Summary of the invention
The object of the present invention is to provide a method for encrypting a data storage device based on virtual systems, in which multiple virtual systems running on the same machine can each use a different encryption algorithm or a different encryption key, thereby improving the security of the data.
The technical solution of the present invention is:
A method for encrypting a data storage device based on virtual systems, comprising the following steps:
1) a virtual machine platform and several virtual systems are set up on a hardware system;
2) an interchangeable encryption/decryption algorithm module is provided in the virtual machine platform to supply encryption algorithms to the virtual systems;
3) the virtual machine platform partitions the data storage device, allocates a data storage space to each virtual system, and at the same time sets the key and the encryption algorithm that each virtual system uses;
4) when a virtual system accesses the data storage device, it sends the key it uses to the virtual machine platform;
5) the virtual machine platform performs a consistency check on the key of this virtual system and, if the key is consistent, uses the key and the corresponding encryption algorithm to carry out the corresponding data processing.
The interchangeable encryption/decryption algorithm module comprises a virtual system management list, whose fields include: virtual system feature, key feature, encryption algorithm, virtual system data start address, virtual system data storage space length, real data storage device start address, and real data storage device storage space length.
The key feature is the hash value of the key.
If the addresses at which a virtual system's encrypted data are stored on the real data storage device are not contiguous, then each real data storage device start address of the virtual system, plus the storage space length corresponding to that real data, is recorded as a data storage space start address of this virtual system.
The interchangeable encryption/decryption algorithm module comprises an access interface through which a virtual system can install, replace or upgrade encryption algorithms.
The consistency check is performed as follows: a key confirmation module is provided in the virtual machine platform, and this module judges whether the received key is consistent with the key feature of the corresponding virtual system stored in the interchangeable encryption/decryption algorithm module.
In the method, if the result of the consistency check is that the key is inconsistent, then:
a) an error message is fed back to the virtual system, and the event is recorded;
b) after the virtual system has sent a wrong key 3 consecutive times, each further key received causes the corresponding service for this virtual system to be suspended for a period of time, and with each additional error the suspension time doubles; the period of time is set to 1 second, and the suspension time is $2^{n-4}$ seconds, where n is the number of consecutive errors.
The virtual machine platform sets one or more encryption algorithms for each virtual system.
The encryption algorithms include the SMS4, 3DES and AES encryption algorithms.
The data storage device includes: a hard disk, a USB flash disk, or a network storage device.
The flow of the present invention is shown in Figure 2:
1. using known techniques, a set of VMM-based virtual systems is built; there are multiple virtual systems, each of which has its own data storage space on the hard disk and can access only its own data storage space, not the data of other virtual systems; each virtual system uses its own encryption algorithm and encrypts the data it stores on the hard disk with its own key.
2. using known techniques, the VMM has actual control of the hard disk; all hard disk I/O of the upper-layer virtual systems can be intercepted by the VMM, which knows to which virtual system the accessed hard disk data belongs.
3. an interchangeable encryption/decryption algorithm module and the key feature of each system are built into the VMM; the module contains several encryption algorithms and also an access interface through which a virtual system can install, replace or upgrade encryption algorithms.
3.1. the key feature may be one generated by known techniques, such as the hash value of the key.
4. when an upper-layer virtual system accesses hard disk data, it first sends its key to the VMM using known techniques; the VMM checks the received key for consistency against the key it has stored and, after the check, confirms that the key is valid.
4.1. the consistency check may compare the key of the upper-layer virtual system with the stored key feature; alternatively, no key feature is stored and the check is performed directly with a known cryptographic algorithm for confirming that a key is valid;
5. the data access request of the virtual system is completed with the key and the corresponding encryption/decryption algorithm, using known techniques;
5.1. for a data read request, the corresponding hard disk data may be decrypted and sent to the upper-layer virtual system;
5.2. for a data write request, the data sent by the virtual system may be encrypted and then stored on the hard disk;
6. different applications of one virtual system may use different encryption algorithms or different keys;
The encrypted data may be stored on a hard disk, a USB flash disk, a network storage device or a similar data storage device.
Beneficial effects of the present invention:
1. the encryption algorithm is independent of the hard disk and of the VMM; the relevant algorithm can be added to the virtual machine by the end user, which ensures the security of the algorithm;
2. the encryption algorithm can conveniently be upgraded later if needed;
3. according to the user's settings, different storage areas use different encryption keys, which improves the security of the data;
4. if there are multiple systems on the virtual system, these systems can use different encryption algorithms or different encryption keys.
Embodiment
The specific embodiment of the present invention is described further below with reference to the accompanying drawings; the structural block diagram of the invention is shown in Figure 1.
One, system initialization
1. the virtualization platform VMM is installed on the real hardware system;
2. a preset access interface to the interchangeable encryption/decryption algorithm module is provided in the VMM for the upper-layer virtual systems; there may be one associated encryption algorithm or several, for example SMS4, 3DES and AES;
3. virtual systems are installed on the VMM, and the key and encryption algorithm used for the data in each virtual system, as well as the size of the space in which the data is kept, are set; different virtual systems can select an encryption algorithm from the interchangeable encryption/decryption module according to their own needs;
4. data storage space on the hard disk is allocated to the virtual system; the interchangeable encryption/decryption algorithm module stores the data encrypted with the key and its corresponding encryption algorithm;
5. the feature of this key and the hard disk addresses corresponding to the encrypted data are stored in the virtual system management list of the interchangeable encryption/decryption algorithm module (the fields of the list include the key feature, the encryption algorithm used, the virtual system data start address and length, and the corresponding real hard disk start address and length; if the encrypted data are stored at non-contiguous addresses on the real hard disk, a real hard disk start address + storage space length is set up as a hard disk storage space start address corresponding to this virtual system), as shown in Table 1:
Table 1. Virtual system management list

| Virtual system feature | Key feature | Encryption algorithm | Virtual system hard disk start address | Length (sectors) | Real hard disk start address | Length (sectors) |
|---|---|---|---|---|---|---|
| VMM_VISTA | Feature 1 | SMS4 | 0 | 102,400 | 25,600 | 102,400 |
| VMM_VISTA | Feature 2 | SMS4 | 102,400 | 512,000 | 128,000 | 512,000 |
| VMM_XP | Feature 3 | 3DES | 0 | 4,096,000 | 640,000 | 4,736,000 |
| VMM_XP | Feature 4 | AES | 4,096,000 | 256,000 | 4,736,000 | 4,992,000 |

In Table 1, the same virtual system VMM_XP uses the AES and 3DES algorithms respectively for different applications.
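The lookup that Table 1 supports, as an added example (not code from the patent): given the virtual system and the virtual sector range of an intercepted I/O request, find the matching list entry, its encryption algorithm and the real hard disk sector. The names `Extent` and `resolve` and the offset-based translation are assumptions of this example; requests outside the virtual system's own data space, or spanning two entries with different keys, are rejected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Extent:
    system: str       # virtual system feature
    key_feature: str  # placeholder label, as printed in Table 1
    algorithm: str    # encryption algorithm for this entry
    v_start: int      # virtual system hard disk start address (sector)
    v_len: int        # length of the virtual range (sectors)
    r_start: int      # real (true) hard disk start address (sector)

# Rows of Table 1; the last "Length" column is not needed for the lookup.
TABLE_1 = [
    Extent("VMM_VISTA", "Feature 1", "SMS4", 0, 102_400, 25_600),
    Extent("VMM_VISTA", "Feature 2", "SMS4", 102_400, 512_000, 128_000),
    Extent("VMM_XP", "Feature 3", "3DES", 0, 4_096_000, 640_000),
    Extent("VMM_XP", "Feature 4", "AES", 4_096_000, 256_000, 4_736_000),
]

def resolve(system, v_sector, count=1):
    """Return (entry, real start sector) for a virtual sector range.

    Raises PermissionError when the range is not wholly inside one entry
    owned by `system`, so a virtual system can never reach another
    system's data and one request is never processed under two keys.
    """
    if v_sector < 0 or count < 1:
        raise ValueError("invalid sector range")
    for e in TABLE_1:
        if e.system != system:
            continue
        if e.v_start <= v_sector and v_sector + count <= e.v_start + e.v_len:
            return e, e.r_start + (v_sector - e.v_start)
    raise PermissionError(
        f"{system}: sectors {v_sector}..{v_sector + count - 1} not in one entry")
```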
Two, when a virtual system accesses data
1. the virtual system sends its key to the interchangeable encryption/decryption algorithm module in the VMM
2. the interchangeable encryption/decryption algorithm module checks whether the virtual system's key is consistent with the stored key feature
a) if it is inconsistent, an error message is fed back to the virtual system, and the event is recorded
b) after the virtual system has sent a wrong key several consecutive times (3 times), each further key received causes the corresponding service for this virtual system to be suspended for a period of time, and with each additional error the suspension time doubles. For example, when a wrong key is received for the 4th consecutive time, the corresponding service is next provided to the virtual system after 1 second; when a wrong key is received for the 5th consecutive time, it is next provided after 2 seconds; and when a wrong key is received for the n-th consecutive time, it is next provided after $2^{n-4}$ seconds.
3. after the interchangeable encryption/decryption algorithm module has checked that the key is consistent, it selects the corresponding encryption algorithm according to the management list and processes the data
a) for a data read request, the corresponding hard disk data is decrypted with the key and the corresponding encryption algorithm and sent to the upper-layer virtual system
b) for a data write request, the data sent by the virtual system is encrypted with the key and the corresponding encryption algorithm and then stored on the hard disk
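Steps 1 and 2 of the access flow above, as an added example (not code from the patent): the key consistency check against a stored key feature, with event recording and the 2^(n-4) second suspension after more than 3 consecutive wrong keys. The class and function names, SHA-256 as the hash, the injected `now` clock and resetting the count on a correct key are assumptions of this example.

```python
import hashlib
import hmac

FREE_ATTEMPTS = 3  # consecutive wrong keys tolerated before any suspension

def key_feature(key: bytes) -> bytes:
    # The page gives "hash value of the key"; SHA-256 is this example's choice.
    return hashlib.sha256(key).digest()

def suspension_seconds(n: int) -> int:
    """Suspension after the n-th consecutive wrong key: 0 up to 3, then 2^(n-4)."""
    return 0 if n <= FREE_ATTEMPTS else 2 ** (n - 4)

class KeyConfirmation:
    def __init__(self, stored_features):
        self.stored = dict(stored_features)  # virtual system -> key feature
        self.failures = {}                   # consecutive wrong keys per system
        self.blocked_until = {}              # time at which service resumes
        self.events = []                     # recorded failures (step 2a)

    def check(self, system, key, now):
        """Return (ok, seconds until service is provided again)."""
        wait = self.blocked_until.get(system, 0) - now
        if wait > 0:
            return False, wait  # service suspended: the key is not evaluated
        # Constant-time comparison of the offered key's feature with the stored one.
        if hmac.compare_digest(key_feature(key), self.stored[system]):
            self.failures[system] = 0  # a correct key ends the run of errors
            return True, 0
        n = self.failures.get(system, 0) + 1
        self.failures[system] = n
        delay = suspension_seconds(n)
        self.blocked_until[system] = now + delay
        self.events.append((now, system, n))
        return False, delay
```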