CN104252605B - Transparent file encryption and decryption system and method for the Android platform - Google Patents
- Publication number
- CN104252605B, CN201410475391.2A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/01—Input arrangements or combined input and output arrangements for interaction between user and computer
- G06F3/048—Interaction techniques based on graphical user interfaces [GUI]
- G06F3/0484—Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Abstract
The invention discloses a transparent file encryption and decryption method for the Android platform, comprising the following steps: selecting the path of the folder containing the files to be protected and setting a password; generating an encrypted path directory table and an identity verification file from the path and password entered by the user; scanning the encrypted path directory table and, if the operating system is being started for the first time, performing the initial encryption of the protected files according to the table entries before proceeding to the next step; when the user triggers a screen unlock event, receiving the passphrase entered by the user, applying a hash algorithm to it and comparing the result with the identity verification file generated in step two; if they do not match, unlocking fails; if they match, applying the sha1 algorithm to the passphrase to generate a key and storing the key; the stored key is then called to encrypt and decrypt files. The invention also discloses a transparent file encryption and decryption system for the Android platform, which protects files while interfering little with the user's operation.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a file transparent encryption and decryption system and method for an Android platform.
Background
With the rapid development of the information age, the internet has reached ever deeper into public life and work and has become indispensable. The spread of computer applications and the development of the internet and of removable storage devices have gradually turned paper documents into electronic ones. Electronic files are small and convenient to view, but because they are easy to alter and easy to propagate, the security of their storage and transmission can be seriously affected.
Transparent encryption is a file encryption technology that has developed rapidly in recent years. Transparent means that encryption and decryption are completed automatically for authorized users. The principle is that files are stored on disk as ciphertext, are decrypted automatically when read in and held in memory, and are automatically encrypted and written back to disk after the user modifies the in-memory copy. On Windows, transparent encryption is mainly implemented in two ways: hook-based transparent encryption in the user layer and filter-driver encryption in the kernel layer. The kernel-layer implementation is superior to the user-layer implementation in performance, compatibility and stability, and is technically more difficult.
The Android system on which the invention is based uses a Linux kernel tailored for embedded devices. Its design embodies the idea of structured design and is strongly layered; from the bottom layer to the user interface the layers are: Linux kernel, HAL (hardware abstraction layer), system services layer, application framework layer and applications. In the Linux kernel, file system operations are provided by each specific file system maintaining several operation tables whose entries are function pointers to the specific operation code. Transparent encryption requires changing the behavior of some operations, such as read and write. Experiments show that simply replacing the operation tables is technically feasible, but it disorders the system structure and gives poor maintainability and extensibility. A stacked file system is an incremental development approach used to extend the functions of an original file system. It does not modify the code of the original file system; instead it overlays it, filters operations such as read and write, and adds its own processing, such as encryption or compression, along the way to enhance the original file system. The model was proposed by Erez Zadok, and includes the FiST framework to ease the construction of this type of file system. Because the FiST framework was built around the year 2000 and has not been maintained, it supports only kernel versions 2.4 to 2.6.
Existing Android file protection systems apply the idea of a personal computer file protection system directly to mobile devices and ignore the platform differences: mobile devices emphasize user experience above all, not merely the implementation of a function. These file protection systems frequently require users to enter passwords and to select the files to encrypt and decrypt, which reduces the convenience of the device. On the other hand, existing transparent encryption and decryption systems reduce the impact on the user's operating habits, but their protection is not comprehensive: for example, a specific directory cannot be protected because of a permission problem, or files on the SD card cannot be protected (even though the SD card is precisely an important storage location for user data); or only files in certain specified formats can be protected; or they are loosely integrated with the system and easy to attack; or their compatibility and extensibility are low, for example supporting only some specific system versions.
Disclosure of Invention
The invention provides a transparent file encryption and decryption system and a transparent file encryption and decryption method for an Android platform, aiming at overcoming the defects of the prior art.
The invention adopts the following technical scheme for solving the technical problems:
the transparent file encryption and decryption method for the Android platform provided by the invention comprises the following steps:
step one, selecting a path of a folder where a file to be protected is located and setting a password;
step two, respectively generating an encrypted path directory table and an identity verification file according to a path and a password input by a user;
step three, scanning an encryption path directory table, if the operating system is started for the first time, performing first initialization encryption on the protected file according to the table entry, and then performing the next step;
step four, when the user triggers a screen unlock event, the passphrase entered by the user is received, a hash algorithm is applied to it, and the result is compared with the identity verification file generated in step two: if they do not match, unlocking fails; if they match, the passphrase is converted into a key using the sha1 algorithm, and the key is stored;
step five, when the user accesses the file, if the operated file or directory is in the encrypted path directory table, when the user sends a write request, calling the key stored in the step four to encrypt the file; when a user sends a reading request, a secret key is called to decrypt the file;
and step six, when the user triggers a screen locking event, clearing the stored secret key and locking the screen.
As a further optimization scheme of the file transparent encryption and decryption method for the Android platform, the hash algorithm is an MD5 hash algorithm.
The transparent file encryption and decryption system for the Android platform comprises a user module and a kernel module, wherein the user module comprises a configuration unit and a screen locking unit, and the kernel module comprises a key manager unit and a stacked file system unit; wherein,
the configuration unit is used for receiving a user-made strategy, wherein the strategy comprises a password, an identity authentication file and an encrypted directory path table, and the password generates a first key through a sha1 algorithm for storage; the identity authentication file is input to the key manager unit, and the encrypted directory path table is input to the stacked file system unit;
a screen locking unit for outputting the passphrase input by the user to the key manager unit;
the key manager unit is used for matching the passphrase, after the hash algorithm has been applied to it, against the identity verification file: if they do not match, unlocking fails; if they match, the screen is unlocked, the passphrase is converted into a second key using the sha1 algorithm and stored, and the second key is cleared when the screen locking unit locks the screen;
the stack file system unit calls a first key to initialize and encrypt files in a directory corresponding to the encrypted directory path table when the operating system is started for the first time and the encrypted directory path table is received; covering all file systems supported and mounted by an operating system, calling a second key in the key manager when a user sends a read request, and decrypting the file; when a user sends a write request, a second key in the key manager is called to encrypt the file.
As a further optimization scheme of the transparent file encryption and decryption system of the Android platform, the policy set by the user further includes whether to enable the encryption and decryption system.
As a scheme for further optimizing the transparent file encryption and decryption system of the Android platform, the hash algorithm is an MD5 hash algorithm.
Compared with the prior art, the invention adopting the above technical scheme has the following technical effects: (1) the invention uses stacked file system technology and, by combining it with the screen locking interface, reduces the impact on user operation as far as possible; through tight integration with the operating system it provides encryption and decryption protection that blocks outsiders while presenting no obstacle to the authorized user; (2) the private data that an Android end user stores on the device is protected without changing the user's operating habits or affecting the user experience; (3) a kernel-level encryption mode is chosen, which strengthens system security and encryption/decryption efficiency; the scheme is tightly integrated with the system, resists attack well and offers high security; because the core encryption and decryption module works at the lowest layer while the interface that interacts with the user is at the top layer, the system sets up middleware to assist communication between the kernel module and the upper-layer application; the upper-layer application communicates with the middle layer through JNI (Java Native Interface), and the middle layer communicates with the kernel module through ioctl; (4) the invention supports the 3.x kernels used by the currently popular Android 4.x; the system designs a file system that processes file read and write operations and directs other file operations straight to the underlying file system, which makes it flexible and easy to port; (5) encryption and decryption are transparent to the user, interference with user operation is small and the user experience is good; deployment and porting are convenient; performance is high; file formats are not distinguished, so a user can encrypt files of any form; storage locations are not distinguished, so both the information of the phone's applications and the information on the storage expansion card can be encrypted, which achieves protection of file data on the SD card.
Drawings
FIG. 1 is a diagram of the interaction between the various modules of the system.
FIG. 2 is a diagram illustrating the operation of the transparent encryption and decryption file system according to the present invention.
FIG. 3 is a schematic diagram of an upper stacked encryption/decryption file system and a lower actual file system.
Fig. 4 is a flowchart of the operation of the lock screen unit.
Detailed Description
The technical scheme of the invention is further explained in detail by combining the attached drawings:
a file transparent encryption and decryption method for an Android platform comprises the following steps:
step one, selecting a path of a folder where a file to be protected is located and setting a password;
step two, respectively generating an encrypted path directory table and an identity verification file according to a path and a password input by a user;
step three, scanning an encryption path directory table, if the operating system is started for the first time, performing first initialization encryption on the protected file according to the table entry, and then performing the next step;
step four, when the user triggers a screen unlock event, the passphrase entered by the user is received, a hash algorithm is applied to it, and the result is compared with the identity verification file generated in step two: if they do not match, unlocking fails; if they match, the passphrase is converted into a key using the sha1 algorithm, and the key is stored;
step five, when the user accesses the file, if the operated file or directory is in the encrypted path directory table, when the user sends a write request, calling the key stored in the step four to encrypt the file; when a user sends a reading request, a secret key is called to decrypt the file;
and step six, when the user triggers a screen locking event, clearing the stored secret key and locking the screen.
The hash algorithm is an MD5 hash algorithm.
FIG. 1 shows the interaction between the modules of the system. A transparent file encryption and decryption system for the Android platform includes a user module and a kernel module, where the user module includes a configuration unit and a screen locking unit, and the kernel module includes a key manager unit and a stacked file system unit; wherein,
the configuration unit is used for receiving a user-made strategy, wherein the strategy comprises a password, an identity authentication file and an encrypted directory path table, and the password generates a first key through a sha1 algorithm for storage; the identity authentication file is input to the key manager unit, and the encrypted directory path table is input to the stacked file system unit;
a screen locking unit for outputting the passphrase input by the user to the key manager unit;
the key manager unit is used for matching the passphrase, after the hash algorithm has been applied to it, against the identity verification file: if they do not match, unlocking fails; if they match, the screen is unlocked, the passphrase is converted into a second key using the sha1 algorithm and stored, and the second key is cleared when the screen locking unit locks the screen;
the stack file system unit calls a first key to initialize and encrypt files in a directory corresponding to the encrypted directory path table when the operating system is started for the first time and the encrypted directory path table is received; covering all file systems supported and mounted by an operating system, calling a second key in the key manager when a user sends a read request, and decrypting the file; when a user sends a write request, a second key in the key manager is called to encrypt the file.
The user-defined policy also includes whether to enable the encryption and decryption system. The hash algorithm is an MD5 hash algorithm.
FIG. 2 illustrates the operation of the transparent encryption and decryption file system of the invention. Procedure for reading a protected file: if the user is an unauthorized user (one who has not been authenticated through the screen locking interface), the operation fails. For an authorized user, the read request is passed to the lower-layer file system, which returns the file content as ciphertext. A key is requested from the key manager unit and used to decrypt the ciphertext. The resulting plaintext is copied from kernel space to user space.
The attributes of the corresponding file are then updated, completing the read operation.
Procedure for writing a protected file: if the user is an unauthorized user (one who has not been authenticated through the screen locking interface), the operation fails.
For an authorized user, a key is requested, and the buffer holding the data passed in from user space is encrypted with it.
The buffer contents are passed to the underlying file system, which writes them to disk.
The attributes of the corresponding file are then updated, completing the write operation.
A file system module is registered with the kernel. The file system operation methods to be implemented are: super block operations, inode operations and file operations.
The file system of the system forms a stack structure, and the upper-layer file system is the developed stack type encryption and decryption file system. The underlying file system is the actual file system (but it could also be another stacked file system, which could also be considered the actual file system if it is sufficiently "transparent").
Since the upper file system depends on the operation method and data structure of the lower file system, the first step should be to construct the relationship between the data structures of the upper and lower file systems.
FIG. 3 shows the upper-layer stacked encryption/decryption file system and the lower-layer actual file system. Taking the file structure as an example, `upper_file` is the object of this layer's file system and `lower_file` is the corresponding object of the lower-layer file system. The two are linked through the `private_data` pointer of `upper_file`. When the file is operated on, a function in the `file_ops` file operation table of `upper_file` is called. An operation request sent to the upper layer of the stacked file system is processed there and then passed down to the lower layer: specifically, a function in the upper `file_ops` operation table calls the corresponding function in the lower `file_ops` operation table. Similarly, the dentry, inode and `address_space` structures of this layer's file system are associated with the corresponding data structures of the lower-layer file system so that their respective operation requests can be passed down.
Once the relationships between the key upper and lower data structures have been constructed, the foundation is laid for the operations that follow.
Apart from file read and write, the remaining file system operations can simply call the corresponding function of the underlying file system, or use a general-purpose handler, to achieve a "pass through". Where necessary, the relevant fields of the underlying file system's data structures, such as the file access time and the current read position of the file, are also updated. Take reading a directory file as an example: the relationship between the upper and lower file systems has already been established, and because the lower file system's operation must be called, the lower file system's data structure `lower_file` corresponding to this layer's file is found through that relationship. The directory information of `lower_file` is read through the general VFS-layer function. This is the directory information of the underlying file system, but since this operation applies no processing, it can be returned unchanged as the directory information of this layer. After `vfs_readdir` finishes reading, the access time of `lower_file` is updated automatically, but the access time of the upper file must be updated manually. Synchronization is achieved here by copying the underlying file's access information.
The remaining pass-through file operations are implemented in the same way.
The specific contents of the file reading and writing operations are as follows: after invoking the underlying file system to read in the data, the buffer is decrypted before returning the content to the user space. Also, at the time of a write operation, the buffer is encrypted before the underlying file system write operation is invoked.
The encryption and decryption process can be realized by using a kernel encryption and decryption framework, so that the space-time overhead is saved, and the development cost is reduced.
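The read path, write path and pass-through described above can be modeled in user space as follows. This is an added example, not code from the patent: `LowerFS`, `StackedCryptFS` and the `get_key` callback are hypothetical names, and because the page names no cipher (only the kernel crypto framework), a SHA-256 counter keystream is used as a labeled stand-in that is not suitable for production use.

```python
import hashlib


class LowerFS:
    """Stand-in for the lower (actual) file system: raw bytes stored by path."""

    def __init__(self):
        self.files = {}

    def write(self, path, offset, data):
        buf = self.files.setdefault(path, bytearray())
        if len(buf) < offset:                       # pad up to the write offset
            buf.extend(b"\0" * (offset - len(buf)))
        buf[offset:offset + len(data)] = data
        return len(data)

    def read(self, path, offset, size):
        return bytes(self.files[path][offset:offset + size])

    def readdir(self, prefix):
        return sorted(p for p in self.files if p.startswith(prefix))


def _keystream(key, path, offset, size):
    """Stand-in cipher (assumption): SHA-256 over key, path and block counter.

    Position-dependent, so any byte range can be processed independently,
    which is what an offset-based read/write path needs. It reuses keystream
    when a range is overwritten, so it is a model only.
    """
    out = bytearray()
    block = offset // 32
    skip = offset % 32
    while len(out) < skip + size:
        out += hashlib.sha256(key + path.encode() + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[skip:skip + size])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class StackedCryptFS:
    """Upper layer: encrypts writes and decrypts reads under protected paths."""

    def __init__(self, lower, protected_dirs, get_key):
        self.lower = lower
        self.protected_dirs = [d.rstrip("/") for d in protected_dirs]
        self.get_key = get_key          # returns the key, or None when locked

    def _protected(self, path):
        # Match whole path components so /a/private2 is not treated as /a/private.
        return any(path == d or path.startswith(d + "/") for d in self.protected_dirs)

    def _require_key(self):
        key = self.get_key()
        if key is None:                 # unauthorized user: operation fails
            raise PermissionError("no key available: screen is locked")
        return key

    def write(self, path, offset, data):
        if self._protected(path):
            key = self._require_key()
            data = _xor(data, _keystream(key, path, offset, len(data)))
        return self.lower.write(path, offset, data)   # lower layer writes to disk

    def read(self, path, offset, size):
        if not self._protected(path):
            return self.lower.read(path, offset, size)
        key = self._require_key()
        cipher = self.lower.read(path, offset, size)  # lower layer returns ciphertext
        return _xor(cipher, _keystream(key, path, offset, len(cipher)))

    def readdir(self, prefix):
        # Pass-through: no processing, the lower layer's answer is returned as is.
        return self.lower.readdir(prefix)
```
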
Implementation of the configuration unit: the policy configuration interface is the control core of the system, and its functions are described in the Disclosure of Invention section. It maintains two files: the password MD5 file, which is used for comparison during identity authentication, and the encrypted directory table file. The configuration unit runs as an ordinary Android application but needs to hold administrator privileges; it starts automatically at boot and then scans the encrypted directory table, mounting the file system on each directory in the table in turn.
Implementation of the kernel key manager unit:
The kernel key manager unit functions like a kernel keyring. The kernel keyring is not used directly because it is too complex; the aim is to minimize the kernel's use of the embedded device's limited time and space resources. The kernel key manager mainly consists of a global buffer, accessible to other modules, that stores the key. The module communicates directly with the application-layer screen locking interface through ioctl. The `TRANSPARENT_IOCAUTHEN` command is defined as receiving the password entered by the user and comparing it, after an md5 operation, with the locally stored authentication file; if they match, authentication is reported as passed, the password is converted into a 128-bit key through a sha1 operation, and the key is stored in the global buffer. The `transfer_iocklearkey` command is defined as clearing the key in the key manager, a task to be completed when the screen is locked.
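The key manager's authenticate, store and clear behavior can be modeled in user space as follows. This is an added example, not code from the patent: the class and function names are hypothetical, and truncating SHA-1 to 16 bytes to obtain the stated 128-bit key is an assumption. Because an unsalted MD5 verifier and a single SHA-1 pass are fast, deterministic functions of the passphrase, a salted, iterated variant is shown beside it as an added caveat.

```python
import hashlib
import hmac
import os


def legacy_enroll(password: bytes) -> bytes:
    """Identity verification file as the page describes it: MD5 of the password."""
    return hashlib.md5(password).digest()


class KeyManager:
    """User-space model of the kernel key manager unit (not kernel code)."""

    def __init__(self, verifier: bytes):
        self._verifier = verifier   # contents of the identity verification file
        self._key = None            # models the global key buffer

    def authenticate(self, passphrase: bytes) -> bool:
        """Models TRANSPARENT_IOCAUTHEN: MD5-compare, then derive and store the key."""
        digest = hashlib.md5(passphrase).digest()
        if not hmac.compare_digest(digest, self._verifier):
            return False
        # SHA-1 yields 160 bits; the page states a 128-bit key, so truncating
        # to the first 16 bytes is an assumption of this example.
        self._key = bytearray(hashlib.sha1(passphrase).digest()[:16])
        return True

    def clear_key(self) -> None:
        """Models the key-clearing command sent when the screen locks."""
        if self._key is not None:
            for i in range(len(self._key)):   # overwrite before dropping the buffer
                self._key[i] = 0
            self._key = None

    def get_key(self):
        """Key for the stacked file system, or None while the screen is locked."""
        return bytes(self._key) if self._key is not None else None


# --- Hardened variant (added caveat, not part of the patent's scheme) ---
PBKDF2_ITERATIONS = 200_000   # constructed value for the example


def hardened_enroll(password: bytes) -> dict:
    """Store a per-device salt and a verifier that is not a bare hash of the password."""
    salt = os.urandom(16)
    master = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    verifier = hmac.new(master, b"verify", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def hardened_unlock(record: dict, passphrase: bytes):
    """Return a 32-byte file key on success, None on a wrong passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase, record["salt"], PBKDF2_ITERATIONS)
    candidate = hmac.new(master, b"verify", hashlib.sha256).digest()
    if not hmac.compare_digest(candidate, record["verifier"]):
        return None
    # Separate label, so the stored verifier reveals nothing about the key.
    return hmac.new(master, b"file-key", hashlib.sha256).digest()
```

In the legacy model the same password always produces the same verifier file on every device, while two hardened enrollments of one password differ because of the salt.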
FIG. 4 is a flowchart of the operation of the screen locking unit. Implementation of the screen locking unit: the screen locking application receives the passphrase entered by the user and reads the state of the switch that enables the encryption and decryption service.
This information is copied to kernel space, where a hash algorithm is applied to the passphrase and the result is compared with the MD5 value stored in the authentication file to confirm the user's identity. If they do not match, an unlock failure is reported and the user may make a limited number of further attempts; if they match, the flow proceeds to the next step.
If identity authentication succeeds, the switch for the encryption and decryption service is checked: if the service is not enabled, the flow proceeds to the next step; if the service is enabled, the key is derived and stored in the key manager, and then the flow proceeds to the next step.
The screen is unlocked.
The screen locking unit provides two groups of controls for interaction with the user: a password input control group and a binary switch. The former records the password entered by the user; the latter decides whether only the phone's operating system is unlocked or both the operating system and the encrypted files are unlocked. The screen locking unit only receives and caches the user password and is not responsible for identity authentication. For security reasons, authentication is done by the kernel key management unit. The screen locking unit communicates with the middle-layer dynamic library through JNI (Java Native Interface), and the middle layer communicates with the kernel through ioctl to transfer the key from user space to kernel space. Considering that the system has two kinds of users, mobile operating system customizers and individual users, the JNI component can be deployed in two ways: it can expose an upper-layer calling interface in the application framework layer as a system API, called by applications or extended by third-party applications, which integrates tightly with the system; or it can be compiled directly into a standalone dynamic library file loaded by the application, which keeps deployment simple for individual users. Screen lock and unlock events in the Android system are delivered as broadcast messages. The system's screen locking application module listens for these messages and handles them accordingly. openScreen and closScreen in the code are the actions executed when the screen is unlocked and locked respectively; they mainly call the JNI interface: unlocking completes identity verification and key transfer, and locking clears the key.
The above embodiments further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood that the above embodiments are only illustrative of the present invention and are not intended to limit its scope; equivalent changes and modifications made by any person skilled in the art without departing from the concept and principle of the present invention fall within the protection scope of the present invention.
Claims (5)
1. A file transparent encryption and decryption method for an Android platform is characterized by comprising the following steps:
step one, selecting a path of a folder where a file to be protected is located and setting a password;
step two, respectively generating an encrypted path directory table and an identity verification file according to a path and a password input by a user;
step three, scanning the encrypted path directory table; if the operating system is started for the first time, initializing and encrypting the protected files for the first time according to the table entries, wherein the key used is a first key, the first key being generated by applying the sha1 algorithm to the password in the user-defined policy; and then performing the next step;
step four, when the user triggers a screen unlocking event, receiving the passphrase input by the user, performing the hash algorithm operation on the passphrase, and comparing the result with the identity verification file generated in step two: if they do not match, the unlocking fails; if they match, the passphrase is converted into a key by the sha1 algorithm, and the key is stored;
step five, when the user accesses a file, if the operated file or directory is in the encrypted path directory table: when the user sends a write request, the key stored in step four is called to encrypt the file; when the user sends a read request, the key is called to decrypt the file;
and step six, when the user triggers a screen locking event, clearing the stored key and locking the screen.
2. The file transparent encryption and decryption method for the Android platform according to claim 1, wherein the hash algorithm is an MD5 hash algorithm.
3. A file transparent encryption and decryption system of an Android platform, comprising a user module and a kernel module, characterized in that the user module comprises a configuration unit and a screen locking unit, and the kernel module comprises a key manager unit and a stacked file system unit; wherein,
the configuration unit is used for receiving a user-defined policy, wherein the policy comprises a password, an identity authentication file and an encrypted directory path table, and the password is converted by the sha1 algorithm into a first key, which is stored; the identity authentication file is input to the key manager unit, and the encrypted directory path table is input to the stacked file system unit;
the screen locking unit is used for outputting the passphrase input by the user to the key manager unit;
the key manager unit is used for performing the hash algorithm operation on the passphrase and matching the result against the identity verification file: if they do not match, the unlocking fails; if they match, the screen is unlocked and the passphrase is converted by the sha1 algorithm into a second key, which is stored; the second key is cleared when the screen locking unit locks the screen;
the stacked file system unit, when the operating system is started for the first time and the encrypted directory path table is received, calls the first key to initialize and encrypt the files in the directories corresponding to the encrypted directory path table; it covers all file systems supported and mounted by the operating system; when the user sends a read request, it calls the second key in the key manager to decrypt the file; when the user sends a write request, it calls the second key in the key manager to encrypt the file.
4. The Android platform file transparent encryption and decryption system of claim 3, wherein the user-defined policy further includes whether to enable the encryption and decryption system.
5. The Android platform file transparent encryption and decryption system of claim 3, wherein the hash algorithm is an MD5 hash algorithm.
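The key lifecycle in claims 1 to 3 (MD5 verifier, sha1 key stored on unlock, key cleared on lock), modelled as an added Python example that is not code from the patent; `KeyManager`, `key_for_io` and `salted_material` are hypothetical names. Because the claimed hashes are unsalted and single-pass, the same passphrase always yields the same verifier and key, so the block also carries a salted PBKDF2 derivation as an assumed alternative for comparison.

```python
import hashlib
import hmac


class KeyManager:
    """Model of the claimed key manager: MD5 verifier, SHA-1 derived key."""

    def __init__(self, password: str):
        # Step two: the identity verification file holds the hash of the password.
        self.verifier = hashlib.md5(password.encode()).digest()
        self.key = None  # nothing is held while the screen is locked

    def unlock(self, passphrase: str) -> bool:
        # Step four: hash the passphrase and compare it with the verifier
        # (the constant-time compare is an addition, not stated in the claims).
        candidate = hashlib.md5(passphrase.encode()).digest()
        if not hmac.compare_digest(candidate, self.verifier):
            return False
        # On a match, the passphrase itself is hashed with SHA-1 into the key.
        self.key = hashlib.sha1(passphrase.encode()).digest()
        return True

    def lock(self) -> None:
        # Step six: the stored key is discarded when the screen locks.
        self.key = None

    def key_for_io(self) -> bytes:
        # Step five: reads and writes on protected paths need the stored key.
        if self.key is None:
            raise PermissionError("screen locked: no key in the key manager")
        return self.key


def salted_material(password: str, salt: bytes, rounds: int = 200_000):
    """Assumed alternative, not in the patent: salted, iterated derivation
    with separate labels so the verifier and the file key differ."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    verifier = hmac.new(master, b"verifier", hashlib.sha256).digest()
    file_key = hmac.new(master, b"file-key", hashlib.sha256).digest()
    return verifier, file_key
```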
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410475391.2A CN104252605B (en) | 2014-09-17 | 2014-09-17 | A kind of file transparent encrypting and deciphering system of Android platform and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104252605A CN104252605A (en) | 2014-12-31 |
CN104252605B true CN104252605B (en) | 2017-03-15 |
Family
ID=52187488
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410475391.2A Expired - Fee Related CN104252605B (en) | 2014-09-17 | 2014-09-17 | A kind of file transparent encrypting and deciphering system of Android platform and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104252605B (en) |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104539627B (en) * | 2015-01-16 | 2017-02-22 | 努比亚技术有限公司 | Safety access method, device and terminal |
CN104866778A (en) * | 2015-01-30 | 2015-08-26 | 武汉华工安鼎信息技术有限责任公司 | Document safety access control method and device based on Linux kernel |
CN106326733A (en) * | 2015-06-26 | 2017-01-11 | 中兴通讯股份有限公司 | Method and apparatus for managing applications in mobile terminal |
CN105373744A (en) * | 2015-10-29 | 2016-03-02 | 成都卫士通信息产业股份有限公司 | Method for encrypting extended file system based on Linux |
CN107305606A (en) * | 2016-04-20 | 2017-10-31 | 中兴通讯股份有限公司 | The processing method and processing device of application file and the access method of file and device |
CN106060010A (en) * | 2016-05-11 | 2016-10-26 | 广东七洲科技股份有限公司 | Android platform transparent encryption and decryption system |
CN106127078A (en) * | 2016-07-11 | 2016-11-16 | 北京鼎源科技有限公司 | Cryptographic key protection method under a kind of Android environment and system |
CN109145623A (en) * | 2018-08-24 | 2019-01-04 | 深圳竹云科技有限公司 | A kind of equipment Id encryption technology based on Android kernel |
CN109492417A (en) * | 2018-11-13 | 2019-03-19 | 熊予舒 | Data ciphering method and system |
CN110209428B (en) * | 2018-12-28 | 2023-08-29 | 深圳市泰衡诺科技有限公司 | Terminal screen awakening method and device, terminal and storage medium |
CN111062049A (en) * | 2019-11-21 | 2020-04-24 | 视联动力信息技术股份有限公司 | File protection method and device, terminal equipment and storage medium |
CN111079159B (en) * | 2019-12-03 | 2021-04-27 | 北京元心科技有限公司 | Encrypted communication method and system for Hypervisor multi-domain architecture |
CN111143879A (en) * | 2019-12-26 | 2020-05-12 | 厦门市美亚柏科信息股份有限公司 | Android platform SD card file protection method, terminal device and storage medium |
CN112182611A (en) * | 2020-09-27 | 2021-01-05 | 中孚安全技术有限公司 | File transparent encryption and decryption method and system based on Linux kernel layer |
CN114168983A (en) * | 2021-11-30 | 2022-03-11 | 麒麟软件有限公司 | Transparent encryption and decryption method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101674575A (en) * | 2009-09-17 | 2010-03-17 | 中兴通讯股份有限公司 | Method for protecting security of mobile communication terminal data and device thereof |
CN103078866A (en) * | 2013-01-14 | 2013-05-01 | 成都西可科技有限公司 | Transparent encryption method for mobile platform |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW591630B (en) * | 2002-06-04 | 2004-06-11 | Key Technology Corp | Data security device of storage medium and data security method |
Non-Patent Citations (1)
Title |
---|
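Design and Implementation of Transparent File Encryption Based on the Android Platform; Tang Mingruo; China Master's Theses Full-text Database; 20130215 (No. 02); pp. I138-905 * |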
Also Published As
Publication number | Publication date |
---|---|
CN104252605A (en) | 2014-12-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20190820. Address after: Room 1009, Building B, Dongshou Software Industrial Park, Yingbin Avenue, Shuyang County, Suqian City, Jiangsu Province. Patentee after: SUQIAN XINCHAO INFORMATION TECHNOLOGY Co.,Ltd. Address before: Zhongshan road Wuzhong District Mudu town of Suzhou city in Jiangsu province 215101 No. 70 Wuzhong Science Park Building 2 room 2310. Patentee before: Nanjing University of Information Science and Technology |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170315 |