CN101587524B - Method for encrypting data memory apparatus based on virtual system - Google Patents
Method for encrypting data memory apparatus based on virtual system Download PDFInfo
- Publication number
- CN101587524B CN101587524B CN200910053670.9A CN200910053670A CN101587524B CN 101587524 B CN101587524 B CN 101587524B CN 200910053670 A CN200910053670 A CN 200910053670A CN 101587524 B CN101587524 B CN 101587524B
- Authority
- CN
- China
- Prior art keywords
- virtual system
- virtual
- key
- machine platform
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a method for encrypting data memory apparatus based on virtual system, which belongs to the field of software technique. The method provided by the invention includes the stepsof: (1) establishing a virtual machine platform and several virtual systems; (2) setting a commutative encryption and decryption algorithm module inside the virtual machine platform for providing anencryption algorithm for the virtual system; (3) dividing a data memory apparatus by the virtual machine platform, allotting a data memory space for each virtual system, meanwhile setting a cipher keyand an encryption algorithm for each virtual system; (4) sending the used cipher key to the virtual machine platform when the virtual system accesses the data memory apparatus; (5) executing a consis tency verification for the cipher key of the virtual system by the virtual machine platform, if consistent, and then using the cipher key and the corresponding encryption algorithm for executing a corresponding data-processing. The encryption algorithm provided by the invention is irrelevant to hard disk and VMM, and the encryption algorithm upgrade is convenient; moreover different storage zone can use different encryption keys for improving data safety.
Description
Technical field
The present invention relates to a kind of encryption method, particularly relate to a kind of method for encrypting data memory apparatus based on virtual system, belong to computer software technical field.
Background technology
Current computer virtual technology reaches its maturity, and based on VMM (virtual machine platform) technology, 1 PC can invent multiple computers and run different operating system respectively.
At HD encryption technical elements, current industry has had the cryptographic algorithm of use to be encrypted hard disk, ensures hard disc data security.But existing problems are hard disks is by same key encryption (key+sector auxiliary information) data, cryptographic algorithm is fixing, can not change, other people can utilize the information versatility of some sector storage to learn this sector ciphertext and plaintext, analyze, guess out the possibility of hard disk key.On a hard disk, use same key dangerous in addition, if PC virtual rear computing two or a multiple system respectively, two systems use a key, then more dangerous: a system issues hard disk key, and another system has not then needed key with regard to energy access hard disk data.In addition the AES encryption algorithm that external hard disk adopts does not meet China's regulation, in China according to service condition, has different cryptographic algorithm, commercial: the close cryptographic algorithm of business, government: general close cryptographic algorithm, army: the close cryptographic algorithm of core.Identical hard disk adds above-mentioned three kinds of cryptographic algorithm simultaneously, not easily realizes, also do not meet national regulation.Therefore how the data storage device based on virtual system is encrypted and becomes a problem demanding prompt solution.
Summary of the invention
The object of the present invention is to provide a kind of method for encrypting data memory apparatus based on virtual system, multiple virtual systems that same machine runs can be used the key of different cryptographic algorithm or encryption by respectively, thus improve the security of data.
Technical method of the present invention is:
Based on a method for encrypting data memory apparatus for virtual system, the steps include:
1) in hardware system, set up a virtual machine platform and several virtual systems;
2) an interchangeable enciphering and deciphering algorithm module is set in described virtual machine platform, for providing cryptographic algorithm for virtual system;
3) virtual machine platform divides data storage device, for each virtual system distributes a data space, arranges key and the cryptographic algorithm of each virtual system use simultaneously;
4) during virtual system accessing data storage devices, oneself key used is sent to described virtual machine platform;
5) virtual machine platform carries out consistency checking to the key of this virtual system, if consistent, utilizes key and corresponding adding
Close algorithm carries out corresponding data process.
Described interchangeable enciphering and deciphering algorithm module comprises a virtual system management list, and described virtual system management list field comprises: virtual system feature, cipher key feature, cryptographic algorithm, virtual system data start address, virtual system data space length, True Data memory device start address, True Data memory device storage space length.
