Background technology
As computer technology is applied ever more widely, how to guarantee data security has become the problem users care about most. To guarantee data security, encryption technology is usually used to encrypt the various document data that are stored.
At present, the commonly used encryption technologies mainly fall into two kinds: file encryption technology and disk encryption technology.
First, file encryption technology is introduced. The core of so-called file encryption technology is control and extension based on application processes, and it has the following advantages:
1. Simple deployment: there is no need to change the user's operating habits, nor to change the user's application environment;
2. Simple technology: it involves only process-to-file correspondence technology, temporary file redirection technology and upper-layer hook technology;
3. Simple operation: it is relatively easy for users to understand and accept.
However, the realization of file encryption technology is mainly based on the association between application programs and files, so the security system is closely tied to the application programs. In complex application environments (for example, the manufacturing design and software design industries) the deployability of the security system is very poor; the security system of such an intranet usually needs secondary development because the user's applications are too complex, because an application is upgraded, or because applications are added, which places great restrictions on the user environment, introduces hidden instability and in turn affects the security of the file encryption technology. Further, because file encryption technology employs temporary file redirection, temporary cache files are produced, and these temporary cache files exist on the hard disk in plaintext; an attacker can easily obtain them with publicly available file monitoring tools and defeat the file encryption mechanism by copying such a temporary cache file. Further, using temporary cache files means that each file undergoes two read-write operations on the hard disk, which causes an obvious decline in system efficiency (e.g., a decline of 50%), and the effect on system efficiency is even more obvious when large numbers of files are encrypted. On the other hand, because many hook techniques are applied to application programs, conflicts with software such as anti-virus products are easily caused, making the system unstable and affecting the user's normal use, while the hook techniques themselves also tend to reduce system efficiency.
Next, disk encryption technology is introduced. The core of so-called disk encryption technology is to encrypt the sectors, tracks and so on of the disk and then read from and write to the encrypted disk; it has the following advantages:
1. It is independent of application programs, is compatible with various complex application environments, supports the upgrading and replacement of application programs without product-level secondary development for specific application programs, and its stability and availability are guaranteed.
2. Because temporary file redirection is not used, the number of file read-write operations does not increase, which guarantees that system efficiency does not decline obviously.
However, because disk encryption technology only protects specific file storage areas and lacks any judgement of the confidentiality attributes of the files themselves, it has the following shortcomings: disk encryption technology requires restrictions on where files are stored, so the usage environment must be adjusted to suit the disk encryption technology. Further, disk encryption technology alone cannot prevent files from being leaked over the network or through other channels, and developing a corresponding network security product to integrate network control technology involves great development difficulty and a long cycle. On the other hand, current disk encryption technology has no complete key management mechanism, so there is no effective recovery path once a situation such as a forgotten key occurs.
Summary of the invention
Embodiments of the present invention provide a method and a device for encrypting a hard disk partition, for preventing the leakage of hard disk data and improving the security of hard disk data.
The concrete technical solutions provided by the embodiments of the present invention are as follows:
A method for encrypting a hard disk partition, comprising:
when the operating system boot flow is triggered, performing USBKEY authentication on the user according to the account and password information input by the user;
after confirming that the user has passed the USBKEY authentication, obtaining the encryption key used for hard disk encryption from the USBKEY based on a preset secure transfer protocol;
mounting a specified hard disk partition as an encrypted partition;
using the encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition.
A key management method, comprising:
when the operating system boot flow on a user terminal is triggered, performing USBKEY authentication on the user according to the account and password information input by the user;
after confirming that the user has passed the USBKEY authentication, sending a locally preset encryption key to the user terminal based on a preset secure transfer protocol, so that the user terminal mounts a specified hard disk partition as an encrypted partition and uses the encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition.
A device for encrypting a hard disk partition, comprising:
a login and resource management module, for performing USBKEY authentication on the user according to the account and password information input by the user when the operating system boot flow is triggered;
a mount module, for obtaining the encryption key used for hard disk encryption from the USBKEY based on a preset secure transfer protocol after confirming that the user has passed the USBKEY authentication, and mounting a specified hard disk partition as an encrypted partition;
a file system driver module, for using the encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition.
A key management device, comprising:
a password authentication module, for performing USBKEY authentication on the user according to the account and password information input by the user when the operating system boot flow on a user terminal is triggered;
a key management module, for sending a locally preset encryption key to the user terminal based on a preset secure transfer protocol after confirming that the user has passed the USBKEY authentication, so that the user terminal mounts a specified hard disk partition as an encrypted partition and uses the encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition.
A system for encrypting a hard disk partition, comprising:
a USBKEY, for sending the encryption key used for hard disk encryption to a user terminal based on a preset secure transfer protocol after confirming that the user has passed USBKEY authentication;
a user terminal, for performing USBKEY authentication on the user according to the account and password information input by the user when the operating system boot flow is triggered, obtaining the encryption key from the USBKEY based on the preset secure transfer protocol after confirming that the user has passed the USBKEY authentication, mounting a specified hard disk partition as an encrypted partition, and using the encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition.
In summary, in the embodiments of the present invention, encryption and decryption are implemented dynamically at the operating system driver layer: the mounting and unmounting of hard disk data and the encrypted and decrypted reads and writes are realized by a file system driver, which guarantees real-time encryption and decryption of disk data. Specifically, when the operating system boot flow on the user terminal is triggered and USBKEY authentication has been passed, the encryption key is imported into the operating system securely and at the right time according to the preset secure transport mechanism and is kept only temporarily; after the encryption key is obtained, the user terminal mounts the specified hard disk partition as an encrypted partition and encrypts and decrypts the read and write operations on that partition with the obtained key. In this way, dynamic read/write encryption and decryption of data is achieved at the driver layer through an independent file system driver, which prevents a third party from hijacking the operating system's existing file system with hooks and effectively improves data security; at the same time, the mounting of the encrypted partition is seamlessly integrated with the operating system boot flow, which preserves the efficiency of the hard disk encryption flow, fits users' everyday habits and brings no extra waiting time to the user.
Embodiment
To prevent hard disk data from being leaked and to improve data security, the embodiments of the present invention design an entirely new method for encrypting a hard disk partition. Specifically, during operating system boot, before the system mounts each hard disk partition, USBKEY authentication is performed on the user according to the account and password information input by the user; after confirming that the user has passed this USBKEY authentication, a preset encryption key is obtained from the USBKEY and a specified hard disk partition is mounted as an encrypted partition; then the obtained encryption key is used to encrypt and decrypt the read and write operations performed on the encrypted partition.
In this way, dynamic read/write encryption and decryption of data is realized at the system driver layer, which effectively improves data security.
Preferably, the embodiments of the present invention are applicable to the Windows operating system; other types of operating systems can also realize encryption and decryption of hard disk partitions after adapting the embodiments of the present invention based on the idea of the present invention, which is not repeated here.
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, in an embodiment of the present invention, the detailed flow by which the user terminal encrypts a hard disk partition is as follows:
Step 100: when the operating system boot flow is triggered, the user terminal performs USBKEY authentication on the user according to the account and password information input by the user.
In the embodiment of the present invention, preferably, after inserting the USBKEY into a USB interface of the user terminal, the user restarts the user terminal to trigger the operating system boot. After the boot flow is triggered, the user terminal may first perform operating system login authentication according to the username and password input by the user and, after the login succeeds, perform the USBKEY authentication flow recorded in step 200; alternatively, it may first perform USBKEY authentication according to the account and password information input by the user and, after that verification passes, perform the system login authentication.
Further, preferably, to save the user's operating time, the username and password the user inputs to log in to the operating system and the account and password information used for USBKEY authentication may be set to the same content; in this way the user only needs to input one username and password to complete both USBKEY authentication and operating system login, which effectively improves system efficiency.
On the other hand, when the user terminal performs USBKEY authentication on the user according to the input account and password information, it may carry out the USBKEY authentication locally according to that information, or it may send the account and password information input by the user to the USBKEY, which carries out the USBKEY authentication, and the user terminal then judges the result according to the confirmation fed back by the USBKEY.
Step 110: after confirming that the user has passed USBKEY authentication, the user terminal obtains the encryption key used for hard disk encryption from the USBKEY based on the preset secure transfer protocol.
In the embodiment of the present invention, step 110 is executed concretely as follows:
Step A: the user terminal receives the transport key ciphertext transmitted from the USBKEY and decrypts it in the manner agreed with the USBKEY, obtaining the corresponding transport key.
Step B: the user terminal receives the encryption key ciphertext transmitted from the USBKEY and decrypts it with the obtained transport key, obtaining the corresponding encryption key.
For example, suppose the pair of initial transport keys agreed between the USBKEY and the user terminal is called key A and key B. The USBKEY generates a first transport key based on key A, called key A1; it then encrypts the locally preset encryption key (called key X) with key A1, generating the encryption key ciphertext x1 and the corresponding verification code x11 (verification code x11 is generated by encryption from key X, the encryption key ciphertext x1 and key A1; the concrete manner is not repeated here). Next, the USBKEY encrypts key A1 with key A, generating the transport key ciphertext a1 and the corresponding verification code a11 (verification code a11 is generated by encryption from key A1, the transport key ciphertext a1 and key A; the concrete manner is not repeated here).
The user terminal reads the transport key ciphertext a1 and the verification code a11 generated by the USBKEY from the USBKEY and, after confirming from verification code a11 that the identity of the USBKEY is legitimate, decrypts the transport key ciphertext a1 with the key B agreed with the USBKEY, obtaining key A1. Next, the user terminal reads the encryption key ciphertext x1 and the verification code x11 from the USBKEY and, after confirming from verification code x11 that the identity of the USBKEY is legitimate, decrypts the encryption key ciphertext x1 with the obtained key A1, obtaining key X.
Of course, if the operating system is started again, then for the second secure transmission of the encryption key the USBKEY may encrypt encryption key X with a second transport key A2 (key A2) generated from the initial transport key A, and encrypt key A2 with the initial transport key A or with the previously used key A1, to complete the secure transmission of the encryption key. By analogy, all subsequent flows encrypt and transmit the encryption key in this manner, which is not repeated.
It can be seen that in this embodiment the user terminal uses double encryption to realize the secure transmission of the encryption key (that is, the encryption key is encrypted by the transport key, and the transport key is encrypted by the initial transport key or by the previous transport key), which effectively prevents leakage of the encryption key and further improves data security.
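The exchange of steps A and B above, written out as an added example that is not part of the original patent: the USBKEY derives key A1 from key A, wraps key X under A1 to give x1 and x11, wraps A1 under key A to give a1 and a11, and the user terminal checks each verification code before it accepts a key; on a later boot the new transport key is wrapped under the previous one, as the text allows. The patent names no cipher, so the example uses an HMAC-SHA256 keystream and HMAC verification codes as stand-ins, and models key A and key B as two copies of one pre-shared secret; those choices, and the UsbKey, Terminal, wrap and unwrap names, are assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # every key in this example is a 32-byte secret (constructed assumption)


def _keystream(key, nonce):
    # Stand-in cipher: one 32-byte HMAC block XORed over a 32-byte payload.
    # The patent does not name a cipher; this is an assumption for a runnable example.
    return hmac.new(key, b"stream|" + nonce, hashlib.sha256).digest()


def wrap(wrap_key, payload):
    """Encrypt a 32-byte key under wrap_key; return (ciphertext, verification code).

    As on the page, the code is derived from the wrapping key, the ciphertext and
    the wrapped key (x11 from A1, x1, X; a11 from A, a1, A1).
    """
    assert len(payload) == KEY_LEN
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(wrap_key, nonce)))
    blob = nonce + ct
    code = hmac.new(wrap_key, b"code|" + blob + payload, hashlib.sha256).digest()
    return blob, code


def unwrap(wrap_key, blob, code):
    """Reverse wrap(); return the key, or None when the verification code fails."""
    nonce, ct = blob[:16], blob[16:]
    payload = bytes(c ^ k for c, k in zip(ct, _keystream(wrap_key, nonce)))
    expected = hmac.new(wrap_key, b"code|" + blob + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, code):
        return None  # wrong source or tampered transport: reject, never use the key
    return payload


class UsbKey:
    """USBKEY side: holds initial transport key A and the disk encryption key X."""

    def __init__(self, key_a, key_x):
        self.key_a, self.key_x = key_a, key_x
        self.boot = 0
        self.prev_transport = None  # A1, A2, ... as used on the previous boot

    def export_encryption_key(self):
        self.boot += 1
        # Transport key A<n> for this boot is derived from the initial key A.
        key_an = hmac.new(self.key_a, b"transport|%d" % self.boot, hashlib.sha256).digest()
        x_ct, x_code = wrap(key_an, self.key_x)        # x1, x11
        outer = self.prev_transport or self.key_a      # key A on the first boot, else the last A<n>
        a_ct, a_code = wrap(outer, key_an)             # a1, a11
        self.prev_transport = key_an
        return (a_ct, a_code), (x_ct, x_code)


class Terminal:
    """User-terminal side (the mount module): holds initial transport key B."""

    def __init__(self, key_b):
        self.key_b = key_b
        self.prev_transport = None

    def import_encryption_key(self, transport_msg, enc_key_msg):
        outer = self.prev_transport or self.key_b
        key_an = unwrap(outer, *transport_msg)          # step A: recover A<n>
        if key_an is None:
            return None
        key_x = unwrap(key_an, *enc_key_msg)            # step B: recover X
        if key_x is None:
            return None
        self.prev_transport = key_an
        return key_x


def run_two_boots():
    """Two clean boots plus one tampered exchange; returns (ok1, ok2, tampered_result)."""
    shared = os.urandom(KEY_LEN)  # key A and key B modelled as copies of one pre-shared secret
    key_x = os.urandom(KEY_LEN)   # constructed stand-in for the USBKEY's preset key X
    usb, term = UsbKey(shared, key_x), Terminal(shared)
    ok1 = term.import_encryption_key(*usb.export_encryption_key()) == key_x
    ok2 = term.import_encryption_key(*usb.export_encryption_key()) == key_x
    (a_ct, _a_code), x_msg = usb.export_encryption_key()
    tampered = term.import_encryption_key((a_ct, bytes(32)), x_msg)  # forged code a11
    return ok1, ok2, tampered
```

A rejected exchange leaves the terminal's record of the previous transport key unchanged, so the two sides must agree on how to resynchronise after a failure; the patent leaves that open, and the example simply returns None.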
On the other hand, the encryption key preset in the USBKEY may be generated in advance by the USBKEY using a discrete logarithm based on a random number (e.g., the identification number of the user terminal), and the account and password information verified during USBKEY authentication may be updated regularly by the user.
Step 120: the user terminal mounts the specified hard disk partition as an encrypted partition.
If the username and password the user uses to log in to the system are set to the same content as the account and password information used for USBKEY authentication, then before step 120 is executed (specifically before step 100, or after step 100 and before step 110, or after step 110 and before step 120) the user terminal may log in to the system according to the account and password information input by the user, so that when step 120 is executed the user terminal can begin mounting hard disk partitions and loading other system resources.
When executing step 120, the user terminal designates at least one specified hard disk partition as an encrypted partition, allocates a corresponding drive letter to it and maps the allocated drive letter into the resource manager (Explorer) for registration and storage; the number of encrypted partitions may be one or more and is set by the user.
Then the user terminal may mount the other, non-designated hard disk partitions as ordinary partitions, allocate corresponding drive letters to them and map each drive letter into the resource manager for registration and storage, which is not repeated here.
After each hard disk partition has been mounted, the user terminal may continue loading the various programs required during operating system boot to complete the boot sequence of the operating system.
Step 130: the user terminal uses the obtained encryption key to encrypt and decrypt the read and write operations performed on the above encrypted partition.
In this embodiment, the user terminal may, after executing step 120, use the obtained encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition while loading the various programs required for operating system boot; or it may, after the operating system boot completes, use the obtained encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition according to the user's operations. Specifically, write operations performed on the encrypted partition are encrypted with the encryption key, and read operations performed on the encrypted partition are decrypted with the encryption key.
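As an added illustration of step 130 (not code from the patent), the following Python models the file system driver module's behaviour on a small in-memory partition: every write is encrypted before it reaches the device and every read is decrypted, the sector index tweaks the keystream so that two identical sectors do not look alike on disk, and unmounting discards the key so that further reads fail. The per-sector HMAC keystream, the sector size and the RawDisk and EncryptedPartition names are assumptions; a production driver would use a tweakable block mode such as XTS, because a deterministic keystream is reused when the same sector is rewritten.

```python
import hashlib
import hmac

SECTOR = 512  # assumed sector size


def _sector_keystream(key, index):
    # Stand-in cipher: HMAC(key, sector index || counter) expanded to one sector.
    # The patent names no cipher; a real driver would use a tweakable block mode.
    out = b""
    ctr = 0
    while len(out) < SECTOR:
        msg = index.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:SECTOR]


class RawDisk:
    """Constructed in-memory block device standing in for the hard disk partition."""

    def __init__(self, sectors):
        self.data = bytearray(SECTOR * sectors)

    def read(self, index):
        return bytes(self.data[index * SECTOR:(index + 1) * SECTOR])

    def write(self, index, sector):
        assert len(sector) == SECTOR
        self.data[index * SECTOR:(index + 1) * SECTOR] = sector


class EncryptedPartition:
    """Driver-layer view: encrypt on write, decrypt on read, key held only while mounted."""

    def __init__(self, disk, key):
        self.disk, self._key = disk, key

    def write(self, index, plain):
        self._require_mounted()
        ks = _sector_keystream(self._key, index)
        padded = plain.ljust(SECTOR, b"\0")
        self.disk.write(index, bytes(p ^ k for p, k in zip(padded, ks)))

    def read(self, index):
        self._require_mounted()
        ks = _sector_keystream(self._key, index)
        return bytes(c ^ k for c, k in zip(self.disk.read(index), ks))

    def unmount(self):
        self._key = None  # drop the key: nothing in the terminal can decrypt any more

    def _require_mounted(self):
        if self._key is None:
            raise RuntimeError("encrypted partition is not mounted")


def demo():
    """Returns (plaintext round-trips, plaintext absent on disk, equal sectors differ, state after unmount)."""
    disk = RawDisk(4)
    part = EncryptedPartition(disk, b"X" * 32)  # constructed stand-in for key X
    record = b"payroll-2024.xlsx contents"       # constructed sample data
    part.write(0, record)
    part.write(1, record)
    plain_ok = part.read(0).rstrip(b"\0") == record
    on_disk_hidden = record not in disk.data
    sectors_differ = disk.read(0) != disk.read(1)  # same plaintext, different ciphertext
    part.unmount()
    try:
        part.read(0)
        after_unmount = "readable"
    except RuntimeError:
        after_unmount = "blocked"
    return plain_ok, on_disk_hidden, sectors_differ, after_unmount
```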
On the other hand, based on the above embodiment, when the user terminal detects any one or a combination of the following unexpected events: the USBKEY is pulled out; the number of failed verifications of the user's account and password information reaches a set threshold (e.g., 10 times); the user indicates logging off the operating system account; or the user indicates shutdown, the encrypted partition needs to be unmounted, e.g., by deleting the drive letter of the encrypted partition from the resource manager, to guarantee the data security of the encrypted partition.
When the number of failed verifications of the user's account and password information reaches the set threshold: if the USBKEY verification operation is performed by the user terminal, the user terminal also needs to instruct the USBKEY to lock itself locally; if the USBKEY verification operation is performed by the USBKEY, the USBKEY locks itself locally directly. The lock operation is specifically: the USBKEY deletes the encryption key it originally generated and stops generating and transmitting encryption keys; only after the user performs a legitimate unlock operation does the USBKEY generate a new encryption key in the predetermined manner again, e.g., using a discrete logarithm based on the user terminal's machine number.
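The unmount and lock rules just described, as an added example that is not part of the patent: a PartitionGuard on the user terminal counts failed verifications, unmounts on USBKEY removal, logoff or shutdown, and at the 10-failure threshold both unmounts and tells the USBKEY to lock; the UsbKeyLock discards its key when locked and only hands out a key again after a legitimate unlock. The class names, event names and the replacement key supplied on unlock are assumptions (the patent derives the new key by discrete logarithm from the machine number, which is not modelled here).

```python
THRESHOLD = 10  # failed-verification threshold from the page's example


class UsbKeyLock:
    """USBKEY side: locking deletes the key and stops key generation and transfer."""

    def __init__(self, key):
        self.key = key
        self.locked = False

    def lock(self):
        self.locked = True
        self.key = None  # the originally generated key is deleted, not just hidden

    def unlock(self, new_key):
        # Only after a legitimate unlock is a fresh key produced; supplied here as an assumption.
        self.locked = False
        self.key = new_key

    def export_key(self):
        return None if self.locked else self.key


class PartitionGuard:
    """User-terminal side: unmount policy for the events listed on the page."""

    UNMOUNT_EVENTS = {"usbkey_removed", "logoff", "shutdown"}

    def __init__(self, usbkey, threshold=THRESHOLD):
        self.usbkey, self.threshold = usbkey, threshold
        self.failures = 0
        self.mounted = False

    def mount(self):
        key = self.usbkey.export_key()
        if key is None:          # locked USBKEY: no key, so no encrypted partition
            return False
        self.mounted = True
        return True

    def on_event(self, event):
        actions = []
        if event == "auth_ok":
            self.failures = 0
        elif event == "auth_failed":
            self.failures += 1
            if self.failures >= self.threshold:
                actions.append("lock_usbkey")  # terminal-side verification: tell the USBKEY to lock
                self.usbkey.lock()
                event = "threshold_reached"
        if event in self.UNMOUNT_EVENTS or event == "threshold_reached":
            if self.mounted:
                actions.append("unmount")  # delete the drive letter from the resource manager
                self.mounted = False
        return actions


def scenario():
    """Walks the threshold case; returns the observable decisions at each stage."""
    usb = UsbKeyLock(b"X" * 32)   # constructed stand-in for key X
    guard = PartitionGuard(usb)
    guard.mount()
    early = [guard.on_event("auth_failed") for _ in range(THRESHOLD - 1)]
    final = guard.on_event("auth_failed")
    remount_while_locked = guard.mount()
    usb.unlock(b"Y" * 32)         # legitimate unlock: constructed replacement key
    remount_after_unlock = guard.mount()
    removed = guard.on_event("usbkey_removed")
    return early[-1], final, remount_while_locked, remount_after_unlock, removed
```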
Based on the above embodiment, in the security system provided by the embodiment of the present invention, the user terminal encrypts the hard disk partition based on the encryption key provided by the USBKEY, specifically:
Referring to Fig. 2, the user terminal comprises at least a login and resource management module 20, a mount module 21 and a file system driver module 22, wherein
the login and resource management module 20 is for performing USBKEY authentication on the user according to the account and password information input by the user when the operating system boot flow is triggered;
specifically: it carries out USBKEY authentication locally according to the account and password information input by the user, or sends the account and password information input by the user to the USBKEY to carry out the USBKEY authentication.
The mount module 21 is for obtaining the encryption key used for hard disk encryption from the USBKEY based on the preset secure transfer protocol after confirming that the user has passed USBKEY authentication, and mounting the specified hard disk partition as an encrypted partition;
when obtaining the encryption key, the mount module 21 first receives the transport key ciphertext sent by the USBKEY and decrypts it in the manner agreed with the USBKEY to obtain the transport key, then receives the encryption key ciphertext sent by the USBKEY and decrypts it with the transport key to obtain the corresponding encryption key.
The file system driver module 22 is for using the obtained encryption key to encrypt and decrypt the read and write operations performed on the above encrypted partition;
specifically: write operations performed on the encrypted partition are encrypted with the obtained encryption key, and read operations performed on the encrypted partition are decrypted with the obtained encryption key.
On the other hand, before the mount module 21 mounts the specified hard disk partition as an encrypted partition, the login and resource management module 20 may also perform operating system login authentication on the user according to the account and password information input by the user; and after the mount module 21 has mounted the specified hard disk partition as an encrypted partition, the login and resource management module 20 may also load the various programs required during operating system boot to complete the boot sequence. Further, after the login and resource management module 20 determines that the user has passed USBKEY authentication, it may load the file system driver module 22, so that when the mount module 21 mounts the specified hard disk partition as an encrypted partition, it can, through the file system driver module 22, designate the at least one specified hard disk partition as an encrypted partition, allocate a corresponding drive letter to it and map the allocated drive letter into the resource manager for registration and storage.
As shown in Fig. 2, the user terminal is further provided with an unmount module 23, for unmounting the mounted encrypted partition when any one or a combination of the following is detected: the USBKEY is pulled out; the number of failed verifications of the user's account and password information reaches the set threshold; the user indicates logging off the operating system account; or the user indicates shutdown. If it is detected that the number of failed verifications has reached the set threshold, the unmount module 23 also needs to instruct the USBKEY to lock while unmounting the encrypted partition.
As shown in Fig. 2, the login and resource management module 20, the mount module 21 and the unmount module 23 exist in the user terminal as independent application functions that realize the partition management of the hard disk, and may be combined and called the hard disk partition management unit.
The file system driver module 22 may likewise be regarded as an independent application function in the user terminal that realizes the file driving of the operating system, e.g., a driver layer that dynamically encrypts and decrypts the data transmitted to the encrypted partition on the hard disk.
Referring to Fig. 3, in the embodiment of the present invention the USBKEY comprises at least a password authentication module 30 and a key management module 31, wherein
the password authentication module 30 is for performing USBKEY authentication on the user according to the account and password information input by the user when the operating system boot flow on the user terminal is triggered;
the key management module 31 is for sending the locally preset encryption key to the user terminal based on the preset secure transfer protocol after confirming that the user has passed USBKEY authentication, so that the user terminal mounts the specified hard disk partition as an encrypted partition and uses the obtained encryption key to encrypt and decrypt the read and write operations performed on the encrypted partition.
Before the password authentication module 30 performs USBKEY authentication on the user according to the input account and password information, the key management module 31 first generates the encryption key for hard disk encryption in the predetermined manner, encrypts that encryption key with a locally generated transport key to produce the corresponding encryption key ciphertext, and encrypts the transport key in the manner agreed with the user terminal to produce the corresponding transport key ciphertext. When the key management module 31 sends the locally preset encryption key to the user terminal based on the preset secure transfer protocol, it first sends the generated transport key ciphertext to the user terminal, which decrypts it in the locally agreed manner to obtain the corresponding transport key, and then sends the generated encryption key ciphertext, which the user terminal decrypts with the recovered transport key to obtain the corresponding encryption key.
As shown in Fig. 3, the USBKEY further comprises a lock/unlock module 32, for locking the USBKEY locally when it detects that the number of failed verifications of the user's account and password information has reached the set threshold, and for instructing the key management module 31 to regenerate the corresponding encryption key in the predetermined manner when it determines that the user has performed a legitimate unlock operation. Of course, the lock/unlock module 32 may also adjust the security level of the USBKEY according to the application environment, to indicate to the password authentication module 30 whether USBKEY authentication needs to be performed on the user.
In summary, in the embodiments of the present invention, encryption and decryption are implemented dynamically at the operating system driver layer: mounting, unmounting and encrypted/decrypted reads and writes of hard disk data are realized by a file system driver, guaranteeing real-time encryption and decryption of disk data. Specifically, once the operating system boot flow on the user terminal is triggered and USBKEY authentication has been passed, the encryption key is imported into the operating system securely and at the right time through the preset secure transport mechanism and is kept only temporarily; the user terminal then mounts the specified hard disk partition as an encrypted partition and encrypts and decrypts the read and write operations on that partition with the obtained key. Dynamic read/write encryption and decryption is thus achieved at the driver layer by an independent file system driver, which prevents a third party from hijacking the operating system's existing file system with hooks and effectively improves data security, while the mounting of the encrypted partition is seamlessly integrated with the operating system boot flow, preserving the efficiency of the hard disk encryption flow, fitting users' everyday habits and bringing no extra waiting time to the user.
Further, the user terminal can select strategies such as mounting or unmounting the encrypted partition at any time according to the insertion or removal state of the USBKEY and the number of mount attempts at the driver layer, so that attacks can be detected rapidly and an effective, active dynamic defence is implemented; obviously, this further prevents the leakage of data and enhances data security. And when the user logs off the operating system account or shuts down, the USBKEY can be removed from the user terminal, so that no key information is stored in the user terminal, thoroughly eliminating the possibility of the encryption key being cracked.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these amendments and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.