Roughly, when a file is accessed on that storage volume, the encrypting file system driver supplies the file's metadata to the module providing the encryption/decryption service. This metadata includes the digital key information for encryption and decryption: the data can be encrypted with the public key, the metadata is rewritten when the digital key changes, and decryption is performed with the corresponding private key, among other operations.
The above virtual disk drive approach creates a file mount, loading a single file as a virtual disk drive. However, the operating system limits the size of a single file under this approach; for example, a single file in the FAT/FAT32 file allocation system of the Windows operating system is limited to 4 GB. In addition, creating such a single file and setting it up as an encrypting virtual disk drive occupies a fixed capacity on the hard disk drive that cannot be flexibly put to other uses.
Unlike the known data encryption techniques, the real-time data security method of the present invention mounts a folder created in a disk drive as the virtual disk used for encryption, avoiding the capacity limit of the encrypted region and not actually occupying a fixed share of the hard disk drive capacity.
Summary of the invention
The present invention provides a real-time data security method. Unlike the known data encryption techniques, the data encryption method of the present invention mounts a folder created in a disk drive as the virtual disk drive used for encryption, thereby avoiding the encrypted-region capacity limit of the known single-file emulated disk drive and not actually occupying a fixed hard disk drive capacity. In addition, it can be combined with an identity-recognition mechanism to achieve better data confidentiality.
The preferred embodiment of the real-time data security method provided by the present invention runs in a computer system. A folder is created on an existing disk partition and mounted as a secure partition. The method comprises: the file system of the computer operating system first receives a store instruction for a file and executes an encryption program in real time; at this point a real-time encryption/decryption entry, namely the entry attached when the secure partition was created, is attached to the file's attributes; once that entry is attached to the file's attributes, the store is carried out.
In the above method, it is first determined whether the location at which the file is to be stored is the secure partition or an ordinary, non-secure partition; the encryption flow is executed only when the file is to be stored into the secure partition.
In the above method, the encryption program encrypts with a symmetric key.
In the above method, the encryption flow encrypts with an asymmetric key.
The steps for creating the secure partition comprise first creating a folder in a partition of the operating system, using the real-time encryption/decryption module to attach the real-time encryption/decryption entry to the folder's attributes, then hiding the folder, and mounting the folder as the secure partition.
In the above method, when the real-time encryption/decryption entry is attached, the real-time encryption/decryption module generates a symmetric or asymmetric key.
Besides the store step, a real-time decryption step can be performed when the file is later accessed. This step comprises: the operating system's file system first receives an access instruction for the file; the encryption/decryption information in the file is then extracted, and the decryption program corresponding to that information is executed.
In the above method, the extracted encryption/decryption information of the file comprises at least an encryption algorithm and an encryption key length.
In the above method, the decryption program decrypts with the symmetric or asymmetric key corresponding to the one used by the encryption program.
The above method further comprises a step of removing the real-time data security, i.e., removing the real-time encryption/decryption mechanism from the secure partition, which comprises: unmounting the secure partition, whereupon the folder reverts to an ordinary folder; and deleting the real-time encryption/decryption entry.
Another embodiment of the present invention adds an identity-identification mechanism to the encryption/decryption process. The method comprises: the file system of the operating system first receives the store instruction for a file; an identity-identification attachment flow is then executed, attaching an identification handle to the file's attributes; the encryption flow is then executed, attaching to the file the real-time encryption/decryption entry that was attached when the secure partition was created; and the store is then carried out.
In the above method, the identification attachment flow is carried out specifically for this file.
In the above method, the identification attachment flow is carried out for all files stored in the secure partition.
In the above method, the step of attaching the identification handle attaches a password to the file's attributes.
In the above method, the step of attaching the identification handle attaches to the file's attributes digital data produced by converting a biometric feature.
In the above method, the biometric feature is a fingerprint.
In the above method, the biometric feature is one of a palm print, iris, retina, face, ear shape, voiceprint, or the vein pattern of the fingers, palm, or back of the hand.
In the above method, when the real-time encryption/decryption entry is attached, the real-time encryption/decryption module generates a symmetric or asymmetric key.
In the above method, the identification handle is additionally attached to further provide a personal identification mechanism for the user.
Corresponding to the store procedure, when the file is later accessed a real-time decryption step must be performed, comprising: the operating system's file system first receives an access instruction for the file; the identity-identification information is extracted from the file and the identification program is executed; the encryption/decryption information in the file is then extracted and the decryption program is executed.
The creation of the secure partition comprises creating a folder in a partition of the operating system, using a real-time encryption/decryption module to attach the real-time encryption/decryption entry to the folder's attributes, hiding the folder, and mounting the folder as the secure partition; in this embodiment an identity-identification means is also added to further provide a personal identification mechanism for the user.
In the above method, the extracted encryption/decryption information of the file comprises at least an encryption algorithm and an encryption key length.
In the above method, the identity-identification information extracted corresponds to the identification handle attached to the file when it was stored to the secure partition.
In the above method, the identification program uses a hook procedure generated by a hook function of the operating system to intercept access to the file and perform identity authentication.
The above method further comprises a step of removing the real-time data security, i.e., removing the real-time encryption/decryption mechanism from the secure partition, which comprises: unmounting the secure partition, whereupon the folder reverts to an ordinary folder; deleting the identification handle; and deleting the real-time encryption/decryption entry.
The present invention provides a real-time data security method running in an operating system, characterized in that the method comprises: creating a folder in the operating system and hiding it; using a real-time encryption/decryption module to attach a real-time encryption/decryption entry to the folder's attributes; mounting the folder as a secure partition; receiving a store instruction for a file, the store instruction being received by the operating system's file system; executing an encryption program; attaching the real-time encryption/decryption entry to the file's attributes; and carrying out the store.
The present invention also provides a real-time data security method running in an operating system, characterized in that the method comprises: creating a folder in the operating system and hiding it; adding an identification handle to establish an identity-recognition mechanism for the folder; using a real-time encryption/decryption module to attach a real-time encryption/decryption entry to the folder's attributes, so that the folder can be mounted as a secure partition; receiving a store instruction for a file, the store instruction being received by the operating system's file system; executing the identity-identification attachment flow, attaching the identification handle to the file's attributes; executing an encryption flow, using the real-time encryption/decryption module to attach the real-time encryption/decryption entry to the file's attributes; and carrying out the store, storing the file in the secure partition.
Description of the drawings
Fig. 1 is a schematic of a prior-art encrypting file system;
Fig. 2 is a flow chart of creating a secure folder in the real-time data security method of the present invention;
Fig. 3 is a flow chart of creating a secure virtual partition in the real-time data security method of the present invention;
Fig. 4 is a flow chart of creating a secure virtual partition and adding the real-time encryption entry in the real-time data security method of the present invention;
Fig. 5 shows a first embodiment of the real-time data security method of the present invention applied to file data stored on a storage medium;
Fig. 6 shows a second embodiment of the real-time data security method of the present invention applied to file data stored on a storage medium;
Fig. 7 shows a third embodiment of the real-time data security method of the present invention applied to file data stored on a storage medium;
Fig. 8 is a schematic of an embodiment of the real-time data security method of the present invention;
Fig. 9 shows the file store procedure in the real-time data security method of the present invention;
Fig. 10 shows the file store procedure in the real-time data security method of the present invention;
Fig. 11 shows the file access procedure in the real-time data security method of the present invention;
Fig. 12 shows the file access procedure in the real-time data security method of the present invention;
Fig. 13 is a flow chart of removing the real-time encryption/decryption mechanism in the real-time data security method of the present invention.
The reference numerals are as follows:
12 file system
14 encrypting file system driver
10 storage volume
16 computer system I/O
18 encryption/decryption service module
50 storage medium
501 file data
52 partition K
503 real-time encryption/decryption means
505 key encryption
507 key decryption
80 computer screen
82 virtual partition
84 scanning window
86 user
88 file
85 fingerprint scanner
Detailed description of the embodiments
The present invention performs real-time encryption and decryption of the data of a computer system when it is stored or read, applying confidentiality measures to files accessed in a particular space. The embodiment runs an encryption program when a file is stored and at the same time introduces an identity-identification means, increasing the confidentiality of the file, preventing unauthorized access by others, and ensuring that even a person permitted to access the file cannot read it if identification fails. Operations such as reading, deleting, or moving require a decryption program and likewise complete only in cooperation with the identification means.
The present invention uses on-the-fly encryption (OTFE) within a region. OTFE is a disk encryption software technique applied to floppy disks, hard disks, or other non-volatile storage media: once the storage medium has this real-time encryption software loaded for a particular space or folder, files accessed in that space or folder are encrypted or decrypted immediately. The embodiment needs to run on an operating system that supports the OTFE technique; an encryption program is applied when a file is stored and a decryption program when it is read.
The most preferred embodiment of the present invention creates a folder on an existing partition of the computer system, such as the C or D partition, and mounts it as a secure partition. Its flow is shown, for example, in Fig. 2:
In the operating system of a computer system, such as Microsoft Windows (TM) (though not limited to that operating system), whose file system may be FAT, FAT32, or NTFS (again not limited to these), the hard disk or other storage medium has already been divided into partitions such as C and D. Under this precondition, to achieve data confidentiality, the secure-folder creation flow begins (step S201). The present invention creates a folder in one of the partitions (step S203) and uses a real-time encryption/decryption module (which may be real-time encryption/decryption software or hardware) to attach a real-time encryption/decryption entry (OTFE entry) to the folder's attributes (step S205). The folder then carries the real-time encryption/decryption attribute. To provide the encryption/decryption function, known methods such as symmetric encryption are used so that the real-time encryption/decryption module encrypts and decrypts the data inside. When data is accessed, the module retrieves the encryption key from a particular storage space provided by the present invention, which may be a storage space that carries the real-time encryption/decryption attribute or one that does not, and the key is passed to the module for use; the key length can be chosen from several options. The folder with the encryption/decryption entry attached thereby becomes a secure folder (step S207).
When the user stores a file in this secure folder, it is encrypted in real time by the real-time encryption/decryption module; when the user retrieves, moves, modifies, or deletes the file, the module decrypts it in the course of retrieval, thereby achieving real-time encryption and decryption.
The encryption/decryption mechanism used in the file system of the computer system includes an embodiment in which the user and the computer system both use a symmetric cipher, i.e., both sides use the same key for encryption and decryption.
The embodiment shown in Fig. 3 goes further by mounting the above secure folder as a virtual partition, so that files accessing the virtual partition are encrypted and decrypted in real time.
As in Fig. 2, in an established operating system environment, the secure-partition creation flow begins (step S301). A folder is created in one of the partitions (step S303) and hidden, i.e., set to a state that cannot be viewed without special permission or configuration, so that ordinary users cannot browse the folder directly (step S305). The real-time encryption/decryption module is then run to attach the real-time encryption/decryption entry to the folder, giving it the real-time encryption/decryption attribute (step S307). The folder is then mounted or set as a virtual partition (step S309). In use, this virtual partition is an ordinary partition to the user. When the virtual partition is remounted, the partition table, which records the start of each partition, needs to be updated so that the virtual partition appears no different to the user from the pre-existing partitions. When the user stores a file into this secure virtual partition, it is encrypted in real time by the real-time encryption/decryption module, and accessing files in it produces the real-time encryption/decryption function.
Fig. 4 shows, when the secure virtual partition is created, the further addition of an identity-identification means, a personal identification mechanism for the user, so that when the secure virtual partition or a file in it is accessed, unauthorized persons cannot access the file. In the operating system and associated file system environment, the secure-partition creation flow begins (step S401). A folder is first created (step S403) and then hidden, set to a state that cannot be viewed without special permission or configuration, so that ordinary users cannot browse it directly (step S405). The handle needed by the identification mechanism is then added to the folder, so that identification can provide further protection for the data files at access time. The identity-identification flow requires that identification data be established first, for example by converting the user's password or biometric feature into digital data to form a user authentication database that serves as the comparison reference at authentication time. This preferred embodiment uses a hook procedure produced by a hook function of the operating system to intercept access operations that require identification, releasing them only after identity authentication succeeds (step S407). After the identification mechanism has been added, the real-time encryption/decryption module attaches the real-time encryption/decryption entry to the hidden folder, giving it the real-time encryption/decryption attribute (step S409). Thus, besides keeping the files confidential, others who access this virtual partition cannot open files that carry the identification attribute. The folder is then mounted or set as a virtual partition (step S411). As above, the user sees this virtual partition as an ordinary partition like C or D, no different from the pre-existing partitions, but it carries both the real-time encryption/decryption and identification attributes. When the user stores a file into this secure virtual partition, the real-time encryption/decryption module encrypts it in real time with symmetric encryption, in combination with identification authentication; accessing files in it produces both real-time encryption/decryption and authentication. Reading a file therefore requires authentication in addition to decryption before the file can be fully accessed.
The above method of producing a secure folder from a folder, or mounting it as a virtual partition, has no capacity limit; it avoids the single-file capacity limit of the file-mount approach and does not require a space of fixed capacity to be reserved, so storage-medium space beyond what the secured files occupy remains available for other purposes.
Once the above real-time encryption/decryption software is loaded in the computer system, a particular storage-medium space can be designated to run under real-time encryption/decryption; files stored in that space are encrypted in real time, and authorized users retrieve them through a decryption process they do not notice. If the real-time encryption/decryption mechanism is removed from the operating system, the files in that space cannot be read or modified for lack of the decryption flow. For example, if a hard disk drive that has been processed with real-time encryption/decryption is removed or stolen, its files cannot be read or modified without the encryption/decryption mechanism. Data confidentiality is thereby achieved.
The above encryption/decryption process can also be combined with an identification program. This includes setting a password or other text that helps produce a recognition feature when the file is stored; reading the file then requires not only decryption by the encryption/decryption software but also entry of that password (or identification code, chip identification card, etc.) before it can be read. Alternatively, various biometric mechanisms can be used, including inherent physiological features of the human body such as the palm print, iris, retina, face, ear shape, voiceprint, fingerprint, and the vein pattern of the fingers, palm, or back of the hand. That is, when a file is stored in the above storage medium processed with the real-time encryption/decryption technique, an identity-recognition program is added, and reading or modifying the file requires the corresponding identification program to obtain the appropriate access rights. If a hard disk drive processed with real-time encryption/decryption is removed or stolen, or a portable mobile device is lost, its files cannot be read or modified without both the encryption/decryption mechanism and correct identification.
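The identification handle and intercepting hook of Fig. 4 (steps S407 and S411) and the store/access flows with identification, as an added example; this is not code from the patent or from the assignee. It attaches a handle to a file's attributes at store time and installs a hook that intercepts every access, extracts the handle, and releases the call only after verification, for the two handle types the description names: a password, and digital data converted from a biometric feature. The names make_handle, verify_handle, Vault and install_hook are this example's own. The biometric part is a stand-in: a fingerprint is modelled as a short integer feature vector (constructed sample data) matched by total absolute difference against the stored template with a small tolerance so that a noisy re-scan still passes; a real minutiae matcher and the operating system's hook API are out of scope. Note the asymmetry between the two factors: the password can be stored as a salted hash, but biometric data cannot be hashed that way because every scan differs, so the template itself sits in the file attributes, as the description states, which is why the attributes must themselves be protected (by the real-time encryption of the partition).

```python
"""Added example, not the patent's code: identification handle plus hook."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000
MAX_DISTANCE = 2          # tolerance for a noisy re-scan of the feature vector


def make_handle(user: str, password: str = None, fingerprint=None) -> dict:
    """Identification-attachment flow (Fig. 10): build the handle that goes
    into the file's attributes. The password is salted and hashed, never
    stored raw; the biometric digital data is stored as a template."""
    handle = {"user": user}
    if password is not None:
        salt = secrets.token_bytes(16)
        handle["pw_salt"] = salt
        handle["pw_hash"] = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if fingerprint is not None:
        handle["fp_template"] = tuple(fingerprint)   # stand-in for converted feature
    return handle


def _distance(a, b) -> int:
    """Stand-in matcher: total absolute difference between feature vectors."""
    if len(a) != len(b):
        return len(a) + len(b) + MAX_DISTANCE        # guaranteed mismatch
    return sum(abs(x - y) for x, y in zip(a, b))


def verify_handle(handle: dict, password: str = None, fingerprint=None) -> bool:
    """Identification program (Fig. 12): every factor in the handle must match."""
    if "pw_hash" in handle:
        if password is None:
            return False
        h = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), handle["pw_salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(h, handle["pw_hash"]):
            return False
    if "fp_template" in handle:
        if fingerprint is None:
            return False
        if _distance(fingerprint, handle["fp_template"]) > MAX_DISTANCE:
            return False
    return True


class Vault:
    """Files in the secure virtual partition: name -> (handle, data)."""

    def __init__(self):
        self.files = {}

    def store(self, name: str, data: bytes, handle: dict) -> None:
        self.files[name] = (handle, data)

    def access(self, name: str, **credentials) -> bytes:
        """Raw access routine; install_hook replaces it on the instance."""
        return self.files[name][1]


def install_hook(vault: Vault) -> None:
    """Model of step S407: the hook procedure wraps the access routine so that
    every access is intercepted, the handle is extracted from the file's
    attributes, and the call is released only after identification succeeds."""
    original = vault.access

    def hooked(name: str, password: str = None, fingerprint=None) -> bytes:
        handle, _ = vault.files[name]
        if not verify_handle(handle, password=password, fingerprint=fingerprint):
            raise PermissionError(f"identification failed for {name!r}")
        return original(name)

    vault.access = hooked
```

In this model the handle stored with the file is the comparison reference; the description's separate user authentication database would hold the same enrolled data once per user rather than once per file, which is the better place for a biometric template.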
The embodiment in which this symmetric-cipher method is applied to the real-time data security method of the present invention can be illustrated with reference to Fig. 5.
Fig. 5 shows one embodiment in which the real-time data security method of the present invention is applied to file data 501 stored in a storage medium 50 of a computer system. In the figure the storage medium 50 already contains partitions C and D, and a folder is created and mounted as the virtual partition K (52) in the manner described above; partition K is a partition carrying the real-time encryption/decryption attribute, and this example uses a symmetric-cipher technique.
When the real-time encryption/decryption control (OTFE entry) is added to this folder, the real-time encryption/decryption module generates a symmetric key. When file data 501 is stored to partition K (52) in the storage medium 50, the file data 501 passes through the real-time encryption/decryption means (503) and is encrypted (505) with the key. The key consists of many bits, and a digital operation on the key and the file data 501 produces the encrypted ciphertext, so that in partition K (52) the file data 501, when not decrypted, is a mass of garbled code; if the storage medium is improperly obtained, the data content cannot be interpreted.
When the file data 501 is read from partition K (52), it must be decrypted (507) with the same key through the encryption/decryption means (503) described above, which restores the file data 501 from garbled code to the originally readable data.
The encryption/decryption procedure described above is possible because the attributes of this virtual partition include the real-time encryption/decryption control, so the user obtains real-time encryption and decryption without noticing it. In addition, partition K (52) in the figure does not occupy a fixed capacity of the storage medium 50, because the virtual partition is formed by mounting a folder within an existing partition; the capacity occupied by partition K (52) is simply the capacity occupied by the files stored in it.
Fig. 6 shows a second embodiment in which the real-time data security method of the present invention is applied to file data 501 stored in a storage medium 50 of a computer system. In the figure the storage medium 50 is divided into partitions C and D (the partitions are not limited to those described); partition K (52) is a folder created in an original partition and mounted as a virtual partition, partition K being a partition carrying the real-time encryption/decryption attribute (see also Figs. 3 and 4), and this example uses a symmetric-cipher technique.
When the folder is mounted as the virtual partition, that is, when the real-time encryption/decryption control (OTFE entry) and the identification mechanism are added, a symmetric key is generated and, at the same time, identification data are established for identifying the user, such as a personal identification number or a biometric feature converted into digital data.
When file data 501 is stored to partition K (52) in the storage medium 50, it passes through the real-time encryption/decryption means (503) and is encrypted (505) with this key to produce the encrypted ciphertext, so that without proper decryption and without passing identification the content of the file data 501 cannot be interpreted.
When the file data 501 is read from partition K (52), it must be decrypted (507) with the same key through the encryption/decryption means (503) described above, and the identification (509) established when the virtual partition was created must be passed; only then is the file data 501 restored from garbled code to the originally readable data.
In Fig. 6 above, the symmetric key and the identification data are produced when the virtual partition is created and the real-time encryption/decryption control and identification mechanism are added. The third embodiment, shown in Fig. 7, instead adds identification data exclusive to each file, supplied by the user at each file storage; this example does not, however, exclude using the same identification data for every file access.
As shown in the figure, when the virtual partition is created, the real-time encryption/decryption control and the identification mechanism are added, but only the encryption/decryption key is generated by the encryption/decryption means; no user identification data are introduced at that point. Only when file data 501 is about to be stored to the storage medium 50, before encryption by the real-time encryption/decryption means (503), are identification data (509) introduced, such as a personal identification number or a biometric feature converted into digital data; the file is then encrypted (505) with the key and stored to partition K (52).
When file data 501 is stored to partition K (52) in the storage medium 50, it passes through the real-time encryption/decryption means (503) and is encrypted (505) with this key to produce the encrypted ciphertext, and every file data 501 carries its own identification data, so that without proper decryption and without passing identification the content of the file data 501 cannot be interpreted.
When the file data 501 is read from partition K (52), it must be decrypted (507) with the same key through the encryption/decryption means (503) described above, and it must be compared against the identification (509) attached to each file data 501; only then is the file data 501 restored from garbled code to the originally readable data.
The disclosed real-time data security method is not limited to the key-based encryption/decryption technique described above.
Fig. 8 is a schematic diagram of an embodiment using the real-time data security method of the present invention. It shows a computer screen 80 displaying an ordinary partition C and a virtual partition 82 formed by mounting a folder, shown as partition K. When the user 86 opens a file 88 in partition K, the computer system not only performs the decryption process that the user 86 cannot notice but also runs an identity recognition procedure. In the preferred embodiment this is a hook program produced with the hook (HOOK) function of the operating system: when the file 88 is accessed, the program intercepts the access and releases it only after identity authentication succeeds. For example, the computer screen 80 displays a scanning window 84 requesting fingerprint input; the user 86 scans a fingerprint with a fingerprint scanner 85, the biometric feature is converted into digital data and identification is carried out, and the file 88 can be accessed only after identification passes. The many other biometric identification methods (palm print, iris, retina, face, auricle, voiceprint, fingerprint, the distribution of finger, palm or back-of-hand veins, and other inherent physiological characteristics of the human body) are not elaborated here.
Fig. 9 shows the file storage flow of the preferred embodiment of the real-time data security method of the present invention. The user stores a file in a storage medium of the computer system. The file system receives the file storage instruction (step S901) and determines where the file is to be stored: from the partition indicated for the file it judges whether the destination is the secret partition or an ordinary unclassified partition. If the file is to be stored in the secret partition (step S903), the encryption flow of the file system is executed (step S905); according to the real-time encryption/decryption control added when the secret partition was created, the encryption/decryption information is attached to the file, that is, the real-time encryption/decryption control is added to the file (step S907), and the storage process is then carried out (step S909). It is worth mentioning that the encryption flow uses symmetric encryption means, that the file in the secret partition is encrypted into ciphertext, and that the encryption program completes in real time as the file is stored to the secret partition, so the user does not readily perceive the encryption process.
Another embodiment of the present invention adds an identification handle to the file attributes during the storage process in order to establish the identification mechanism; alternatively, an identification flow can be performed for each individual file. The flow of this embodiment is shown in Fig. 10. The user stores a file in a storage medium of the computer system. The file system receives the file storage instruction (step S101) and determines the storage location from the partition indicated for the file, judging whether it is the secret partition or an ordinary unclassified partition. If the file is to be stored in the secret partition (step S103), then in one embodiment, while the identification-adding flow is executed, an identification attachment flow exclusive to this file is carried out, such as adding a password or other personal biometric identification mechanism (step S105). This step is not essential in another embodiment, which does not add the identification mechanism per individual file but applies the same identification attachment flow to all files stored in the secret partition.
Following step S105, or with step S105 omitted, the identification handle is attached to the file when the user stores it, without the user noticing; this handle is the identification mechanism added when the secret partition was created (step S107). The encryption flow of the file system is then executed (step S109): the real-time encryption/decryption control added when the secret partition was created is attached to the file (step S111), after which the file is encrypted and the storage operation is performed (step S113). Likewise, the flow of adding the identification control mechanism and the encryption flow are completed in real time as the file is stored to the secret partition, and the user does not readily perceive the encryption process.
Fig. 11 shows the file access flow of the present invention. When the user needs to access a file stored in the secret partition, the file system receives the file access instruction (step S11) and then determines where the file is stored. When the file is judged to be stored in the secret partition (step S13), the file system executes the decryption program in real time: it first extracts the encryption/decryption information from the file, including the encryption algorithm used and related information such as the encryption key length (step S15), then performs decryption, using the paired symmetric decryption key to decrypt the encrypted file stored in the secret partition into an ordinary file (step S17), and continues with the access process (step S19).
Fig. 12 shows another embodiment of the file access flow of the present invention. When the user accesses a file stored in the secret partition, the file system likewise receives the file access instruction (step S21) and then determines where the file is stored. When the file is judged to be stored in the secret partition (step S22), the file system executes the decryption program in real time: it first extracts the encryption/decryption information from the file, including the encryption algorithm used and related information such as the encryption key length (step S23), then performs decryption, using the paired symmetric decryption key to decrypt the encrypted file stored in the secret partition into an ordinary file (step S24). It then runs the identification program: the identification-related information in the file, including the password or other personal biometric information, is extracted (step S25), identification is carried out against the identification handle that was added to the file when it was stored in the secret partition (step S26), and after authentication the access process continues (step S27). The order of execution of the decryption program and the identification program is interchangeable and is not limited to the steps above.
In the embodiments above, in which a folder is mounted as a virtual partition and the real-time encryption/decryption control is added, or an identification handle is added as well, the encryption/decryption mechanism can be removed when required; the flow for removing the real-time encryption/decryption mechanism is shown in Fig. 13.
First, the virtual partition is un-mounted (step S31), at which point the space of the virtual partition reverts to an ordinary folder. Then the real-time encryption/decryption module described above is used to delete the real-time encryption/decryption control in it, such as the OTFE entry (step S33). If an identification mechanism was added when the virtual partition was created, the identification handle must also be deleted (step S35); if no identification mechanism was added, this step is unnecessary.
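The store, access and removal flows of Figs. 9 to 13, together with the symmetric encryption of Figs. 5 to 7, as an added Python simulation that is not part of the patent or of any product of its assignee. Assumed, because the patent does not specify them: the HMAC-SHA256 counter-mode keystream standing in for the symmetric cipher, the drive labels C: and K:, the attribute names, and the salted hashing of the identification datum.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed drive labels: the patent's figures show ordinary partitions C and D and the
# hidden folder mounted as virtual partition K.
PLAIN_PARTITION = "C:"
SECRET_PARTITION = "K:"
NONCE_LEN, TAG_LEN = 16, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode. The patent names no cipher, so this
    is an assumption; a production OTFE module would use a standard cipher such as AES."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fig. 5 step 505: a key-dependent digital operation on the file data gives the ciphertext.
    An HMAC tag is added so a wrong key or tampering is detected instead of yielding junk."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Fig. 5 step 507: the same symmetric key turns the ciphertext back into readable data."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext does not verify: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def make_id_handle(identity_datum: bytes) -> dict:
    """Identification handle: a salted, stretched hash of the password or of the digital data
    converted from a biometric feature, so the raw datum is never stored with the file."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": hashlib.pbkdf2_hmac("sha256", identity_datum, salt, 100_000)}

def check_id_handle(handle: dict, identity_datum: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", identity_datum, handle["salt"], 100_000)
    return hmac.compare_digest(digest, handle["digest"])

@dataclass
class StoredFile:
    data: bytes                                 # ciphertext in partition K, plaintext elsewhere
    attrs: dict = field(default_factory=dict)   # OTFE entry and identification handle

class FileSystem:
    def __init__(self, partition_identity: Optional[bytes] = None):
        # Mounting the hidden folder as partition K creates the symmetric key (Fig. 5) and, in
        # the Fig. 6 variant, one identification handle for the whole partition.
        self.key = secrets.token_bytes(32)
        self.partition_handle = make_id_handle(partition_identity) if partition_identity else None
        self.files = {}                         # path -> StoredFile

    def store(self, path: str, data: bytes, identity_datum: Optional[bytes] = None) -> None:
        """Figs. 9 and 10: storage instruction, judge the partition, encrypt, attach attributes."""
        if path[:2] != SECRET_PARTITION:                          # S903: ordinary partition
            self.files[path] = StoredFile(data)
            return
        attrs = {"alg": "hmac-sha256-ctr", "key_bits": len(self.key) * 8}   # S907: OTFE entry
        if identity_datum is not None:                            # S105: per-file handle (Fig. 7)
            attrs["id_handle"] = make_id_handle(identity_datum)
        self.files[path] = StoredFile(encrypt(self.key, data), attrs)       # S905 / S909

    def access(self, path: str, identity_datum: Optional[bytes] = None) -> bytes:
        """Figs. 11 and 12: access instruction, judge location, verify identity, decrypt."""
        f = self.files[path]
        if path[:2] != SECRET_PARTITION:                          # S13: not in partition K
            return f.data
        if f.attrs.get("alg") != "hmac-sha256-ctr" or f.attrs.get("key_bits") != len(self.key) * 8:
            raise ValueError("OTFE entry on the file does not match the mounted module")  # S15
        handle = f.attrs.get("id_handle") or self.partition_handle            # S25: per-file first
        if handle is not None:
            if identity_datum is None or not check_id_handle(handle, identity_datum):
                raise PermissionError("identity verification failed")         # S26
        return decrypt(self.key, f.data)                                      # S17 / S24

    def remove_protection(self, identity_datum: Optional[bytes] = None) -> None:
        """Fig. 13: un-mount partition K, decrypt back to ordinary files, drop entry and handle."""
        for path in list(self.files):
            if path[:2] == SECRET_PARTITION:
                plain = self.access(path, identity_datum)                         # S31
                self.files[PLAIN_PARTITION + path[2:]] = StoredFile(plain)        # S33: no entry
                del self.files[path]
        self.partition_handle = None                                              # S35
```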
The drawings accompanying the real-time data security method described above are provided for reference and explanation only and are not intended to limit the present invention.
In summary, the present invention is a real-time data security method in which a real-time encryption/decryption control is added to an ordinary folder and a virtual partition is created, so that files in the virtual partition are encrypted and decrypted in real time upon access; it can also be combined with an identity recognition mechanism to achieve data confidentiality.
The above is only a preferred possible embodiment of the present invention and does not limit the scope of its claims; all equivalent structural changes made using the content of the description and drawings of the present invention are likewise contained within the scope of the present invention.

Claims (24)

1. A real-time data security method operating in an operating system, characterized in that the method includes:
creating a folder in the operating system and hiding the folder;
using a real-time encryption/decryption module to attach a real-time encryption/decryption control to the attributes of the folder;
mounting the folder as a secret partition;
receiving a storage instruction for a file, the storage instruction being received by the file system of the operating system;
executing an encryption program;
attaching the real-time encryption/decryption control to the attributes of the file; and
performing storage processing.
2. The real-time data security method of claim 1, characterized in that it is first judged whether the location where the file is to be stored is the secret partition or an ordinary unclassified partition, and the encryption program is executed when the file is to be stored in the secret partition.
3. The real-time data security method of claim 1, characterized in that the encryption program encrypts with a symmetric key.
4. The real-time data security method of claim 1, characterized in that the encryption program encrypts with an asymmetric key.
5. The real-time data security method of claim 1, characterized in that the secret partition is hidden within a partition of the operating system.
6. The real-time data security method of claim 1, characterized in that, when the real-time encryption/decryption control is attached to the attributes of the folder, the real-time encryption/decryption module generates a symmetric or asymmetric key.
7. The real-time data security method of claim 1, characterized in that, when the file is subsequently accessed, a real-time decryption step is performed, including:
receiving an access instruction for the file, the access instruction being received by the file system of the operating system;
extracting the encryption/decryption information in the file; and
executing a decryption program.
8. The real-time data security method of claim 7, characterized in that the encryption/decryption information extracted from the file comprises at least an encryption algorithm and an encryption key length.
9. The real-time data security method of claim 7, characterized in that the decryption program decrypts using the symmetric or asymmetric key corresponding to the one used by the encryption program.
10. The real-time data security method of claim 1, characterized in that it further comprises a step of removing the real-time data security, in which the step of removing the real-time encryption/decryption mechanism from the secret partition comprises:
un-mounting the secret partition, whereupon the folder reverts to an ordinary folder; and
deleting the real-time encryption/decryption control.
11. A real-time data security method operating in an operating system, characterized in that the method includes:
creating a folder in the operating system and hiding the folder;
adding an identity identification handle to the folder to establish an identity recognition mechanism;
using a real-time encryption/decryption module to attach a real-time encryption/decryption control to the attributes of the folder, so that the folder is mounted as a secret partition;
receiving a storage instruction for a file, the storage instruction being received by the file system of the operating system;
executing an identity identification attachment flow, attaching the identification handle to the attributes of the file;
executing an encryption flow;
using the real-time encryption/decryption module to attach the real-time encryption/decryption control to the attributes of the file; and
performing storage processing, storing the file in the secret partition.
12. The real-time data security method of claim 11, characterized in that the identification attachment flow performs an identification attachment flow exclusive to the file.
13. The real-time data security method of claim 11, characterized in that the identification attachment flow is performed for all files stored in the secret partition.
14. The real-time data security method of claim 11, characterized in that the step of attaching the identification handle to the attributes of the file uses a password attached to the attributes of the file.
15. The real-time data security method of claim 11, characterized in that the step of attaching the identification handle to the attributes of the file uses digital data produced by converting a biometric feature, attached to the attributes of the file.
16. The real-time data security method of claim 15, characterized in that the biometric feature is a fingerprint.
17. The real-time data security method of claim 15, characterized in that the biometric feature is a palm print, iris, retina, face, auricle, voiceprint, finger vein distribution, palm vein distribution or back-of-hand vein distribution.
18. The real-time data security method of claim 11, characterized in that the secret partition is hidden within a partition of the operating system.
19. The real-time data security method of claim 11, characterized in that, when the real-time encryption/decryption control is attached to the attributes of the folder, the real-time encryption/decryption module generates a symmetric or asymmetric key.
20. The real-time data security method of claim 11, characterized in that, when the file is subsequently accessed, a real-time decryption step is performed, including:
receiving an access instruction for the file, the access instruction being received by the file system of the operating system;
extracting the identification information in the file;
executing an identity recognition program;
extracting the encryption/decryption information in the file; and
executing a decryption program.
21. The real-time data security method of claim 20, characterized in that the encryption/decryption information extracted from the file comprises at least an encryption algorithm and an encryption key length.
22. The real-time data security method of claim 20, characterized in that the identity identification information corresponds to the identification handle added to the file when it was stored in the secret partition.
23. The real-time data security method of claim 20, characterized in that the identification program uses a hook program produced by the hook function of the operating system to intercept the file and perform identity authentication.
24. The real-time data security method of claim 11, characterized in that it further comprises a step of removing the real-time data security, in which the step of removing the real-time encryption/decryption mechanism from the secret partition comprises:
un-mounting the secret partition, whereupon the folder reverts to an ordinary folder;
deleting the identification handle; and
deleting the real-time encryption/decryption control.
CN200610107436A 2006-07-24 2006-07-24 Real-time data security method Expired - Fee Related CN101114256B (en)

Publications (2)

Publication Number Publication Date
CN101114256A CN101114256A (en) 2008-01-30
CN101114256B true CN101114256B (en) 2010-05-12

Family

ID=39022611

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING INTERNATIONAL SCIENCE AND TECHNOLOGY CO.

Free format text: FORMER OWNER: JING-HU TECHNOLOGY CO., LTD.

Effective date: 20080613

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20080613

Address after: Taipei City, Taiwan, China

Applicant after: Jingda International Technology Corp.

Address before: Taipei City, Taiwan, China

Applicant before: Jing Hu Polytron Technologies Inc.

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100512

Termination date: 20210724