Described cipher key feature is the HASH value of key.
If the address that in described method, certain virtual system enciphered data is deposited in described True Data memory device is discontinuous, then each True Data memory device start address of virtual system is added storage space length corresponding to this True Data as this virtual system data space start address.
Described interchangeable enciphering and deciphering algorithm module comprises an access interface, installs, changes or upgrading renewal cryptographic algorithm for virtual system.
Described consistency verification method is: in described virtual machine platform, arrange a confirmation key module, described confirmation key module judges that whether the key received is consistent with the cipher key feature of the corresponding virtual system preserved in described interchangeable enciphering and deciphering algorithm module, carries out described consistency checking.
In described method, if described consistency checking result is inconsistent, then:
A) error message is fed back to virtual system, and record this event;
B) after continuous 3 the transmission false key of virtual system, often receive a secondary key, then suspend this virtual system respective service a period of time, every corresponding many mistakes once, time out doubles, and wherein said a period of time is set as 1 second, and the value of described time out is 2
n-4second, n is the number of times of mistake continuously.
Described virtual machine platform is that described virtual system arranges one or more cryptographic algorithm.
Described cryptographic algorithm comprises SMS4 cryptographic algorithm, 3DES cryptographic algorithm, AES encryption algorithm.
Described data storage device comprises: hard disk, USB flash disk, the network storage equipment.
Flow process of the present invention is as shown in Figure 2:
1. utilize known technology to build a stylobate in the virtual system of VMM, virtual system has multiple, each virtual system has the data space of oneself at hard disk, and the data space of oneself can only be accessed, the data in other virtual systems can not be accessed, virtual system uses the cryptographic algorithm of oneself respectively, and leaves the data on hard disk in the secret key encryption oneself of oneself.
2. utilize known technology, VMM has hard disk de facto control, and the hard disk I/O of all upper-level virtual systems, can be intercepted and captured by VMM, and knows the corresponding hard disc data of access belongs to which virtual system.
3. a built-in interchangeable enciphering and deciphering algorithm module and each system key feature in VMM; Interchangeable enciphering and deciphering algorithm module comprises some cryptographic algorithm; Interchangeable enciphering and deciphering algorithm module comprises an access interface simultaneously, installs, changes or upgrading renewal cryptographic algorithm for virtual system.
3.1. this cipher key feature can be the cipher key feature that known technology generates, as the HASH value of key.
4. during upper-level virtual system access hard disc data, it first utilizes known technology that key is issued VMM, and VMM carries out consistency checking the key of the key received and oneself preservation, examines rear confirmation key aliveness.
4.1. the consistency verification method of this key can be compare the key of upper-level virtual system and the cipher key feature of preservation, also can be do not preserve decrypting feature, and algorithm carries out consistency checking directly to utilize the key of cryptography known technology effectively to confirm;
5. based on the data access requirements being completed virtual system by known technology key and corresponding enciphering and deciphering algorithm;
5.1. data read access requirement can be issue upper-level virtual system with corresponding hard disc data deciphering;
5.2. data write-access requirement can be kept on hard disk with after the data encryption that virtual system is sent;
6. a virtual system different application can use different cryptographic algorithm or different keys;
This enciphered data storage location can be hard disk, also can be USB flash disk, the data storage device that the network storage equipment etc. are like this.
Good effect of the present invention:
1. cryptographic algorithm and hard disk have nothing to do, and VMM has nothing to do, and related algorithm can join in virtual machine by final user, ensure the security of related algorithm;
2. cryptographic algorithm is upgraded conveniently later if needed;
3. arrange according to user, different storage zone uses different encryption keys, improves the security of data;
If 4. there is multiple system on virtual system, these systems can use the key of different cryptographic algorithm or encryption.
Accompanying drawing explanation
Fig. 1, structured flowchart of the present invention;
Fig. 2, method flow diagram of the present invention.
Embodiment
Below in conjunction with accompanying drawing, further describe the specific embodiment of the present invention, structured flowchart of the present invention as shown in Figure 1.
