CN103778384A - Identity authentication based virtual terminal safety environment protection method and system - Google Patents


Info

Publication number: CN103778384A
Authority: CN (China)
Prior art keywords: data, module, access, encryption, application
Legal status: Granted
Application number: CN201410062426.XA
Other languages: Chinese (zh)
Other versions: CN103778384B (en)
Inventors: 王志刚, 彭洪涛, 喻波, 王志海, 何晋昊
Current assignee: Beijing Wondersoft Technology Co Ltd
Original assignee: Beijing Wondersoft Technology Co Ltd
Events: application filed by Beijing Wondersoft Technology Co Ltd; priority to CN201410062426.XA; publication of CN103778384A; application granted; publication of CN103778384B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/18 File system types
    • G06F 16/188 Virtual file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2107 File encryption

Abstract

The invention discloses an identity-authentication-based method and system for protecting a virtual terminal security environment. The system comprises an intelligent storage monitoring layer, a storage service layer and a core security layer. The intelligent storage monitoring layer monitors and analyses the data access behaviour of application programs and acts according to configured rules; its storage access redirection module diverts input/output accesses according to access control rules. The storage service layer encrypts and decrypts files or data and records the file mapping relations. The core security layer is the foundation of the whole framework: it provides key management, provides encryption and decryption support to the storage service layer, and schedules different algorithms as required. With this method and system, the security of core application data is protected, data leakage is prevented, data inside and outside the environment are isolated from each other, and the user's operating habits are not affected.

Description

Identity-authentication-based method and system for protecting a virtual terminal security environment
Technical field
The present invention relates to the field of data security, and in particular to an identity-authentication-based method and system for protecting a virtual terminal security environment.
Background art
With the ever-wider use of intelligent terminals such as mobile phones, protecting the data on those terminals has become increasingly urgent. For example, in recent years, with the rapid development and growth of mobile networks, mobile policing has gained a larger stage; owing to the special nature of that work, it requires the network to offer better security. A mobile network is an open environment for everyone, and anyone may intercept other people's information. Attention is therefore focused on link and access security, while the security of local applications and of the data itself is often neglected, and once a mobile device is lost or fails the consequences can be severe. At present there are mobile phone applications on the market that use sandbox-like technologies, as described below:
A. Mobile phone sandbox software can set up different modes and application layouts; on entering a mode only the configured applications can be used, and after exiting there is no effect on the phone's real environment.
Figure 1 shows the data protection flow of mobile phone sandbox technology, which comprises:
1) starting the sandbox environment on the phone;
2) after entering the sandbox, monitoring the system's I/O operations;
3) redirecting data written to storage, thereby protecting the real data;
4) after data processing is complete, exiting the sandbox environment and cancelling the system I/O monitoring;
5) deciding whether to retain the data in the sandbox;
6) if retained, saving the data to the storage device and ending the flow;
7) if not retained, clearing the data and ending the flow.
B. The privacy protection function of mobile phone security software can move relevant personal data into a safe box; data that enters the safe box is invisible outside it and can only be operated on inside the safe box.
Figure 2 shows the data protection flow of privacy protection technology, which comprises:
1) the phone enters the closed security environment;
2) data from outside the environment is placed into the environment, automatically encrypted, and the original data is removed;
3) the data in the environment is viewed, modified and saved;
4) the closed security environment is exited;
5) the flow ends.
However, the above technologies have shortcomings:
A. With sandbox technology, data cannot be stored inside the environment and cannot be kept under protection, so there is a risk of data leakage.
B. With privacy protection technology, adding data is entirely a manual operation, and no protection is provided for the data that applications actually produce.
Summary of the invention
Starting from actual demand and application, the present invention builds an identity-authentication-based virtual terminal security environment protection system. Data produced by certain applications inside the environment is encrypted automatically, and selected data can also be encrypted manually. Data produced inside the environment can only be used inside it; outside it is invisible or unusable. The inside of the environment can use external data, but the outside cannot use internal data, so the two do not interfere with each other.
To solve the above technical problems, the present invention proposes an identity-authentication-based virtual terminal security environment protection system comprising an intelligent storage monitoring layer, a storage service layer and a core security layer. The intelligent storage monitoring layer comprises an application data access monitoring module, a storage access redirection module and an application data access control module. An application's read/write requests to the storage device are captured by the application data access monitoring module and passed to the application data access control module for analysis; the application data access control module matches the application's data access behaviour against the configured access control rules and, for data accesses that need processing, the storage access redirection module changes the path the request was originally issued to and sends the request to the storage service layer for processing;
The storage service layer is responsible for handling the data read/write requests passed down by the intelligent monitoring layer, sending file or data encryption and decryption requests to the core security layer, and recording the file mapping relations;
The core security layer provides encryption and decryption support to the storage service layer and schedules different algorithms as required; it receives the data encryption or decryption requests passed over by the storage service layer, encrypts or decrypts the data, and returns the result to the storage service layer.
Further, the storage service layer comprises a virtual file encryption service module, a database encryption service module and a memory stream encryption service module. When a data read/write request arrives at the storage service layer, the type of data access is analysed first, and according to the access type the request is delivered to the virtual file encryption service module, the database encryption service module or the memory stream encryption service module for processing.
Further, the virtual file encryption service module, the database encryption service module and the memory stream encryption service module handle data read/write requests for files, databases and memory respectively. The three modules process a data access as follows: for a data read request, the service provided by the core security layer is called to decrypt the data; for a data write request, the service provided by the core security layer is called to encrypt the data.
Further, the core security layer comprises an encryption/decryption engine module, an algorithm library support module and a key management module. The encryption/decryption engine module analyses requests from the upper layer and, according to the request, schedules the algorithm library support module and the key management module to complete the encryption or decryption of the data; the algorithm library support module implements the data encryption and decryption algorithms, and the key management module implements key management for the different algorithms in support of the encryption/decryption engine module.
Further, the application data access monitoring module comprises an application signature analysis and comparison module and an application signature library, where the application signature library stores the signatures of the applications to be controlled;
The application data access control module comprises an application storage access monitoring module and an application access control module;
The system takes over applications' storage read/write operations by storage access redirection, changes the storage read/write accesses according to the configured access control rules, and directs storage read/write requests to a designated area, so that the data structures outside the system are not affected. The specific implementation is as follows:
The application signature analysis and comparison module extracts the application's signature and matches it against the data in the application signature library; if matching data exists, the application's data read/write request is sent to the application storage access monitoring module for processing;
When the application storage access monitoring module receives a data read/write request passed down by the application signature analysis and comparison module, it calls the application access control module to analyse the data read/write control policy, and delivers the read/write requests that need to be controlled to the storage access redirection module for processing;
The application access control module analyses and matches the corresponding application access control policy according to the application's signature, and returns the access control policy to the application storage access monitoring module;
The storage access redirection module receives the data read/write requests that meet the access control policy, hands them to the encrypted storage service module for processing, and after the encryption or decryption of the data is complete returns the result to the upper layer for processing.
Further, the virtual file encryption service module comprises a file transparent storage encryption service module, a virtual file mapping management module and a virtual file access module;
According to the environment configuration, the storage service layer establishes a mapping relation between the redirected data read/write operation and the original path, forming a virtual file whose path differs from the path of the real file. Read/write accesses to the virtual file invoke the encryption/decryption engine module according to the configured rules to encrypt or decrypt the data, guaranteeing the security of the data written to the physical storage device. The specific steps are as follows:
The file transparent storage encryption service module receives the data read/write request sent over by the storage access redirection module, passes the request on to the virtual file mapping management module, and returns the result;
The virtual file mapping management module establishes a mapping relation between the source file of the data read/write request and the real file on the storage device, and issues the data read/write request;
The virtual file access module receives the data read/write request and calls the encryption/decryption engine module to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer;
The encryption/decryption engine module schedules the algorithm library support module and the key management module to encrypt or decrypt the data, and returns the result to the virtual file access module;
The physical file access module, according to the data read/write request, writes data to the storage device, or reads data from the storage device and returns it to the encryption/decryption engine module.
To solve the above technical problems, the present invention also proposes an identity-authentication-based method for protecting a virtual terminal security environment, applied in a virtual terminal security environment protection system comprising an intelligent storage monitoring layer, a storage service layer and a core security layer. The intelligent storage monitoring layer comprises an application data access monitoring module, a storage access redirection module and an application data access control module; the storage service layer comprises a virtual file encryption service module, a database encryption service module and a memory stream encryption service module; the core security layer comprises a key management module, an encryption/decryption engine module and an algorithm library support module. The method comprises the following steps:
An application initiates a read/write request to the storage device; the application data access monitoring module captures the request and sends it to the application data access control module for analysis; the application data access control module matches the application's data access behaviour against the configured access control rules and, for data accesses that need processing, the storage access redirection module changes the path the request was originally issued to and sends the request to the storage service layer for processing;
The storage service layer receives the data read/write request passed down by the intelligent monitoring layer, sends the file or data encryption or decryption request to the core security layer, and records the file mapping relations;
The core security layer receives the data encryption or decryption request passed over by the storage service layer, encrypts or decrypts the data, and returns the result to the storage service layer.
Further, when a data read/write request arrives at the storage service layer, the type of data access is analysed first, and according to the access type the request is delivered to the virtual file encryption service module, the database encryption service module or the memory stream encryption service module for processing.
Further, the virtual file encryption service module, the database encryption service module and the memory stream encryption service module handle data read/write requests for files, databases and memory respectively. The three modules process a data access as follows: for a data read request, the service provided by the core security layer is called to decrypt the data; for a data write request, the service provided by the core security layer is called to encrypt the data.
Further, the encryption/decryption engine module analyses requests from the upper layer and, according to the request, schedules the algorithm library support module and the key management module to complete the encryption or decryption of the data; the algorithm library support module implements the data encryption and decryption algorithms, and the key management module implements key management for the different algorithms in support of the encryption/decryption engine module.
Further, the application data access monitoring module comprises an application signature analysis and comparison module and an application signature library, where the application signature library stores the signatures of the applications to be controlled;
The application data access control module comprises an application storage access monitoring module and an application access control module;
The system takes over applications' storage read/write operations by storage access redirection, changes the storage read/write accesses according to the configured access control rules, and directs storage read/write requests to a designated area, so that the data structures outside the system are not affected. The specific implementation is as follows:
The application signature analysis and comparison module extracts the application's signature and matches it against the data in the application signature library; if matching data exists, the application's data read/write request is sent to the application storage access monitoring module for processing;
When the application storage access monitoring module receives a data read/write request passed down by the application signature analysis and comparison module, it calls the application access control module to analyse the data read/write control policy, and delivers the read/write requests that need to be controlled to the storage access redirection module for processing;
The application access control module analyses and matches the corresponding application access control policy according to the application's signature, and returns the access control policy to the application storage access monitoring module;
The storage access redirection module receives the data read/write requests that meet the access control policy, hands them to the encrypted storage service module for processing, and after the encryption or decryption of the data is complete returns the result to the upper layer for processing.
Further, the virtual file encryption service module comprises a file transparent storage encryption service module, a virtual file mapping management module and a virtual file access module;
According to the environment configuration, the storage service layer establishes a mapping relation between the redirected data read/write operation and the original path, forming a virtual file whose path differs from the path of the real file. Read/write accesses to the virtual file invoke the encryption/decryption engine module according to the configured rules to encrypt or decrypt the data, guaranteeing the security of the data written to the physical storage device. The specific steps are as follows:
The file transparent storage encryption service module receives the data read/write request sent over by the storage access redirection module, passes the request on to the virtual file mapping management module, and returns the result;
The virtual file mapping management module establishes a mapping relation between the source file of the data read/write request and the real file on the storage device, and issues the data read/write request;
The virtual file access module receives the data read/write request and calls the encryption/decryption engine module to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer;
The encryption/decryption engine module schedules the algorithm library support module and the key management module to encrypt or decrypt the data, and returns the result to the virtual file access module;
The physical file access module, according to the data read/write request, writes data to the storage device, or reads data from the storage device and returns it to the encryption/decryption engine module.
The technical solution proposed by the present invention yields the following beneficial effects:
A. The security of core application data is protected and data leakage is prevented;
B. Data inside and outside the environment are isolated and do not interfere with each other;
C. Because the encryption and decryption of data are transparent to the user, the user's operating habits are not affected;
D. Even if the terminal is lost, the data cannot easily be read because it is encrypted, which guarantees its security.
Description of the drawings
Fig. 1 is the data protection flow diagram of mobile phone sandbox technology.
Fig. 2 is the data protection flow diagram of privacy protection technology.
Fig. 3 is the overall system framework diagram of the present invention.
Fig. 4 is the data storage redirection framework diagram of the present invention.
Fig. 5 is the block diagram of the virtual terminal security environment protection system of the present invention.
Fig. 6 is the usage flow of a corporate mobile office system according to the present invention.
Embodiments
Fig. 3 is the overall system framework diagram of the present invention.
The identity-authentication-based virtual terminal security environment protection system proposed by the present invention is divided into three layers: the intelligent storage monitoring layer, the storage service layer and the core security layer. The intelligent monitoring layer monitors and analyses applications' data access behaviour and acts according to the configured rules, and its redirection module diverts I/O accesses according to the access control rules; the storage service layer encrypts or decrypts files or data and records the file mapping relations; the core security layer is the foundation of the whole framework, providing key management, providing encryption and decryption support to the storage service layer, and scheduling different algorithms as required.
The intelligent storage monitoring layer sits at the top of the overall framework. It is mainly responsible for monitoring mobile phone applications' access to the storage device, analysing their read/write operations on the storage device, and, according to the access control rules, sending read/write requests down to the lower-layer service. For example, in the virtual terminal security environment protection system, when a mobile phone application writes data to the storage device, the write is first captured by the "application data access monitoring" module in this layer, and the application's read/write behaviour is then passed to the "application data access control" module for analysis. The application data access control module matches and analyses the application's data access behaviour against the configured access control rules: data accesses that need processing are sent to the lower-layer service through the "storage access redirection module", while data accesses that need no processing are handed to the system for processing. For the data accesses that need processing, the storage redirection module changes the path the request was originally issued to and hands the request to the "system storage service layer" provided by this system for processing.
The storage service layer sits in the middle of the overall architecture and links the layers above and below it. It is mainly responsible for processing the data I/O requests passed down by the upper layer and encrypting or decrypting the data. When a data I/O request arrives at this layer, the type of data access is analysed first, and according to the access type the request is delivered to one of three modules: "virtual file encryption service", "database encryption service" or "memory stream encryption service". The virtual file encryption service module mainly handles data I/O requests for files: when data is read, it calls the service provided by the "core security layer" to decrypt the data; otherwise it performs a data encryption operation. The other two modules are similar to the "virtual file encryption service", and their processing is not repeated here.
The core security layer sits at the bottom of the overall architecture and is the foundation on which the virtual terminal security environment protection system runs. It receives the data encryption or decryption requests passed down by the upper layer, encrypts or decrypts the data, and returns the result to the upper-layer service. The "encryption/decryption engine module" mainly analyses upper-layer requests and, according to the request, schedules the two modules "algorithm library support" and "key management" to complete the encryption or decryption of the data. The "algorithm library support" module implements the data encryption and decryption algorithms, such as AES, 3DES and SM4; the "key management" module implements key management for the different algorithms and supports the encryption/decryption engine module.
Fig. 4 shows the application data redirection system framework diagram of the present invention.
The present invention adopts application data redirection: it takes over storage I/O access operations, changes I/O accesses according to the configured access control rules, and directs I/O access requests to a designated area, so that the data structures outside the environment are not affected.
In the virtual terminal security environment protection system, when a mobile phone application reads or writes data, the application is monitored and the request passes through the following modules:
1. Application signature analysis and comparison module: extracts the signature of the mobile phone application and matches the extracted signature against the data in the "application signature library". If matching data exists, the application's data I/O request is sent to the "application storage access monitoring" module for processing; otherwise it is handed to the phone's own system for processing.
2. Application signature library: stores the signatures of the mobile phone applications to be controlled.
3. Application storage access monitoring module: controls the access rights of data I/O requests. When it receives an I/O request passed down by the application signature analysis and comparison module, it calls the "application access control" module to analyse the I/O access control policy; I/O requests that need to be controlled are delivered to the "storage access redirection" module for processing, and the rest are handed to the phone's own system for processing.
4. Application access control module: according to the signature of the mobile phone application, analyses and matches the corresponding application access control policy and returns it to the "application storage access monitoring module".
5. Storage access redirection module (the key module): receives the data I/O requests that meet the access control policy. Requests that would otherwise be processed by the phone's own system are first handed to the "encrypted storage service" module for processing and, once that is complete, handed to the phone's own system. The "encrypted storage service" module corresponds to at least one of the virtual file encryption service module, the database encryption service module and the memory stream encryption service module of the storage service layer.
6. Encrypted storage service module: performs the encryption or decryption of the data and returns the result to the upper-layer module.
Figure 5 shows the framework of the storage service layer of the virtual terminal security environment protection system of the present invention.
According to the environment configuration, a mapping relationship is established between the redirected I/O operation and the original path, forming a virtual file (the path of the virtual file differs from the real path). I/O access to the virtual file invokes the encryption/decryption engine module according to the configured rules to encrypt or decrypt the data, which ensures the security of the data written to the physical storage device.
In the virtual terminal security environment protection system, a mobile phone application is monitored whenever it reads or writes data. Data I/O requests that satisfy the monitoring and application access control policies are sent by the storage access redirection module to the data encryption service module and processed in the following steps:
1. File transparent storage encryption service module: receives the data I/O request sent by the storage access redirection module, issues the data I/O request to the virtual file mapping management module, and returns the result to the calling module.
2. Virtual file mapping management module: establishes a mapping relationship between the source file of the data I/O request and the real file on the storage device, and issues the data I/O request.
3. Virtual file access module: receives the data I/O request and calls the encryption/decryption engine module to encrypt or decrypt the data; it returns decrypted data to the upper layer and provides encrypted data to the lower layer.
4. Encryption/decryption engine module: responsible for scheduling the encryption/decryption algorithm library and the key management module, encrypting or decrypting the data and returning the result to the calling module. The engine can call either the national cryptographic (SM) algorithm library of the algorithm library support module (including SM1, SM3, SM4, etc.) or the general-purpose algorithm library (BF, DES, 3DES, AES, etc.).
5. Physical file access module: according to the data I/O request, writes data to the storage device, or reads data from the storage device and returns it to the encryption/decryption engine module.
Figure 6 shows the usage flow of a company's mobile office system.
A. Log in to the virtual terminal security environment protection system on the smartphone and complete the necessary initialisation.
B. Enter the identity authentication system, which verifies the user's legitimate identity by one or more of the following: TF card, USB key, certificate, user password, dynamic one-time password.
C. If user identity verification fails, the failure information is recorded for later statistics, and the virtual terminal security environment protection system application then exits.
D. After authentication passes, the virtual terminal security environment protection system starts normal operation: the monitoring, redirection and encryption modules are started and the protection takes effect.
E. The data access monitoring service module analyses, according to the application matching rules, whether the program's data access behaviour is to be controlled.
F. The data access flow is forwarded to the storage access redirection module, which redirects the data according to the preset access control rules.
G. For the redirected data, the encryption/decryption engine module schedules the corresponding algorithm from the encryption library according to the configuration: written data is encrypted and read data is decrypted.
H. After the operation is complete, the user may, as required, continue working inside the virtual terminal security environment protection system or exit it.
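As an added example (not the patent's code, and not Beijing Wondersoft's product), the following Python sketch implements the pipeline described in the module list above and in steps E to G of the flow: signature comparison against a signature library, policy lookup, redirection of the original path to a virtual file inside a protected area, and encrypt-on-write/decrypt-on-read through an engine. Assumptions: the application "signature" is an opaque string looked up in a dictionary (a real system would verify the package signing certificate); the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for the SM4/AES algorithm library the page names, so that the example runs on the standard library alone; the phone's own file system is modelled as a plain directory; every path, signature and file content is constructed.

```python
"""Added illustration, not the patent's code: signature -> policy -> redirect -> encrypt."""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path


class EncryptionEngine:
    """Kernel security layer stand-in: HMAC-SHA256 counter-mode keystream plus an
    encrypt-then-MAC tag, used in place of the page's SM4/AES library (stdlib only)."""
    def __init__(self, master_key: bytes):
        # Key management: derive separate cipher and MAC keys from one master key.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, block = bytearray(), 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per write: identical files differ on disk
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("integrity check failed: tampered file or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class VirtualFileService:
    """Storage service layer: maps the app's original path to a real file inside the
    protected area (virtual path != real path) and routes all I/O through the engine."""
    def __init__(self, secure_root: Path, engine: EncryptionEngine):
        self.root = secure_root.resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        self.engine = engine

    def map_path(self, original: str) -> Path:
        # Real file named by a digest of the original path: the on-disk layout
        # reveals neither file names nor directory tree.
        real = (self.root / hashlib.sha256(original.encode()).hexdigest()).resolve()
        if real.parent != self.root:  # a mapping must never leave the protected area
            raise PermissionError(f"mapping escaped secure root: {original}")
        return real

    def write(self, original: str, data: bytes) -> Path:
        real = self.map_path(original)
        real.write_bytes(self.engine.encrypt(data))
        return real

    def read(self, original: str) -> bytes:
        return self.engine.decrypt(self.map_path(original).read_bytes())


class AccessMonitor:
    """Intelligent storage supervision layer: signature comparison, policy matching and
    redirection; unmatched requests go to the phone's own system (a plain directory here)."""
    def __init__(self, signature_library: dict, policies: dict, service, passthrough_root: Path):
        self.signature_library = signature_library  # app signature -> app name
        self.policies = policies                    # app name -> controlled path prefixes
        self.service = service
        self.passthrough_root = passthrough_root

    def handle_io(self, app_signature: str, op: str, path: str, data: bytes = b""):
        app = self.signature_library.get(app_signature)  # signature analysis and comparison
        controlled = app is not None and any(             # application access control policy
            path.startswith(prefix) for prefix in self.policies.get(app, ()))
        if not controlled:                                # left to the phone's own system
            plain = self.passthrough_root / path.lstrip("/")
            plain.parent.mkdir(parents=True, exist_ok=True)
            if op == "write":
                plain.write_bytes(data)
                return "passthrough", plain
            return "passthrough", plain.read_bytes()
        if op == "write":                                 # redirected into encrypted storage
            return "redirected", self.service.write(path, data)
        return "redirected", self.service.read(path)


def demo() -> dict:
    """Constructed scenario: one controlled office app, one unknown app, one tamper attempt."""
    base = Path(tempfile.mkdtemp())
    engine = EncryptionEngine(secrets.token_bytes(32))
    monitor = AccessMonitor({"sig-office": "mobile_office"},          # constructed signature
                            {"mobile_office": ("/sdcard/office/",)},
                            VirtualFileService(base / "secure", engine), base / "phone")
    secret = b"case file 2014-02: witness statement"
    status, real = monitor.handle_io("sig-office", "write", "/sdcard/office/case.doc", secret)
    on_disk = real.read_bytes()
    _, back = monitor.handle_io("sig-office", "read", "/sdcard/office/case.doc")
    other, plain = monitor.handle_io("sig-unknown", "write", "/sdcard/office/note.txt", b"hi")
    tampered = bytearray(on_disk)
    tampered[20] ^= 1                                     # flip a ciphertext byte; MAC must reject
    try:
        engine.decrypt(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"status": status, "plaintext_on_disk": secret in on_disk, "roundtrip": back == secret,
            "other_app": other, "other_in_clear": plain.read_bytes() == b"hi",
            "tamper_detected": tamper_detected}
```

Call demo() to run the scenario. Two points the description leaves implicit are visible here: the real file name is derived from the original path, so the protected directory reveals no file names, and the integrity tag means a file modified outside the environment is rejected on read rather than silently decrypted to garbage. A deployment would also need to bind the master key to the identity authentication step (B and D above) instead of generating it per process, and to verify the application signature cryptographically rather than by dictionary lookup.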
The mobile phone application above may be replaced by applications on other mobile intelligent terminals, such as PDAs, mobile computers and tablet computers.
The technical solution proposed by the present invention effectively protects the security of core application data and prevents data leakage. Because data inside and outside the environment is isolated, the two do not affect each other. Because all data operations are transparent to the user, the user's habits need not change. Because the data on the mobile terminal is encrypted, the data remains secure even if it is lost.
For example, with the technical solution proposed by the present invention adopted in the mobile policing scenario mentioned in the background art, once link and access security are solved, the present invention additionally protects the terminal's local data: the business data is stored entirely inside the virtual terminal security environment protection system, it cannot be seen after the environment is exited, and no leak occurs even if the device is lost, which assists the security of mobile policing.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (12)

1. A protection system for a virtual terminal security environment based on identity authentication, the system comprising an intelligent storage supervision layer, a storage service layer and a kernel security layer, wherein the intelligent storage supervision layer comprises an application data access monitoring module, a storage access redirection module and an application data access control module; the application data access monitoring module captures the read/write requests of an application to the storage device and passes them to the application data access control module for analysis; the application data access control module matches the application's data access behaviour against the configured access control rules and, for data access that needs to be processed, changes the original delivery path through the storage access redirection module and sends the request to the storage service layer for processing;
the storage service layer is responsible for processing the data read/write requests passed down by the intelligent supervision layer, transmitting file or data encryption or decryption requests to the kernel security layer, and recording the file mapping relationships;
the kernel security layer provides encryption and decryption support for the storage service layer, scheduling different algorithms on demand; it receives the data encryption or decryption requests passed over by the storage service layer, performs the encryption or decryption operation on the data, and returns the result to the storage service layer.
2. The system according to claim 1, wherein the storage service layer comprises a virtual file encryption service module, a database encryption service module and a memory stream encryption service module; when a data read/write request reaches the storage service layer, the type of data access is analysed first and the request is delivered, according to its access type, to the virtual file encryption service module, the database encryption service module or the memory stream encryption service module respectively for processing.
3. The system according to claim 2, wherein the virtual file encryption service module, the database encryption service module and the memory stream encryption service module process data read/write requests for files, databases and memory respectively, the three modules handling data access as follows: on a data read request, the service provided by the kernel security layer is called to decrypt the data; on a data write request, the service provided by the kernel security layer is called to encrypt the data.
4. The system according to any one of claims 1-3, wherein the kernel security layer comprises an encryption/decryption engine module, an algorithm library support module and a key management module; the encryption/decryption engine module analyses requests from the upper layer, schedules the algorithm library support module and the key management module according to the request, and completes the encryption or decryption of the data, wherein the algorithm library support module implements the data encryption and decryption algorithms and the key management module implements key management for the different algorithms, providing support for the encryption/decryption engine module.
5. The system according to any one of claims 1-3, wherein the application data access monitoring module comprises an application signature analysis and comparison module and an application signature library, the application signature library storing the signatures of the applications to be controlled;
the application data access control module comprises an application storage access monitoring module and an application access control module;
the system takes over the storage read/write access operations of the application by means of storage access redirection technology, changes the storage read/write access according to the configured access control rules, and directs the storage read/write access requests to a designated area, so that the data structure outside the system is not affected; the specific process is as follows: the application signature analysis and comparison module extracts the signature of the application and matches it against the data in the application signature library; if a match exists, the application's data read/write request is passed to the application storage access monitoring module for processing; when the application storage access monitoring module receives the data read/write request passed down by the application signature analysis and comparison module, it calls the application access control module, analyses the data read/write control policy, and delivers the data read/write requests that need to be controlled to the storage access redirection module for processing;
the application access control module analyses and matches, according to the application's signature, the corresponding application access control policy and returns the access control policy to the application storage access monitoring module;
the storage access redirection module receives the data read/write requests that satisfy the access control policy, hands them to the encrypted storage service module for processing, and, after the encryption or decryption of the data is complete, returns the result to the upper layer for processing.
6. The system according to any one of claims 1-3, wherein the virtual file encryption service module comprises a file transparent storage encryption service module, a virtual file mapping management module and a virtual file access module;
the storage service layer, according to the environment configuration, establishes a mapping relationship between the redirected data read/write operation and the original path, forming a virtual file whose path differs from the path of the real file; read/write access to the virtual file calls the encryption/decryption engine module according to the configured rules to encrypt or decrypt the data, ensuring the security of the data written to the physical storage device; the specific steps are as follows:
the file transparent storage encryption service module receives the data read/write request sent by the storage access redirection module, issues the data read/write request to the virtual file mapping management module, and returns the result;
the virtual file mapping management module establishes a mapping relationship between the source file of the data read/write request and the real file on the storage device, and issues the data read/write request;
the virtual file access module receives the data read/write request and calls the encryption/decryption engine module to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer;
the encryption/decryption engine module schedules the algorithm library support module and the key management module to encrypt or decrypt the data, and returns the result to the virtual file access module;
a physical file access module, according to the data read/write request, writes data to the storage device, or reads data from the storage device and returns it to the encryption/decryption engine module.
7. A protection method for a virtual terminal security environment based on identity authentication, applied in a virtual terminal security environment protection system comprising an intelligent storage supervision layer, a storage service layer and a kernel security layer, wherein the intelligent storage supervision layer comprises an application data access monitoring module, a storage access redirection module and an application data access control module, the storage service layer comprises a virtual file encryption service module, a database encryption service module and a memory stream encryption service module, and the kernel security layer comprises a key management module, an encryption/decryption engine module and an algorithm library support module, the method comprising the steps of:
an application initiating a read/write request to the storage device; the application data access monitoring module capturing the application's read/write request to the storage device and passing it to the application data access control module for analysis; the application data access control module matching the application's data access behaviour against the configured access control rules and, for data access that needs to be processed, changing the original delivery path through the storage access redirection module and sending the request to the storage service layer for processing;
the storage service layer receiving the data read/write request passed down by the intelligent supervision layer, transmitting the file or data encryption or decryption request to the kernel security layer, and recording the file mapping relationships;
the kernel security layer receiving the data encryption or decryption request passed over by the storage service layer, performing the encryption or decryption operation on the data, and returning the result to the storage service layer.
8. The method according to claim 7, wherein, when a data read/write request reaches the storage service layer, the type of data access is analysed first and the request is delivered, according to its access type, to the virtual file encryption service module, the database encryption service module or the memory stream encryption service module respectively for processing.
9. The method according to claim 8, wherein the virtual file encryption service module, the database encryption service module and the memory stream encryption service module process data read/write requests for files, databases and memory respectively, the three modules handling data access as follows: on a data read request, the service provided by the kernel security layer is called to decrypt the data; on a data write request, the service provided by the kernel security layer is called to encrypt the data.
10. The method according to any one of claims 7-9, wherein the encryption/decryption engine module analyses requests from the upper layer, schedules the algorithm library support module and the key management module according to the request, and completes the encryption or decryption of the data, wherein the algorithm library support module implements the data encryption and decryption algorithms and the key management module implements key management for the different algorithms, providing support for the encryption/decryption engine module.
11. The method according to any one of claims 7-9, wherein the application data access monitoring module comprises an application signature analysis and comparison module and an application signature library, the application signature library storing the signatures of the applications to be controlled;
the application data access control module comprises an application storage access monitoring module and an application access control module;
the system takes over the storage read/write access operations of the application by means of storage access redirection technology, changes the storage read/write access according to the configured access control rules, and directs the storage read/write access requests to a designated area, so that the data structure outside the system is not affected; the specific process is as follows: the application signature analysis and comparison module extracts the signature of the application and matches it against the data in the application signature library; if a match exists, the application's data read/write request is passed to the application storage access monitoring module for processing; when the application storage access monitoring module receives the data read/write request passed down by the application signature analysis and comparison module, it calls the application access control module, analyses the data read/write control policy, and delivers the data read/write requests that need to be controlled to the storage access redirection module for processing;
the application access control module analyses and matches, according to the application's signature, the corresponding application access control policy and returns the access control policy to the application storage access monitoring module;
the storage access redirection module receives the data read/write requests that satisfy the access control policy, hands them to the encrypted storage service module for processing, and, after the encryption or decryption of the data is complete, returns the result to the upper layer for processing.
12. The method according to any one of claims 7-9, wherein the virtual file encryption service module comprises a file transparent storage encryption service module, a virtual file mapping management module and a virtual file access module;
the storage service layer, according to the environment configuration, establishes a mapping relationship between the redirected data read/write operation and the original path, forming a virtual file whose path differs from the path of the real file; read/write access to the virtual file calls the encryption/decryption engine module according to the configured rules to encrypt or decrypt the data, ensuring the security of the data written to the physical storage device; the specific steps are as follows:
the file transparent storage encryption service module receives the data read/write request sent by the storage access redirection module, issues the data read/write request to the virtual file mapping management module, and returns the result;
the virtual file mapping management module establishes a mapping relationship between the source file of the data read/write request and the real file on the storage device, and issues the data read/write request;
the virtual file access module receives the data read/write request and calls the encryption/decryption engine module to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer;
the encryption/decryption engine module schedules the algorithm library support module and the key management module to encrypt or decrypt the data, and returns the result to the virtual file access module;
a physical file access module, according to the data read/write request, writes data to the storage device, or reads data from the storage device and returns it to the encryption/decryption engine module.
CN201410062426.XA 2014-02-24 2014-02-24 Identity authentication based virtual terminal safety environment protection method and system Active CN103778384B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410062426.XA CN103778384B (en) 2014-02-24 2014-02-24 Identity authentication based virtual terminal safety environment protection method and system

Publications (2)

Publication Number Publication Date
CN103778384A true CN103778384A (en) 2014-05-07
CN103778384B CN103778384B (en) 2016-09-28

Family

ID=50570605

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410062426.XA Active CN103778384B (en) 2014-02-24 2014-02-24 Identity authentication based virtual terminal safety environment protection method and system

Country Status (1)

Country Link
CN (1) CN103778384B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040250110A1 (en) * 2003-03-28 2004-12-09 Wray Michael John Security policy in trusted computing systems
CN102184372A (en) * 2011-05-27 2011-09-14 北京洋浦伟业科技发展有限公司 Reverse-sandbox-based mobilephone payment protection method
CN102542187A (en) * 2010-12-23 2012-07-04 盛趣信息技术(上海)有限公司 Method for improving safety performance of computers on basis of safety sandbox
CN103107994A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 Vitualization environment data security partition method and system

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105335663A (en) * 2015-10-22 2016-02-17 武汉理工大学 Encrypted file system based on double-image file
CN105335663B (en) * 2015-10-22 2018-08-03 武汉理工大学 A kind of encrypted file system based on double image file
CN106874731A (en) * 2017-04-14 2017-06-20 深信服科技股份有限公司 A kind of application layer multi-user method and device based on terminal
CN107330324A (en) * 2017-05-18 2017-11-07 深信服科技股份有限公司 The method for deleting and erasing apparatus of a kind of application data
CN107256362A (en) * 2017-06-13 2017-10-17 深信服科技股份有限公司 A kind of application layer file system partition method and device
CN107256362B (en) * 2017-06-13 2020-11-27 深信服科技股份有限公司 Application-level file system isolation method and device
CN109145631A (en) * 2017-06-15 2019-01-04 上海长城计算机网络工程有限公司 A kind of database information security system
CN107197075A (en) * 2017-07-03 2017-09-22 深圳市海邻科信息技术有限公司 Clean boot means of defence, device and computer-readable recording medium
CN107197075B (en) * 2017-07-03 2019-11-05 深圳市海邻科信息技术有限公司 Clean boot means of defence, device and computer readable storage medium
WO2019174647A1 (en) * 2018-03-16 2019-09-19 何小林 Data protection system and method for disk array
WO2019174646A1 (en) * 2018-03-16 2019-09-19 何小林 Method and system for protecting raid array data security by means of trusted channel technology.
CN108427895A (en) * 2018-03-16 2018-08-21 何小林 Data of magnetic disk array protects system and method
CN110392035A (en) * 2018-04-20 2019-10-29 罗德施瓦兹两合股份有限公司 System and method for secure data processing
CN109117664A (en) * 2018-07-19 2019-01-01 北京明朝万达科技股份有限公司 The access control method and device of application program
CN109117664B (en) * 2018-07-19 2020-11-10 北京明朝万达科技股份有限公司 Access control method and device for application program
CN109829324A (en) * 2019-02-21 2019-05-31 青岛海信电子设备股份有限公司 A kind of method and mobile terminal of data safety storage and quick calling
CN109829324B (en) * 2019-02-21 2023-02-17 青岛海信电子设备股份有限公司 Method for safely storing and quickly calling data and mobile terminal
CN110134339A (en) * 2019-05-22 2019-08-16 北京明朝万达科技股份有限公司 A kind of data guard method and system based on file virtual disk
CN110889133B (en) * 2019-11-07 2022-03-15 中国科学院信息工程研究所 Anti-network tracking privacy protection method and system based on identity behavior confusion
CN110889133A (en) * 2019-11-07 2020-03-17 中国科学院信息工程研究所 Anti-network tracking privacy protection method and system based on identity behavior confusion
CN112016130A (en) * 2020-08-20 2020-12-01 杭州银核存储区块链有限公司 Terminal data leakage protection method
CN112131555A (en) * 2020-09-28 2020-12-25 数据通信科学技术研究所 5G mobile terminal local data entrance guard type safety management device and method
CN114979272A (en) * 2022-06-17 2022-08-30 贵州东彩供应链科技有限公司 File storage system based on ecological animal husbandry platform
CN115378659A (en) * 2022-07-28 2022-11-22 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-grained access control method based on user identity
CN115378659B (en) * 2022-07-28 2024-04-16 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-granularity access control method based on user identity
CN115329389A (en) * 2022-10-17 2022-11-11 中安网脉(北京)技术股份有限公司 File protection system and method based on data sandbox
CN115361229A (en) * 2022-10-17 2022-11-18 太极计算机股份有限公司 Secure sharing method and system for government public data

Also Published As

Publication number Publication date
CN103778384B (en) 2016-09-28

Similar Documents

Publication Publication Date Title
CN103778384A (en) Identity authentication based virtual terminal safety environment protection method and system
CN111191286B (en) HyperLegger Fabric block chain private data storage and access system and method thereof
Braun et al. Security and privacy challenges in smart cities
CN102340400B (en) Method and apparatus for bearer and server independent parental control of a smartphone, using a second smartphone
CN101361076B (en) Mobile memory system for secure storage and delivery of media content
CA3098247A1 (en) Systems, methods, and devices for secure blockchain transaction and subnetworks
CN103686716B (en) Android access control system for enhancing confidentiality and integrality
CN101470783B (en) Identity recognition method and device based on trusted platform module
CN102136048B (en) Mobile phone Bluetooth-based ambient intelligent computer protection device and method
CN104794388B (en) application program access protection method and application program access protection device
CN101506815A (en) Bi-processor architecture for secure systems
CN102930221A (en) Method for protecting data in handheld equipment
CN103530570A (en) Electronic document safety management system and method
CN1939028A (en) Accessing protected data on network storage from multiple devices
CN103051664A (en) File management method and device for cloud storage system as well as cloud storage system
CN104123506A (en) Data access method and device and data encryption storage and access method and device
CN105745660A (en) Technologies for supporting multiple digital rights management protocols on a client device
CN104200176A (en) System and method for carrying out transparent encryption and decryption on file in intelligent mobile terminal
CN111274599A (en) Data sharing method based on block chain and related device
CN103929312A (en) Mobile terminal and method and system for protecting individual information of mobile terminal
CN104021335A (en) Password service method based on extensible password service framework
CN102984125A (en) System and method of isolating mobile data
CN104955043B (en) A kind of intelligent terminal security protection system
CN105022965B (en) A kind of data ciphering method and device
KR101657243B1 (en) Online secret data managing system and method of the same

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100097 Beijing city Haidian District landianchang Road No. 25 North International Building Jiayou two layer

Applicant after: Beijing Mingchaowanda Technology Co., Ltd.

Address before: 100088 Beijing city Haidian District Zhichun Road Tai Yue Park 3 Building 6 layer

Applicant before: Beijing Wonder-soft Co., Ltd.

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Wang Zhihua

Inventor after: Peng Hongtao

Inventor after: Wang Zhigang

Inventor after: Yu Bo

Inventor after: Wang Zhihai

Inventor after: He Jinhao

Inventor before: Wang Zhigang

Inventor before: Peng Hongtao

Inventor before: Yu Bo

Inventor before: Wang Zhihai

Inventor before: He Jinhao

CB03 Change of inventor or designer information