CN101604296A - Disk-data sector-level encryption method - Google Patents

Info

Publication number: CN101604296A
Application number: CNA2009103049606A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 许元进, 吴滨华, 杨小焰, 林华斌, 吴慧明, 洪跃强
Original and current assignee: FUJIAN ETIM INFORMATION TECHNOLOGY Co Ltd
Application filed by FUJIAN ETIM INFORMATION TECHNOLOGY Co Ltd

Abstract

The present invention relates to the field of disk data encryption, and in particular to a disk-data sector-level encryption method. A data encryption/decryption module is placed between the operating system and the disk and completely takes over the read and write requests that the operating system and application software issue to the disk. When data is written to the disk, the module first obtains control, encrypts the data according to the password entered by the user, and then writes the encrypted data to the designated disk location; when data is read from the disk, the module likewise obtains control first, reads the data from the designated disk location, decrypts it according to the password entered by the user, and then hands the decrypted data to the requesting program. The module stores a one-way hash value of the user's preset authentication password at a designated location; when an unknown user logs in to the system and enters a password, the one-way hash value of the entered password is compared with the one-way hash value of the authentication password to verify that the user is legitimate. This encryption method is hard to crack and gives good encryption results.

Description

Disk-data sector-level encryption method
Technical field
The present invention relates to the field of disk data encryption, and in particular to a disk-data sector-level encryption method.
Background technology
Disk data encryption methods, classified by the level at which encryption is applied, fall into two broad classes: disk-level (sector-level) encryption and file-level encryption. Compared with file-level encryption, disk-level encryption has the following advantages:
High encryption strength and good security. Because encryption at this level is applied directly to the physical sectors of the disk, without regard to logical storage concepts such as files, all data stored on the disk is encrypted. By contrast, a file-level encryption algorithm generally encrypts only the files the user designates, and while the user works with these files the system usually stores temporary backup copies of them locally, for example in the temp directory. Although such temporary files are normally deleted after use, for various reasons the system may fail to delete them promptly after creating them. Moreover, even when a temporary file has been deleted, as long as the data area it occupied has not been overwritten or encrypted, it can easily be recovered by means such as undeletion. Disk-level encryption is therefore safer than file-level encryption.
Within sector-level encryption methods there are, further:
1. Modifying the hard disk boot information table: this method is comparatively easy to crack. Subfunction 02H of INT 13H can read cylinder 0, head 0, sector 1, and the data at the relevant positions can be repaired from experience to unlock the hard disk, because the data at these positions is normally fixed or limited to a few cases; otherwise the hard disk cannot be unlocked and accessed.
2. Partition access control: this method uses the partition table structure of each logical disk in the hard disk partition table and is implemented with assembly programming; it is prone to damage and does not allow the system to be reinstalled.
The above methods are easy to crack, do not truly encrypt the data, and may cause large numbers of files to be damaged and important information to be lost.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art by providing a disk-data sector-level encryption method that is hard to crack and gives good encryption results.
To achieve the above object, the present invention provides a disk-data sector-level encryption method in which a data encryption/decryption module is placed between the operating system and the disk;
The data encryption/decryption module completely takes over the read and write requests that the operating system and application software issue to the disk. When the system writes data to the disk, the module first obtains control, encrypts the data to be written according to the password entered by the user, and then writes the encrypted data to the designated disk location; when the system reads data from the disk, the module likewise obtains control first, reads the data from the designated disk location, decrypts it according to the password entered by the user, and then hands the decrypted data to the requesting program;
The data encryption/decryption module stores a one-way hash value of the user's preset authentication password at a designated location. When an unknown user logs in to the system and enters a password, the module computes the one-way hash of the entered password and compares the result with the one-way hash value of the authentication password. If they are identical, the unknown user is judged to be a legitimate user and the read and write operations the user requests are carried out on the disk; if they differ, the unknown user is judged to be an illegitimate user and the user's read and write requests to the disk are refused.
The beneficial effect of the invention is that, by using encryption at the physical sector level, all data kept on the hard disk, including the operating system itself, can be encrypted: any data stored on the disk is encrypted, so an unauthorized user can see neither the contents of the files on the hard disk nor even the names of any files kept on the disk.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Description of drawings
Fig. 1 is a schematic diagram of encryption and decryption in an embodiment of the invention.
Fig. 2 is a flowchart of the computer start-up process in an embodiment of the invention.
Embodiment
In the disk-data sector-level encryption method of the present invention, a data encryption/decryption module is placed between the operating system and the disk, as shown in Fig. 1.
The data encryption/decryption module completely takes over the read and write requests that the operating system and application software issue to the disk. When the system writes data to the disk, the module first obtains control, encrypts the data to be written according to the password entered by the user, and then writes the encrypted data to the designated disk location; when the system reads data from the disk, the module likewise obtains control first, reads the data from the designated disk location, decrypts it according to the password entered by the user, and then hands the decrypted data to the requesting program.
The data encryption/decryption module stores a one-way hash value of the user's preset authentication password at a designated location. When an unknown user logs in to the system and enters a password, the module computes the one-way hash of the entered password and compares the result with the one-way hash value of the authentication password. If they are identical, the unknown user is judged to be a legitimate user and the read and write operations the user requests are carried out on the disk; if they differ, the unknown user is judged to be an illegitimate user and the user's read and write requests to the disk are refused.
As shown in Fig. 2, the start-up process of a computer whose disk data is encrypted with this method differs from the prior art and comprises the following steps:
(1) start the computer;
(2) request the user to enter a password;
(3) the data encryption/decryption module computes the one-way hash of the password entered by the user;
(4) the result is compared with the one-way hash value of the preset authentication password; if they are identical, the user is judged to be a legitimate user, and the system boot data is read from the designated disk location and decrypted according to the password entered by the user;
(5) the operating system is loaded in the usual way.
The present invention implements the encryption of disk data through two processes: encryption on data write and decryption on data read. Since both writing and reading require the correct password to perform the encryption or decryption, the invention, for the user's convenience and so as not to change the user's habits, adopts a method of dynamic encryption and decryption: after a legitimate user enters the correct password and logs in to the system, the data encryption/decryption module automatically saves the password the user entered. When the user performs a write operation, the module automatically loads the saved password to encrypt the data to be written; when the user performs a read operation, the module reads the data from the designated disk location and automatically loads the saved password to decrypt it. Writing and reading are thus transparent to the legitimate user, who notices no difference in data operations after the encryption method of the invention is adopted: the data stored on the disk looks exactly the same as unencrypted data and can be used directly in the normal way.
The principle of all disk encryption schemes is the same and can be abstracted as the theory of the hook: somewhere on the path the data takes from the user interface to the disk, a processing routine of one's own, the "hook", is installed. When a write request arrives, the data is first passed through a mathematical transformation and then the processing routine on the original path is called to write it to the disk; when a read request arrives, the data is first passed through the inverse transformation and then delivered to the upper-layer application. The encryption method of the present invention uses a filter-layer driver to implement hard disk encryption, that is, the hook is placed in the layer below the disk driver, and by completely taking over the operating system's read and write requests to the disk it encrypts and decrypts at the sector level; its coverage is the same as that of hardware encryption, namely the whole disk. This hook is not a simple replacement of a function address in the usual sense but is realized by a complete filter-layer device driver. At the hardware driver layer it provides an access interface independent of the hard disk, and the upper layers treat the hard disk as a continuous storage medium; at the I/O service interface layer it provides a file system access interface independent of the file system format, and the upper layers treat the hard disk as a unified file system regardless of its format. Because it is implemented with a relatively low-level driver that can integrate closely with the operating system, it is faster and encrypts more thoroughly. This hard disk encryption method is fast, its algorithm can be varied, it is independent of the file system, and it has a wide range of applicability. Although, because a driver is used, it is harder to implement than a user-layer application program, it integrates with the operating system and its implementation mechanism is the same on different platforms, so it has better adaptability.
The present invention can use currently popular international encryption algorithms, and several algorithms are available for the user to choose from. From the principles of modern cryptography it is known that, without the key, even a cracker who knows the encryption algorithm and other such preconditions finds it very difficult to decrypt the encrypted data; when the key length set by the user reaches 16 characters or more, theoretical analysis shows that, at the computing speed of present-day computers, the time required to decrypt the encrypted data is counted in units of a million years.
After the user has entered the key and the computer has started normally, the data stored on the disk is transparent to the user (that is, from the user's point of view the data stored on the disk is plaintext). The encryption method of the present invention therefore cannot prevent other users from copying the user's data over the network or other transmission media while the computer is in normal use; it applies only when the computer is shut down, in hibernation, or lost (in that case the computer is generally shut down or in hibernation, and from the principle of Etim-DiskEnc all data stored on the disk is encrypted, so in the shut-down or hibernated state the key must be entered to decrypt the data on the disk), and in those cases it can ensure that the data in the computer is not disclosed.
The security of the disk data encrypted by the present invention depends entirely on the password preset by the user. To prevent cracking, the encryption method of the invention does not store the user's preset password on the disk but only the one-way hash value of the preset password, which is used to check the correctness of the password entered by an unknown user; from established cryptographic theory it is known that the original preset password cannot be derived backwards from the hash value. In fact, the encryption method of the invention may also store no password-related information at all on the disk, so that whatever key the user enters, execution simply continues. Under this flow, the disk data is correctly decrypted only when the password the user entered is correct; otherwise the "decrypted" data is merely random, the operating system naturally cannot start, and the user can only restart the computer and enter the correct password to use the computer again.
Of course, as follows from the above analysis, when the encryption method of the invention is used and the password is lost, the data on the disk cannot be recovered. The user must therefore firmly remember the preset encryption password after setting it.
The above is a preferred embodiment of the present invention; all changes made according to the technical solution of the invention, as long as the function produced does not exceed the scope of the technical solution of the invention, fall within the protection scope of the invention.
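The module of Fig. 1, the start-up check of Fig. 2 and the hash-only storage of the password discussed above, as an added example written for this page (not code from the patent or from Etim-DiskEnc): a Python model of a sector-level encryption module that takes over every read and write, keeps only a salted one-way hash of the preset password at a designated sector, refuses requests until the hash comparison succeeds, and caches a derived key so that operation is transparent afterwards. The class and method names, the PBKDF2-HMAC-SHA256 hash, the HMAC-SHA256 counter-mode keystream standing in for the unnamed cipher, caching the derived key rather than the password itself, and the per-sector tweak (which goes beyond the text: it stops two sectors holding identical plaintext from producing identical ciphertext) are all assumptions of the example.

```python
"""Model of a sector-level encryption module placed between the OS and the disk.

Constructed example: the "disk" is an in-memory list of 512-byte sectors. Sector 0
is the designated location holding a salt and the one-way hash of the preset
password; data sectors are encrypted on write and decrypted on read. AES is not in
the Python standard library, so the cipher is an HMAC-SHA256 keystream in counter
mode keyed per sector, and the one-way hash is PBKDF2-HMAC-SHA256 (both are
assumptions of this example, not algorithms named by the patent).
"""
import hashlib
import hmac
import os

SECTOR_SIZE = 512
HEADER_SECTOR = 0        # designated location for the authentication hash
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000


class SectorCryptoModule:
    def __init__(self, sector_count: int) -> None:
        # Raw disk image: what rests on the platters is always ciphertext.
        self.disk = [bytes(SECTOR_SIZE) for _ in range(sector_count)]
        self._key = None     # data key, cached only after a successful login

    @staticmethod
    def _hash(password: str, salt: bytes, purpose: bytes) -> bytes:
        # Domain separation: the verifier stored on disk must never equal the
        # key that encrypts the sectors, although both derive from the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt,
                                   PBKDF2_ROUNDS)

    def preset(self, password: str) -> None:
        """Store salt + one-way hash of the authentication password (no plaintext)."""
        salt = os.urandom(SALT_LEN)
        verifier = self._hash(password, salt, b"auth")
        self.disk[HEADER_SECTOR] = (salt + verifier).ljust(SECTOR_SIZE, b"\0")

    def login(self, password: str) -> bool:
        """Hash the entered password and compare it with the stored hash."""
        header = self.disk[HEADER_SECTOR]
        salt, stored = header[:SALT_LEN], header[SALT_LEN:SALT_LEN + 32]
        if not hmac.compare_digest(self._hash(password, salt, b"auth"), stored):
            self._key = None             # unknown user: refuse all requests
            return False
        self._key = self._hash(password, salt, b"data")
        return True

    def _keystream(self, sector: int) -> bytes:
        # Per-sector keystream: the sector number acts as the tweak, so equal
        # plaintext in two sectors yields different ciphertext.
        out, counter = b"", 0
        while len(out) < SECTOR_SIZE:
            msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            counter += 1
        return out[:SECTOR_SIZE]

    def _xor(self, data: bytes, sector: int) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(sector)))

    # The hook: every write is encrypted first, every read is decrypted after.
    def write_sector(self, sector: int, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError("no valid login: write request refused")
        if sector == HEADER_SECTOR or len(plaintext) != SECTOR_SIZE:
            raise ValueError("bad sector number or sector size")
        self.disk[sector] = self._xor(plaintext, sector)

    def read_sector(self, sector: int) -> bytes:
        if self._key is None:
            raise PermissionError("no valid login: read request refused")
        if sector == HEADER_SECTOR:
            raise ValueError("header sector is not user data")
        return self._xor(self.disk[sector], sector)
```

As the text notes, nothing in the header lets the password be recovered, so losing it also loses the data key and every data sector with it.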

Claims (3)

1. A disk-data sector-level encryption method, characterized in that: a data encryption/decryption module is placed between the operating system and the disk;
The data encryption/decryption module completely takes over the read and write requests that the operating system and application software issue to the disk. When the system writes data to the disk, the module first obtains control, encrypts the data to be written according to the password entered by the user, and then writes the encrypted data to the designated disk location; when the system reads data from the disk, the module likewise obtains control first, reads the data from the designated disk location, decrypts it according to the password entered by the user, and then hands the decrypted data to the requesting program;
The data encryption/decryption module stores a one-way hash value of the user's preset authentication password at a designated location. When an unknown user logs in to the system and enters a password, the module computes the one-way hash of the entered password and compares the result with the one-way hash value of the authentication password. If they are identical, the unknown user is judged to be a legitimate user and the read and write operations the user requests are carried out on the disk; if they differ, the unknown user is judged to be an illegitimate user and the user's read and write requests to the disk are refused.
2. The disk-data sector-level encryption method according to claim 1, characterized in that the start-up process of a computer whose disk data is encrypted with this method comprises the following steps:
(1) start the computer;
(2) request the user to enter a password;
(3) the data encryption/decryption module computes the one-way hash of the password entered by the user;
(4) the result is compared with the one-way hash value of the preset authentication password; if they are identical, the user is judged to be a legitimate user, and the system boot data is read from the designated disk location and decrypted according to the password entered by the user;
(5) the operating system is loaded in the usual way.
3. The disk-data sector-level encryption method according to claim 1 or 2, characterized in that: after a legitimate user enters the correct password and logs in to the system, the data encryption/decryption module automatically saves the password the user entered; when the user performs a write operation, the module automatically loads the saved password to encrypt the data to be written; when the user performs a read operation, the module reads the data from the designated disk location and automatically loads the saved password to decrypt it.

Application CNA2009103049606A, "Disk-data sector-level encryption method": priority date 2009-07-29, filing date 2009-07-29; published 2009-12-16 as CN101604296A; legal status pending. Family ID 41470032; country: CN.


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C12 / RJ01: Rejection of the invention patent application after its publication

Application publication date: 2009-12-16