One, system initialization
1. in real hardware system, virtual platform VMM is installed;
2. a preset interchangeable enciphering and deciphering algorithm module access interface is provided in VMM, for upper strata virtual system, associated encryption algorithm can be a kind of, also can be multiple; The cryptographic algorithm such as such as SMS4,3DES, AES;
3. on VMM, virtual system is installed, and key and cryptographic algorithm that in virtual system, data use are set, and the space size that data are preserved, different virtual system can according to the needs of oneself Choice encryption algorithm in interchangeable encryption/decryption module;
4. be virtual system distribution data space on hard disk, the data of interchangeable enciphering and deciphering algorithm module key and its corresponding cryptographic algorithm cryptographic storage
5. (field that virtual system management list comprises is as the feature of key to deposit the feature of this key and hard disk address corresponding to encrypted data in the virtual system management list of interchangeable enciphering and deciphering algorithm module, the cryptographic algorithm that makes, virtual system data start address, length, corresponding true hard disk start address, length, if enciphered data is discontinuous in the address of true hard disk storing, then set up true hard disk start address+storage space length as hard-disc storage space start address corresponding to this virtual system), as shown in table 1:
Table 1, virtual system management list
| Virtual system feature | Cipher key feature | Cryptographic algorithm | Virtual system hard disk start address | Length (sector) | True hard disk start address | Length (sector) |
| VMM_VISTA | Feature 1 | SMS4 | 0 | 102,400 | 25,600 | 102,400 |
| VMM_VISTA | Feature 2 | SMS4 | 102,400 | 512,000 | 128,000 | 512,000 |
| VMM_XP | Feature 3 | 3DES | 0 | 4,096,000 | 640,000 | 4,736,000 |
| VMM_XP | Feature 4 | AES | 4,096,000 | 256,000 | 4,736,000 | 4,992,000 |
In table 1, same virtual system VMM_XP have employed AES and 3DES algorithm respectively according to different application and is encrypted.
Two, during virtual system visit data
1. virtual system sends key to the interchangeable enciphering and deciphering algorithm module in VMM
2. whether interchangeable enciphering and deciphering algorithm module check virtual system key is consistent with the cipher key feature of preserving
If a) inconsistent, error message is fed back to virtual system, and record this event
B) after virtual system continuous several times sends false key (3 times), often receive a secondary key, then suspend this virtual system respective service a period of time, once, time out doubles every corresponding many mistakes.When such as the 4th receives false key continuously, next time provides the respective service time to be after 1 second for virtual system, when such as the 5th receives false key continuously, next time provides the respective service time to be after 2 seconds for a little virtual system, continuous when receiving false key n-th time, next time provides the respective service time to be 2 for a little virtual system
n-4second.
3. interchangeable enciphering and deciphering algorithm module check password consistent after, according in managing listings, select corresponding cryptographic algorithm to carry out data processing
A) data read access requirement, utilizes key and corresponding cryptographic algorithm that upper-level virtual system is issued in corresponding hard disc data deciphering
B) data write-access requirement, is kept on hard disk after the data encryption utilizing key and corresponding cryptographic algorithm that virtual system is sent
Claims (9)
1., based on a method for encrypting data memory apparatus for virtual system, the steps include:
1) in hardware system, set up a virtual machine platform and several virtual systems;
2) an interchangeable enciphering and deciphering algorithm module is set in described virtual machine platform, for providing cryptographic algorithm for virtual system;
3) virtual machine platform divides data storage device, for each virtual system distributes a data space, arranges key and the cryptographic algorithm of each virtual system use simultaneously;
4) during virtual system accessing data storage devices, oneself key used is sent to described virtual machine platform;
5) virtual machine platform carries out consistency checking to the key of this virtual system, if consistent, utilizes key and corresponding cryptographic algorithm to carry out corresponding data process.
2. the method for claim 1, it is characterized in that described interchangeable enciphering and deciphering algorithm module comprises a virtual system management list, described virtual system management list field comprises: virtual system feature, cipher key feature, cryptographic algorithm, virtual system data start address, virtual system data space length, True Data memory device start address, True Data memory device storage space length.
