CN104252605B - File transparent encryption and decryption system and method for the Android platform - Google Patents

File transparent encryption and decryption system and method for the Android platform

Info

Publication number
CN104252605B
Authority
CN
Grant status
Grant
Patent type
Prior art keywords
file
key
user
encryption
system
Prior art date
Application number
CN 201410475391
Other languages
Chinese (zh)
Other versions
CN104252605A (en)
Inventor
王金伟
张正宇
赵波
徐凌云
周宇
Original Assignee
南京信息工程大学
Priority date
Filing date
Publication date
Grant date

Abstract

The present invention discloses a file transparent encryption and decryption method for the Android platform, comprising the following steps: select the path of the folder containing the files to be protected and set a password; from the path and password entered by the user, generate an encrypted-path directory table and an authentication file respectively; scan the encrypted-path directory table and, if the operating system is being started for the first time, perform the initial encryption of the protected files according to the table entries, then proceed to the next step; when the user triggers an unlock-screen event, accept the passphrase entered by the user, hash it and compare the result with the authentication file produced in step two; if they do not match, unlocking fails; if they match, derive a key from the passphrase with the SHA-1 algorithm and store the key; the key is then called to encrypt and decrypt files. The present invention also discloses a file transparent encryption and decryption system for the Android platform, which protects files while interfering as little as possible with the user's operations.

Description

File transparent encryption and decryption system and method for the Android platform

Technical field

[0001] The present invention relates to the field of information security, and in particular to a file transparent encryption and decryption system and method for the Android platform.

Background

[0002] With the rapid development of the information age, the Internet has penetrated every aspect of public life and work and become an indispensable part of it. With the popularization of computer applications and the development of the Internet and mobile storage devices, paper documents have gradually been replaced by electronic ones. Electronic files have many advantages, such as small size and easy viewing, but they are also easy to modify and easy to spread, which seriously affects the security of electronic file storage and exchange.

[0003] Transparent encryption is a file encryption technology that has developed rapidly in recent years. "Transparent" means that, for authorized users, the encryption and decryption process is completed automatically. The principle is that files are stored on disk as ciphertext, decrypted automatically when read and held in memory; after the user has modified the copy in memory, it is automatically encrypted again and written back to disk. On Windows, transparent encryption is implemented in two main ways: user-mode hook-based transparent encryption and kernel-mode filter-driver encryption. The kernel-mode implementation is superior to the user-mode one in performance, compatibility and stability, but it is also technically more difficult.

[0004] The Android system on which this work is based uses a Linux kernel tailored for embedded devices. Its design reflects structured design thinking and is strongly layered; from the bottom up to the user interface the layers are: the Linux kernel, the HAL (hardware abstraction layer), the system services layer, the application framework layer and the applications. File system operations in the Linux kernel are provided by several operation tables maintained by the concrete file system; the table entries are function pointers to the code for each operation. Transparent encryption needs to change the behaviour of some operations (such as read and write). Experiments show that simply replacing the operation tables is technically feasible, but it leaves the system structure confused and gives poor maintainability and extensibility. A stackable file system is an incremental development model for extending the functionality of an existing file system. It does not modify the code of the original file system; instead it is layered on top of it, filters operations such as read and write, and inserts its own processing (for example encryption or compression) into the process, thereby enhancing the original file system. The model was proposed by Erez Zadok and includes the FiST framework to make constructing such file systems easier. However, the FiST framework was built before 2000, lacks maintenance and only supports kernel versions 2.4 to 2.6.

[0005] Some existing Android file protection systems apply the ideas of personal computer file protection systems directly to mobile devices, ignoring the differences between the platforms: mobile devices emphasize user experience, not only functionality. These file protection systems frequently require the user to enter passwords and to select files for encryption or decryption, which reduces the convenience of the device. On the other hand, existing transparent encryption and decryption systems reduce the impact on user habits but do not protect comprehensively: for example, because of permission problems they cannot protect particular directories or the files on the SD card (which is precisely the important storage location for user data); or they only protect files of a specific format; or they are loosely integrated with the system and therefore vulnerable to attack; or they have poor compatibility and extensibility, for example supporting only some specific versions of the system.

Summary of the invention

[0006] The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and provide a file transparent encryption and decryption system and method for the Android platform. The invention uses stackable file system implementation techniques combined with the lock screen interface to minimize the impact on the user's operations, integrates closely with the operating system itself, and achieves encryption and decryption protection that blocks outsiders while remaining unobtrusive to the user.

[0007] To solve the above technical problem, the present invention adopts the following technical solution:

[0008] A file transparent encryption and decryption method for the Android platform according to the present invention comprises the following steps:

[0009] Step one: select the path of the folder containing the files to be protected and set a password;

[0010] Step two: from the path and password entered by the user, generate an encrypted-path directory table and an authentication file respectively;

[0011] Step three: scan the encrypted-path directory table; if the operating system is being started for the first time, perform the initial encryption of the protected files according to the table entries, then proceed to the next step;

[0012] Step four: when the user triggers an unlock-screen event, accept the passphrase entered by the user, hash it and compare the result with the authentication file produced in step two: if they do not match, unlocking fails; if they match, convert the passphrase into a key with the SHA-1 algorithm and store the key;

[0013] Step five: when the user accesses a file and the file or directory being operated on is in the encrypted-path directory table, then on a write request from the user the key stored in step four is called to encrypt the file, and on a read request the key is called to decrypt the file;

[0014] Step six: when the user triggers a lock-screen event, clear the stored key and lock the screen.

[0015] As a further optimization of the file transparent encryption and decryption method for the Android platform of the present invention, the hash algorithm is the MD5 hash algorithm.

[0016] A file transparent encryption and decryption system for the Android platform according to the present invention comprises a user module and a kernel module; the user module comprises a configuration unit and a lock-screen unit, and the kernel module comprises a key manager unit and a stackable file system unit; wherein,

[0017] the configuration unit receives the policy defined by the user, which includes the password, the authentication file and the encrypted directory path table; the password is converted into a first key by the SHA-1 algorithm and stored; the authentication file is passed to the key manager unit, and the encrypted directory path table is passed to the stackable file system unit;

[0018] the lock-screen unit passes the passphrase entered by the user to the key manager unit;

[0019] the key manager unit hashes the passphrase and matches the result against the authentication file: if they do not match, unlocking fails; if they match, the screen is unlocked and at the same time the passphrase is converted into a second key by the SHA-1 algorithm and stored; when the lock-screen unit locks the screen, the second key is cleared;

[0020] the stackable file system unit, when the operating system is started for the first time and the encrypted directory path table is received, calls the first key to perform the initial encryption of the files in the directories listed in the table; it is layered over all file systems supported and mounted by the operating system, and when the user issues a read request it calls the second key from the key manager to decrypt the file, and when the user issues a write request it calls the second key from the key manager to encrypt the file.

[0021] As a further optimization of the file transparent encryption and decryption system for the Android platform of the present invention, the policy defined by the user also includes whether the encryption and decryption system is enabled.

[0022] As a further optimization of the file transparent encryption and decryption system for the Android platform of the present invention, the hash algorithm is the MD5 hash algorithm.

[0023] Compared with the prior art, the above technical solution of the present invention has the following technical effects: (1) the invention uses stackable file system implementation techniques combined with the lock screen interface to minimize the impact on the user's operations, integrates closely with the operating system itself, and achieves encryption and decryption protection that blocks outsiders while remaining unobtrusive to the user; (2) it protects the private data that Android end users store on the device without changing user habits or affecting the user experience; (3) it uses kernel-level encryption, which improves system security and encryption/decryption efficiency, integrates tightly with the system, resists attack well and provides a high level of security; because the core encryption and decryption module works at the lowest level while the interface that interacts with the user is at the topmost level, the system provides middleware to assist communication between the kernel module and the upper-layer application: the application communicates with the middle layer through JNI (Java Native Interface), and the middle layer in turn communicates with the kernel module through ioctl; (4) the invention can support the 3.x kernels used by the currently popular Android 4.x; the file system designed for this system processes file read and write operations and directs all other file operations straight to the underlying file system, making it flexible and easy to port; (5) encryption and decryption are transparent to the user, interfere little with the user's operations and give a good user experience; the system is easy to deploy and port and performs well; it does not distinguish between file formats, so the user can encrypt files of any kind; and it does not distinguish between storage locations, so it can encrypt both application data on the phone and data on the storage expansion card, protecting the file data on the SD card.

Brief description of the drawings

[0024] FIG. 1 shows the interaction between the modules of the system.

[0025] FIG. 2 is a diagram of the working principle of the transparent encryption and decryption file system of the present invention.

[0026] FIG. 3 is a schematic diagram of the relationship between the upper stackable encryption and decryption file system and the lower actual file system.

[0027] FIG. 4 is a flowchart of the lock-screen unit.

Detailed description

[0028] The technical solution of the present invention is described in further detail below with reference to the drawings:

[0029] A file transparent encryption and decryption method for the Android platform comprises the following steps:

[0030] Step one: select the path of the folder containing the files to be protected and set a password;

[0031] Step two: from the path and password entered by the user, generate an encrypted-path directory table and an authentication file respectively;

[0032] Step three: scan the encrypted-path directory table; if the operating system is being started for the first time, perform the initial encryption of the protected files according to the table entries, then proceed to the next step;

[0033] Step four: when the user triggers an unlock-screen event, accept the passphrase entered by the user, hash it and compare the result with the authentication file produced in step two: if they do not match, unlocking fails; if they match, convert the passphrase into a key with the SHA-1 algorithm and store the key;

[0034] Step five: when the user accesses a file and the file or directory being operated on is in the encrypted-path directory table, then on a write request from the user the key stored in step four is called to encrypt the file, and on a read request the key is called to decrypt the file;

[0035] Step six: when the user triggers a lock-screen event, clear the stored key and lock the screen.

[0036] The hash algorithm is the MD5 hash algorithm.

[0037] FIG. 1 shows the interaction between the modules of the system. A file transparent encryption and decryption system for the Android platform comprises a user module and a kernel module; the user module comprises a configuration unit and a lock-screen unit, and the kernel module comprises a key manager unit and a stackable file system unit; wherein,

[0038] the configuration unit receives the policy defined by the user, which includes the password, the authentication file and the encrypted directory path table; the password is converted into a first key by the SHA-1 algorithm and stored; the authentication file is passed to the key manager unit, and the encrypted directory path table is passed to the stackable file system unit;

[0039] the lock-screen unit passes the passphrase entered by the user to the key manager unit;

[0040] the key manager unit hashes the passphrase and matches the result against the authentication file: if they do not match, unlocking fails; if they match, the screen is unlocked and at the same time the passphrase is converted into a second key by the SHA-1 algorithm and stored; when the lock-screen unit locks the screen, the second key is cleared;

[0041] the stackable file system unit, when the operating system is started for the first time and the encrypted directory path table is received, calls the first key to perform the initial encryption of the files in the directories listed in the table; it is layered over all file systems supported and mounted by the operating system, and when the user issues a read request it calls the second key from the key manager to decrypt the file, and when the user issues a write request it calls the second key from the key manager to encrypt the file.

[0042] The policy defined by the user also includes whether the encryption and decryption system is enabled. The hash algorithm is the MD5 hash algorithm.

[0043] FIG. 2 is a diagram of the working principle of the transparent encryption and decryption file system of the present invention. The process of reading a protected file: if the user is unauthorized (has not been authenticated at the lock screen), the operation fails. For an authorized user, the read request is passed to the lower file system and the returned file content, which at this point is ciphertext, is obtained. A key is requested from the key manager unit and used to decrypt the ciphertext. The resulting plaintext is copied from kernel space to user space.

[0044] The corresponding file attributes are updated and the read operation is complete.

[0045] The process of writing a protected file: if the user is unauthorized (has not been authenticated at the lock screen), the operation fails.

[0046] For an authorized user, the key is requested and used to encrypt the buffer holding the data passed from user space.

[0047] The buffer contents are passed to the lower file system, which writes them to disk.

[0048] The corresponding file attributes are updated and the write operation is complete.

[0049] To register the file system module with the kernel, the file system operation methods that need to be implemented are: superblock operations, inode operations and file operations.

[0050] The file systems of this system form a stack: the upper file system is the stackable encryption and decryption file system developed here, and the lower file system is the actual file system (although it may also be another stackable file system; if that stackable file system is sufficiently "transparent", it can be regarded as the actual file system).

[0051] Since the upper file system depends on the operation methods and data structures of the lower file system, the first step is to build the relationship between the data structures of the upper and lower file systems.

[0052] FIG. 3 is a schematic diagram of the relationship between the upper stackable encryption and decryption file system and the lower actual file system, using the file structure as an example: here upper_file is the object of this layer's file system and lower_file is the corresponding object of the lower file system. The two are linked through the private_data pointer of upper_file. A file operation calls the function in the file_ops operation table of upper_file. Because an operation request sent to the upper layer of a stackable file system is processed and then passed down to the lower layer, the function in the upper file_ops table calls the corresponding function in the lower file_ops table. Similarly, this layer's dentry, inode and address_space structures are linked to the corresponding data structures of the lower file system and pass on their respective operation requests.

[0053] Building the relationships between the key data structures of the upper and lower layers lays the foundation for the operations that follow.

[0054] Apart from file read and write, the work of the remaining file system operations is simply to call the corresponding function of the lower file system, or to use a generic handler, so as to achieve "pass-through". If necessary, the related fields of the lower file system's data structures, such as the file access time and the current read position, are updated as well. Take reading a directory as an example: at this point the relationship between the upper and lower file systems has already been built; since the operation of the lower file system needs to be called, that relationship is first used to find lower_file, the data structure of the lower file system corresponding to this layer's file. The directory information of lower_file is then read through the generic function of the VFS layer. This directory information belongs to the lower file system, but since the operation does not process it, it can be returned directly as this layer's directory information. After the VFS readdir routine has read the information it automatically updates the access time of lower_file, but the access time of the upper file must be updated manually; here the access information of the lower file is copied so that the two stay in sync.

[0055] The remaining file operations that need "pass-through" are implemented similarly.

[0056] The file read and write operations are handled as follows: after the underlying file system has been called to read in the data and before the content is returned to user space, the buffer is decrypted. Likewise, for a write operation the buffer is encrypted before the underlying file system's write operation is called.

[0057] The encryption and decryption can be implemented with the kernel's crypto framework, saving time and space overhead and reducing development cost.

[0058] Implementation of the configuration unit: the policy configuration interface is the control core of this system; its functions have been described in the Summary section above. It maintains two files: the password MD5 file used for comparison during authentication, and the encrypted directory table file. It runs as an ordinary Android application but must hold administrator privileges; it must be started automatically at boot, after which it scans the encrypted directory table and mounts the encryption and decryption file system on each directory in the table one by one.

[0059] Implementation of the kernel key manager unit:

[0060] The kernel key manager unit plays a role similar to the kernel keyring. The kernel keyring is not used directly because it is too complex, and the limited time and space resources that the kernel occupies on an embedded device should be kept as small as possible. The kernel key manager mainly consists of a global buffer, accessible by other modules, that holds the key. The module communicates directly with the application-layer lock-screen interface through ioctl. The TRANSPARENT_IOCAUTHEN command is defined to accept the password entered by the user, compute its MD5 and compare it with the locally stored authentication file; if they are the same, authentication succeeds, and the password is converted by SHA-1 into a 128-bit key that is stored in the global buffer. The TRANSPARENT_IOCCLEARKEY command is defined for the task that must be completed when the screen is locked: clearing the key held in the key manager.

[0061] FIG. 4 is a flowchart of the lock-screen unit. Implementation of the lock-screen unit: the lock-screen application accepts the passphrase entered by the user and reads the switch value indicating whether the encryption and decryption service is enabled.

[0062] This information is copied into kernel space, where the passphrase is hashed and compared with the MD5 value held in the authentication file to confirm the user's identity. If they do not match, an unlock failure is reported and the user may make a limited number of attempts; if they match, proceed to the next step.

[0063] If authentication succeeds, the switch value for the encryption and decryption service is checked; if the service is not enabled, proceed to the next step; if it is enabled, the key is derived and stored in the key manager, then proceed to the next step.

[0064] Unlock the screen.

[0065] The lock-screen unit provides two groups of controls for interacting with the user: a password entry control group and a binary switch. The former records the key entered by the user; the latter decides whether only the phone's operating system is unlocked or the operating system and the encrypted files are unlocked together. The lock-screen unit itself only accepts and caches the user's password and is not responsible for authentication; for security reasons, authentication is performed by the kernel key manager unit. The lock-screen unit communicates with the middle-layer dynamic library through JNI (Java Native Interface), and the middle layer communicates with the kernel through ioctl, passing the key from user space into kernel space. Because the users of this system fall into two kinds, phone operating system customizers and individual users, the JNI component can be deployed in either of two ways: in the application framework layer, where it provides an upper-layer calling interface that applications use as a system API or that third-party applications extend, integrating tightly with the system; or compiled directly as a standalone dynamic library loaded by the application, which keeps deployment simple for individual users. In the Android system, screen lock and unlock are delivered as Broadcast messages. The lock-screen application module of this system listens for these messages and handles them accordingly.
In the code, openScreen and closeScreen are the actions executed when the screen is unlocked and locked respectively: they mainly call the JNI interface; unlocking completes authentication and key delivery, and locking clears the key.
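As an added worked example (not the patent's own code), the following Python models in user space the flow described in [0043]-[0048], [0056] and [0060]-[0065]: a key manager with the two ioctl-style commands, the MD5 verifier check, SHA-1 key derivation truncated to 128 bits, clearing the key on lock, and a stackable layer that decrypts after the lower read and encrypts before the lower write, passing unlisted paths straight through. All names, the dict-backed lower file system and the SHA-1 counter keystream standing in for the kernel crypto framework are assumptions.

```python
import hashlib
import hmac

KEY_LEN = 16   # [0060]: SHA-1 of the passphrase is stored as a 128-bit key
BLOCK = 20     # SHA-1 digest size; block size of the placeholder keystream

def make_auth_file(password: str) -> str:
    # Configuration unit: the authentication file holds MD5(policy password)
    return hashlib.md5(password.encode()).hexdigest()

def derive_key(secret: str) -> bytes:
    # SHA-1 of the password (first key) or passphrase (second key), cut to 128 bits
    return hashlib.sha1(secret.encode()).digest()[:KEY_LEN]

class KeyManager:
    """Kernel key manager model: one global key buffer plus two ioctl-style commands."""
    def __init__(self, auth_file: str):
        self.auth_file = auth_file  # MD5 verifier produced by the configuration unit
        self.key = None             # the global key buffer; None means "locked"

    def ioc_authen(self, passphrase: str) -> bool:
        # AUTHEN: compare MD5(passphrase) with the auth file; on match store the key
        digest = hashlib.md5(passphrase.encode()).hexdigest()
        if not hmac.compare_digest(digest, self.auth_file):
            return False            # unlock fails; the key buffer stays empty
        self.key = derive_key(passphrase)
        return True

    def ioc_clearkey(self) -> None:
        # CLEARKEY: sent by the lock-screen unit on the lock event
        self.key = None

def _keystream(key: bytes, offset: int, length: int) -> bytes:
    # Placeholder for the kernel crypto framework: a SHA-1 counter keystream, so a
    # read or write at any offset maps to the same keystream bytes. Not a vetted cipher.
    block, skip = divmod(offset, BLOCK)
    out = bytearray()
    while len(out) < skip + length:
        out += hashlib.sha1(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[skip:skip + length])

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

class LowerFS:
    """The actual (lower) file system: path -> bytes as stored on disk (ciphertext)."""
    def __init__(self, files: dict):
        self.files = files

    def read(self, path: str, offset: int, length: int) -> bytes:
        return self.files.get(path, b"")[offset:offset + length]

    def write(self, path: str, offset: int, data: bytes) -> None:
        cur = bytearray(self.files.get(path, b""))
        cur[offset:offset + len(data)] = data
        self.files[path] = bytes(cur)

class StackedFS:
    """The stackable layer: decrypt after the lower read, encrypt before the lower write."""
    def __init__(self, lower: LowerFS, km: KeyManager, encrypted_dirs: list):
        self.lower, self.km = lower, km
        self.dirs = [d.rstrip("/") + "/" for d in encrypted_dirs]  # encrypted-path table

    def _protected(self, path: str) -> bool:
        return any(path.startswith(d) for d in self.dirs)

    def first_boot_init(self, first_key: bytes) -> int:
        # Step three: on first boot, encrypt every file under a listed directory in place
        count = 0
        for path, plain in list(self.lower.files.items()):
            if self._protected(path):
                self.lower.files[path] = _xor(plain, _keystream(first_key, 0, len(plain)))
                count += 1
        return count

    def _require_key(self) -> bytes:
        if self.km.key is None:     # not authenticated at the lock screen: operation fails
            raise PermissionError("unauthorized user")
        return self.km.key

    def read(self, path: str, offset: int, length: int) -> bytes:
        if not self._protected(path):   # [0054]: unlisted paths pass straight through
            return self.lower.read(path, offset, length)
        key = self._require_key()
        ciphertext = self.lower.read(path, offset, length)
        return _xor(ciphertext, _keystream(key, offset, len(ciphertext)))

    def write(self, path: str, offset: int, data: bytes) -> None:
        if not self._protected(path):
            return self.lower.write(path, offset, data)
        key = self._require_key()
        self.lower.write(path, offset, _xor(data, _keystream(key, offset, len(data))))

def try_read(fs: StackedFS, path: str, offset: int, length: int):
    # Returns None where the stacked layer refuses the request (unauthorized user)
    try:
        return fs.read(path, offset, length)
    except PermissionError:
        return None
```

As the page describes the scheme, the verifier file is an unsalted MD5 of the passphrase and the key is an unsalted SHA-1 of the same string, so both are exactly as strong as the passphrase itself; the placeholder keystream is also reused when a protected file is rewritten at the same offset, which a real deployment would hand to the kernel crypto framework instead.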

[0066] The specific embodiments described above further explain the objects, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope; any equivalent changes and modifications made by those skilled in the art without departing from the concept and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (5)

  1. A transparent file encryption and decryption method for the Android platform, characterized by comprising the following steps:
  Step one: select the path of the folder containing the files to be protected and set a password;
  Step two: from the path and password entered by the user, generate an encrypted path directory table and an authentication file respectively;
  Step three: scan the encrypted path directory table; if the operating system is being started for the first time, perform an initial encryption of the protected files according to the table entries, the key used being a first key, which is generated by running the password from the user-defined policy through the sha1 algorithm; then proceed to the next step;
  Step four: when the user triggers an unlock-screen event, accept the passphrase entered by the user, run the hash algorithm over the passphrase and compare the result with the authentication file generated in step two: if they do not match, unlocking fails; if they match, convert the passphrase into a key using the sha1 algorithm and store that key;
  Step five: when the user accesses a file, if the file or directory being operated on is in the encrypted path directory table, then when the user issues a write request, call the key stored in step four to encrypt the file, and when the user issues a read request, call the key to decrypt the file;
  Step six: when the user triggers a lock-screen event, clear the stored key and lock the screen.
  2. The transparent file encryption and decryption method for the Android platform according to claim 1, characterized in that the hash algorithm is the MD5 hash algorithm.
  3. A transparent file encryption and decryption system for the Android platform, comprising a user module and a kernel module, characterized in that the user module comprises a configuration unit and a lock screen unit, and the kernel module comprises a key manager unit and a stackable file system unit; wherein
  the configuration unit receives a user-defined policy comprising a password, an authentication file and an encrypted directory path table; the password is run through the sha1 algorithm to generate a first key, which is stored; the authentication file is input to the key manager unit, and the encrypted directory path table is input to the stackable file system unit;
  the lock screen unit outputs the passphrase entered by the user to the key manager unit;
  the key manager unit runs the hash algorithm over the passphrase and matches the result against the authentication file: if they do not match, unlocking fails; if they match, the screen is unlocked and at the same time the passphrase is converted into a second key using the sha1 algorithm and stored; when the lock screen unit locks the screen, the second key is cleared;
  the stackable file system unit, when the operating system is started for the first time and the encrypted directory path table is received, calls the first key to perform the initial encryption of the files in the directories listed in the encrypted directory path table; it is layered over all file systems supported and mounted by the operating system; when the user issues a read request it calls the second key in the key manager to decrypt the file, and when the user issues a write request it calls the second key in the key manager to encrypt the file.
  4. The transparent file encryption and decryption system for the Android platform according to claim 3, characterized in that the user-defined policy further comprises whether the encryption and decryption system is enabled.
  5. The transparent file encryption and decryption system for the Android platform according to claim 3, characterized in that the hash algorithm is the MD5 hash algorithm.
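Added example, not the patent's or the inventors' code, walking through the unlock/lock key handling of paragraph [0065] and the six steps of claim 1. Python stands in for the Java lock screen, the JNI library and the kernel units, the path table and backing store are in-memory structures, and since the patent names no file cipher a SHA-1 keystream XOR is used here as a labelled placeholder for it (the unsalted MD5 check and SHA-1 derivation are kept exactly as claimed, so a fielded build would replace them with a salted, iterated KDF).

```python
import hashlib
import hmac

# Added example (not the patent's code): the claim-1 flow with in-memory stand-ins;
# the patent names no file cipher, so a SHA-1 keystream XOR stands in for it here.
def make_auth_file(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()     # step two; hash fixed by claim 2

def derive_key(passphrase: str) -> bytes:
    return hashlib.sha1(passphrase.encode()).digest()  # first/second key (steps 3 and 4)

class KeyManager:
    def __init__(self, auth_file: bytes):
        self.auth_file, self.key = auth_file, None     # key is held only while unlocked

    def unlock(self, passphrase: str) -> bool:
        # Step four: hash the passphrase and compare it with the authentication file.
        digest = hashlib.md5(passphrase.encode()).digest()
        if not hmac.compare_digest(digest, self.auth_file):
            return False                               # mismatch: no key is stored
        self.key = derive_key(passphrase)
        return True

    def lock(self) -> None:
        self.key = None                                # step six: clear the key

def _keystream(key: bytes, path: str, length: int) -> bytes:
    blocks = (hashlib.sha1(key + path.encode() + i.to_bytes(4, "big")).digest()
              for i in range((length + 19) // 20))
    return b"".join(blocks)[:length]

class StackedFs:  # step five: transform only paths under an encrypted-path table entry
    def __init__(self, km: KeyManager, encrypted_dirs):
        self.km, self.dirs, self.store = km, tuple(encrypted_dirs), {}

    def _protected(self, path: str) -> bool:
        return any(path.startswith(d.rstrip("/") + "/") for d in self.dirs)

    def _xor(self, path: str, data: bytes) -> bytes:
        if self.km.key is None:
            raise PermissionError("screen locked: no key available")
        ks = _keystream(self.km.key, path, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, path: str, data: bytes) -> None:   # write request: encrypt
        self.store[path] = self._xor(path, data) if self._protected(path) else data

    def read(self, path: str) -> bytes:                # read request: decrypt
        raw = self.store[path]
        return self._xor(path, raw) if self._protected(path) else raw
```

Once the screen is locked, a read of a protected path fails because no key is present, while paths outside the table pass through unchanged.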

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201410475391 CN104252605B (en) 2014-09-17 2014-09-17 A file that Android platform transparent encryption and decryption system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201410475391 CN104252605B (en) 2014-09-17 2014-09-17 A file that Android platform transparent encryption and decryption system and method

Publications (2)

Publication Number Publication Date
CN104252605A true CN104252605A (en) 2014-12-31
CN104252605B true CN104252605B (en) 2017-03-15

Family

ID=52187488

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201410475391 CN104252605B (en) 2014-09-17 2014-09-17 A file that Android platform transparent encryption and decryption system and method

Country Status (1)

Country Link
CN (1) CN104252605B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539627B (en) * 2015-01-16 2017-02-22 努比亚技术有限公司 A secure access method, and a terminal device
CN104866778A (en) * 2015-01-30 2015-08-26 武汉华工安鼎信息技术有限责任公司 Document safety access control method and device based on Linux kernel
CN106326733A (en) * 2015-06-26 2017-01-11 中兴通讯股份有限公司 Method and apparatus for managing applications in mobile terminal
CN105373744A (en) * 2015-10-29 2016-03-02 成都卫士通信息产业股份有限公司 Method for encrypting extended file system based on Linux
CN106127078A (en) * 2016-07-11 2016-11-16 北京鼎源科技有限公司 Key protecting method and system in Android environment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101674575A (en) * 2009-09-17 2010-03-17 中兴通讯股份有限公司 Method for protecting security of mobile communication terminal data and device thereof
CN103078866A (en) * 2013-01-14 2013-05-01 成都西可科技有限公司 Transparent encryption method for mobile platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030226025A1 (en) * 2002-06-04 2003-12-04 Chanson Lin Data security method of storage media

Also Published As

Publication number Publication date Type
CN104252605A (en) 2014-12-31 application

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model