CN106685981B - Multi-system data encryption transmission method and device - Google Patents



Publication number: CN106685981B
Authority: CN (China)
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Application number: CN201710023717.1A
Other languages: Chinese (zh)
Other versions: CN106685981A
Inventor: 方翔
Current assignee: Yuanxin Information Technology Group Co Ltd (assignee list as given by Google Patents)
Original assignee: Yuanxin Technology
Events: application filed by Yuanxin Technology; priority to CN201710023717.1A; publication of CN106685981A; application granted; publication of CN106685981B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The embodiment of the invention provides a multi-system data encryption transmission method and device, wherein the method comprises the following steps: generating and sending a creation request for a logical block storage device based on the physical block storage device corresponding to the file system mount point used by the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, and a master key; the kernel creating the logical block storage device according to the received creation request; and the logical block storage device encrypting or decrypting, according to the master key, the data the application transfers through the file system mount point, and then transferring that data between the physical block storage device mapped by the logical block storage device and the application. With the embodiment of the invention, even if malicious software steals encrypted data from the physical block storage device of a user terminal device, the data is difficult to crack, so leakage of the data in the terminal device can be prevented.

Description

Multi-system data encryption transmission method and device
Technical Field
The invention relates to the technical field of terminals, in particular to a multi-system data encryption transmission method and device.
Background
At present, terminal devices such as smart phones, tablet computers, intelligent wearable devices, electronic readers or automobile data recorders and the like are increasingly popularized.
A considerable number of terminal devices have two operating systems installed. The data transmission method in each operating system is as follows: when a user inputs data through an application and instructs that it be saved to a designated file, the operating system writes the input data to a physical block storage device; when the user instructs the application to read data from the designated file, the operating system reads the data from the physical block storage device and returns it to the application, which displays it to the user.
However, a large amount of private data and files is stored in plain text (unencrypted) on the physical block storage device of the terminal device. Once a lawbreaker obtains the terminal device by illegal means, the plaintext data on its physical block storage device can be read, so private data in a terminal device with two or more operating systems is easily leaked, which brings loss to the user and a poor user experience.
Disclosure of Invention
The invention provides a multi-system data encryption transmission method and device aiming at the defects of the existing mode, and aims to solve the problem that data of terminal equipment with more than two operating systems are easy to leak in the prior art.
According to an aspect, an embodiment of the present invention provides a method for encrypted transmission of data in multiple systems, including:
generating and sending a creation request for a logical block storage device based on the physical block storage device corresponding to the file system mount point used by the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, and a master key;
the kernel creating the logical block storage device according to the received creation request for the logical block storage device;
and the logical block storage device encrypting or decrypting, according to the master key, the data the application transfers through the file system mount point, and then transferring that data between the physical block storage device mapped by the logical block storage device and the application.
According to another aspect, an embodiment of the present invention further provides a multi-system data encryption transmission apparatus, including: more than two operating systems and kernels;
each operating system includes:
a logical block storage device request module, configured to generate and send a creation request for a logical block storage device based on the physical block storage device corresponding to the determined file system mount point used by the application in the operating system to which the module belongs, the mapping relation between the physical block storage device and the logical block storage device, and a master key;
the kernel includes:
a logical block storage device creation module, configured to create the logical block storage device according to a received creation request of the logical block storage device;
and the logical block storage device is used for encrypting or decrypting data transmitted by the application through the file system mount point according to the master key and then transmitting the encrypted or decrypted data between the physical block storage device mapped by the logical block storage device and the application.
Preferably, the multi-system data encryption transmission apparatus according to the embodiment of the present invention further includes:
a mount module, configured to mount the logical block storage device on the corresponding file system mount point before the logical block storage device encrypts or decrypts, according to the master key, the data transferred through that file system mount point.
Preferably, the mount module is specifically configured to, when a mount request of an application for the logical block storage device is received, have the kernel detect whether the operating system to which the requesting application belongs holds the access right for the logical block storage device; if so, mount the logical block storage device at the file system mount point corresponding to the physical block storage device mapped by the logical block storage device; otherwise, refuse the mount.
Preferably, the mount module is specifically configured to determine whether the operating system to which the application of the mount request belongs has the access right of the logical block storage device according to a predetermined correspondence between the multiple logical block storage devices and the access right of the operating system.
Preferably, the logical block storage device creating module is further configured to preselect and determine correspondence between the plurality of logical block storage devices and access rights of the operating system by: when the kernel creates each logic block storage device, determining that an operating system to which an application sending a creation request of the logic block storage device belongs has an access right of the logic block storage device; and establishing a corresponding relation between the access authority of the operating system to which the application sending the creation request of the logic block storage device belongs and the logic block storage device.
Preferably, the logical block storage device is specifically configured to, when it is detected that an application writes data into a file system mount point, encrypt, by the logical block storage device mounted at the file system mount point, the written data according to a master key in a creation request of the logical block storage device, and store the encrypted data into a physical block storage device mapped by the logical block storage device; when detecting that an application sends a data reading request to a file system mounting point, after reading data related to the data reading request from a physical block storage device mapped by the logical block storage device, a logical block storage device mounted by the file system mounting point decrypts the read data according to a master key in a creation request of the logical block storage device and returns to the application sending the data reading request.
Preferably, the logic block storage device request module is further configured to encrypt the determined master key according to the device unique number to obtain an encrypted master key; and
the logic block storage device is further used for decrypting the encrypted master key according to the device unique number to obtain the master key; and encrypting or decrypting the data transmitted by the application through the file system mounting point according to the master key.
In the embodiment of the invention, the logical block storage device which has a mapping relation with the physical block storage device is used for encrypting or decrypting and transmitting data. Private data of a user can be encrypted, and even if an illegal person steals the encrypted data in user terminal equipment in modes of malicious software and the like, the data is difficult to crack and obtain, so that data leakage in the terminal equipment can be prevented, and the safety of the data of the user is improved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic frame diagram of an internal structure of a terminal device according to an embodiment of the present invention;
FIG. 2a is a flow chart illustrating a method for creating and mounting a logical block storage device according to an embodiment of the present invention;
FIG. 2b is a flowchart illustrating a specific method for mounting a logical block storage device to a corresponding mounting point of a file system according to an embodiment of the present invention;
FIG. 2c is a diagram illustrating a file system with a logical block storage device mounted thereon according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for encrypted data transmission of multiple systems based on a logical block storage device according to an embodiment of the present invention;
fig. 4 is a schematic frame diagram of an internal structure of a multi-system data encryption transmission apparatus according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative only and should not be construed as limiting the invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
As will be appreciated by those skilled in the art, a "terminal" as used herein includes both devices having only a wireless signal receiver without transmit capability and devices having receive and transmit hardware capable of two-way communication over a two-way communication link. Such a device may include: a cellular or other communication device with a single-line display, a multi-line display, or no multi-line display; a PCS (Personal Communications Service) device, which may combine voice, data processing, facsimile and/or data communication capabilities; a PDA (Personal Digital Assistant), which may include a radio frequency receiver, a pager, internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; a conventional laptop and/or palmtop computer or other device having and/or including a radio frequency receiver. As used herein, a "terminal" or "terminal device" may be portable, transportable, installed in a vehicle (aeronautical, maritime, and/or land-based), or situated and/or configured to operate locally and/or in a distributed fashion at any other location(s) on earth and/or in space. As used herein, a "terminal device" may also be a communication terminal, a web terminal, or a music/video playing terminal, such as a PDA, an MID (Mobile Internet Device) and/or a mobile phone with a music/video playing function, or a smart TV, a set-top box, etc.
The inventor of the present invention has noticed that transparent encryption is a file encryption technology introduced in recent years in response to the data security requirements of terminal devices with a single operating system. The data encryption transmission method of the single operating system is as follows: when a user inputs data through an application and instructs that it be saved to a designated file, the operating system encrypts the input data and writes the encrypted data to the physical block storage device; when the user instructs the application to read data from the designated file, the operating system reads the encrypted data from the physical block storage device, decrypts it, and returns it to the application, which displays it to the user. Since the user's data (including private data) is stored on the physical block storage device as ciphertext, even if a lawbreaker obtains the encrypted data stored on the physical block storage device of the terminal device, the encrypted data cannot be decrypted.
However, the data encryption transmission method of the single operating system cannot be applied directly to a terminal device with two or more operating systems. At present, terminal devices with two or more operating systems still lack an effective data encryption transmission method to protect users' private data; as a result, private data in such terminal devices is easily leaked, which brings loss to the user and a poor user experience.
In the embodiment of the invention, a creation request of the logic block storage device is generated and sent based on the physical block storage device corresponding to the file system mounting point related to the application in each operating system, the mapping relation between the physical block storage device and the logic block storage device and the master key; the kernel creates the logic block storage device according to the received creation request of the logic block storage device; and the logical block storage device encrypts or decrypts the data transmitted by the application through the file system mount point according to the master key, and then transmits the data between the physical block storage device mapped by the logical block storage device and the application. It can be seen that, in the embodiment of the present invention, the logical block storage device having a mapping relationship with the physical block storage device encrypts or decrypts data and transmits the encrypted or decrypted data. Private data of a user can be encrypted, and even if an illegal person steals the encrypted data in user terminal equipment in modes of malicious software and the like, the data is difficult to crack and obtain, so that data leakage in the terminal equipment can be prevented, and the safety of the data of the user is improved.
The technical solution of the embodiments of the present invention is specifically described below with reference to the accompanying drawings.
A frame schematic diagram of an internal structure of a terminal device according to an embodiment of the present invention is shown in fig. 1, and includes: a kernel and more than two operating systems.
The two or more operating systems include a first operating system, a second operating system, … and an Nth operating system. N is a positive integer of 2 or more.
The operating system of an embodiment of the present invention includes a container system.
The operating system in the embodiment of the present invention is an operating system provided in a container created by the Linux container virtualization technology. The operating system may be a Linux operating system or a Unix operating system in the conventional sense, an Android system or an Ubuntu system derived from the Linux operating system, or a Windows system based on a Windows platform. In fact, the operating system in the present invention is not limited to the aforementioned exemplary operating systems, and may cover all operating systems that can run in a container. For convenience of description, the technical solution of the present invention is described below by taking an Android system as an operating system as an example.
Preferably, the operating systems of the embodiment of the present invention further include a master control system.
The terminal device of the embodiment of the present invention further includes a main control system, which may be the above-mentioned conventional operating system, or an operating system obtained by improving a conventional operating system. The kernel is a conventional kernel, or an enhanced kernel obtained by adding functional modules to a conventional kernel. Preferably, the master control system may include the kernel; the operating systems call or access the kernel through the master control system to realize various functions. Alternatively, the operating systems and the master control system share the kernel; the operating systems and the main control system then comprise the parts of an existing operating system other than the kernel, such as the framework layer and the application layer, and each can independently call or access the kernel to realize various functions.
The main control system is mainly used for performing foreground and background management on a plurality of operating systems, interacting with each operating system and the like. Preferably, the host system may communicate with the operating system through the container channel. Similarly, the operating systems can communicate with each other through the container channel. Further, the container channel may be a socket channel.
The multi-system data encryption transmission method of the embodiment of the invention comprises the following steps: the method comprises a logical block storage device creating and mounting method and a logical block storage device-based multi-system data encryption transmission method.
In this embodiment of the present invention, a flow diagram of a logical block storage device creating and mounting method is shown in fig. 2a, and includes the following steps:
S201: determining the physical block storage device corresponding to the file system mount point related to the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, and the master key.
Those skilled in the art can understand that in the Linux system or its derivative systems, hardware entities such as physical block storage devices are abstracted into corresponding device files, and mounted into a file system for system or application call. For ease of understanding, the physical block storage device files mounted to the file system are still referred to as physical block storage devices. The logical block storage device is similar and will not be described again.
The mounting position of the physical block storage device file in the file system is a mounting point, namely each file system mounting point corresponds to one physical block storage device.
For each application in the operating system, when detecting that data generated by the application needs to be stored or the stored data needs to be read, determining a file system mounting point related to the application as a data read-write interface of the application, and further determining a physical block storage device corresponding to the file system mounting point.
The parameters of the logical block storage device corresponding to the application, and the mapping relation between the physical block storage device and the logical block storage device, are also determined. The parameters of the logical block storage device include the identifier, start address and end address of the logical block storage device, and so on.
Preferably, the Device-Mapper (device mapping) mechanism is used to determine the mapping relation between the physical block storage device and the logical block storage device. The Device-Mapper mechanism is a feature of the Linux kernel and is registered as a block device driver. It contains three important object concepts: the mapped device, the mapping table and the target device. The mapped device is a logical abstraction that can be understood as the logical device the kernel exposes to the outside; it is mapped onto the target device through the mapping relation described by the mapping table. The logical block storage device in the embodiment of the present invention may specifically be a mapped device, and the physical block storage device may specifically be a target device. There are various types of mapped device, each realizing a different function; for example, a dm-crypt (device-mapper crypt) mapped device can encrypt and decrypt the data in the physical block storage device.
And generating a random number as a master key for each logic block storage device through a random number generation module of the terminal device or the operating system. One skilled in the art can determine the length of the master key according to experimental data, historical data, empirical data, and/or actual conditions; for example, the length of the master key is set to 128 bits.
Preferably, the determined master key is encrypted according to the unique device number to obtain an encrypted master key.
Preferably, according to the unique number of the device, the determined master key may be encrypted by using at least one of the following encryption algorithms to obtain an encrypted master key: symmetric encryption algorithm, asymmetric encryption algorithm.
Further, the outer key for encrypting the master key may be the serial number fixed in the CPU (central processing unit). Since the serial number of each CPU in a mobile terminal is unique, the CPU serial number can be used as the device unique number of the mobile terminal. The serial number differs from numbers that are visible to all applications, some of which are not unique to the device or can be modified, such as the IMEI (International Mobile Equipment Identity) or the MAC (Media Access Control) address; the IMEI, for example, may be modified.
An application or service that has been authorized in advance in the application layer can obtain the serial number by calling the kernel, which reads it through the CPU's related driver; other applications or services in the application layer cannot obtain the serial number. Therefore, a malicious program cannot acquire the serial number, because it is not authorized; this prevents malicious programs from impersonating an application to acquire the serial number, improves the security of the serial number serving as the outer-layer key, thereby improves the security of the master key encrypted by the outer-layer key, and thus improves the security of the data encrypted by the master key.
Further, the master key and/or the encrypted master key may be stored in a trusted storage area of the terminal device or in a pre-designated physical block storage device. The trusted storage area may specifically be an encrypted storage area inside the terminal device, for example an encrypted storage area conforming to the TrustZone architecture. The trusted storage area may also be an encrypted storage area outside the terminal device, for example an encrypted storage area in a mobile memory connected to the terminal device by wire or wirelessly.
S202: and generating a creation request of the logical block storage device and sending the creation request based on the physical block storage device corresponding to the file system mount point related to the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device and a master key.
And carrying the path of the physical block storage device corresponding to the file system mounting point related to the application in each operating system, the mapping relation between the physical block storage device and the logical block storage device, the parameters of the logical block storage device and the master key into a creation request of the logical block storage device, and then sending the creation request to the kernel.
Preferably, an API (Application Programming Interface) related to a Device-Mapper mechanism provided by the kernel is called, and the creation request of the logical block storage Device is sent to the kernel through the API.
S203: and the kernel creates the logic block storage device according to the received creation request of the logic block storage device.
After receiving a creation request for a logical block storage device sent by an application, the kernel creates the logical block storage device according to the parameters of the logical block storage device in the creation request, allocates a path for the logical block storage device, and numbers the created logical block storage device. The number of the created logical block storage device is returned to the application that sent the creation request.
Preferably, the kernel returns the number and handle of the created logical block storage device to the application that sent the request to create the logical block storage device.
A mapping is then established between the path of the logical block storage device and the path of the physical block storage device named in the creation request, according to the mapping relationship between the physical block storage device and the logical block storage device carried in that request.
Preferably, when the kernel receives a creation request for a logical block storage device sent by an application, the correspondence between the plurality of logical block storage devices and the access rights of the operating systems is predetermined by the following method:
when the kernel creates each logical block storage device, it determines that the operating system to which the application that sent the creation request belongs has the access right to that logical block storage device;
and it records the correspondence between that operating system's access right and the logical block storage device.
Specifically, when the kernel creates each logical block storage device, it determines the identifier of the operating system to which the application that sent the creation request belongs, determines that this operating system has the right to access the logical block storage device, and records the operating system's access right for that device.
It is understood that, in practice, the correspondence between the access rights of an operating system and the logical block storage devices is: the operating system to which the application that sent the creation request belongs has access to the logical block storage device it requested. That is, an operating system has the right to access the logical block storage devices it (indirectly) created, but not the right to access logical block storage devices created by other operating systems.
For example, Table 1 below shows one example of the correspondence between a plurality of logical block storage devices and the access rights of two operating systems.
TABLE 1

dm-crypt device number   First operating system    Second operating system
dm-0                     Visible, accessible       Invisible, inaccessible
dm-1                     Visible, accessible       Invisible, inaccessible
...                      ...                       ...
dm-M                     Visible, accessible       Invisible, inaccessible
dm-(M+1)                 Invisible, inaccessible   Visible, accessible
dm-(M+2)                 Invisible, inaccessible   Visible, accessible
...                      ...                       ...
dm-N                     Invisible, inaccessible   Visible, accessible

In Table 1 above, dm is an abbreviation of dm-crypt and denotes a logical block storage device; N and M are both positive integers with 127 ≥ N > M > 0; dm-0 denotes the logical block storage device numbered 0. dm-0 to dm-M are created indirectly by the first operating system, so the logical block storage devices dm-0 to dm-M are visible and accessible to the first operating system; the second operating system did not create dm-0 to dm-M, so those devices are invisible and inaccessible to it. Since dm-(M+1) to dm-N are created for the second operating system, the logical block storage devices dm-(M+1) to dm-N are visible and accessible to the second operating system.
S204: mounting the logical block storage device to the corresponding file system mount point.
Preferably, the kernel mounts the logical block storage device to the corresponding file system mount point at the request of the application.
In step S204 above, the flowchart of a specific method for mounting the logical block storage device to the corresponding file system mount point is shown in fig. 2b and includes the following steps:
S2041: the kernel receives a mount request from an application for the logical block storage device.
After the application receives the number of the logical block storage device returned in response to its creation request, it sends a mount request for that logical block storage device to the kernel.
Preferably, the application sends the mount request for the logical block storage device to the kernel through the mount system call.
S2042: the kernel checks whether the operating system to which the application that sent the mount request belongs has the access right to the logical block storage device; if yes, go to step S2043; otherwise, the mount is refused.
The kernel determines the number of the logical block storage device named in the mount request and the identifier of the operating system to which the application that sent the mount request belongs.
Whether that operating system has the access right to the logical block storage device is determined from the predetermined correspondence between the plurality of logical block storage devices and the access rights of the operating systems; if yes, go to step S2043; if not, the mount is refused and a corresponding error code is returned to the application that sent the mount request.
S2043: mounting the logical block storage device to the file system mount point corresponding to the physical block storage device mapped by the logical block storage device.
The kernel mounts the logical block storage device named in the mount request to the file system mount point corresponding to the physical block storage device mapped by that logical block storage device.
For example, at the mount request of an application, the kernel mounts the path of a dm-crypt device (i.e., /dev/block/dm-x, where x is the device number) serving as the logical block storage device onto the /data partition, which is the corresponding mount point.
FIG. 2c shows a schematic diagram of a file system mounting a logical block storage device.
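The ownership table and mount check of steps S2041 to S2043 can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee: the kernel's registry of dm-crypt devices is an in-memory dictionary, the operating systems and physical partitions are identified by constructed string names, and the error codes returned on a refused mount (EACCES for a device owned by another operating system, ENODEV for an unknown number) are assumptions, since the text only says "a corresponding error code".

```python
"""Simulation of the per-operating-system access table for logical block
storage devices (Table 1, steps S2041-S2043).  Added example, not the
patent's own code.  Assumptions: OS identifiers and physical device paths are
constructed strings, device numbers are handed out sequentially from 0, and
a refused mount returns a negative errno value (EACCES / ENODEV)."""
import errno

# Error codes the simulated kernel returns instead of a mount point.
ERR_ACCESS_DENIED = -errno.EACCES   # device belongs to another operating system
ERR_NO_SUCH_DEVICE = -errno.ENODEV  # no logical block storage device with that number


class LogicalBlockDeviceRegistry:
    """Kernel-side bookkeeping: which operating system (indirectly) created each
    dm-crypt device, and therefore which operating system may mount it."""

    MAX_DEVICES = 128  # numbers 0..127, matching 127 >= N in the description

    def __init__(self):
        # dm number -> {"owner": os_id, "physical": path, "mount_point": path}
        self._devices = {}
        # logical device path -> physical device path (the S203 mapping)
        self._path_map = {}

    def create(self, owner_os, physical_path, mount_point):
        """Step S203: create dm-x for the requesting operating system, record the
        physical<->logical path mapping and grant access only to the owner."""
        if len(self._devices) >= self.MAX_DEVICES:
            raise OSError(errno.ENOSPC, "no free dm device number")
        number = len(self._devices)
        logical_path = f"/dev/block/dm-{number}"
        self._devices[number] = {
            "owner": owner_os,
            "physical": physical_path,
            "mount_point": mount_point,
        }
        self._path_map[logical_path] = physical_path
        return number

    def has_access(self, os_id, number):
        """Table 1 lookup: an OS only has access to devices it created."""
        dev = self._devices.get(number)
        return dev is not None and dev["owner"] == os_id

    def mount(self, os_id, number):
        """Steps S2041-S2043: return the mount point on success, or a negative
        errno when the device is unknown or owned by another operating system."""
        if number not in self._devices:
            return ERR_NO_SUCH_DEVICE
        if not self.has_access(os_id, number):
            return ERR_ACCESS_DENIED
        return self._devices[number]["mount_point"]

    def logical_to_physical(self, logical_path):
        """Resolve /dev/block/dm-x to the physical partition it maps (S203)."""
        return self._path_map.get(logical_path)

    def visibility_table(self, os_ids):
        """Render the Table 1 matrix: one row per dm device, one cell per OS."""
        rows = []
        for number in sorted(self._devices):
            cells = [
                "Visible, accessible" if self.has_access(os_id, number)
                else "Invisible, inaccessible"
                for os_id in os_ids
            ]
            rows.append((f"dm-{number}", *cells))
        return rows


if __name__ == "__main__":
    # Constructed sample: two operating systems, each with its own /data partition.
    reg = LogicalBlockDeviceRegistry()
    reg.create("first-os", "/dev/block/mmcblk0p10", "/data")
    reg.create("second-os", "/dev/block/mmcblk0p11", "/data")
    for row in reg.visibility_table(["first-os", "second-os"]):
        print(*row, sep=" | ")
    print("second-os mounting dm-0 ->", reg.mount("second-os", 0))
```

The point a reviewer of such a design would check is the one the registry makes explicit: ownership is fixed at creation time from the identity of the requesting operating system, so a compromised application in one operating system cannot talk its way into another system's device merely by knowing its number.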
Based on the above logical block storage device, a flow diagram of a method for encrypting and transmitting data of multiple systems based on the logical block storage device according to an embodiment of the present invention is shown in fig. 3, and includes:
S301: the logical block storage device detects whether an application writes data to the corresponding file system mount point or sends a data read request to it.
The logical block storage device detects, through the corresponding file system mount point, whether an application writes data to that mount point or sends a data read request through it.
S302: when it detects that the application writes data to the file system mount point, the logical block storage device encrypts the written data using the master key from the creation request and stores the encrypted data in the physical block storage device it maps.
When it detects that the application writes data to the file system mount point, the logical block storage device mounted at that mount point encrypts the written data using the master key from its creation request and stores the encrypted data in the physical block storage device it maps.
Preferably, the encrypted master key is first decrypted using the device unique number of the terminal device to obtain the master key; the data transmitted (written) by the application through the file system mount point is then encrypted with the master key and stored in the physical block storage device mapped by the logical block storage device.
S303: when it detects that the application sends a data read request to the file system mount point, the logical block storage device reads the corresponding data from the physical block storage device it maps, decrypts the read data using the master key from the creation request, and returns the decrypted data to the application.
It is to be understood that, in this embodiment of the invention, the data stored in the physical block storage device of the terminal device is data encrypted with the master key.
When it detects that the application sends a data read request to the file system mount point, the logical block storage device mounted at that mount point reads the data named in the read request from the physical block storage device it maps, decrypts the read data using the master key from its creation request, and returns it to the application that sent the read request.
Preferably, the encrypted master key is first decrypted using the device unique number of the terminal device to obtain the master key; the data transmitted to the application through the file system mount point is then decrypted with the master key.
Specifically, the logical block storage device decrypts the encrypted master key using the device unique number of the terminal device to obtain the master key; it then decrypts the data read from the physical block storage device it maps with the master key and returns it to the application that sent the read request.
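The data path of steps S302 and S303, together with the two-layer key scheme (master key wrapped by a key derived from the device unique number), is shown below as an added example written for this page; it is not the patent's or the assignee's code. To keep it runnable with the Python standard library alone, the sector cipher and the key-wrapping cipher are a stand-in keystream built from HMAC-SHA256 in counter mode rather than the AES-based ciphers a real dm-crypt target would use; the device unique number, sector size and sample data are constructed values, and the per-sector IV scheme is modelled on dm-crypt's sector-number IV.

```python
"""Simulation of a dm-crypt-style logical block storage device (steps S302 and
S303): the master key arrives wrapped under a key derived from the device
unique number, is unwrapped by the device, and every sector written to the
mapped physical device is stored encrypted.  Added example, not the patent's
code.  The HMAC-SHA256 counter-mode keystream is a stand-in for a block
cipher such as AES-XTS so that the example has no third-party dependency."""
import hashlib
import hmac
import os

SECTOR_SIZE = 512  # constructed: typical block device sector size


def _keystream_xor(key, nonce, data):
    """Stand-in cipher: XOR data with an HMAC-SHA256 counter-mode keystream.
    Applying it twice with the same key and nonce restores the input."""
    out = bytearray(len(data))
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i:i + 32]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def derive_outer_key(device_unique_number):
    """Outer key from the device unique number (the text's 'outer secret key').
    PBKDF2 with a fixed label so the same terminal always derives the same key."""
    return hashlib.pbkdf2_hmac("sha256", device_unique_number.encode(),
                               b"dm-crypt-outer-key", 50_000)


def wrap_master_key(master_key, device_unique_number):
    """Application side: encrypt the master key under the outer key and add an
    integrity tag, producing the 'encrypted master key' sent in the creation request."""
    outer = derive_outer_key(device_unique_number)
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(outer, nonce, master_key)
    tag = hmac.new(outer, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_master_key(blob, device_unique_number):
    """Device side: verify the tag, then recover the master key.  A blob wrapped
    on a different terminal fails the tag check instead of yielding garbage."""
    outer = derive_outer_key(device_unique_number)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(outer, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted master key does not verify for this device")
    return _keystream_xor(outer, nonce, ciphertext)


def master_key_unwraps(blob, device_unique_number):
    """True if the wrapped master key can be opened on this terminal."""
    try:
        unwrap_master_key(blob, device_unique_number)
        return True
    except ValueError:
        return False


class LogicalBlockDevice:
    """dm-x: sits between the file system mount point and the physical partition."""

    def __init__(self, physical, wrapped_master_key, device_unique_number):
        self.physical = physical  # mapped physical block device (here: a bytearray)
        self.master_key = unwrap_master_key(wrapped_master_key, device_unique_number)

    @staticmethod
    def _sector_iv(sector):
        # Per-sector IV from the sector number, like dm-crypt's plain64 IV mode.
        return sector.to_bytes(8, "little") + bytes(8)

    def write(self, sector, data):
        """S302: encrypt with the master key, store ciphertext on the physical device."""
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes are whole sectors")
        off = sector * SECTOR_SIZE
        self.physical[off:off + SECTOR_SIZE] = _keystream_xor(
            self.master_key, self._sector_iv(sector), data)

    def read(self, sector):
        """S303: read ciphertext from the physical device and return plaintext."""
        off = sector * SECTOR_SIZE
        stored = bytes(self.physical[off:off + SECTOR_SIZE])
        return _keystream_xor(self.master_key, self._sector_iv(sector), stored)


if __name__ == "__main__":
    physical = bytearray(4 * SECTOR_SIZE)           # constructed 2 KiB partition
    blob = wrap_master_key(os.urandom(32), "IMEI-000000000000001")
    dev = LogicalBlockDevice(physical, blob, "IMEI-000000000000001")
    dev.write(1, b"user private data".ljust(SECTOR_SIZE, b"\0"))
    print("plaintext on disk?", b"user private data" in bytes(physical))
    print("read back:", dev.read(1).rstrip(b"\0"))
```

Two design points are worth noting when reading the stand-in against a real device mapper target. First, a keystream cipher keyed only by sector number is unsafe once a sector is rewritten (two ciphertexts under the same keystream leak their XOR), which is exactly why dm-crypt uses a block cipher in a tweakable mode such as XTS; the stand-in is for illustrating the data flow, not for use. Second, wrapping the master key with an authenticated construction means a blob copied to another terminal is rejected outright, which matches the text's intent that the device unique number acts as the outer key.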
Based on the foregoing multi-system data encryption transmission method, an embodiment of the present invention further provides a multi-system data encryption transmission apparatus. The apparatus is disposed in the terminal device of the embodiment, and a schematic diagram of its internal structure is shown in fig. 4. The apparatus includes two or more operating systems and a kernel.
Each operating system includes a logical block storage device request module 411.
The logical block storage device request module 411 is configured to generate and send a creation request for the logical block storage device 402, based on the physical block storage device corresponding to the determined file system mount point associated with an application in the operating system to which the module belongs, the mapping relationship between that physical block storage device and the logical block storage device 402, and the master key.
The kernel includes a logical block storage device creation module 401 and the logical block storage device 402.
The logical block storage device creation module 401 is configured to create the logical block storage device 402 according to the received creation request.
The logical block storage device 402 is configured to encrypt or decrypt, using the master key, the data transmitted by the application through the file system mount point, and then to transfer the data between the application and the physical block storage device mapped by the logical block storage device 402.
Preferably, as shown in fig. 4, the multi-system data encryption transmission apparatus of this embodiment further includes a mount module 403.
The mount module 403 is configured to mount the logical block storage device 402 to the corresponding file system mount point before the logical block storage device 402 encrypts or decrypts, using the master key, the data transmitted through that mount point.
Preferably, the mount module 403 is specifically configured to, on receiving a mount request from an application for the logical block storage device 402, check whether the operating system to which the requesting application belongs has the access right to the logical block storage device 402; if so, mount the logical block storage device 402 to the file system mount point corresponding to the physical block storage device it maps; otherwise, refuse the mount.
Preferably, the mount module 403 is specifically configured to determine whether the operating system to which the requesting application belongs has the access right to the logical block storage device 402 from the predetermined correspondence between the plurality of logical block storage devices 402 and the access rights of the operating systems.
Preferably, the logical block storage device creation module 401 is further configured to predetermine the correspondence between the plurality of logical block storage devices 402 and the access rights of the operating systems as follows: when the kernel creates each logical block storage device 402, it determines that the operating system to which the application that sent the creation request belongs has the access right to that logical block storage device 402, and records the correspondence between that operating system's access right and the logical block storage device 402.
Preferably, the logical block storage device 402 is specifically configured to: when it detects that an application writes data to a file system mount point, the logical block storage device 402 mounted at that mount point encrypts the written data using the master key from its creation request and stores the encrypted data in the physical block storage device it maps; when it detects that the application sends a data read request to the file system mount point, the logical block storage device 402 mounted at that mount point reads the data named in the read request from the physical block storage device it maps, decrypts it using the master key from its creation request, and returns it to the application that sent the read request.
Further, the logical block storage device request module 411 is further configured to encrypt the determined master key using the device unique number to obtain an encrypted master key.
The logical block storage device 402 is further configured to decrypt the encrypted master key using the device unique number to obtain the master key, and to encrypt or decrypt, using the master key, the data transmitted by the application through the file system mount point.
For the implementation of the functions of the logical block storage device request module 411 in the operating system, and of the logical block storage device creation module 401, the logical block storage device 402 and the mount module 403 in the kernel, reference may be made to the flow steps of fig. 2a, fig. 2b and fig. 3 described above; details are not repeated here.
In this embodiment of the invention, a logical block storage device that has a mapping relationship with a physical block storage device is used to encrypt or decrypt data in transit. A user's private data can thus be stored encrypted: even if an attacker obtains the encrypted data from the user's terminal device, for example through malicious software, the data is difficult to recover, so data leakage from the terminal device is prevented and the security of the user's data is improved.
In addition, in this embodiment, by establishing the correspondence between the plurality of logical block storage devices and the access rights of the operating systems, each operating system has the access right only to the logical block storage devices it created, and not to those created by other operating systems. Isolation between operating systems is therefore enforced at the level of the logical block storage device: even if one operating system is compromised by a malicious program, that program cannot reach other operating systems through the logical block storage devices, so its reach is confined, the security of data in the other operating systems is preserved, and the security of data (including user private data) across the plurality of operating systems is improved as a whole.
Furthermore, in this embodiment, the master key is encrypted under the device unique number serving as an outer key, which greatly reduces the likelihood that the encrypted master key can be broken and so improves its security; data is encrypted under this better-protected master key and the encrypted data is stored in the physical block storage device, improving the security of the data in the physical block storage device.
Those skilled in the art will appreciate that the present invention includes apparatus directed to performing one or more of the operations described in the present application. These devices may be specially designed and manufactured for the required purposes, or they may comprise known devices in general-purpose computers. These devices have stored therein computer programs that are selectively activated or reconfigured. Such a computer program may be stored in a device (e.g., computer) readable medium, including, but not limited to, any type of disk including floppy disks, hard disks, optical disks, CD-ROMs, and magnetic-optical disks, ROMs (Read-Only memories), RAMs (Random Access memories), EPROMs (Erasable Programmable Read-Only memories), EEPROMs (Electrically Erasable Programmable Read-Only memories), flash memories, magnetic cards, or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a bus. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (e.g., a computer).
It will be understood by those within the art that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. Those skilled in the art will appreciate that the computer program instructions may be implemented by a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the features specified in the block or blocks of the block diagrams and/or flowchart illustrations of the present disclosure.
Those of skill in the art will appreciate that various operations, methods, steps in the processes, acts, or solutions discussed in the present application may be alternated, modified, combined, or deleted. Further, various operations, methods, steps in the flows, which have been discussed in the present application, may be interchanged, modified, rearranged, decomposed, combined, or eliminated. Further, steps, measures, schemes in the various operations, methods, procedures disclosed in the prior art and the present invention can also be alternated, changed, rearranged, decomposed, combined, or deleted.
The foregoing is only a partial embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A multi-system data encryption transmission method, characterized by comprising the following steps:
generating and sending a creation request for a logical block storage device based on the physical block storage device corresponding to the file system mount point associated with an application in each operating system, the mapping relationship between the physical block storage device and the logical block storage device, and a master key; where the positions at which physical block storage devices are mounted in the file system are the mount points, and each file system mount point corresponds to one physical block storage device;
the kernel creating the logical block storage device according to the received creation request for the logical block storage device;
and the logical block storage device encrypting or decrypting, using the master key, the data transmitted by the application through the file system mount point, and then transferring the data between the physical block storage device mapped by the logical block storage device and the application.
2. The method of claim 1, wherein, before the logical block storage device encrypts or decrypts, using the master key, the data transmitted by the application through the file system mount point, the method further comprises:
mounting the logical block storage device to the corresponding file system mount point.
3. The method of claim 2, wherein mounting the logical block storage device to the corresponding file system mount point comprises:
when a mount request from an application for the logical block storage device is received, the kernel checking whether the operating system to which the application that sent the mount request belongs has the access right to the logical block storage device;
if so, mounting the logical block storage device to the file system mount point corresponding to the physical block storage device mapped by the logical block storage device; otherwise, refusing the mount.
4. The method of claim 3, wherein the kernel checking whether the operating system to which the application that sent the mount request belongs has the access right to the logical block storage device comprises:
determining whether the operating system to which the application that sent the mount request belongs has the access right to the logical block storage device from the predetermined correspondence between the plurality of logical block storage devices and the access rights of the operating systems.
5. The method of claim 4, wherein the correspondence between the plurality of logical block storage devices and the access rights of the operating systems is predetermined as follows:
when the kernel creates each logical block storage device, determining that the operating system to which the application that sent the creation request for the logical block storage device belongs has the access right to that logical block storage device;
and recording the correspondence between the access right of that operating system and the logical block storage device.
6. The method of claim 2, wherein encrypting or decrypting, using the master key, the data read and written by the application through the file system mount point and then transferring it between the physical block storage device mapped by the logical block storage device and the application comprises:
when it is detected that an application writes data to a file system mount point, the logical block storage device mounted at that mount point encrypting the written data using the master key from the creation request for the logical block storage device and storing the encrypted data in the physical block storage device mapped by the logical block storage device;
when it is detected that an application sends a data read request to a file system mount point, the logical block storage device mounted at that mount point reading the data named in the read request from the physical block storage device mapped by the logical block storage device, decrypting the read data using the master key from the creation request for the logical block storage device, and returning it to the application that sent the read request.
7. The method of claim 1, wherein determining the master key comprises:
encrypting the determined master key using the device unique number to obtain an encrypted master key; and
encrypting or decrypting, using the master key, the data transmitted by the application through the file system mount point comprises:
decrypting the encrypted master key using the device unique number to obtain the master key; and encrypting or decrypting, using the master key, the data transmitted by the application through the file system mount point.
8. A multi-system data encryption transmission apparatus, characterized by comprising two or more operating systems and a kernel;
each operating system includes:
a logical block storage device request module, configured to generate and send a creation request for a logical block storage device based on the physical block storage device corresponding to the determined file system mount point associated with an application in the operating system to which the module belongs, the mapping relationship between the physical block storage device and the logical block storage device, and a master key; where the positions at which physical block storage devices are mounted in the file system are the mount points, and each file system mount point corresponds to one physical block storage device;
the kernel includes:
a logical block storage device creation module, configured to create the logical block storage device according to the received creation request for the logical block storage device;
and the logical block storage device, configured to encrypt or decrypt, using the master key, the data transmitted by the application through the file system mount point, and then to transfer the encrypted or decrypted data between the physical block storage device mapped by the logical block storage device and the application.
9. The apparatus of claim 8, further comprising:
a mount module, configured to mount the logical block storage device to the corresponding file system mount point before the logical block storage device encrypts or decrypts, using the master key, the data transmitted through the file system mount point.
10. The apparatus of claim 9, wherein
the mount module is specifically configured to, when a mount request from an application for the logical block storage device is received, have the kernel check whether the operating system to which the application that sent the mount request belongs has the access right to the logical block storage device; if so, mount the logical block storage device to the file system mount point corresponding to the physical block storage device mapped by the logical block storage device; otherwise, refuse the mount.
Publications (2)

Publication Number Publication Date
CN106685981A CN106685981A (en) 2017-05-17
CN106685981B true CN106685981B (en) 2021-03-23
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230428
Address after: Room 401, Floor 4, No. 2, Haidian East Third Street, Haidian District, Beijing 100080
Patentee after: Yuanxin Information Technology Group Co.,Ltd.
Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Beijing
Patentee before: YUANXIN TECHNOLOGY