CN103679066A - Implement method of dependable security disk - Google Patents


Publication number: CN103679066A
Authority: CN (China)
Prior art keywords: disk, usbkey, encryption, driver, volume
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201310149132.6A
Other languages: Chinese (zh)
Inventors: 韩永飞, 成国永, 王会霞
Current Assignee: XIAMEN DENSE PRINCIPAL INFORMATION TECHNOLOGY CO LTD (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: XIAMEN DENSE PRINCIPAL INFORMATION TECHNOLOGY CO LTD
Application filed by XIAMEN DENSE PRINCIPAL INFORMATION TECHNOLOGY CO LTD
Priority to CN201310149132.6A
Publication of CN103679066A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209: Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Abstract

The invention discloses a method for implementing a dependable (trusted) security disk. Building on virtual disk management technology and the real-time disk encryption software TrueCrypt, and combining them with the ideas of trusted computing, it designs a trusted disk encryption system that uses a USBKEY as the trusted hardware foundation. Using the USBKEY as the trusted hardware foundation is what makes the encrypted disk trusted.

Description

Implementation method of a trusted secure disk
Technical field:
The present invention builds on virtual disk management technology and the real-time disk encryption software TrueCrypt. Combining these with the ideas of trusted computing, it uses a USBKEY as the trusted hardware foundation to design a trusted disk encryption system. Using the USBKEY as the trusted hardware foundation is what makes the encrypted disk trusted.
Background:
As computers become more widespread, the security of computer data receives more and more attention. Information security is threatened from many directions, protecting data is increasingly important, and the security of classified information is an increasingly prominent problem; data encryption technology is the key to protecting confidential files and sensitive data. A traditional encrypted disk, however, only encrypts and decrypts the disk contents. If the ciphertext in the secure disk is maliciously modified, one of two things may happen. In the first, the ciphertext decrypts to completely unrecognizable garbage, and the user cannot tell whether the key is wrong or the encryption/decryption software has a fault. In the second, the meaning of the decrypted content differs from that of the original, possibly completely; if the data is important business data or important classified documents, the loss to the user may be incalculable. Combining the ideas of trusted computing to make the encrypted disk trusted solves the problem of the trustworthiness of the key and of the disk encryption/decryption software.
Summary of the invention:
1. First, a trusted root (root of trust) is established in the computer system; the trustworthiness of the trusted root is guaranteed jointly by physical security, technical security and management security.
2. Then a chain of trust is established that starts at the trusted root and runs to the hardware platform, to the operating system, and then to applications. Each level measures and authenticates the next, and each level trusts the next, so that trust is extended to the whole computer system and the whole system is trusted.
Description of the drawings:
Fig. 1: Structure diagram of the virtual disk principle
Fig. 2: Structure diagram of the trusted encrypted disk system
Detailed description:
I. System model of the trusted encrypted disk
The trusted encrypted disk consists of the following modules (see Fig. 2):
Interface management module: manages the encrypted-volume creation interface and the encrypted-volume loading interface, and passes the user's settings to the encrypted volume creation module and the encrypted volume loading module.
Encrypted volume creation module: creates the corresponding encrypted volume according to the creation parameters set by the user (user password, encrypted volume path, etc.).
Encrypted volume loading module: loads the corresponding encrypted volume according to the loading parameters set by the user, forming the corresponding virtual disk for the user to operate on.
Virtual disk driver module: the operations of an application are converted by the kernel's I/O manager into IRP requests. The virtual disk driver responds to the IRPs from the file system driver and performs the corresponding read and write operations on the virtual disk (the volume file).
Encryption/decryption module: provides the encryption/decryption algorithms and hash algorithms, including AES, Serpent, Twofish, SHA-1 and others, as well as a random number generator.
USBKEY control module: performs all USBKEY-related operations, for example reading the id of the USBKEY and calling the HASH algorithm in the USBKEY.
Trusted computing function module: performs the trusted-computing functions: generating and storing the trusted root, performing the trust measurement, and outputting the measurement result.
USBKEY: provides the id used when generating the volume header key, the HASH algorithm used when generating the trusted root, and the trusted hardware foundation.
II. Key technologies of the system
The design of the virtual disk derives from the hardware virtualization technology of the Windows OS: virtual storage technology is used to manage the underlying storage devices abstractly, separating the actual physical storage entity from its logical representation to form a virtual disk.
1. Volume header design
An encrypted volume is divided into two parts: the volume header and the data part. All reads and writes to the data part require real-time encryption and decryption (encryption on write, decryption on read), and the security of the encrypted volume is determined by how well the key is protected. The volume header occupies 512 bytes. The first 64 bytes of the encrypted volume are filled with random numbers produced by the random number generator. Bytes 64 to 255 of the header store parameters of the encrypted volume, and bytes 256 to 511 store the master key used for real-time encryption and decryption when the data part is read or written.
The volume header is encrypted entirely with the volume header key, which is obtained with the key derivation function PBKDF2 from PKCS#5; this function effectively resists dictionary attacks. The header key is derived as DK = PBKDF2(P, IDH, C, dkLen), where DK is the derived volume header key, P is the password set by the user, IDH is the 64-byte parameter produced by padding the serial number of the USBKEY with a fixed character, C is the iteration count, and dkLen is the length of the derived header key.
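The header layout and key derivation described above, as an added example that is not part of the patent text. It shows the header as it looks before encryption under DK; the PBKDF2 PRF (HMAC-SHA-512), the iteration count, dkLen, the pad character and the sample serials are assumptions, since the page gives no values for them.

```python
import hashlib
import os

HEADER_SIZE = 512   # the header occupies 512 bytes (from the text)
FILL_LEN = 64       # bytes 0..63: random fill
PARAMS_LEN = 192    # bytes 64..255: volume parameters
MASTER_LEN = 256    # bytes 256..511: master key material
ITERATIONS = 2000   # assumed value of C; the page gives none
DK_LEN = 32         # assumed dkLen; the page gives none
PAD_BYTE = b"#"     # assumed "fixed character" used to pad the serial


def make_idh(usbkey_serial: bytes) -> bytes:
    """IDH: the USBKEY serial padded with a fixed character to 64 bytes."""
    if not 0 < len(usbkey_serial) <= 64:
        raise ValueError("serial must be 1..64 bytes")
    return usbkey_serial.ljust(64, PAD_BYTE)


def derive_header_key(password: bytes, idh: bytes) -> bytes:
    """DK = PBKDF2(P, IDH, C, dkLen); HMAC-SHA-512 as the PRF is an assumption."""
    if len(idh) != 64:
        raise ValueError("IDH must be 64 bytes")
    return hashlib.pbkdf2_hmac("sha512", password, idh, ITERATIONS, DK_LEN)


def build_plain_header(params: bytes, master_key: bytes) -> bytes:
    """Lay out the 512-byte header as it looks before encryption under DK."""
    if len(params) > PARAMS_LEN or len(master_key) != MASTER_LEN:
        raise ValueError("field does not fit the header layout")
    header = os.urandom(FILL_LEN) + params.ljust(PARAMS_LEN, b"\x00") + master_key
    assert len(header) == HEADER_SIZE
    return header


def parse_plain_header(header: bytes) -> dict:
    """Split a decrypted header back into its three regions."""
    if len(header) != HEADER_SIZE:
        raise ValueError("header must be exactly 512 bytes")
    return {
        "fill": header[:FILL_LEN],
        "params": header[FILL_LEN:FILL_LEN + PARAMS_LEN],
        "master_key": header[FILL_LEN + PARAMS_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    dk_a = derive_header_key(b"correct horse", make_idh(b"KEY-0001"))
    dk_b = derive_header_key(b"correct horse", make_idh(b"KEY-0002"))
    print("same password, different token gives a different DK:", dk_a != dk_b)
```

Because IDH is fixed for a given USBKEY, two volumes created with the same token and the same password derive the same DK under this formula.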
2. Creating the encrypted volume
To create an encrypted volume, the user first inserts the USBKEY, chooses the location of the volume and enters the user password. The system reads the id of the USBKEY and processes it with HASH to generate the 64-byte IDH, then computes DK = PBKDF2(P, IDH, C, dkLen). The random number generator then produces the primary and secondary keys for real-time encryption and decryption, the volume header is encrypted with the header key DK, and the encrypted header is written to the start of the volume. The data part is filled by the random number generator, the encrypted volume is hashed to obtain the HASH value h, and h is stored in the USBKEY as the trusted root. This yields the encrypted volume.
3. Loading the encrypted volume
To load an encrypted volume, the user first inserts the USBKEY and enters the user password P. The system reads the id of the USBKEY and generates the 64-byte IDH by padding with a fixed character, then computes DK = PBKDF2(P, IDH, C, dkLen). With the header key, it decrypts the volume header to obtain the master key that encrypts the data part, and uses it to decrypt the data part. The data part of the secure disk is processed with the HASH algorithm to obtain the HASH value h1, and h1 is measured against the trusted root in the USBKEY. The measurement result is output, telling the user whether the secure disk is trusted. Loading is then complete and the virtual disk is available.
4. Transparent encryption and decryption of data by the virtual disk
Transparent encryption and decryption is performed by the system while data is being read and written. The file system driver in the Windows operating system [6,7], the I/O manager, the Cache manager and the VMM cooperate closely to implement the reading and writing of data. Transparent encryption and decryption automatically applies the specified algorithm to the specified files. The user does not change how they access files, and the whole process runs automatically; the algorithm and key used are set in advance, not during encryption or decryption.
The virtual disk driver has to handle all of the system's I/O requests to the virtual disk, so the encryption/decryption module can be embedded in the virtual disk driver. When the driver handles an I/O request, it can then call the algorithms in the encryption/decryption module to encrypt or decrypt, in real time, the data stream being read from or written to the virtual disk. When the virtual disk driver receives an IRP for a write request, it calls the encryption algorithm in the module to encrypt the plaintext data in the IRP and then writes the ciphertext to disk; plaintext files are thus encrypted to ciphertext in real time. When the virtual disk driver receives an IRP for a read request, it first reads the ciphertext from disk, calls the decryption algorithm to decrypt it, and writes the plaintext into the IRP's memory, at which point the user sees plaintext. Files read from the virtual disk are thus decrypted in real time.
5. Unmounting the virtual disk
After the virtual disk is unmounted, the HASH algorithm in the USBKEY is called on the volume file of the virtual disk, and the resulting HASH value is stored as the trusted root, overwriting the trusted root previously stored in the USBKEY. When the virtual disk is unmounted, part of its file content may still exist as plaintext in the Cache, which could leak data, so the Cache must be emptied on unmount. The Cache manager is therefore notified at unmount time to flush the cache promptly.
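The create, load and unmount measurements described in sections 2, 3 and 5, as an added example that is not part of the patent text. SimulatedUsbKey is a hypothetical stand-in for the token, SHA-256 stands in for the unspecified HASH algorithm, and the whole volume file is hashed at every step; all three are assumptions.

```python
import hashlib
import hmac
import os
import tempfile


class SimulatedUsbKey:
    """Hypothetical stand-in for the token: an id plus one trusted-root slot."""

    def __init__(self, key_id: bytes):
        self.key_id = key_id
        self.trusted_root = None

    def hash_file(self, path: str) -> bytes:
        # SHA-256 is an assumption; the page only says "HASH algorithm in USBKEY".
        digest = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
        return digest.digest()


def seal(token: SimulatedUsbKey, volume_path: str) -> bytes:
    """Creation / unmount step: hash the volume file and overwrite the root."""
    token.trusted_root = token.hash_file(volume_path)
    return token.trusted_root


def measure(token: SimulatedUsbKey, volume_path: str) -> bool:
    """Load step: recompute h1 and compare it with the root held in the token."""
    if token.trusted_root is None:
        return False  # no root stored, so there is nothing to measure against
    h1 = token.hash_file(volume_path)
    return hmac.compare_digest(h1, token.trusted_root)


def lifecycle_demo() -> list:
    """Create, load, change the file with no unmount, load, unmount, load."""
    token = SimulatedUsbKey(b"KEY-0001")          # constructed sample id
    with tempfile.TemporaryDirectory() as tmp:
        vol = os.path.join(tmp, "volume.bin")
        with open(vol, "wb") as f:
            f.write(os.urandom(4096))             # constructed stand-in volume
        results = []
        seal(token, vol)                          # creation stores h
        results.append(measure(token, vol))       # untouched volume
        with open(vol, "r+b") as f:               # one bit changed, root not updated
            f.seek(1024)
            byte = f.read(1)
            f.seek(1024)
            f.write(bytes([byte[0] ^ 0x01]))
        results.append(measure(token, vol))       # mismatch is reported
        seal(token, vol)                          # unmount overwrites the root
        results.append(measure(token, vol))
        return results


if __name__ == "__main__":
    print(lifecycle_demo())
```

A volume changed while unmounted and a volume whose unmount never reached the re-hash step both fail the load-time comparison, so the measurement result alone does not distinguish them.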

Claims (2)

1. A trusted disk encryption system using a USBKEY, designed on the basis of virtual disk management technology and the real-time disk encryption software TrueCrypt, combined with the ideas of trusted computing, with the USBKEY as the trusted hardware foundation. Using the USBKEY as the trusted hardware foundation makes the encrypted disk trusted.
2. The layered structure of the virtual disk and its driver is basically the same as that of an ordinary physical disk and its driver; the difference lies in the function of the bottom-level disk driver. Unlike a physical disk driver, which accesses the physical disk device directly, the virtual disk driver accesses a volume file in the manner of accessing a physical disk, presenting that volume file as a virtual disk.
CN201310149132.6A 2013-04-26 2013-04-26 Implement method of dependable security disk Pending CN103679066A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310149132.6A CN103679066A (en) 2013-04-26 2013-04-26 Implement method of dependable security disk

Publications (1)

Publication Number Publication Date
CN103679066A (en) 2014-03-26

Family

ID=50316572

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102053925A (en) * 2009-11-04 2011-05-11 许燕 Realization method of data encryption in hard disk
CN102662872A (en) * 2012-03-29 2012-09-12 山东超越数控电子有限公司 Trusted cryptography module based method for protection of virtual disk image files
CN103065102A (en) * 2012-12-26 2013-04-24 中国人民解放军国防科学技术大学 Data encryption mobile storage management method based on virtual disk

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
倪凯斌等: "安全增强型虚拟磁盘加密系统技术", 《计算机应用》 *
李清俊等: "基于虚拟磁盘的文件加密方法", 《计算机工程与设计》 *
阮洪升: "基于USBKey的可信安全增强系统的研究与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103812862A (en) * 2014-01-23 2014-05-21 厦门密安信息技术有限责任公司 Dependable security cloud computing composition method
CN104361297A (en) * 2014-11-19 2015-02-18 成都卫士通信息安全技术有限公司 File encryption and decryption method based on Linux operating system
CN104361297B (en) * 2014-11-19 2017-09-22 成都卫士通信息安全技术有限公司 A kind of file encryption-decryption method based on (SuSE) Linux OS
CN111783077A (en) * 2020-06-15 2020-10-16 中国电子科技集团公司第三十研究所 TrueCrypt encryption software password recovery method, encrypted data evidence obtaining system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 361008, Xiamen Software Park, Fujian Province, two expect No. 45, Lane 408

Applicant after: XIAMEN DENSE PRINCIPAL INFORMATION TECHNOLOGY CO,LTD

Address before: 361008 Fujian province Xiamen software park two sunrise Road No. 32 room 40303

Applicant before: XIAMEN DENSE PRINCIPAL INFORMATION TECHNOLOGY CO,LTD

COR Change of bibliographic data
RJ01 Rejection of invention patent application after publication

Application publication date: 20140326
