CN106355101B - Transparent file encryption and decryption system and method for a simple storage service - Google Patents

Info

Publication number: CN106355101B
Application number: CN201510415809.5A
Authority: CN (China)
Prior art keywords: data packet, encryption, decryption, module, processing
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106355101A (en)
Inventors: 叶晓舟, 孟祥辉, 任静思
Current assignee: Zhengzhou Xinrand Network Technology Co ltd; Institute of Acoustics CAS
Original assignee: Institute of Acoustics CAS; Beijing Intellix Technologies Co Ltd
Application filed by: Institute of Acoustics CAS, Beijing Intellix Technologies Co Ltd
Priority date / filing date: 2015-07-15
Publication dates: CN106355101A 2017-01-25; CN106355101B (granted) 2019-04-26

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption


Abstract

The invention relates to a transparent file encryption and decryption system and method for a simple storage service. The system comprises an initialization module, an input module, a processing module and an output module. The initialization module initializes the file encryption/decryption system. The input module classifies the packets entering the system, sending first-type packets to the processing module and second-type packets to the output module. The processing module matches first-type packets against its rules: if the match succeeds, the packet is encrypted or decrypted; if it fails, the packet is left untouched; in both cases the packet is then passed to the output module. The output module forwards the first-type and second-type packets it receives to the corresponding network port. The invention relieves the user and the server of the encryption workload and provides a stable and efficient encryption/decryption framework.

Description

Transparent file encryption and decryption system and method for a simple storage service
Technical field
The invention relates to the technical field of file encryption and decryption, and in particular to a transparent file encryption and decryption system and method for a simple storage service.
Background
The computer industry faces a severe test: in the era of big data, the volume of information grows geometrically and quickly fills all the storage space available in a system. Network storage has become the consensus of the storage industry. Amazon S3, whose full name is Amazon Simple Storage Service, is an online network storage service provided by Amazon through its Amazon Web Services system; through web service interfaces including REST, SOAP and BitTorrent, it lets users conveniently store files on network servers.
Data is today's most critical asset, and the storage system, as the shelf space for that data, is the last line of defence in data protection. As storage systems evolve from locally attached towards networked and distributed designs and are shared by many computers on the network, they become more exposed to attack; a relatively static storage system is often the attacker's preferred target for stealing, tampering with or destroying data. The Ministry of Industry and Information Technology has also issued specific protection standards for the information security of network users, and future internet and data-analysis applications will all revolve around data security. A security mechanism is therefore an urgent problem for network storage and a necessary condition for the sound development of future networks. The security mechanism is the fundamental issue of network storage, a key factor affecting network storage applications such as S3, and has increasingly become the focus and the difficulty of network storage service solutions.
Summary of the invention
The purpose of the invention is to improve the security mechanism of network storage. It proposes a transparent file encryption and decryption system and method for a simple storage service that places an encryption/decryption system between the user and the storage server and provides a transparent encryption/decryption service, so improving the security of stored data.
To this end, in one aspect the invention provides a transparent file encryption and decryption system for a simple storage service. The system comprises an initialization module, an input module, a processing module and an output module. The initialization module initializes the file encryption/decryption system. The input module classifies the packets entering the system, sending first-type packets to the processing module and second-type packets to the output module. The processing module matches first-type packets; if the match succeeds, the packet is encrypted or decrypted; if it fails, the packet is not encrypted or decrypted; after matching, the first-type packet is sent to the output module. The output module sends the received first-type and second-type packets to the corresponding network port.
In another aspect the invention provides a transparent file encryption and decryption method for a simple storage service, comprising the following steps: initializing the file encryption/decryption system; classifying the packets entering the system, sending first-type packets to the processing module and second-type packets to the output module; matching the first-type packets, encrypting or decrypting them if the match succeeds and leaving them untouched if it fails; sending the matched first-type packets to the output module; and sending the received first-type or second-type packets to the corresponding network port.
By placing encryption and decryption between the user and the server, the invention relieves both of the encryption workload and realizes a stable and efficient encryption/decryption framework.
Brief description of the drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are introduced briefly below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the structure of a transparent file encryption and decryption system for a simple storage service provided in an embodiment of the invention;
Fig. 2 is a schematic diagram of the structure of another transparent file encryption and decryption system for a simple storage service provided in an embodiment of the invention;
Fig. 3 is a flow diagram of a transparent file encryption and decryption method for a simple storage service provided in an embodiment of the invention.
Specific embodiments
The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream-based transport-layer protocol. The Hypertext Transfer Protocol (HTTP) is the most widely used network protocol on the internet; all World Wide Web files must comply with this standard. HTTP is a request/response standard between a client and a server, carried over TCP, where the client is the end user and the server is the website.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a schematic diagram of the structure of a transparent file encryption and decryption system for a simple storage service provided in an embodiment of the invention. As shown in Fig. 1, the system comprises an initialization module 101, an input module 102, a processing module 103 and an output module 104.
Initialization module 101 initializes the system's memory, network interfaces, encryption algorithm, encryption/decryption rule list and key list. It establishes TCP connection information from the source IP, destination IP, source port and destination port four-tuple of a packet (also called the TCP four-tuple) in order to distinguish different data streams, generates encryption/decryption rules according to the HTTP protocol carried in TCP packets, and initializes the key list and the rule list separately.
The encryption/decryption rules are generated from the HTTP protocol: an encryption rule is generated from an HTTP upload (PUT) command together with the user information, and a decryption rule from an HTTP download (GET) command together with the user information. A rule consists of user information, TCP connection information and a key.
Input module 102 classifies the packets entering the S3 file encryption/decryption system: non-TCP packets are submitted to the output module, TCP packets are submitted to processing module 103 for further processing.
Processing module 103 matches the four-tuple of each TCP packet against the encryption/decryption rule list; packets that match are encrypted or decrypted, packets that do not match are left untouched. When the data exchanged between user and server matches a rule, it is encrypted or decrypted with the encryption algorithm and key of that rule, so that files the user stores on the server are transparently encrypted and files the user reads from the S3 server are transparently decrypted.
Output module 104 delivers packets to the network port: according to predefined rules, a packet that entered through a given input port is forwarded to the corresponding output port, and the length of the output packet does not change.
From the above, the operating process of the system is as shown in Fig. 3:
Step 1: initialization module 101 first completes the initial configuration of the memory, network interfaces, encryption algorithm and data structures of the S3 file encryption/decryption system, and initializes the key list and the encryption/decryption rule list.
Step 2: input module 102 then classifies the packets entering the S3 file encryption/decryption system: non-TCP packets are submitted to the output module, TCP packets are submitted to processing module 103 for further processing.
Step 3: processing module 103 receives the TCP packets filtered by input module 102 and matches the TCP four-tuple of each against the encryption/decryption rule list.
Step 3-1: if the match succeeds, the packet needs encryption or decryption; the user key is obtained from the key distribution server according to the user information, and the payload data is encrypted or decrypted with the configured stream cipher;
Step 3-2: if the match fails, the packet does not need encryption or decryption, and the system analyzes further whether the TCP packet contains HTTP. If it contains HTTP and the HTTP carries user login or logout information, the key list must be updated to establish the mapping between user and key; if the HTTP contains a file download or upload command, the encryption/decryption rule list must be updated and encryption/decryption started for that data stream;
Step 3-3: unmatched TCP packets and HTTP packets that do not contain the above commands are submitted directly to the output module.
Step 4: output module 104 delivers the packets to the corresponding network port according to the predefined rules.
Fig. 2 is a schematic diagram of the structure of a transparent file encryption and decryption system for a simple storage service provided in an embodiment of the invention. As shown in Fig. 2, the system comprises an initialization module 101, an input module 102, a processing module 103 and an output module 104. Initialization module 101 comprises a key initialization unit 113, a memory initialization unit 114, a network interface initialization unit 115, an encryption rule initialization unit 116 and an encryption algorithm initialization unit 117. Processing module 103 consists of an encryption/decryption rule matching unit 105, a TCP protocol parsing unit 106, an HTTP command parsing unit 107, an encryption/decryption rule management unit 108, a key management unit 109, an encryption/decryption rule list 110, a key list 111 and a data encryption/decryption unit 112.
The system first performs its initialization through initialization module 101: the memory, network interfaces, keys, encryption/decryption rules and encryption algorithm required by the system are initialized and the corresponding resources are allocated.
When the packets exchanged between the user and the S3 server enter the system, input module 102 first classifies them: non-TCP packets are filtered directly, submitted to output module 104 and leave the system; TCP packets are submitted to processing module 103, which handles them as follows:
In the stage where the user logs in to the S3 server, the TCP packets contain HTTP requests. After such a TCP packet enters processing module 103, rule matching unit 105 first identifies it as an HTTP packet, and HTTP command parsing unit 107 recognizes the key fields of the HTTP request and obtains the user information from the request. Key management unit 109 then uses this user information to interact with the key management server, obtains the user key that corresponds one-to-one to the user, and adds the TCP four-tuple, user information and key to key list 111 as a new record.
In the stage where the user uploads or downloads a file, after a TCP packet enters processing module 103, rule matching unit 105 first judges whether it contains HTTP. For an HTTP packet, HTTP command parsing unit 107 parses the key fields of the HTTP request and obtains the user information and connection information, and rule management unit 108 adds a new record to encryption/decryption rule list 110 from the user information and the TCP four-tuple, as the basis for encryption and decryption. For a plain TCP packet, TCP protocol parsing unit 106 obtains the packet's four-tuple and key fields, and the four-tuple is matched against the information in rule list 110. If the match succeeds and the rule contains the upload-file keyword field, this TCP stream is encrypted from then on by data encryption/decryption unit 112; if the match succeeds and the rule contains the download-file keyword field, this TCP stream is decrypted by data encryption/decryption unit 112. Both encryption and decryption apply only to the TCP payload.
Finally, according to the predefined correspondence between each input port and each output port, output module 104 outputs the non-TCP packets, the unmatched TCP packets without HTTP and the processed TCP packets to the S3 server, and the length of the output packets does not change.
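As an added illustration that is not code from the patent or its assignees, the following Python models steps 1 to 4 above together with the unit-level walkthrough in the Fig. 2 description: packets are classified by protocol, TCP packets are matched by four-tuple against a rule list, matched payloads are transformed with a length-preserving keystream, and unmatched HTTP requests populate the key list (on the first request that identifies a user) and the rule list (on PUT and GET commands). Everything beyond the patent's text is an assumption of this example: the `Packet` model, taking the user identity from an S3-style `Authorization: AWS key:signature` header, an HMAC-SHA256 counter-mode keystream standing in for the configured stream cipher, a nonce derived from the object path, keying download rules on the reversed four-tuple, and a dictionary standing in for the key distribution server.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the key distribution server: user identity -> per-user key.
KEY_SERVER = {
    "alice": hashlib.sha256(b"constructed-demo-key-for-alice").digest(),
}


@dataclass
class Packet:
    proto: str          # "TCP" is the first packet type; anything else is the second type
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""

    @property
    def four_tuple(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)


@dataclass
class Rule:
    user: str
    mode: str           # "encrypt" for an upload, "decrypt" for a download (XOR makes both the same op)
    key: bytes
    nonce: bytes        # derived from the object path so a later GET reproduces the same keystream
    offset: int = 0     # bytes of this stream already transformed; keeps multi-segment bodies aligned


def keystream(key, nonce, offset, length):
    """Assumed length-preserving keystream: HMAC-SHA256(key, nonce || block_index) in counter mode.
    The output has exactly `length` bytes, which is what keeps the forwarded packet size unchanged."""
    out = bytearray()
    block, skip = divmod(offset, 32)
    while len(out) < skip + length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[skip:skip + length])


def parse_http(payload):
    """Return (method, path, user) if the payload starts with an HTTP request line, else None.
    Assumption: the user is the access key of an S3-style 'Authorization: AWS key:signature' header."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    user = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.startswith("AWS "):
            user = value[4:].split(":")[0]
    return parts[0], parts[1], user


class Gateway:
    """Input module plus processing module; process() returns the packet handed to the output module."""

    def __init__(self):
        self.key_list = {}    # user -> key          (key list 111)
        self.rule_list = {}   # four-tuple -> Rule   (encryption/decryption rule list 110)

    def process(self, pkt):
        if pkt.proto != "TCP":                      # second-type packets bypass the processing module
            return pkt
        rule = self.rule_list.get(pkt.four_tuple)
        if rule is not None:                        # step 3-1: matched -> transform the TCP payload only
            ks = keystream(rule.key, rule.nonce, rule.offset, len(pkt.payload))
            rule.offset += len(pkt.payload)
            pkt.payload = bytes(a ^ b for a, b in zip(pkt.payload, ks))
            return pkt
        parsed = parse_http(pkt.payload)            # step 3-2: unmatched -> look for HTTP commands
        if parsed is None:
            return pkt                              # step 3-3: plain TCP, forwarded unchanged
        method, path, user = parsed
        if user in KEY_SERVER:                      # "login": establish the user <-> key mapping
            self.key_list.setdefault(user, KEY_SERVER[user])
        if method in ("PUT", "GET") and user in self.key_list:
            nonce = hashlib.sha256(path.encode()).digest()[:16]
            if method == "PUT":                     # upload body follows on the same client->server tuple
                self.rule_list[pkt.four_tuple] = Rule(user, "encrypt", self.key_list[user], nonce)
            else:                                   # download body comes back on the reversed tuple
                reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
                self.rule_list[reverse] = Rule(user, "decrypt", self.key_list[user], nonce)
        return pkt                                  # the request itself is forwarded unchanged


def demo():
    """Constructed upload/download exchange; returns (plaintext, bytes stored in S3, bytes the client gets back)."""
    gw = Gateway()
    client, server = "10.0.0.2", "10.0.0.9"
    put = (b"PUT /bucket/report.txt HTTP/1.1\r\nHost: s3.example\r\n"
           b"Authorization: AWS alice:constructedSig\r\nContent-Length: 18\r\n\r\n")
    gw.process(Packet("TCP", client, server, 40001, 80, put))
    body = b"quarterly numbers\n"
    # the body arrives in two TCP segments; the object stored on the server is their concatenation
    stored = b"".join(gw.process(Packet("TCP", client, server, 40001, 80, seg)).payload
                      for seg in (body[:7], body[7:]))
    get = (b"GET /bucket/report.txt HTTP/1.1\r\nHost: s3.example\r\n"
           b"Authorization: AWS alice:constructedSig\r\n\r\n")
    gw.process(Packet("TCP", client, server, 40002, 80, get))
    # response headers omitted: this segment carries only the object bytes returned by the server
    recovered = gw.process(Packet("TCP", server, client, 80, 40002, stored)).payload
    return body, stored, recovered
```

Two design points follow directly from the requirement that the output packet length must not change. First, no nonce or authentication tag can travel with the data, so the keystream has to be reproducible from information available at download time (here the object path) and the gateway gets no integrity check on what the server returns; a deployment of any length-preserving stream cipher needs integrity protection from elsewhere. Second, the per-rule offset matters: a body split across TCP segments must continue the keystream rather than restart it, or the download on a single segment (as in `demo()`) would not decrypt.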
By placing the encryption/decryption system between the user and the server, the embodiment of the invention relieves both the user and the server of the encryption workload and realizes a stable and efficient encryption/decryption framework.
A person skilled in the art should further appreciate that the units and algorithm steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be considered as going beyond the scope of the invention.
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the invention in detail. It should be understood that they are only specific embodiments of the invention and are not intended to limit its scope of protection; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included in the scope of protection of the invention.

Claims (8)

1. A transparent file encryption and decryption system for a simple storage service, characterized in that it comprises an initialization module, an input module, a processing module and an output module; wherein,
the initialization module is for completing the initialization of the file encryption/decryption system, specifically: initializing the memory, network interfaces, encryption algorithm, encryption/decryption rule list and key list of the file encryption/decryption system; establishing Transmission Control Protocol (TCP) connection information from the four-tuple of a packet in order to distinguish different data streams; generating encryption/decryption rules according to the Hypertext Transfer Protocol (HTTP) carried in TCP packets; and initializing the key list and the encryption/decryption rule list separately;
the input module is for classifying the packets input to the file encryption/decryption system, sending first-type packets to the processing module and second-type packets to the output module;
the processing module is for matching the first-type packets; if the match succeeds, encrypting or decrypting the first-type packet; if the match fails, not encrypting or decrypting the first-type packet; and sending the matched first-type packet to the output module;
the output module is for sending the received first-type packet or second-type packet to the corresponding network port.
2. The system according to claim 1, characterized in that the initialization module comprises one or more of a key list initialization unit, a memory initialization unit, a network interface initialization unit, an encryption/decryption rule initialization unit and an encryption algorithm initialization unit.
3. The system according to claim 1, characterized in that the first-type packets are TCP packets and the second-type packets are non-TCP packets; the input module classifies the input packets by whether they are TCP, sends the non-TCP packets to the output module and sends the TCP packets to the processing module.
4. The system according to claim 3, characterized in that the processing module is specifically for matching the four-tuple of the TCP packet against the encryption/decryption rule list; if the match succeeds, encrypting or decrypting the data according to the encryption algorithm and key of the encryption/decryption rule; if the match fails, not encrypting or decrypting the TCP packet; and sending the matched TCP packet to the output module.
5. The system according to claim 4, characterized in that the encryption/decryption rules are generated according to the HTTP protocol: an encryption rule is generated for an HTTP data upload command and the user information, and a decryption rule is generated for an HTTP data download command and the user information.
6. The system according to claim 1, characterized in that the processing module comprises one or more of an encryption/decryption matching unit, a TCP protocol parsing unit, an HTTP command parsing unit, an encryption/decryption rule management unit, a key management unit, an encryption/decryption rule list, a key list and a data encryption/decryption unit.
7. The system according to claim 4, characterized in that the processing module is further for
analyzing whether a TCP packet that did not match contains the HTTP protocol:
for a packet that contains HTTP and whose HTTP carries user login or logout information, updating the key list; or
for a packet that contains HTTP and whose HTTP carries a file download or upload command, updating the encryption/decryption rule list.
8. A transparent file encryption and decryption method for a simple storage service, characterized in that it comprises:
initializing the file encryption/decryption system;
classifying the packets input to the file encryption/decryption system, sending first-type packets to the processing module and second-type packets to the output module;
matching the first-type packets, the first-type packets being TCP packets, by matching the four-tuple of the TCP packet against the encryption/decryption rule list; if the match succeeds, encrypting or decrypting the first-type packet according to the encryption algorithm and data key of the encryption/decryption rule; if the match fails, not encrypting or decrypting the first-type packet; and sending the matched first-type packet to the output module;
sending the received first-type packet or second-type packet to the corresponding network port.
Priority Applications (1)

Application Number   Priority Date   Filing Date   Status   Title
CN201510415809.5A    2015-07-15      2015-07-15    Active   Transparent file encryption and decryption system and method for a simple storage service (CN106355101B)

Publications (2)

Publication Number   Publication Date
CN106355101A (en)    2017-01-25
CN106355101B (en)    2019-04-26

Family ID: 57842364

Country Status (1)

Country   Link
CN (1)    CN106355101B (en)

Cited by (2)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN108199863B (en) *   2017-11-27   2021-01-22   中国科学院声学研究所   Network traffic classification method and system based on two-stage sequence feature learning
CN107948208A (en) *   2018-01-05   2018-04-20   宝牧科技(天津)有限公司   Method and device for transparent encryption at the network application layer

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN101141243A (en) *   2006-09-08   2008-03-12   飞塔信息科技(北京)有限公司   Device and method for security checking and content filtering of communication data
CN103701592A (en) *   2013-12-18   2014-04-02   上海普华诚信软件技术有限公司   Method and system for intercepting, encrypting and decrypting data
CN104753925A (en) *   2015-03-11   2015-07-01   华中科技大学   Gateway system and method for encrypting and decrypting files


Legal Events

Code   Title
C06 / PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant
TR01   Transfer of patent right
    Effective date of registration: 20210823
    Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES (100190, No. 21 West Fourth Ring Road, Beijing, Haidian District)
    Patentee after: Zhengzhou xinrand Network Technology Co.,Ltd. (Room 1601, 16th floor, East Tower, Ximei building, No. 6, Changchun Road, high tech Industrial Development Zone, Zhengzhou, Henan 450001)
TR01   Transfer of patent right
    Effective date of registration: 20210823
    Patentees before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES; BEIJING INTELLIX TECHNOLOGIES Co.,Ltd. (100190, No. 21 West Fourth Ring Road, Beijing, Haidian District)
    Patentee after: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES (100190, No. 21 West Fourth Ring Road, Beijing, Haidian District)