3. method as claimed in claim 2, is characterized in that described cipher key feature is the HASH value of key.
4. method as claimed in claim 2, is characterized in that described interchangeable enciphering and deciphering algorithm module comprises an access interface, installs, changes or upgrading renewal cryptographic algorithm for virtual system.
5. method as claimed in claim 2, it is characterized in that described consistency verification method is: a confirmation key module is set in described virtual machine platform, described confirmation key module judges that whether the key received is consistent with the cipher key feature of the corresponding virtual system preserved in described interchangeable enciphering and deciphering algorithm module, carries out described consistency checking.
6. the method as described in claim 1 or 5, is characterized in that if described consistency checking result is inconsistent, then:
A) error message is fed back to virtual system, and record this event;
B) after continuous 3 the transmission false key of virtual system, often receive a secondary key, then suspend this virtual system respective service a period of time, once, time out doubles every many mistakes, and wherein said a period of time is set as 1 second, and the value of described time out is 2
n-4second, n is the number of times of mistake continuously.
7. the method for claim 1, is characterized in that described virtual machine platform is that described virtual system arranges one or more cryptographic algorithm.
8. the method for claim 1, is characterized in that described cryptographic algorithm comprises SMS4 cryptographic algorithm, 3DES cryptographic algorithm, AES encryption algorithm.
9. the method for claim 1, is characterized in that described data storage device comprises: hard disk, USB flash disk, the network storage equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910053670.9A CN101587524B (en) | 2009-06-23 | 2009-06-23 | Method for encrypting data memory apparatus based on virtual system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910053670.9A CN101587524B (en) | 2009-06-23 | 2009-06-23 | Method for encrypting data memory apparatus based on virtual system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101587524A CN101587524A (en) | 2009-11-25 |
| CN101587524B true CN101587524B (en) | 2015-02-11 |
Family
ID=41371768
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200910053670.9A Active CN101587524B (en) | 2009-06-23 | 2009-06-23 | Method for encrypting data memory apparatus based on virtual system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101587524B (en) |
Families Citing this family (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102009054114A1 (en) * | 2009-11-20 | 2011-05-26 | Siemens Aktiengesellschaft | Method and device for accessing control data according to provided rights information |
| CN102103551A (en) * | 2009-12-22 | 2011-06-22 | 中国长城计算机深圳股份有限公司 | Method and system for encrypting and decrypting storage equipment data, and virtual machine monitor |
| DE102009060686A1 (en) * | 2009-12-29 | 2011-06-30 | Siemens Aktiengesellschaft, 80333 | Method and device for operating a virtual machine according to assigned rights information |
| CN101986285B (en) * | 2010-11-03 | 2012-09-19 | 华为技术有限公司 | Virtual machine storage space management method, system and physical host |
| US8850156B2 (en) | 2010-11-03 | 2014-09-30 | Huawei Technologies Co., Ltd. | Method and system for managing virtual machine storage space and physical host |
| US20120159042A1 (en) * | 2010-12-21 | 2012-06-21 | Western Digital Technologies, Inc. | Data storage device executing a unitary command comprising two cipher keys to access a sector spanning two encryption zones |
| CN102073821B (en) * | 2011-01-27 | 2012-10-31 | 北京工业大学 | XEN platform-based virtual safety communication tunnel establishing method |
| CN102075544A (en) * | 2011-02-18 | 2011-05-25 | 博视联(苏州)信息科技有限公司 | Encryption system, encryption method and decryption method for local area network shared file |
| CN102289631B (en) * | 2011-08-12 | 2014-12-10 | 无锡城市云计算中心有限公司 | Method for realizing virtual safety computing environment |
| CN103873245B (en) * | 2012-12-14 | 2017-12-22 | 华为技术有限公司 | Dummy machine system data ciphering method and equipment |
