Authentication-based protection method and system for a virtual terminal security environment
Technical field
The present invention relates to the field of data security, and in particular to an authentication-based protection method and system for a virtual terminal security environment.
Background art
As applications on intelligent terminals such as mobile phones become ever more widespread, protecting the data on those terminals becomes ever more urgent. In recent years, for example, the rapid development of mobile networks has given mobile policing a larger stage; because of the particular nature of that work, it requires the network to offer better security. A mobile network is an open environment for everyone, and anyone can intercept other people's information. Attention has therefore been focused on link and access security, while the security of local applications and local data is often neglected, so that the loss or failure of a mobile device can have serious consequences. At present there are mobile phone applications on the market that resemble sandbox technology, as described below:
A. Mobile phone sandbox software can configure different modes and application layouts; on entering a mode only the configured applications can be used, and on exiting there is no effect on the phone's real environment.
Fig. 1 shows the data protection flow of mobile phone sandbox technology, which comprises:
1) starting the sandbox environment on the phone;
2) after entering the sandbox, monitoring the various I/O operations of the system;
3) redirecting data written to storage, thereby protecting the real data;
4) after data processing is complete, exiting the sandbox environment and cancelling the monitoring of system I/O;
5) judging whether the data in the sandbox is to be retained;
6) if it is retained, saving the data to the storage device and ending the flow;
7) if it is not retained, clearing the data and ending the flow.
B. The privacy protection function of mobile phone security software can move the relevant personal data into a secure vault; data placed in the vault is invisible outside it and can be operated on only within it.
Fig. 2 shows the data protection flow of this privacy protection technology, which comprises:
1) the phone enters a closed security environment;
2) data from outside the environment is placed into the environment and encrypted automatically, and the original data is removed;
3) the data in the environment is viewed, modified and saved;
4) the closed security environment is exited;
5) the flow ends.
However, the above technologies have shortcomings:
A. With sandbox technology, data cannot be kept inside the environment and cannot be preserved, so there is a risk of data leakage.
B. With privacy protection technology, adding data is entirely a manual operation, and no protection is provided for the data that applications actually produce.
Summary of the invention
Starting from actual needs and applications, the present invention builds an authentication-based virtual terminal security environment protection system which automatically encrypts the data produced by certain applications inside the environment and also allows selected data to be encrypted manually. Data produced inside the environment can only be used inside it, and is invisible or unusable outside; the inside of the environment can use data from outside, but the outside cannot use data from inside, so the two do not interfere with each other.
To solve the above technical problem, the present invention proposes an authentication-based virtual terminal security environment protection system comprising an intelligent storage supervision layer, a storage service layer and a kernel security layer. The intelligent storage supervision layer comprises an application data access monitoring module, a storage access redirection module and an application data access control module. Read/write requests issued by an application to the storage device are captured by the application data access monitoring module and then sent to the application data access control module for analysis; according to the configured access control rules, the application data access control module matches the application's data access behaviour, and for data accesses that need to be processed, the storage access redirection module changes the original path to which the request was issued and sends the request to the storage service layer for processing;
The storage service layer is responsible for processing the data read/write requests passed down by the intelligent supervision layer, sending encryption or decryption requests for files or data to the kernel security layer, and recording the file mapping relations;
The kernel security layer provides encryption and decryption support to the storage service layer, scheduling different algorithms as required: it receives the data encryption or decryption requests passed over by the storage service layer, performs the encryption or decryption operation on the data, and returns the result to the storage service layer.
Further, the storage service layer comprises a virtual file encryption service module, a database encryption service module and a memory stream encryption service module; when a data read/write request arrives at the storage service layer, the type of data access is first analysed and, according to the access type, the request is passed to the virtual file encryption service module, the database encryption service module or the memory stream encryption service module for processing.
Further, the virtual file encryption service module, database encryption service module and memory stream encryption service module process data read/write requests for files, databases and memory respectively. Each of the three modules handles a data access as follows: when reading data, it calls the service provided by the kernel security layer to decrypt the data; when writing data, it calls the service provided by the kernel security layer to encrypt the data.
Further, the kernel security layer comprises an encryption/decryption engine module, an algorithm library support module and a key management module. The encryption/decryption engine module is responsible for analysing requests from the upper layer and, according to the request, scheduling the algorithm library support module and the key management module to complete the encryption or decryption of the data; the algorithm library support module implements the data encryption and decryption algorithms, and the key management module implements key management for the different algorithms in support of the encryption/decryption engine module.
Further, the application data access monitoring module comprises an application signature analysis and comparison module and an application signature library, the application signature library storing the signatures of the applications that are to be controlled;
The application data access control module comprises an application storage access monitoring module and an application access control module;
The system takes over the storage read/write access operations of applications by means of storage access redirection: according to the configured access control rules it alters the storage read/write access and directs storage read/write requests to a designated area, so that data structures outside the system are not affected. The specific implementation is as follows:
The application signature analysis and comparison module extracts the signature of the application and matches the extracted signature against the data in the application signature library; if a match is found, the application's data read/write request is sent to the application storage access monitoring module for processing;
When the application storage access monitoring module receives a data read/write request passed down by the application signature analysis and comparison module, it calls the application access control module to analyse the data read/write control policy, and passes the requests that need to be controlled to the storage access redirection module for processing;
The application access control module analyses and matches, according to the application's signature, the application access control policy corresponding to it, and returns the access control policy to the application storage access monitoring module;
The storage access redirection module receives the data read/write requests that meet the access control policy and hands them to the encrypted storage service module for processing; once the encryption or decryption of the data is complete, the result is returned to the upper layer for processing.
Further, the virtual file encryption service module comprises a file transparent storage encryption service module, a virtual file mapping management module and a virtual file access module;
According to the environment configuration, the storage service layer establishes a mapping relation between the redirected data read/write operation and the original path, forming a virtual file whose path differs from the path of the real file. Read/write access to the virtual file invokes the encryption/decryption engine module according to the configured rules to perform the encryption or decryption operation, ensuring the security of the data written to the physical storage device. The specific steps are as follows:
The file transparent storage encryption service module receives the data read/write request sent over by the storage access redirection module, issues the data read/write request on to the virtual file mapping management module, and returns the result;
The virtual file mapping management module establishes a mapping relation between the source file of the data read/write request and the real file on the storage device, and issues the data read/write request;
The virtual file access module receives the data read/write request and calls the encryption/decryption engine module to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer;
The encryption/decryption engine module is responsible for scheduling the algorithm library support module and the key management module to encrypt or decrypt the data, and returns the result to the virtual file access module;
The physical file access module, according to the data read/write request, writes data to the storage device or reads data from the storage device and returns it to the encryption/decryption engine module.
To solve the above technical problem, the present invention also proposes an authentication-based protection method for a virtual terminal security environment, applied in a virtual terminal security environment protection system comprising an intelligent storage supervision layer, a storage service layer and a kernel security layer; the intelligent storage supervision layer comprises an application data access monitoring module, a storage access redirection module and an application data access control module, the storage service layer comprises a virtual file encryption service module, a database encryption service module and a memory stream encryption service module, and the kernel security layer comprises a key management module, an encryption/decryption engine module and an algorithm library support module. The method comprises the following steps:
An application issues a read/write request to the storage device; the application data access monitoring module captures the request and sends it to the application data access control module for analysis; according to the configured access control rules, the application data access control module matches the application's data access behaviour, and for data accesses that need to be processed, the storage access redirection module changes the original path to which the request was issued and sends the request to the storage service layer for processing;
The storage service layer receives the data read/write request passed down by the intelligent supervision layer, sends the encryption or decryption request for the file or data to the kernel security layer, and records the file mapping relation;
The kernel security layer receives the data encryption or decryption request passed over by the storage service layer, performs the encryption or decryption operation on the data, and returns the result to the storage service layer.
Further, when a data read/write request arrives at the storage service layer, the type of data access is first analysed and, according to the access type, the request is passed to the virtual file encryption service module, the database encryption service module or the memory stream encryption service module for processing.
Further, the virtual file encryption service module, database encryption service module and memory stream encryption service module process data read/write requests for files, databases and memory respectively. Each of the three modules handles a data access as follows: when reading data, it calls the service provided by the kernel security layer to decrypt the data; when writing data, it calls the service provided by the kernel security layer to encrypt the data.
Further, the encryption/decryption engine module is responsible for analysing requests from the upper layer and, according to the request, scheduling the algorithm library support module and the key management module to complete the encryption or decryption of the data; the algorithm library support module implements the data encryption and decryption algorithms, and the key management module implements key management for the different algorithms in support of the encryption/decryption engine module.
Further, the application data access monitoring module comprises an application signature analysis and comparison module and an application signature library, the application signature library storing the signatures of the applications that are to be controlled;
The application data access control module comprises an application storage access monitoring module and an application access control module;
The system takes over the storage read/write access operations of applications by means of storage access redirection: according to the configured access control rules it alters the storage read/write access and directs storage read/write requests to a designated area, so that data structures outside the system are not affected. The specific implementation is as follows:
The application signature analysis and comparison module extracts the signature of the application and matches the extracted signature against the data in the application signature library; if a match is found, the application's data read/write request is sent to the application storage access monitoring module for processing;
When the application storage access monitoring module receives a data read/write request passed down by the application signature analysis and comparison module, it calls the application access control module to analyse the data read/write control policy, and passes the requests that need to be controlled to the storage access redirection module for processing;
The application access control module analyses and matches, according to the application's signature, the application access control policy corresponding to it, and returns the access control policy to the application storage access monitoring module;
The storage access redirection module receives the data read/write requests that meet the access control policy and hands them to the encrypted storage service module for processing; once the encryption or decryption of the data is complete, the result is returned to the upper layer for processing.
Further, the virtual file encryption service module comprises a file transparent storage encryption service module, a virtual file mapping management module and a virtual file access module;
According to the environment configuration, the storage service layer establishes a mapping relation between the redirected data read/write operation and the original path, forming a virtual file whose path differs from the path of the real file. Read/write access to the virtual file invokes the encryption/decryption engine module according to the configured rules to perform the encryption or decryption operation, ensuring the security of the data written to the physical storage device. The specific steps are as follows:
The file transparent storage encryption service module receives the data read/write request sent over by the storage access redirection module, issues the data read/write request on to the virtual file mapping management module, and returns the result;
The virtual file mapping management module establishes a mapping relation between the source file of the data read/write request and the real file on the storage device, and issues the data read/write request;
The virtual file access module receives the data read/write request and calls the encryption/decryption engine module to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer;
The encryption/decryption engine module is responsible for scheduling the algorithm library support module and the key management module to encrypt or decrypt the data, and returns the result to the virtual file access module;
The physical file access module, according to the data read/write request, writes data to the storage device or reads data from the storage device and returns it to the encryption/decryption engine module.
The technical solution proposed by the present invention yields the following beneficial technical effects:
A. the security of core application data is protected and data leakage is prevented;
B. data inside and outside the environment are isolated and do not interfere with each other;
C. because encryption and decryption are transparent to the user, the user's operating habits are unaffected;
D. even if the terminal is lost, the data, being encrypted, cannot easily be read, which guarantees its security.
Description of the drawings
Fig. 1 is the data protection flow chart of mobile phone sandbox technology.
Fig. 2 is the data protection flow chart of privacy protection technology.
Fig. 3 is the overall system framework diagram of the present invention.
Fig. 4 is the data storage redirection framework diagram of the present invention.
Fig. 5 is the block diagram of the virtual terminal security environment protection system of the present invention.
Fig. 6 is the usage flow of a company mobile office system according to the present invention.
Detailed description of the embodiments
Fig. 3 is the overall system framework diagram of the present invention.
The authentication-based virtual terminal security environment protection system proposed by the present invention is divided into three levels: the intelligent storage supervision layer, the storage service layer and the kernel security layer. The intelligent supervision layer monitors and analyses the data access behaviour of applications and acts according to the configured rules, its redirection module diverting I/O accesses according to the access control rules; the storage service layer encrypts or decrypts files or data and records the file mapping relations; the kernel security layer is the foundation of the whole framework, providing key management and encryption/decryption support to the storage service layer and scheduling different algorithms as required.
The intelligent storage supervision layer, at the top of the overall framework, is mainly responsible for monitoring the accesses of mobile phone applications to the storage device, analysing their read/write operations, and sending read/write requests down to the lower-layer service according to the access control rules. For example, when an application on the phone writes data to the storage device within the virtual terminal security environment protection system, the write is first captured by the "application data access monitoring" module of this layer, and the application's read/write behaviour is then passed to the "application data access control" module for analysis. According to the configured access control rules, the application data access control module matches and analyses the application's data access behaviour; data accesses that need to be processed are sent to the lower-layer service through the "storage access redirection module", while those that do not are handed to the system for ordinary processing. The storage redirection module changes the original path to which a data access that needs processing was issued and hands it to the "system storage service layer" provided by the present system.
The storage service layer, in the middle of the overall architecture, acts as the link between the layers above and below: it is mainly responsible for processing the data I/O requests passed down by the upper layer and encrypting or decrypting the data. When a data I/O request arrives at this layer, the type of data access is first analysed and, according to the access type, the request is passed to one of three modules: "virtual file encryption service", "database encryption service" or "memory stream encryption service". The virtual file encryption service module mainly processes data I/O requests for files; when data is read it calls the service provided by the "kernel security layer" to decrypt the data, and otherwise it performs the data encryption operation. The other two modules behave similarly to the "virtual file encryption service" and their processing is not repeated here.
The kernel security layer, at the bottom of the overall architecture, is the foundation on which the virtual terminal security environment protection system runs; it receives the data encryption or decryption requests passed down by the upper layer, performs the encryption or decryption operation on the data, and returns the result to the upper-layer service. The "encryption/decryption engine module" is mainly responsible for analysing upper-layer requests and, according to the request, scheduling the two modules "algorithm library support" and "key management" to complete the encryption or decryption of the data. The "algorithm library support" module implements the data encryption and decryption algorithms, such as AES, 3DES and SM4; the "key management" module implements key management for the different algorithms in support of the encryption/decryption engine module.
Fig. 4 shows the application data redirection system framework diagram of the present invention.
The present invention uses application data redirection to take over storage I/O access operations: according to the configured access control rules, it alters the I/O access and directs I/O access requests to a designated area, so that data structures outside the environment are not affected.
In the virtual terminal security environment protection system, when a mobile phone application reads or writes data, the application is monitored and the request passes through the following modules:
1. The application signature analysis and comparison module is responsible for extracting the signature of the mobile phone application and matching the extracted signature against the data in the "application signature library"; if a match is found, the application's data I/O request is sent to the "application storage access monitoring" module for processing, otherwise it is handed to the phone's own system.
2. The application signature library stores the signatures of the mobile phone applications that are to be controlled.
3. The application storage access monitoring module is responsible for access-permission control of data I/O requests. When it receives an I/O request passed down by the application signature analysis and comparison module, it calls the "application access control" module to analyse the I/O access control policy, passes the I/O requests that need to be controlled to the "storage access redirection" module for processing, and hands the others to the phone's own system.
4. The application access control module analyses and matches, according to the signature of the mobile phone application, the application access control policy corresponding to it, and returns the access control policy to the "application storage access monitoring module".
5. The storage access redirection module (a key module) receives the data I/O requests that meet the access control policy; requests that would otherwise be handled by the phone's own system are first handed to the "encrypted storage service" module for processing and, once processing is complete, passed back to the phone's own system. The "encrypted storage service" module corresponds to at least one of the virtual file encryption service module, database encryption service module and memory stream encryption service module of the storage service layer.
6. The encrypted storage service module is responsible for the encryption or decryption of the data and returns the result to the upper-layer module.
Fig. 5 shows the framework diagram of the storage service layer of the virtual terminal security environment protection system of the present invention.
According to the environment configuration, a mapping relation is established between the redirected I/O operation and the original path, forming a virtual file (the path of the virtual file differs from the real path). I/O access to the virtual file invokes the encryption/decryption engine module according to the configured rules to perform the encryption or decryption operation, ensuring the security of the data written to the physical storage device.
In the virtual terminal security environment protection system, when a mobile phone application reads or writes data the application is monitored; a data I/O request that is monitored and meets the application access control policy is sent by the storage access redirection module to the data encryption service module and processed in the following steps:
1. The file transparent storage encryption service module is responsible for receiving the data I/O request sent over by the "storage access redirection module", sending the data I/O request on to the "virtual file mapping management" module, and returning the result to the calling module.
2. The virtual file mapping management module establishes a mapping relation between the source file of the data I/O request and the real file on the storage device, and issues the data I/O request.
3. The virtual file access module receives the data I/O request and calls the "encryption/decryption engine module" to encrypt or decrypt the data, returning decrypted data to the upper layer and providing encrypted data to the lower layer.
4. The encryption/decryption engine module is responsible for scheduling the encryption/decryption algorithm library and the key management module to encrypt or decrypt the data, and returns the result to the calling module; the engine may call either the national (SM) algorithm library in the algorithm library support module (comprising SM1, SM3, SM4, etc.) or the general-purpose algorithm library (BF, DES, 3DES, AES, etc.).
5. The physical file access module, according to the data I/O request, writes data to the storage device or reads data from the storage device and returns it to the encryption/decryption engine module.
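As an added illustration that is not part of the patent text, the following Go program models the redirection and transparent encryption path described in Figs. 4 and 5: a signature library and one access control rule (supervision layer), a virtual file mapping from the original path to a real path under a protected root (storage service layer), and AES-GCM from the Go standard library standing in for the engine's AES/SM4 algorithm library (kernel security layer), with an in-memory map standing in for the physical storage device. All paths, signature values and the key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var errNoFile = errors.New("no such file")

// Policy is one access control rule: paths under ControlledPrefix are redirected into VirtualRoot.
type Policy struct {
	ControlledPrefix string
	VirtualRoot      string
}

// Guard links the three layers: signature library and rule matching (supervision layer), virtual
// file mapping (storage service layer) and AES-GCM standing in for the AES/SM4 library (kernel layer).
type Guard struct {
	Sigs    map[string]bool   // application signature library (constructed values)
	Rule    Policy
	Mapping map[string]string // virtual file mapping: original path -> real path
	Dev     map[string][]byte // stands in for the physical storage device
	aead    cipher.AEAD
}

// NewGuard takes the key from the (modelled) key management module.
func NewGuard(sigs map[string]bool, rule Policy, key []byte) (*Guard, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Guard{Sigs: sigs, Rule: rule, Mapping: map[string]string{},
		Dev: map[string][]byte{}, aead: aead}, nil
}

// controlled is the supervision-layer decision: the application must be in
// the signature library and the path must match the access control rule.
func (g *Guard) controlled(appSig, p string) bool {
	return g.Sigs[appSig] && strings.HasPrefix(p, g.Rule.ControlledPrefix)
}

// redirect creates or looks up the mapping from the original path to the real file under VirtualRoot.
func (g *Guard) redirect(orig string) string {
	if real, ok := g.Mapping[orig]; ok {
		return real
	}
	h := sha256.Sum256([]byte(orig))
	real := g.Rule.VirtualRoot + "/" + hex.EncodeToString(h[:8])
	g.Mapping[orig] = real
	return real
}

// Write encrypts controlled data before it reaches the device, binding the real path as associated data.
func (g *Guard) Write(appSig, p string, data []byte) error {
	if !g.controlled(appSig, p) {
		g.Dev[p] = append([]byte(nil), data...) // phone's own system handles it
		return nil
	}
	real := g.redirect(p)
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	g.Dev[real] = g.aead.Seal(nonce, nonce, data, []byte(real)) // nonce || ciphertext
	return nil
}

// Read decrypts controlled data; outside the environment the original path holds nothing.
func (g *Guard) Read(appSig, p string) ([]byte, error) {
	if !g.controlled(appSig, p) {
		if data, ok := g.Dev[p]; ok {
			return data, nil
		}
		return nil, errNoFile
	}
	real, ok := g.Mapping[p]
	ct, ns := g.Dev[real], g.aead.NonceSize()
	if !ok || len(ct) < ns {
		return nil, errNoFile
	}
	return g.aead.Open(nil, ct[:ns], ct[ns:], []byte(real))
}

func main() {
	key := make([]byte, 32) // constructed; the key management module would supply it
	rand.Read(key)
	g, _ := NewGuard(map[string]bool{"sig-office-app": true},
		Policy{ControlledPrefix: "/sdcard/work/", VirtualRoot: "/sdcard/.secure"}, key)
	g.Write("sig-office-app", "/sdcard/work/report.txt", []byte("internal report"))
	_, err := g.Read("sig-other-app", "/sdcard/work/report.txt")
	fmt.Println("outside the environment, original path:", err)
}
```

Because the real path is bound as associated data, a ciphertext copied from one real file to another fails to decrypt, which is the property the mapping relation relies on.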
Fig. 6 shows the usage flow chart of a company's mobile office system.
A. Log in to the virtual terminal security environment protection system on the smartphone and complete the necessary initialisation.
B. Enter the authentication system, which verifies the user's legitimate identity by one or more of a TF card, a USB key, a certificate, a user password and a dynamic password.
C. If user authentication fails, the failure information is recorded for later statistics, and the application then exits the virtual terminal security environment protection system.
D. Once authentication passes, the virtual terminal security environment protection system begins normal operation, starting the monitoring, redirection and encryption modules, and protection takes effect.
E. The data access monitoring service module analyses and identifies, according to the application matching rules, whether the application's data access behaviour is to be controlled.
F. The data access flow is forwarded to the storage access redirection module, which performs data redirection according to the preset access control rules.
G. For the redirected data, the encryption/decryption engine module schedules the corresponding algorithm from the encryption library according to the configuration: written data is encrypted and read data is decrypted.
H. After the operation is complete, the user may, as required, either remain working in the virtual terminal security environment protection system or exit it.
The above mobile phone applications may be replaced by applications on various mobile intelligent terminals, such as PDAs, portable computers and tablet computers.
The technical solution proposed by the present invention effectively protects the security of core application data and prevents data leakage; because data inside and outside the environment are isolated, they do not interfere with each other; because all data operations are transparent to the user, the user's habits need not change; and because the data on the mobile terminal is encrypted, its security is guaranteed even if the terminal is lost.
For example, when the technical solution proposed by the present invention is adopted in the mobile policing mentioned in the background art, link and access security are addressed and, in combination with the present invention, the local data of the terminal is protected: all operational data is stored in the virtual terminal security environment protection system, and after exiting the environment the operational data cannot be seen, so that even if the device is lost no secrets are disclosed, which assists the security of mobile policing.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.