CN103067170B - encrypting method based on EXT2 file system - Google Patents

Info

Publication number: CN103067170B
Application number: CN201210543698.2A
Authority: CN (China)
Prior art keywords: file system, AES, index node (inode), cipher key, key index
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN103067170A (en)
Inventor: 陈金强
Current assignee: Guowei Group Shenzhen Co ltd
Original assignee: Shenzhen State Micro Technology Co Ltd

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an encrypted file system based on the EXT2 file system. It comprises a plurality of block groups, and each block group comprises storage space corresponding to a superblock, a block group descriptor table, a block bitmap, a file and directory inode bitmap, a file and directory inode table and a plurality of data blocks. A plurality of block group descriptors are stored in the space corresponding to the block group descriptor table. Each block group further comprises storage space, placed after the file and directory inode table, for a key inode bitmap and a key inode table, and the space corresponding to the block group descriptor table further holds a file system digital certificate (DC). With this encrypted file system the security of the EXT2 file system is improved. The invention further provides an encryption method and a decryption method based on the EXT2 file system.

Description

Encryption method based on the EXT2 file system
Technical field
The present invention relates to file systems and data storage encryption technology, and in particular to an encrypted file system based on the EXT2 file system, together with an encryption method and a decryption method.
Background technology
A file system is a method of storing and organizing files and data that makes them easy to access and find. File systems are usually used on storage devices such as SD cards, USB flash drives, hard disks, SPI flash, NOR flash and NAND flash, and they maintain the physical location of files on the device. At present many file systems only manage files and data and offer no protection for their security. If a product uses a transparent file system, the valuable data in the product is likely to be used illegally when the product is lost.
For example, the EXT2 file system commonly used in the embedded field provides storage, organization and management of files and data, but files and data are stored transparently and cannot be encrypted, so its data security is not high.
Therefore, how to solve the data security problem of the EXT2 file system has become one of the technical problems urgently in need of a solution.
Summary of the invention
The object of this invention is to provide an encrypted file system based on the EXT2 file system.
To solve this technical problem, the present invention discloses an encrypted file system based on the EXT2 file system. It comprises a plurality of block groups, and each block group comprises storage space corresponding to the following data: a superblock, a block group descriptor table, a block bitmap, a file and directory inode bitmap, a file and directory inode table and a plurality of data blocks. The storage space corresponding to the block group descriptor table holds a plurality of block group descriptors. Each block group further comprises storage space, located after the file and directory inode table, corresponding to a key inode bitmap and a key inode table, and the storage space corresponding to the block group descriptor table further holds a file system digital certificate.
Each file or directory inode entry further comprises an "encryption flag" and a "key inode number" data item. The "encryption flag" indicates whether the file or directory is encrypted; if it is, the corresponding "key inode entry" can be found from the value of the "key inode number", and the "key inode entry" holds the information needed to decrypt the file or directory.
The key inode bitmap manages and tracks the usage of the key inode table.
The key inode table is an array of key inode entries. Each key inode entry consists of a magic number, a version number, the AES mode, the digest algorithm mode, the AES key, the AES initial vector, the plaintext digest of the encrypted content, reserved bits (zero-filled) and random-number padding.
The present invention also discloses an encryption method based on the EXT2 file system, comprising:
Step S11: generate the AES key and AES initial vector according to the AES key and AES initial vector generation rule;
Step S12: compute the digest of the file or directory content according to the user-configured digest algorithm mode;
Step S13: encrypt the file or directory according to the AES key, the AES initial vector and the user-configured AES mode;
Step S14: combine the magic number, version number, AES mode, digest algorithm mode, AES key, AES initial vector and plaintext digest of the encrypted content into a plaintext "key inode entry";
Step S15: read the "file system digital certificate" from the file system storage device into memory and verify its validity; if the "file system digital certificate" is valid, extract the public key from it;
Step S16: encrypt the plaintext "key inode entry" of step S14 with the public key, using the RSA encryption algorithm, into a ciphertext "key inode entry";
Step S17: search the "key inode bitmap" for a free "key inode entry" and obtain the corresponding "key inode number";
Step S18: update the "encryption flag" and "key inode number" data in the "file or directory inode entry", and write the in-memory ciphertext "key inode entry" to the file system storage device according to the "key inode number".
In step S11, the value of the first 8 bits of the 128-bit AES key is 0x53 and the remaining 120 bits are produced by a random number generator; the value of the first 8 bits of the 128-bit AES initial vector is 0x4D and the remaining 120 bits are produced by a random number generator.
In step S12, the user-configured digest algorithm mode is SHA1 or SHA256.
In step S13, when the user-configured AES mode is electronic codebook (ECB) mode, the file or directory is split into 128-bit blocks and each block is encrypted separately with the AES key; when the user-configured AES mode is cipher block chaining (CBC) mode, the file or directory is split into 128-bit blocks and encrypted in chained fashion with the AES key and AES initial vector.
The present invention also provides a decryption method based on the EXT2 file system, characterized by comprising:
Step S21: according to the "encryption flag" and "key inode number" data in the accessed "file or directory inode entry", read the corresponding ciphertext "key inode entry" data into memory;
Step S22: decrypt the in-memory ciphertext "key inode entry" data with the private key, using the RSA decryption algorithm, into a plaintext "key inode entry";
Step S23: decrypt the file or directory according to the AES key, AES initial vector and AES mode information in the plaintext "key inode entry".
The decryption method based on the EXT2 file system further comprises:
Step S24: according to the digest algorithm type in the plaintext "key inode entry", recompute the digest of the decrypted plaintext file or directory;
Step S25: compare whether the digest recomputed in step S24 is consistent with the digest value in the plaintext "key inode entry"; if they are consistent, the decryption process was correct; if they are not, the decryption of the file or directory has failed and an exception is raised.
Compared with the prior art, because the encrypted file system based on the EXT2 file system of the present invention adds a file system digital certificate, a key inode bitmap and a key inode table to the EXT2 file system, and uses the file and directory encryption and decryption methods provided by the invention to encrypt or decrypt files or directories, the security of the EXT2 file system is improved.
Brief description of the drawings
Fig. 1 is the structure diagram of the EXT2 file system.
Fig. 2 is the structure diagram of the encrypted file system based on the EXT2 file system of the present invention.
Fig. 3 is the structure diagram of the key inode table.
Fig. 4 is the flow chart of file system encryption.
Fig. 5 is the structure diagram of AES key generation.
Fig. 6 is the structure diagram of AES initial vector generation.
Fig. 7 is the structure diagram of the file or directory content digest calculation.
Fig. 8 is the structure diagram of file or directory content encryption.
Fig. 9 is the flow chart of file system decryption.
Fig. 10 is the structure diagram of file or directory content decryption.
Embodiment
Fig. 1 shows how the EXT2 file system organizes data on a storage device. When formatting, the device is first divided into a plurality of block groups according to its capacity; each block group then contains its own superblock, block group descriptor table, block bitmap, file and directory inode bitmap, file and directory inode table and a plurality of data blocks.
A file or directory inode entry records the attributes of the file or directory and the addresses of the data blocks holding the actual file or directory data. The recorded information is: access mode, owner and group, size, creation or status change time, last read time, last modification time, and so on.
Fig. 2 shows how the encrypted file system based on the EXT2 file system of the present invention organizes data on a storage device. It adds encryption and decryption related information to each block group: a "file system digital certificate" is added to the block group descriptor table, and a "key inode bitmap" and a "key inode table" are added after the file and directory inode table. To meet the security requirements of a public key infrastructure (PKI), the file system digital certificate uses the format of a general digital certificate, which makes verifying the certificate's validity convenient.
The data structure of each entry in the "key inode table" is shown in Fig. 3. Its content is the magic number, version number, AES mode, digest algorithm mode, AES key, AES initial vector and plaintext digest of the encrypted content, with a total length of 2048.
An "encryption flag" and a "key inode number" data item are added to the file or directory inode entry. The "encryption flag" indicates whether the file or directory is encrypted; if it is, the corresponding "key inode entry" can be found from the value of the "key inode number". The "key inode entry" holds the information needed to decrypt the file or directory.
The process by which the EXT2 encrypted file system encrypts a file or directory is shown in Fig. 4.
The concrete steps are as follows:
Step S11: when a file or directory needs to be encrypted, first generate the AES key and AES initial vector according to the AES key and AES initial vector generation rule. 128-bit AES key: the value of the first 8 bits is 0x53 (the ASCII code of the 'S' in the word "State", serving as the symmetric key identifier) and the remaining 120 bits are produced by a random number generator, as shown in Fig. 5. 128-bit AES initial vector: the value of the first 8 bits is 0x4D (the ASCII code of the 'M' in the word "Micro", serving as the initial vector identifier) and the remaining 120 bits are produced by a random number generator, as shown in Fig. 6.
Step S12: compute the digest of the file or directory content according to the user-configured digest algorithm mode, as shown in Fig. 7. When the user-configured digest algorithm mode is SHA1, the digest is 160 bits long (left-aligned, with the remainder zero-padded). When the user-configured digest algorithm mode is SHA256, the digest is 256 bits long.
Step S13: encrypt the file or directory according to the AES key, the AES initial vector and the user-configured AES mode, as shown in Fig. 8. When the user-configured AES mode is electronic codebook (ECB) mode, the file or directory is split into 128-bit blocks and each block is encrypted separately with the AES key. When the user-configured AES mode is cipher block chaining (CBC) mode, the file or directory is split into 128-bit blocks and encrypted in chained fashion with the AES key and AES initial vector. When the length of the file or directory is not an integral multiple of 128 bits, the trailing partial block is appended in its plaintext form directly after the last block of ciphertext.
Step S14: combine the magic number, version number, AES mode, digest algorithm mode, AES key, AES initial vector and plaintext digest of the encrypted content into a plaintext "key inode entry". The structure of the "key inode entry" is shown in Fig. 3.
Step S15: read the "file system digital certificate" from the file system storage device into memory and verify its validity. The concrete validity checks are: verify the certificate trust chain to confirm that the certificate is valid, and consult the certificate revocation list (CRL, also known as the blacklist) to check whether the certificate has been revoked. If the "file system digital certificate" is invalid, an exception is reported and subsequent file system operations are stopped. If the "file system digital certificate" is valid, the public key is extracted from it. To improve efficiency, this step is performed once, when the file system is loaded.
Step S16: encrypt the plaintext "key inode entry" of step S14 with the public key, using the RSA encryption algorithm, into a ciphertext "key inode entry".
Step S17: search the "key inode bitmap" for a free "key inode entry". If none is found, the "key inode entries" are exhausted, an exception is reported and the current file or directory encryption fails. If one is found, obtain the corresponding "key inode number".
Step S18: update the "encryption flag" and "key inode number" data in the "file or directory inode entry". Write the in-memory ciphertext "key inode entry" to the file system storage device according to the "key inode number".
The process by which the EXT2 encrypted file system decrypts a file or directory is shown in Fig. 9.
The concrete steps are as follows:
Step S21: according to the "encryption flag" and "key inode number" data in the accessed "file or directory inode entry", read the corresponding ciphertext "key inode entry" data into memory.
Step S22: decrypt the in-memory ciphertext "key inode entry" data with the private key, using the RSA decryption algorithm, into a plaintext "key inode entry". Check whether the magic number of the plaintext "key inode entry" is valid; if it is not, the private key data may be wrong, an exception is reported and the file system decryption process is stopped. If the magic number is valid, the data of the plaintext "key inode entry" is also taken to be valid.
Step S23: decrypt the file or directory according to the AES key, AES initial vector and AES mode information in the plaintext "key inode entry", as shown in Fig. 10. When the AES mode is electronic codebook (ECB) mode, the file or directory is split into 128-bit blocks and each block is decrypted separately with the AES key. When the AES mode is cipher block chaining (CBC) mode, the file or directory is split into 128-bit blocks and decrypted in chained fashion with the AES key and AES initial vector. When the length of the file or directory is not an integral multiple of 128 bits, the trailing partial block is already plaintext and needs no processing.
Step S24: according to the digest algorithm type in the plaintext "key inode entry", recompute the digest of the decrypted plaintext file or directory, as shown in Fig. 7. When the digest algorithm mode is SHA1, the digest is 160 bits long. When the digest algorithm mode is SHA256, the digest is 256 bits long.
Step S25: compare the digest recomputed in step S24 with the digest value in the plaintext "key inode entry". If they are consistent, the decryption process was correct; if they are not, the decryption of the file or directory has failed, an exception is reported and the data may have been corrupted.
In summary, because the encrypted file system based on the EXT2 file system of the present invention adds a file system digital certificate, a key inode bitmap and a key inode table to the EXT2 file system, and uses the file and directory encryption and decryption methods provided by the invention to encrypt or decrypt files or directories, the security of the EXT2 file system is improved.
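As an added illustration, not code from the patent or its assignee, the encryption steps S11 to S16 and the decryption steps S21 to S25 described above carried through in Go with only the standard library. The names (KeyInodeEntry, genKeyIV, cryptContent, EncryptFile, DecryptFile), the field widths, magic value and little-endian packing of the key inode entry, RSA-OAEP as the RSA mode, and the choice of CBC with SHA256 from the patent's configurable options are all assumptions; the bitmap search and disk write of S17 and S18 are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Key inode entry in the field order of Fig. 3. Widths, the magic value and
// little-endian packing are assumptions; the patent fixes only the 0x53/0x4D prefixes.
const (
	Magic        uint32 = 0x4B494E44 // assumed value
	ModeCBC      uint8  = 1          // the patent's ECB option is not implemented here
	DigestSHA256 uint8  = 1
)

type KeyInodeEntry struct {
	Magic, Version  uint32
	AESMode, Digest uint8
	Key, IV         [16]byte
	Sum             [32]byte // plaintext digest of the content
}

// S11: 0x53 ('S') leads the key and 0x4D ('M') the IV; the other 120 bits are random.
func genKeyIV() (key, iv [16]byte, err error) {
	if _, err = rand.Read(key[1:]); err == nil {
		_, err = rand.Read(iv[1:])
	}
	key[0], iv[0] = 0x53, 0x4D
	return
}

// S13 / S23: AES-CBC over the whole 128-bit blocks. As the patent specifies, a
// trailing partial block is not enciphered but copied through, so it stays in clear.
func cryptContent(e *KeyInodeEntry, in []byte, encrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(e.Key[:])
	if err != nil || e.AESMode != ModeCBC {
		return nil, errors.New("bad key or unsupported AES mode")
	}
	n := len(in) / aes.BlockSize * aes.BlockSize
	out := make([]byte, len(in))
	copy(out[n:], in[n:]) // the partial tail is carried through unchanged
	if encrypt {
		cipher.NewCBCEncrypter(blk, e.IV[:]).CryptBlocks(out[:n], in[:n])
	} else {
		cipher.NewCBCDecrypter(blk, e.IV[:]).CryptBlocks(out[:n], in[:n])
	}
	return out, nil
}

// S11-S16: returns the ciphertext and the entry wrapped under the public key
// (RSA-OAEP assumed; S17/S18, bitmap search and disk write, belong to the file system).
func EncryptFile(pub *rsa.PublicKey, plain []byte) (ct, wrapped []byte, err error) {
	e := KeyInodeEntry{Magic: Magic, Version: 1, AESMode: ModeCBC, Digest: DigestSHA256}
	if e.Key, e.IV, err = genKeyIV(); err != nil {
		return
	}
	e.Sum = sha256.Sum256(plain) // S12: digest of the plaintext content
	if ct, err = cryptContent(&e, plain, true); err != nil {
		return
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, &e) // S14: pack the plaintext entry
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf.Bytes(), nil)
	return
}

// S21-S25: unwrap with the private key, check the magic number, decrypt the
// content, then recompute the digest and compare it with the stored value.
func DecryptFile(priv *rsa.PrivateKey, wrapped, ct []byte) ([]byte, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	var e KeyInodeEntry
	if err == nil {
		err = binary.Read(bytes.NewReader(raw), binary.LittleEndian, &e)
	}
	if err != nil || e.Magic != Magic {
		return nil, errors.New("cannot unwrap key inode entry: wrong private key?")
	}
	plain, err := cryptContent(&e, ct, false)
	if err == nil && sha256.Sum256(plain) != e.Sum {
		return nil, errors.New("digest mismatch: data may be corrupted")
	}
	return plain, err
}
```

Two properties of the scheme as the patent states it are worth keeping in view when reviewing a deployment: the final partial block of every file is stored in clear, and the ECB option encrypts identical 128-bit blocks to identical ciphertext, so CBC with the stored IV plus padding of the tail is the stronger configuration of the choices offered.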

Claims (4)

1. An encryption method based on the EXT2 file system, characterized by comprising:
Step S11: generate the AES key and AES initial vector according to the AES key and AES initial vector generation rule;
Step S12: compute the digest of the file or directory content according to the user-configured digest algorithm mode;
Step S13: encrypt the file or directory according to the AES key, the AES initial vector and the user-configured AES mode;
Step S14: combine the magic number, version number, AES mode, digest algorithm mode, AES key, AES initial vector and plaintext digest of the encrypted content into a plaintext "key inode entry";
Step S15: read the "file system digital certificate" from the file system storage device into memory and verify its validity; if the "file system digital certificate" is valid, extract the public key from it;
Step S16: encrypt the plaintext "key inode entry" of step S14 with the public key, using the RSA encryption algorithm, into a ciphertext "key inode entry";
Step S17: search the "key inode bitmap" for a free "key inode entry" and obtain the corresponding "key inode number";
Step S18: update the "encryption flag" and "key inode number" data in the "file or directory inode entry", and write the in-memory ciphertext "key inode entry" to the file system storage device according to the "key inode number".
2. The encryption method based on the EXT2 file system according to claim 1, characterized in that, in step S11, the value of the first 8 bits of the 128-bit AES key is 0x53 and the remaining 120 bits are produced by a random number generator, and the value of the first 8 bits of the 128-bit AES initial vector is 0x4D and the remaining 120 bits are produced by a random number generator.
3. The encryption method based on the EXT2 file system according to claim 1, characterized in that, in step S12, the user-configured digest algorithm mode is SHA1 or SHA256.
4. The encryption method based on the EXT2 file system according to claim 1, characterized in that, in step S13, when the user-configured AES mode is electronic codebook (ECB) mode, the file or directory is split into 128-bit blocks and each block is encrypted separately with the AES key; when the user-configured AES mode is cipher block chaining (CBC) mode, the file or directory is split into 128-bit blocks and encrypted in chained fashion with the AES key and AES initial vector.
Application CN201210543698.2A, priority date 2012-12-14, filing date 2012-12-14: encrypting method based on EXT2 file system (Expired - Fee Related).

Publications (2)

Publication Number Publication Date
CN103067170A (en) 2013-04-24
CN103067170B (en) 2015-04-15


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: 518000 Guangdong Province Shenzhen Nanshan District High-tech Industrial Park South District High-tech Nandao National Micro-R&D Building 1 Floor West Part, 2 Floors
Patentee after: GUOWEI GROUP (SHENZHEN) Co.,Ltd.
Address before: 518000 2F, Shenzhen new high tech Industrial Park, Guangdong, China.
Patentee before: SHENZHEN STATE MICRO TECHNOLOGY Co.,Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20150415
Termination date: 20211214