| CN103530169B (en) * | 2013-10-22 | 2017-01-18 | 中国联合网络通信集团有限公司 | Method for protecting virtual machine files and user terminal |
| WO2016106566A1 (en) | 2014-12-30 | 2016-07-07 | 华为技术有限公司 | Method, apparatus and system for encryption/decryption in virtualization system |
| CN105450638A (en) * | 2015-11-10 | 2016-03-30 | 中国电子科技集团公司第三十研究所 | Virtual machine security control method, management method, system and management system |
| CN106961411B (en) * | 2016-01-08 | 2020-11-27 | 上海木鸡网络科技有限公司 | Data transmission method and system |
| US10303899B2 (en) * | 2016-08-11 | 2019-05-28 | Intel Corporation | Secure public cloud with protected guest-verified host control |
| CN109445902B (en) * | 2018-09-06 | 2021-05-07 | 新华三云计算技术有限公司 | Data operation method and system |
| CN110457924A (en) * | 2019-08-12 | 2019-11-15 | 南京芯驰半导体科技有限公司 | Storing data guard method and device |
-
2009
- 2009-06-23 CN CN200910053670.9A patent/CN101587524B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN101587524A (en) | 2009-11-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101587524B (en) | Method for encrypting data memory apparatus based on virtual system | |
| US8826037B2 (en) | Method for decrypting an encrypted instruction and system thereof | |
| CN110447032A (en) | Storage page between management program and virtual machine converts monitoring | |
| EP1953669A2 (en) | System and method of storage device data encryption and data access via a hardware key | |
| CN104104692A (en) | Virtual machine encryption method, decryption method and encryption-decryption control system | |
| CN105450620A (en) | Information processing method and device | |
| CN104573441A (en) | Computer with data privacy function and data encryption and hiding method thereof | |
| CN109936546B (en) | Data encryption storage method and device and computing equipment | |
| JP2011048661A (en) | Virtual server encryption system | |
| CN105337955A (en) | Domestic, safe and controllable virtual desktop management control system | |
| CN102930223B (en) | Method and system for protecting disk data | |
| CN101488110A (en) | Memory encryption method, apparatus and system | |
| CN101877246A (en) | U disk encryption method | |
| CN101414913A (en) | Computer network authentication system and method based on virtual technology | |
| CN105095945A (en) | SD card capable of securely storing data | |
| CN112507296B (en) | User login verification method and system based on blockchain | |
| CN108491724A (en) | A kind of hardware based computer interface encryption device and method | |
| US20110107109A1 (en) | Storage system and method for managing data security thereof | |
| CN105279453A (en) | Separate storage management-supporting file partition hiding system and method thereof | |
| CN101751531A (en) | File encryption device with USB electronic key | |
| CN105850072A (en) | Data processing system, encryption apparatus, decryption apparatus, and program | |
| CN111177773A (en) | Full disk encryption and decryption method and system based on network card ROM | |
| CN114372242A (en) | Ciphertext data processing method, authority management server and decryption server | |
| CN104468491A (en) | Virtual desktop system and method based on secure channel | |
| CN103745170B (en) | The processing method and processing device of data in magnetic disk |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: HU NAN QIU ZEYOU PATENT STRATEGIC PLANNING CO., LT Free format text: FORMER OWNER: QIU ZEYOU Effective date: 20101101 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 410005 28/F, SHUNTIANCHENG, NO.185, FURONG MIDDLE ROAD, CHANGSHA CITY, HU NAN PROVINCE TO: 410205 JUXING INDUSTRY BASE, NO.8, LUJING ROAD, CHANGSHA HIGH-TECH. DEVELOPMENT ZONE, YUELU DISTRICT, CHANGSHA CITY, HU NAN PROVINCE |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20101108 Address after: 3, No. 168 middle Tibet Road, No. 200001, Shanghai, Huangpu District Applicant after: Acer Computer (Shanghai) Co., Ltd. Address before: 200120, 36 building, International Building, 360 South Road, Pudong New Area, Pudong, Shanghai, Shanghai Applicant before: Beida Fangzheng Science & Technology Computer System Co., Ltd., Shanghai |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |