CN106685981A - Multi-system data encryption transmission method and device - Google Patents
- Publication number: CN106685981A (application number CN201710023717.1A)
- Authority: CN (China)
- Prior art keywords: storage device, block storage, logical block, data, application
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
Embodiments of the invention provide a multi-system data encryption transmission method and device. The method comprises: based on the physical block storage device corresponding to the file system mount point involved by an application in each operating system, the mapping relation between that physical block storage device and a logical block storage device, and a master key, generating and sending a creation request for the logical block storage device; the kernel creating the logical block storage device according to the received creation request; and the logical block storage device encrypting or decrypting, according to the master key, the data the application transmits through the file system mount point, and then transmitting the data between the physical block storage device mapped by the logical block storage device and the application. With the embodiments of the invention, even if malicious software steals the encrypted data from the physical block storage device of the user's terminal device, the data is difficult to crack, so leakage of the data in the terminal device can be prevented.
Description
Technical field
The present invention relates to the field of terminal technology, and specifically to a multi-system data encryption transmission method and device.
Background technology
At present, terminal devices such as smartphones, tablet computers, smart wearable devices, e-readers and driving recorders are increasingly popular.
A considerable number of terminal devices have two operating systems installed. The data transmission method of each operating system includes: when the user inputs data through an application and indicates that it should be stored in a specified file, the operating system writes the input data into the physical block storage device; when the user indicates through an application that data should be read from a specified file, the operating system first reads the data from the physical block storage device and returns it to the application, which displays the data to the user.
However, a large amount of private data or files is stored in plaintext (unencrypted) form in the physical block storage device of the terminal device. Once a lawbreaker obtains the terminal device by illegal means, the plaintext data on its physical block storage device can be read. This easily leads to leakage of private data in terminal devices with two or more operating systems, easily causes losses to the user, and results in a poor user experience.
The content of the invention
To overcome the shortcomings of existing approaches, the present invention proposes a multi-system data encryption transmission method and device, so as to solve the prior-art problem that data in a terminal device with two or more operating systems is easily leaked.
According to one aspect, embodiments of the invention provide a multi-system data encryption transmission method, including:
based on the determined physical block storage device corresponding to the file system mount point involved by an application in each operating system, the mapping relation between the physical block storage device and a logical block storage device, and a master key, generating and sending a creation request for the logical block storage device;
the kernel creating the logical block storage device according to the received creation request for the logical block storage device;
the logical block storage device encrypting or decrypting, according to the master key, the data the application transmits through the file system mount point, and then transmitting the data between the physical block storage device mapped by the logical block storage device and the application.
According to another aspect, embodiments of the invention further provide a multi-system data encryption transmission device, including two or more operating systems and a kernel;
each operating system includes:
a logical block storage device request module, for generating and sending a creation request for a logical block storage device based on the determined physical block storage device corresponding to the file system mount point involved by an application in the operating system it belongs to, the mapping relation between the physical block storage device and the logical block storage device, and a master key;
the kernel includes:
a logical block storage device creation module, for creating the logical block storage device according to the received creation request for the logical block storage device;
the logical block storage device, for encrypting or decrypting, according to the master key, the data the application transmits through the file system mount point, and then transmitting the data between the physical block storage device mapped by the logical block storage device and the application.
Preferably, the multi-system data encryption transmission device of the embodiment of the present invention further includes:
a mount module, for mounting the logical block storage device on the corresponding file system mount point before the logical block storage device encrypts or decrypts, according to the master key, the data the application transmits through the file system mount point.
Preferably, the mount module is specifically used, when a mount request for the logical block storage device sent by an application is received, to have the kernel detect whether the operating system to which the requesting application belongs has access rights to the logical block storage device; if the detection result is yes, the logical block storage device is mounted on the file system mount point corresponding to the physical block storage device it maps; otherwise the mount is refused.
Preferably, the mount module is specifically used to determine, according to a predetermined correspondence between multiple logical block storage devices and the access rights of operating systems, whether the operating system to which the application sending the mount request belongs has access rights to the logical block storage device.
Preferably, the logical block storage device creation module is further used to determine in advance the correspondence between the multiple logical block storage devices and the access rights of operating systems by the following method: when the kernel creates each logical block storage device, it determines that the operating system to which the application sending the creation request for that logical block storage device belongs has access rights to that logical block storage device; and it establishes the correspondence between the access rights of that operating system and that logical block storage device.
Preferably, the logical block storage device is specifically used, when it is detected that an application writes data to the file system mount point, to have the logical block storage device mounted on that file system mount point encrypt the written data according to the master key in its creation request and store it in the physical block storage device it maps; and, when it is detected that an application sends a data read request to the file system mount point, to have the logical block storage device mounted on that file system mount point read the data covered by the read request from the physical block storage device it maps, decrypt the read data according to the master key in its creation request, and return it to the application that sent the read request.
Preferably, the logical block storage device request module is further used to encrypt the determined master key according to a unique number of the device, obtaining an encrypted master key; and
the logical block storage device is further used to decrypt the encrypted master key according to the unique number of the device to obtain the master key, and to encrypt or decrypt, according to the master key, the data the application transmits through the file system mount point.
In the embodiment of the present invention, data is encrypted or decrypted and transmitted through a logical block storage device that has a mapping relation with a physical block storage device. The user's private data is therefore also encrypted: even if a lawbreaker steals the encrypted data from the user's terminal device by means such as malware, it is difficult to crack and obtain the data, so data leakage from the terminal device can be prevented and the security of the user's data improved.
Additional aspects and advantages of the present invention will be set forth in part in the following description, will become apparent from that description, or will be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a block diagram of the internal structure of the terminal device of the embodiment of the present invention;
Fig. 2a is a flow diagram of the method for creating and mounting the logical block storage device of the embodiment of the present invention;
Fig. 2b is a flow diagram of the specific method of mounting the logical block storage device on the corresponding file system mount point in the embodiment of the present invention;
Fig. 2c is a schematic diagram of mounting the logical block storage device in the file system in the embodiment of the present invention;
Fig. 3 is a flow diagram of the multi-system data encryption transmission method based on the logical block storage device of the embodiment of the present invention;
Fig. 4 is a block diagram of the internal structure of the multi-system data encryption transmission device of the embodiment of the present invention.
Specific embodiment
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural forms. It should be further understood that the word "including" used in the description of the present invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may also be present. In addition, "connected" or "coupled" as used herein can include a wireless connection or wireless coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, that is, devices having only a wireless signal receiver without transmitting capability, and devices with receiving and transmitting hardware, that is, devices with receiving and transmitting hardware capable of two-way communication over a two-way communication link. Such devices can include: cellular or other communication devices with a single-line display or a multi-line display, or cellular or other communication devices without a multi-line display; PCS (Personal Communications Service) devices, which can combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which can include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; conventional laptop and/or palmtop computers or other devices, which have and/or include a radio frequency receiver. "Terminal" and "terminal device" as used herein can be portable, transportable, installed in a vehicle (aviation, maritime and/or land), or suitable for and/or configured to operate locally and/or in distributed form at any other location on earth and/or in space. "Terminal" and "terminal device" as used herein can also be communication terminals, Internet access terminals, music/video playback terminals, for example PDAs, MIDs (Mobile Internet Devices) and/or mobile phones, or smart televisions, set-top boxes and the like with music/video playback functions.
The inventors have noted that transparent encryption technology is a file encryption technology that has emerged in recent years in response to the data confidentiality needs of terminal devices with a single operating system. The data encryption transmission method of a single operating system includes: when the user inputs data through an application and indicates that it should be stored in a specified file, the operating system encrypts the input data and then writes the encrypted data into the physical block storage device; when the user indicates through an application that data should be read from a specified file, the operating system first reads the encrypted data from the physical block storage device, then decrypts it, and finally returns it to the application, which displays the data to the user. The user's data (including private data) is stored in the physical block storage device in ciphertext form, so even if a lawbreaker obtains the encrypted data stored in the physical block storage device of the terminal device, the encrypted data cannot be cracked.
However, the data encryption transmission method of a single operating system described above cannot be applied directly to a terminal device with two or more operating systems. At present, terminal devices with two or more operating systems still lack an effective data encryption transmission method to protect the user's private data; as a result, private data in such terminal devices is easily leaked, which easily causes losses to the user and results in a poor user experience.
In the embodiment of the present invention, based on the determined physical block storage device corresponding to the file system mount point involved by the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, and the master key, a creation request for the logical block storage device is generated and sent; the kernel creates the logical block storage device according to the received creation request; and the logical block storage device encrypts or decrypts, according to the master key, the data the application transmits through the file system mount point, and then transmits the data between the physical block storage device mapped by the logical block storage device and the application. It can be seen that in the embodiment of the present invention the data is encrypted or decrypted and transmitted through a logical block storage device that has a mapping relation with a physical block storage device. The user's private data is therefore also encrypted: even if a lawbreaker steals the encrypted data from the user's terminal device by means such as malware, it is difficult to crack and obtain the data, so data leakage from the terminal device can be prevented and the security of the user's data improved.
The technical solution of the embodiment of the present invention is described in detail below with reference to the drawings.
As shown in Fig. 1, the internal structure of the terminal device of the embodiment of the present invention includes: a kernel and two or more operating systems.
The two or more operating systems include a first operating system, a second operating system, ..., and an Nth operating system, where N is a positive integer greater than 2.
The operating systems of the embodiment of the present invention include container systems.
An operating system in the embodiment of the present invention is an operating system provided in a container created with Linux container virtualization technology. The operating system can be a traditional Linux or Unix operating system, a system derived from Linux such as Android or Ubuntu, or a Windows-platform-based system. In fact, the operating system in the present invention is not limited to those listed above and can cover any operating system that can run in a container. For ease of description, the technical solution is illustrated below using Android as the operating system.
Preferably, the operating systems of the embodiment of the present invention include a master control system.
The terminal device of the embodiment of the present invention also includes a master control system, which can be one of the traditional operating systems mentioned above or an operating system obtained by improving a traditional operating system. The kernel is the kernel of such an operating system, or an enhanced kernel obtained by adding functional modules to that kernel. Preferably, the master control system can include the kernel; the operating systems described above then call or access the kernel through the master control system to implement various functions. Alternatively, the operating systems and the master control system share the kernel; the operating systems and master control system of the present invention then comprise the parts of an existing operating system outside the kernel, such as the framework layer and the application layer, and each operating system and the master control system can call or access the kernel independently to implement various functions.
The master control system is mainly used for foreground/background management of the multiple operating systems and interacts with each operating system.
Preferably, the master control system communicates with the operating systems through container channels. Likewise, the operating systems can communicate with each other through container channels. Further, a container channel can be a socket channel.
The multi-system data encryption transmission method of the embodiment of the present invention includes: a method for creating and mounting a logical block storage device, and a multi-system data encryption transmission method based on the logical block storage device.
In the embodiment of the present invention, the flow of creating and mounting a logical block storage device is shown in Fig. 2a and includes the following steps:
S201: Determine the physical block storage device corresponding to the file system mount point involved by the application in each operating system, the mapping relation between the physical block storage device and a logical block storage device, and a master key.
Those skilled in the art will understand that in a Linux system or its variants, a hardware entity such as a physical block storage device is abstracted into a corresponding device file and mounted in the file system for the system or applications to call. For ease of understanding, the physical block storage device file mounted in the file system is still referred to as the physical block storage device; the same applies to the logical block storage device and is not repeated below.
The mount point is the place in the file system where the physical block storage device file is mounted, that is, each file system mount point corresponds to one physical block storage device.
For the application in each operating system, when it is detected that the application generates data that needs to be stored or needs to read stored data, the file system mount point involved by the application, which serves as the application's data read/write interface, is determined, and then the physical block storage device corresponding to that file system mount point is determined.
The parameters of the logical block storage device corresponding to the application, and the mapping relation between the physical block storage device and the logical block storage device, are determined. The parameters of the logical block storage device include: the identifier of the logical block storage device, its start address, its end address, and so on.
Preferably, the Device-Mapper mechanism can be used to determine the mapping relation between the physical block storage device and the logical block storage device. The Device-Mapper mechanism is a feature of the Linux kernel and is registered as a block device driver. It includes three important object concepts: the mapped device, the mapping table and the target device. A mapped device is a logical abstraction that can be understood as a logical device the kernel provides to the outside; it is mapped to a target device by the mapping relation described in the mapping table. In the embodiment of the present invention, the logical block storage device can specifically be a mapped device, and the physical block storage device can specifically be a target device.
There are many types of mapped device, and each type can implement different functions; for example, a dm-crypt (device mapper cryptography) device among the mapped devices can implement encryption and decryption of the data in a physical block storage device.
A random number is generated for each logical block storage device by the random number generation module of the terminal device or operating system and used as the master key. Those skilled in the art can determine the length of the master key according to experimental data, historical data, empirical data and/or the actual situation; for example, the length of the master key is set to 128 bits.
Preferably, the determined master key is encrypted according to a unique number of the device, obtaining an encrypted master key.
Preferably, according to the unique number of the device, at least one of the following encryption algorithms can be used to encrypt the determined master key and obtain the encrypted master key: a symmetric encryption algorithm, an asymmetric encryption algorithm.
Further, the outer-layer key used to encrypt the master key can be the serial number fixed in the CPU (central processing unit). Because the serial number of the CPU in each mobile terminal is unique, the CPU serial number can serve as the unique number of the mobile terminal device. This serial number differs from the IMEI (International Mobile Equipment Identity) or the MAC (Media Access Control) address, which are visible to all applications and are not a unique device number that every device has; an IMEI number, for example, can be changed.
An application or service in the application layer that has been authorized in advance can obtain the serial number by calling the kernel, which reads it through the CPU-related driver; other applications or services in the application layer cannot obtain the serial number. Since a malicious program is not authorized, it cannot get the serial number; this prevents a malicious program from impersonating an application to obtain the serial number, improves the security of the serial number serving as the outer-layer key, thereby improves the security of the master key encrypted with the outer-layer key, and in turn improves the security of the data encrypted with the master key.
Further, the master key and/or the encrypted master key can be stored in a trusted storage area of the terminal device or in a pre-designated physical block storage device. The trusted storage area can specifically be an encrypted storage area inside the terminal device, for example an encrypted storage area conforming to the TrustZone (trusted zone) architecture. The trusted storage area can also be an encrypted storage area outside the terminal device, for example an encrypted storage area in removable storage connected to the terminal device in a wired or wireless manner.
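The master-key hierarchy described above (a random per-device master key, wrapped under an outer-layer key derived from the CPU's unique serial number), as an added Python example that is not part of the patent or of any kernel code. The patent does not name the cipher; this example stands in an encrypt-then-MAC construction built from HMAC-SHA256 so that it runs with the standard library alone. The serial numbers, the derivation labels and the nonce and tag sizes are constructed for the example; only the 128-bit master key length comes from the page.

```python
import os
import hmac
import hashlib
from typing import Optional

MASTER_KEY_BITS = 128   # the page's example master key length
NONCE_LEN = 16          # constructed choice for this example
TAG_LEN = 32            # HMAC-SHA256 tag


def generate_master_key() -> bytes:
    """One random master key per logical block storage device (page: a random number, e.g. 128 bits)."""
    return os.urandom(MASTER_KEY_BITS // 8)


def derive_outer_key(cpu_serial: bytes) -> bytes:
    """Outer-layer key from the device-unique CPU serial number. The serial is never used
    directly as a cipher key; an HMAC extract step (the label is a constructed constant)
    turns it into a 256-bit key."""
    return hmac.new(b"dm-crypt-outer-layer-key", cpu_serial, hashlib.sha256).digest()


def _subkeys(outer_key: bytes):
    """Separate encryption and authentication keys derived from the outer-layer key."""
    enc_key = hmac.new(outer_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(outer_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF; a stand-in for the page's
    unspecified symmetric cipher (any AEAD would serve the same purpose)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap_master_key(master_key: bytes, cpu_serial: bytes) -> bytes:
    """Encrypt-then-MAC the master key under the outer-layer key. Output: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(derive_outer_key(cpu_serial))
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(m ^ k for m, k in zip(master_key, _keystream(enc_key, nonce, len(master_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_master_key(blob: bytes, cpu_serial: bytes) -> Optional[bytes]:
    """Recover the master key. Returns None when the blob was wrapped on another device
    (different serial) or has been modified, so a stolen blob is useless elsewhere."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_outer_key(cpu_serial))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed serial numbers; a real device reads its own through the CPU driver.
    serial_a, serial_b = b"CPU-SERIAL-A-0001", b"CPU-SERIAL-B-0002"
    mk = generate_master_key()
    blob = wrap_master_key(mk, serial_a)
    print("unwrap on the same device :", unwrap_master_key(blob, serial_a) == mk)
    print("unwrap on another device  :", unwrap_master_key(blob, serial_b))
```

The authentication tag is what makes the outer layer useful against the threat the page describes: an encrypted master key copied off the physical block storage device fails verification under any other serial number, and a modified blob is rejected rather than yielding a corrupted key. On the real device the serial itself is only reachable through the authorized kernel call, so the unwrap step should live in the same privileged component that reads it.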
S202: Based on the physical block storage device corresponding to the file system mount point involved by the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, and the master key, generate and send a creation request for the logical block storage device.
The path of the physical block storage device corresponding to the file system mount point involved by the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, the parameters of the logical block storage device, and the master key, all determined in the step above, are carried in the creation request for the logical block storage device, which is then sent to the kernel.
Preferably, the related API (Application Programming Interface) of the Device-Mapper mechanism provided by the kernel is called, and the creation request for the logical block storage device is sent to the kernel through that API.
S203: The kernel creates the logical block storage device according to the received creation request for the logical block storage device.
After receiving the creation request for the logical block storage device sent by the application, the kernel creates the logical block storage device according to the parameters of the logical block device in the request, allocates a path for it, and numbers the created logical block storage device. The number of the logical block storage device is returned to the application that sent the creation request.
Preferably, the kernel returns the number and a handle of the created logical block storage device to the application that sent the creation request.
According to the mapping relation between the physical block storage device and the logical block storage device in the creation request, the mapping relation between the path of the logical block storage device and the path of the physical block storage device in the creation request is established.
Preferably, when the kernel receives the create request for a logical block storage device sent by an application, it predetermines the correspondence between the multiple logical block storage devices and the access rights of the operating systems by the following method:
when the kernel creates each logical block storage device, it determines that the operating system to which the application sending the create request belongs has the access right for that logical block storage device;
it then establishes the correspondence between the access right of the operating system to which the application sending the create request belongs and that logical block storage device.
Specifically, when the kernel creates each logical block storage device, it determines the identifier of the operating system to which the application sending the create request belongs, determines that this operating system has the right to access the logical block storage device, and thereby records the access right of this operating system for the device.
It can be understood that the correspondence between operating-system access rights and logical block storage devices amounts to the following: the operating system to which the application sending the create request belongs has the right to access that logical block storage device. That is, an operating system has the right to access the logical block storage devices it (indirectly) created, and no right to access logical block storage devices created by other operating systems.
For example, Table 1 below shows an example of the correspondence between multiple logical block storage devices and the access rights of the operating systems.
Table 1

dm-crypt device number | First operating system | Second operating system |
---|---|---|
dm-0 | visible, accessible | invisible, inaccessible |
dm-1 | visible, accessible | invisible, inaccessible |
… | … | … |
dm-M | visible, accessible | invisible, inaccessible |
dm-(M+1) | invisible, inaccessible | visible, accessible |
dm-(M+2) | invisible, inaccessible | visible, accessible |
… | … | … |
dm-N | invisible, inaccessible | visible, accessible |
In Table 1, dm is the abbreviation of dm-crypt and represents a logical block storage device; N and M are positive integers with 127 >= N > M > 0; dm-0 represents the logical block storage device numbered 0. dm-0 to dm-M were created indirectly by the first operating system, so the first operating system can see and access the logical block storage devices dm-0 to dm-M; the second operating system did not create dm-0 to dm-M, so it can neither see nor access them. Because dm-(M+1) to dm-N were created by the second operating system, the second operating system can see and access the logical block storage devices dm-(M+1) to dm-N.
S204: The logical block storage device is mounted on the corresponding file-system mount point.
Preferably, the kernel mounts the logical block storage device on the corresponding file-system mount point at the request of the application.
In step S204 above, the specific method of mounting the logical block storage device on the corresponding file-system mount point is shown in the flow diagram of Fig. 2b and comprises the following steps:
S2041: The kernel receives a mount request for the logical block storage device from the application.
After receiving the number of the logical block storage device returned for the create request it sent, the application sends a mount request for that logical block storage device to the kernel.
Preferably, the application sends the mount request for the logical block storage device to the kernel through the mount system call.
S2042: The kernel detects whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device; if the detection result is yes, step S2043 is executed; otherwise the mount is refused.
The kernel determines the number of the logical storage device involved in the mount request and the identifier of the operating system to which the application sending the mount request belongs.
According to the predetermined correspondence between the multiple logical block storage devices and the access rights of the operating systems, the kernel determines whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device. If the detection result is yes, step S2043 is executed; if it is no, the mount is refused and a corresponding error code is returned to the application that sent the mount request.
S2043: The logical block storage device is mounted on the file-system mount point corresponding to the physical block storage device it is mapped to.
The kernel mounts the logical block storage device involved in the mount request on the file-system mount point corresponding to the physical block storage device it is mapped to.
For example, according to the application's mount request, the kernel mounts the path of the dm-crypt device serving as the logical block storage device (i.e. /dev/block/dm-x, where x is the number of the device) on the /data partition as the corresponding mount point.
Fig. 2c shows a schematic diagram of the file system mounted through the logical block storage device.
Based on the logical block storage device described above, the flow of the multi-system data encryption transmission method based on logical block storage devices in the embodiment of the present invention is shown in Fig. 3 and includes:
S301: The logical block storage device detects whether an application writes data to, or sends a data read request to, the corresponding file-system mount point.
The logical block storage device detects, through its corresponding file-system mount point, whether an application writes data to that mount point or sends a data read request to it.
S302: When it detects that an application writes data to the file-system mount point, the logical block storage device encrypts the written data according to the master key in its create request and stores the result in the physical block storage device it is mapped to.
When an application is detected writing data to the file-system mount point, the logical block storage device mounted on that mount point encrypts the written data according to the master key in its create request and stores it in the physical block storage device that the logical block storage device is mapped to.
Preferably, the encrypted master key is decrypted according to the unique number of the terminal device to obtain the master key; the data transmitted (input) by the application through the file-system mount point is then encrypted according to the master key and stored in the physical block storage device the logical block storage device is mapped to.
S303: When it detects that an application sends a data read request to the file-system mount point, the logical block storage device reads the corresponding data from the physical block storage device it is mapped to, decrypts it according to the master key in its create request, and returns it to the application.
It is easy to see that all data stored in the physical block storage devices of the terminal device of the embodiment of the present invention is data that has been encrypted with the master key.
When an application is detected sending a data read request to the file-system mount point, the logical block storage device mounted on that mount point reads the data involved in the read request from the physical block storage device it is mapped to, decrypts the read data according to the master key in its create request, and returns it to the application that sent the data read request.
Preferably, the encrypted master key is decrypted according to the unique number of the terminal device to obtain the master key; the data transmitted to the application through the file-system mount point is then decrypted according to the master key.
Specifically, the logical block storage device decrypts the encrypted master key according to the unique number of the terminal device to obtain the master key; it then decrypts the data read from the physical block storage device it is mapped to according to the master key and returns it to the application that sent the data read request.
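The creation and ownership table of S203 (Table 1), the mount check of S2042, and the encrypted write and read path of S302 and S303, modelled together in Python as an added example that is not code from the patent. The cipher (HMAC-SHA256 in counter mode), the integrity tag on the wrapped master key, the class and function names, and the device paths and sample values are all assumptions; the patent names dm-crypt but no cipher.

```python
"""Model of S202-S303: per-OS dm device creation, the ownership table of Table 1,
mount checks, and master-key-encrypted I/O through a file-system mount point.
Added illustration; cipher, key wrapping, names and sample values are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def _kek(device_unique_number: str) -> bytes:
    return hashlib.sha256(b"kek:" + device_unique_number.encode()).digest()  # outer-layer key

def wrap_master_key(master_key: bytes, device_unique_number: str) -> bytes:
    """Encrypt the master key under the device-derived key; output nonce || body || tag."""
    kek, nonce = _kek(device_unique_number), os.urandom(16)
    body = _keystream_xor(kek, nonce, master_key)
    tag = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap_master_key(wrapped: bytes, device_unique_number: str) -> bytes:
    """Recover the master key; a wrong device number or tampering fails the tag check."""
    kek = _kek(device_unique_number)
    nonce, body, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
    expected = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped master key rejected: wrong device or tampered")
    return _keystream_xor(kek, nonce, body)

@dataclass
class LogicalBlockDevice:
    number: int               # x in /dev/block/dm-x
    owner_os: str             # operating system that (indirectly) created it, as in Table 1
    physical_path: str        # mapped physical block device (placeholder path in demo)
    mount_point: str          # e.g. /data inside the owning operating system
    wrapped_master_key: bytes # master key as carried in the create request

class Kernel:
    """Kernel side: dm device creation, OS/device access table, mount check, I/O."""

    def __init__(self, device_unique_number: str):
        self.device_unique_number = device_unique_number
        self.devices: dict[int, LogicalBlockDevice] = {}
        self.physical: dict[str, bytes] = {}            # constructed stand-in for physical devices
        self.mounts: dict[tuple[str, str], int] = {}    # (os, mount point) -> dm number

    def create_logical_device(self, os_id: str, request: dict) -> int:
        """S203: number the device and record the requesting OS as its only owner."""
        number = len(self.devices)
        self.devices[number] = LogicalBlockDevice(
            number, os_id, request["physical_path"],
            request["mount_point"], request["wrapped_master_key"])
        self.physical.setdefault(request["physical_path"], b"")
        return number

    def mount(self, os_id: str, number: int) -> bool:
        """S2042/S2043: mount only if the requesting OS created this device."""
        dev = self.devices[number]
        if dev.owner_os != os_id:
            return False                                # invisible/inaccessible in Table 1
        self.mounts[(os_id, dev.mount_point)] = number
        return True

    def write(self, os_id: str, mount_point: str, data: bytes) -> None:
        """S302: unwrap the master key, encrypt the write, store only ciphertext."""
        dev = self.devices[self.mounts[(os_id, mount_point)]]
        key, nonce = unwrap_master_key(dev.wrapped_master_key, self.device_unique_number), os.urandom(16)
        self.physical[dev.physical_path] = nonce + _keystream_xor(key, nonce, data)

    def read(self, os_id: str, mount_point: str) -> bytes:
        """S303: read ciphertext from the mapped physical device and decrypt it."""
        dev = self.devices[self.mounts[(os_id, mount_point)]]
        key = unwrap_master_key(dev.wrapped_master_key, self.device_unique_number)
        stored = self.physical[dev.physical_path]
        return _keystream_xor(key, stored[:16], stored[16:])

def demo() -> dict:
    """Two operating systems on one terminal, each creating and using its own dm device."""
    terminal_id = "DEVICE-UNIQUE-NUMBER-PLACEHOLDER"   # constructed sample value
    kernel = Kernel(terminal_id)
    results = {}
    for os_id, phys in (("os1", "/dev/block/PHYS-A"), ("os2", "/dev/block/PHYS-B")):
        wrapped = wrap_master_key(os.urandom(32), terminal_id)   # S201/S202, userspace side
        req = {"physical_path": phys, "mount_point": "/data", "wrapped_master_key": wrapped}
        results[os_id] = kernel.create_logical_device(os_id, req)
    results["os1_mounts_own"] = kernel.mount("os1", results["os1"])
    results["os2_mounts_os1"] = kernel.mount("os2", results["os1"])   # refused
    kernel.write("os1", "/data", b"private user data")
    results["stored"] = kernel.physical["/dev/block/PHYS-A"]
    results["read_back"] = kernel.read("os1", "/data")
    return results
```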
Based on the multi-system data encryption transmission method above, the embodiment of the present invention also provides a multi-system data encryption transmission device, arranged in the terminal device of the embodiment. The framework of its internal structure is shown in Fig. 4 and includes two or more operating systems and a kernel.
Each operating system includes a logical block storage device request module 411.
The logical block storage device request module 411 is used to generate and transmit a create request for a logical block storage device 402, based on the determined physical block storage device corresponding to the file-system mount point used by the application in its operating system, the mapping relation between the physical block storage device and the logical block storage device 402, and the master key.
The kernel includes a logical block storage device creation module 401 and a logical block storage device 402.
The logical block storage device creation module 401 is used to create the logical block storage device 402 according to the received create request for it.
The logical block storage device 402 is used to encrypt or decrypt, according to the master key, the data transmitted by the application through the file-system mount point, and to transmit it between the physical block storage device that the logical block storage device 402 is mapped to and the application.
More preferably, as shown in Fig. 4, the multi-system data encryption transmission device of the embodiment of the present invention also includes a mount module 403.
The mount module 403 is used to mount the logical block storage device 402 on the corresponding file-system mount point before the logical block storage device 402 encrypts or decrypts, according to the master key, the data transmitted by the application through the file-system mount point.
Preferably, when the mount module 403 receives a mount request from an application for the logical block storage device 402, the kernel detects whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device 402; if the detection result is yes, the logical block storage device 402 is mounted on the file-system mount point corresponding to the physical block storage device it is mapped to; otherwise the mount is refused.
Preferably, the mount module 403 determines, according to the predetermined correspondence between the multiple logical block storage devices 402 and the access rights of the operating systems, whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device 402.
Preferably, the logical block storage device creation module 401 is also used to predetermine the correspondence between the multiple logical block storage devices 402 and the access rights of the operating systems by the following method: when the kernel creates each logical block storage device 402, it determines that the operating system to which the application sending the create request for that device belongs has the access right for the logical block storage device 402, and establishes the correspondence between that operating system's access right and the logical block storage device 402.
Preferably, the logical block storage device 402 is specifically used such that, when an application is detected writing data to the file-system mount point, the logical block storage device 402 mounted on that mount point encrypts the written data according to the master key in its create request and stores it in the physical block storage device it is mapped to; and when an application is detected sending a data read request to the file-system mount point, the logical block storage device 402 mounted on that mount point reads the data involved in the read request from the physical block storage device it is mapped to, decrypts the read data according to the master key in its create request, and returns it to the application that sent the data read request.
Further, the logical block storage device request module 411 is also used to encrypt the determined master key according to the unique number of the device, obtaining the encrypted master key.
And the logical block storage device 402 is also used to decrypt the encrypted master key according to the unique number of the device to obtain the master key, and then to encrypt or decrypt, according to the master key, the data transmitted by the application through the file-system mount point.
For the implementation of the functions of the logical block storage device request module 411 in the operating systems and of the logical block storage device creation module 401, the logical block storage device 402 and the mount module 403 in the kernel, reference may be made to the process steps of Figs. 2a, 2b and 3 above, which are not repeated here.
In the embodiment of the present invention, data is encrypted or decrypted and transmitted through a logical block storage device that has a mapping relation with a physical block storage device. The user's private data can thus be encrypted, so that even if an attacker steals the encrypted data from the user's terminal device by means such as malware, it is difficult to crack and obtain the data; data leakage from the terminal device is prevented and the security of the user's data is improved.
Moreover, in the embodiment of the present invention, by establishing the correspondence between multiple logical block storage devices and the access rights of the operating systems, each operating system has access rights only to the logical block storage devices it created itself, and none to those created by other operating systems. This achieves isolation between operating systems at the logical block storage device level: even if one operating system is compromised by a malicious program, that program cannot reach other operating systems through the logical block storage devices, which limits the scope of the intrusion, improves the security of the data in the other operating systems, and thereby improves the security of the data, including the user's private data, across the multiple operating systems as a whole.
Further, in the embodiment of the present invention, the master key is encrypted with the unique number of the device as an outer-layer key, which greatly reduces the probability that the encrypted master key is cracked and improves its security; data is encrypted with this more secure master key and the encrypted data is stored in the physical block storage device, improving the security of the data in the physical block storage device.
Those skilled in the art will appreciate that the present invention includes devices for performing one or more of the operations described herein. These devices may be specially designed and manufactured for the required purpose, or may include known devices in general-purpose computers. These devices have computer programs stored therein, which are selectively activated or reconfigured. Such computer programs may be stored in a device-readable (for example, computer-readable) medium or in any kind of medium suitable for storing electronic instructions and coupled to a bus; the computer-readable medium includes but is not limited to any kind of disk (including floppy disks, hard disks, optical disks, CD-ROMs and magneto-optical disks), ROM (Read-Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic cards or optical cards. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (for example, a computer).
Those skilled in the art will appreciate that each block of these structural diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks therein, can be implemented by computer program instructions. Those skilled in the art will appreciate that these computer program instructions can be supplied to the processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus for execution, so that the processor of the computer or other programmable data processing apparatus carries out the scheme specified in one or more blocks of the structural diagrams and/or block diagrams and/or flow diagrams disclosed by the present invention.
Those skilled in the art will appreciate that the steps, measures and schemes in the various operations, methods and flows discussed in the present invention may be alternated, changed, combined or deleted. Further, other steps, measures and schemes in the various operations, methods and flows discussed in the present invention may also be alternated, changed, rearranged, decomposed, combined or deleted. Further, steps, measures and schemes in the prior art that share the various operations, methods and flows disclosed in the present invention may also be alternated, changed, rearranged, decomposed, combined or deleted.
The above is only some embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.
Claims (10)
1. A multi-system data encryption transmission method, characterised in that it includes:
generating, based on the determined physical block storage device corresponding to the file-system mount point used by the application in each operating system, the mapping relation between the physical block storage device and a logical block storage device, and a master key, a create request for the logical block storage device, and transmitting it;
creating, by a kernel, the logical block storage device according to the received create request for the logical block storage device;
encrypting or decrypting, by the logical block storage device according to the master key, the data transmitted by the application through the file-system mount point, and transmitting it between the physical block storage device that the logical block storage device is mapped to and the application.
2. The method according to claim 1, characterised in that before the logical block storage device encrypts or decrypts, according to the master key, the data transmitted by the application through the file-system mount point, the method also includes:
mounting the logical block storage device on the corresponding file-system mount point.
3. The method according to claim 2, characterised in that mounting the logical block storage device on the corresponding file-system mount point includes:
when a mount request from an application for the logical block storage device is received, the kernel detecting whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device;
if the detection result is yes, mounting the logical block storage device on the file-system mount point corresponding to the physical block storage device it is mapped to; otherwise refusing the mount.
4. The method according to claim 3, characterised in that the kernel detecting whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device includes:
determining, according to a predetermined correspondence between multiple logical block storage devices and the access rights of operating systems, whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device.
5. The method according to claim 4, characterised in that the correspondence between the multiple logical block storage devices and the access rights of the operating systems is predetermined by the following method:
when the kernel creates each logical block storage device, determining that the operating system to which the application sending the create request for that logical block storage device belongs has the access right for that logical block storage device;
establishing the correspondence between the access right of the operating system to which the application sending the create request for that logical block storage device belongs and that logical block storage device.
6. The method according to claim 2, characterised in that encrypting or decrypting, according to the master key, the data read or written by the application through the file-system mount point, and transmitting it between the physical block storage device that the logical block storage device is mapped to and the application, includes:
when an application is detected writing data to the file-system mount point, the logical block storage device mounted on that mount point encrypting the written data according to the master key in its create request and storing it in the physical block storage device it is mapped to;
when an application is detected sending a data read request to the file-system mount point, the logical block storage device mounted on that mount point reading the data involved in the read request from the physical block storage device it is mapped to, decrypting the read data according to the master key in its create request, and returning it to the application that sent the data read request.
7. The method according to claim 1, characterised in that determining the master key includes:
encrypting the determined master key according to a unique number of the device, obtaining an encrypted master key; and
encrypting or decrypting, according to the master key, the data transmitted by the application through the file-system mount point includes:
decrypting the encrypted master key according to the unique number of the device to obtain the master key; and encrypting or decrypting, according to the master key, the data transmitted by the application through the file-system mount point.
8. A multi-system data encryption transmission device, characterised in that it includes two or more operating systems and a kernel;
each operating system includes:
a logical block storage device request module, for generating and transmitting a create request for a logical block storage device based on the determined physical block storage device corresponding to the file-system mount point used by the application in its operating system, the mapping relation between the physical block storage device and the logical block storage device, and a master key;
the kernel includes:
a logical block storage device creation module, for creating the logical block storage device according to the received create request for the logical block storage device;
the logical block storage device, for encrypting or decrypting, according to the master key, the data transmitted by the application through the file-system mount point, and transmitting it between the physical block storage device that the logical block storage device is mapped to and the application.
9. The device according to claim 8, characterised in that it also includes:
a mount module, for mounting the logical block storage device on the corresponding file-system mount point before the logical block storage device encrypts or decrypts, according to the master key, the data transmitted by the application through the file-system mount point.
10. The device according to claim 9, characterised in that
the mount module is specifically used, when a mount request from an application for the logical block storage device is received, for the kernel to detect whether the operating system to which the application sending the mount request belongs has the access right for the logical block storage device; if the detection result is yes, to mount the logical block storage device on the file-system mount point corresponding to the physical block storage device it is mapped to; otherwise to refuse the mount.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710023717.1A CN106685981B (en) | 2017-01-13 | 2017-01-13 | Multi-system data encryption transmission method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106685981A true CN106685981A (en) | 2017-05-17 |
CN106685981B CN106685981B (en) | 2021-03-23 |
CN105809043A (en) | Data security protection method of computer | |
KR20150073567A (en) | The Method for Transmitting and Receiving the Secure Message Using the Terminal Including Secure Storage | |
CN105187207A (en) | Authority authentication method and device | |
CN107330336A (en) | The instant encryption and decryption method and system of (SuSE) Linux OS memory pages | |
CN108900595A (en) | Access method, apparatus, equipment and the calculation medium of cloud storage service device data | |
CN105791233A (en) | Anti-virus scanning method and device | |
CN104866761B (en) | A kind of high security Android intelligent terminal | |
CN100446016C (en) | System for realizing data security protecting |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20230428. Address after: Room 401, Floor 4, No. 2, Haidian East Third Street, Haidian District, Beijing 100080. Patentee after: Yuanxin Information Technology Group Co.,Ltd. Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Beijing. Patentee before: YUANXIN TECHNOLOGY |