CN109325355A - Method for secure storage of mobile terminal data based on a virtual disk
- Publication number: CN109325355A
- Application number: CN201810024502.6A
- Authority: CN (China)
- Prior art keywords: disk, user, file, data, file system
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/602: Providing cryptographic facilities or services
- G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F3/0664: Virtualisation aspects at device level, e.g. emulation of a storage device or system
Abstract
The present invention provides a method for secure storage of mobile terminal data based on a virtual disk, and belongs to the field of information security. The method first creates an independent disk partition on the hard disk: a file of fixed size is created to simulate a disk partition, and the contents of this file are then formatted into a user-defined file system, so that the file can be emulated as a disk, i.e. a virtual disk. Finally, combined with real-time encryption, encryption and decryption are added to the disk read and write paths, which guarantees the security of the data. The invention customizes an encrypted file system for the independent disk partition and builds an encryption and decryption pipeline between the plaintext in memory and the ciphertext on disk, so that no plaintext traces are left on disk and data protection is transparent. The invention offers high security and flexibility, provides strong protection for data on mobile terminals, allows the encrypted file system and the authentication mechanism to be customized, and can offer multiple encryption algorithms and modes of operation.
Description
Technical field
The invention belongs to the field of information security, and specifically relates to a method for secure storage of mobile terminal data based on a virtual disk.
Background art
Mobile phones make people's lives more convenient, but their security problems are becoming increasingly serious. With the surge in smartphones led by the Android system, much malware has gradually turned its sights on mobile phones. According to statistics, newly added malware, Trojans and viruses in 2016 reached the order of 100,000. The harm includes harassing calls, malicious SMS messages, spam SMS messages and fraudulent calls, as well as stealing the user's data traffic, making calls in the background and sending spam messages. In particular, as mobile storage capacity increases and information processing capability improves, phones handle more personal information and store more and more important data. Besides confidential personal information such as private photos, personal videos and documents, a phone may, for convenience, also hold enterprise-level or state-level confidential information. On the other hand, because mobile platforms are increasingly open and increasingly intelligent, phones are becoming targets for hackers and viruses, which can obtain personal or corporate private information without being detected, for example by stealing schedules, address books, personal private information and online transaction data. In addition, phones face the risk of being lost or stolen: the user not only suffers a loss of property but may face a more serious threat, privacy leakage. If private information is not stored securely, personal information is easily leaked once the phone is lost or infected, and with the rise of sharing channels such as blogs and microblogs, leaked private information spreads quickly. This affects not only the individual but possibly the lives of the people around them, and may damage company interests or even national security.
Measures are therefore needed to guarantee the confidentiality of data on the phone, so that whether the phone is attacked by hackers or lost, nobody other than the phone's user can obtain the private information, and the user can store private data on the phone with confidence.
Existing secure data storage schemes fall mainly into two classes: software-based schemes and hardware-based schemes. Software-based schemes are widely used because they do not depend on specific hardware. Such a scheme may be file-based, disk-partition-based, and so on. Each has its advantages and disadvantages in terms of privacy, ease of use, performance and flexibility. On mobile terminals, most confidential-storage schemes today are file-based: confidentiality is protected by encrypting individual files, and an encrypted file has to be decrypted when it is used. Such schemes are simple to implement and highly customizable, but carry a serious security risk, the most important being the handling of temporary plaintext files. If a plaintext file is not deleted in time, an attacker can easily find it and obtain the information; even if it is deleted, it is still threatened by disk data recovery techniques.
Hardware-based schemes differ from software-based ones. In a software-based scheme, the encryption of data is normally located in a user application-layer program or in the file system, and acts on certain files, directories or partitions. In a hardware-based scheme, data encryption is located in the firmware of the hard disk controller, or is implemented with a dedicated DSP or FPGA, and acts on the entire disk. In general, hardware-based schemes implement the cryptographic algorithm with a dedicated encryption chip or an independent processing chip. The encryption chip performs a cryptographic computation over the encryption chip information, the private key information and the hard disk information, and at the same time writes to the primary partition table of the hard disk, achieving full-disk encryption. The encryption chip, the dedicated electronic key and the hard disk are bound together, and none of them can be omitted. This scheme protects data strongly, and an attacker can hardly obtain meaningful information. However, such protection usually requires an additional chip and customization of the hard disk itself, so the implementation cost is very high, and the customizability and scalability of the scheme are poor. In addition, phones hold non-private entertainment data such as music and e-magazines that needs no extra protection, and resources on mobile platforms, although increasingly abundant, are still limited, so full-disk encryption, which consumes excessive resources, is unsuitable. Hardware-based schemes are therefore not suited to flexible, resource-limited mobile platforms.
In conclusion mainly having the data based on file or folder in already present mobile phone data security storage scheme
Secure storage scheme and hardware based data safety storage scheme.Perhaps safety is not good enough or performance disappears for two schemes
Consumption is too big, can not fully meet the demand of the data safety storage in mobile phone.
Summary of the invention
To reduce the dependence of the secure data storage scheme on the kernel and to increase its customizability and flexibility, the invention combines the advantages of the two prior-art schemes and uses FUSE together with real-time encryption and decryption to implement a customizable real-time encrypted file system based on a virtual disk. It proposes a secure data storage scheme better suited to mobile phone platforms: a secure data storage scheme based on a virtual disk. The user-defined file system gives the scheme great flexibility and customizability. The cryptographic algorithm no longer depends on the kernel; cryptographic algorithms of different strengths can be selected and customized in user space, which makes the scheme better suited to mobile platforms.
To achieve the above object, the technical solution adopted by the invention is as follows.
A secure data storage method based on a virtual disk, comprising the following steps:
Creating a virtual disk:
receiving the disk information entered by the user through the human-computer interaction interface;
creating a container file according to the disk information, and formatting it with the specified encrypted file system;
adding a verification field to the partition boot sector of the file system, encrypting the data already present in the file system, and writing random numbers into the blank area;
The user chooses, through the human-computer interaction interface, to mount or unmount the virtual disk;
Verifying the identity of the user; after successful verification the container file is mounted as a virtual disk, and the user can operate on the private files in the virtual disk;
Encrypting and decrypting data during disk reads and writes.
The disk information includes the size, location, password, cryptographic algorithm and file system of the disk to be created.
After the user's instruction to mount a disk is received, the mount point selected by the user is further received;
if no container file is mounted at the selected mount point, the user has to select the container file to be mounted and issue the mount instruction again.
The identity of the user is verified by prompting the user to enter the access password of the container file.
When the container file is created, a verification string is written into the superblock of the corresponding file system and then encrypted; the encryption key is generated by applying a one-way hash function to the password entered by the user. When the user mounts the container file, the user has to enter the password; a key is generated from the password and used to decrypt the verification field, which is matched against the verification string. If the match succeeds, the container file is mounted; if it fails, the container file is not mounted.
The invention achieves the following significant beneficial effects.
First, a container file is created on the hard disk using virtual disk technology, and private data is stored in the container file, which achieves information hiding. On this basis, the container file is virtualized as an independent partition and encryption and decryption are added to its read and write methods, which greatly improves the protection of the data.
Second, the secure data storage scheme based on a virtual disk encrypts part of the data on the disk, selectively protecting data on the hard disk. Compared with hardware-based schemes, this greatly reduces the computational overhead of encryption and decryption, and matches the fact that not all data on a mobile platform needs to be encrypted. At the same time, the scheme encrypts the whole virtualized independent partition, which meets the need to protect large amounts of private data.
Third, the disk partition that protects private data does not depend on a physical hard disk. It is realized by creating a container file, which makes backup and migration convenient and makes cooperation between PC and mobile platform possible.
Fourth, the scheme is very flexible. When creating the virtual disk, the user can choose the file system for the virtual disk partition, including a user-defined file system. The scheme also supports any cryptographic algorithm; different cryptographic algorithms protect data to different degrees and perform differently, and the user can choose a suitable algorithm as needed. The flexibility of the scheme also shows in its authentication scheme: because the file system can be user-defined, the way in which the verification field is added to the file system can be customized.
Finally, the encryption and decryption performed by the data security processing module is transparent to the user, who does not perceive it during use, so existing usage habits do not need to change. Transparent encryption and decryption also solves the problem of temporary plaintext files.
Brief description of the drawings
Fig. 1 is a flow chart of the secure data storage method of the invention;
Fig. 2 is a structure diagram of the file system modules of the invention;
Fig. 3 is a diagram of the overall hard disk data structure based on the FAT file system;
Fig. 4 shows the principle of real-time encryption and decryption.
Detailed description of embodiments
The invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it.
Android provides developers with the software development kits SDK and NDK. The SDK is used to develop Java-based application software at the upper layers; the NDK lets Android developers use C/C++ to develop lower-level applications, so that development is no longer limited to Java and to upper-layer applications. The invention uses the NDK as the development tool for the relatively low-level file system implementation, and the SDK as the development tool for the upper-layer application interface and logic.
The workflow of the secure data storage scheme based on a virtual disk is shown in Fig. 1. First, a container file is created and the customized encrypted file system is written to it, so that it can be mounted as a virtual disk. After creation, before use, the container file is mounted as a virtual disk and the user can store private data in it; after use, the virtual disk is unmounted.
The user first chooses to create a disk and enters in the interface the size, location, password, cryptographic algorithm, file system and other information for the disk, which is submitted to the disk creation module in the background. The disk creation module creates the container file as the user requires and formats it with the specified encrypted file system. To authenticate the user, a verification field is added to the partition boot sector of the file system; finally, the data already present in the file system is encrypted and random numbers are written into the blank area.
Afterwards, the user can choose to mount or unmount a disk, and then selects a mount point. If no container file is mounted at the selected mount point, the user selects the container file to be mounted, clicks the mount button and, when prompted, enters the access password of the container file. The information is passed to the mount module in the background, which verifies the identity of the user. After successful verification the container file is mounted as a virtual disk and the user can operate on the private files in it; when finished, the user can unmount the virtual disk. If a container file is already mounted at the selected mount point, the mount/unmount button changes to unmount, and the user can unmount the virtual disk by clicking it.
In this scheme, apart from the information hiding provided by virtual disk technology, data security relies mainly on the encrypted file system. The encrypted file system integrates the encryption algorithm into the file system and encrypts and decrypts data during disk reads and writes, which protects the data better and makes the encryption and decryption algorithms transparent to the user. The scheme is also flexible: the file system can be arbitrary and is independent of the file system on the original hard disk, so the user can choose according to preference and need. The encryption algorithm can also differ. Different encryption algorithms correspond to different security levels and to different performance, and an algorithm with a higher security level usually costs more. The user can choose an encryption algorithm of a suitable level according to the phone's performance and their needs.
As shown in Fig. 2, the file system of the invention is divided into five main functional modules: the UI module, the virtual disk creation module, the mount module, the real-time encryption and decryption module, and the communication module.
1. The UI module provides the user interface and handles interaction with the user. It consists of three Activities: the main interface, the disk creation interface and the file browsing interface. In the main interface the user can choose to create, mount or unmount a disk.
2. The virtual disk creation module creates the container file. It creates a file of fixed size as the user requires, builds the file system the user specifies, and processes the data in the container file with the cryptographic algorithm the user selects.
3. The mount module uses FUSE to parse the encrypted file system in the container file and mount it as a virtual disk. After the user has finished, this module is also responsible for unmounting the virtual disk.
4. The real-time encryption and decryption module is the main means of guaranteeing data security. Combined with FUSE, it turns the user-defined file system into an encrypted file system: encryption and decryption are performed during reads and writes, so the process is transparent and security is greatly improved. In this module the cryptographic algorithm that protects the data is implemented, taking AES as an example.
5. Because the UI module and the other modules are implemented differently, the interaction between them goes through the communication module: the UI module passes the user's requests to the disk creation module and the mount module via the communication module. Through the UI module, the coupling of the program is reduced and its maintainability and portability are increased.
In addition, the user's mounting of and access to the container file has to be controlled, so an authentication mechanism is needed to confirm the user's identity. The mechanism has two parts. In the first, when the container file is created, a verification field is added to it and encrypted together with the initial encryption of the file system. In the second, when the user uses the container file, the field is verified before the container file is decrypted, parsed and mounted; parsing and mounting proceed only after verification succeeds.
Concretely, when the container file is created, the verification string "TRUE" is written into the superblock of the corresponding file system and then encrypted; the encryption key is generated by applying a one-way hash function to the password entered by the user. When the user mounts the container file, the user has to enter the password; a key is generated from the password and used to decrypt the verification field, which is matched against the verification string "TRUE". If the match succeeds, the container file is mounted; if it fails, the container file is not mounted.
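The creation, password check and transparent read/write path described above, as an added example that is not the patent's own code: an HMAC-SHA256 keystream stands in for AES so that the block runs on the Python standard library alone, and PBKDF2 with a per-container salt is used as the one-way hash step. The 512-byte sector, the header layout and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct
import tempfile

SECTOR = 512          # sector size chosen for the example
MAGIC = b"TRUE"       # verification string named in the text
SALT_LEN = 16         # per-container salt (the example's addition)
KDF_ROUNDS = 100_000  # PBKDF2 iterations (the example's choice)


def derive_key(password, salt):
    """One-way derivation of the volume key from the access password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)


def crypt_sector(key, sector_no, data):
    """XOR data with a keystream bound to the sector number (stand-in for AES)."""
    # Encryption and decryption are the same operation. The keystream repeats
    # when a sector is rewritten; real volumes use a disk mode such as AES-XTS.
    blocks = -(-len(data) // 32)  # number of SHA-256 outputs needed
    stream = b"".join(
        hmac.new(key, struct.pack(">QI", sector_no, i), hashlib.sha256).digest()
        for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def create_container(path, size_bytes, password):
    """Create a fixed-size container file with an encrypted verification field."""
    if size_bytes % SECTOR or size_bytes < 2 * SECTOR:
        raise ValueError("size must be a multiple of SECTOR and at least 2 sectors")
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    # Sector 0 stands for the boot sector / superblock: salt in clear,
    # then MAGIC encrypted under the password-derived key, then random padding.
    header = salt + crypt_sector(key, 0, MAGIC)
    header += os.urandom(SECTOR - len(header))
    with open(path, "wb") as f:
        f.write(header)
        # Random fill, so unused space is indistinguishable from ciphertext.
        f.write(os.urandom(size_bytes - SECTOR))


class MountedVolume:
    """Stands in for the FUSE read/write handlers of a mounted container."""

    def __init__(self, path, key):
        self._file = open(path, "r+b")
        self._key = key
        self.sectors = os.path.getsize(path) // SECTOR - 1  # data sectors only

    def _seek(self, n):
        if not 0 <= n < self.sectors:
            raise IndexError("sector outside the container")
        self._file.seek((n + 1) * SECTOR)

    def write_sector(self, n, plaintext):
        """Encrypt on the way to disk; plaintext never reaches the file."""
        if len(plaintext) != SECTOR:
            raise ValueError("write exactly one sector")
        self._seek(n)
        self._file.write(crypt_sector(self._key, n + 1, plaintext))
        self._file.flush()

    def read_sector(self, n):
        """Decrypt on the way back to the caller."""
        self._seek(n)
        return crypt_sector(self._key, n + 1, self._file.read(SECTOR))

    def unmount(self):
        self._file.close()


def mount(path, password):
    """Return a MountedVolume if the password is right, otherwise None."""
    with open(path, "rb") as f:
        header = f.read(SECTOR)
    salt, field = header[:SALT_LEN], header[SALT_LEN:SALT_LEN + len(MAGIC)]
    key = derive_key(password, salt)
    # Decrypt the verification field and compare in constant time.
    if not hmac.compare_digest(crypt_sector(key, 0, field), MAGIC):
        return None
    return MountedVolume(path, key)


if __name__ == "__main__":
    # Constructed sample data: a 32 KiB container in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "container.img")
        create_container(path, 64 * SECTOR, "constructed-password")
        print("wrong password mounts:", mount(path, "wrong-password") is not None)
        vol = mount(path, "constructed-password")
        vol.write_sector(3, b"constructed private note".ljust(SECTOR, b"\0"))
        print("read back:", vol.read_sector(3).rstrip(b"\0"))
        vol.unmount()
        with open(path, "rb") as f:
            print("plaintext in raw container:", b"private note" in f.read())
```

The last check reads the unmounted container file directly, the way someone with raw access to the storage would, and finds only ciphertext.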
In the invention, the secure data storage scheme based on a virtual disk virtualizes an independent virtual disk on the hard disk, treats it as an independent storage space, and provides data security protection for that space; private data can be stored in it. It works by creating a file of fixed size on the hard disk, the container file, formatting its contents into a user-defined file system, and then emulating it as an independent disk, i.e. a virtual disk. Combined with real-time encryption, encryption and decryption are added to the disk read and write paths, which guarantees the security of the data. Because the file system in the virtual disk is user-defined, this not only gives the user a more flexible choice but also makes it easier to add an authentication scheme, which increases the flexibility of the overall scheme.
The key technologies of the invention are virtual disk technology, the user-space file system technology FUSE, and on-the-fly encryption (OTFE). Virtual disk technology combined with FUSE lets the user open up an independent storage space on the hard disk, i.e. create a virtual disk. FUSE combined with OTFE makes it possible to add a cryptographic algorithm to the read and write paths of the virtual disk, guaranteeing the security of the data. To make the technical solution clearer and easier to understand and implement, the invention is described further below with reference to these key technologies.
Virtual disk technology usually refers to virtualizing one or more disks out of a computer's memory. Because memory is much faster than a hard disk, virtualizing disks in this way speeds up data exchange and makes programs and the computer run faster. Virtual disk technology can also protect files: the data can be read only after verification succeeds and the virtual disk is mounted, and once the virtual disk is unmounted the files can no longer be found with an ordinary file browser, which protects the data.
In this embodiment, part of the hard disk is virtualized as a disk partition. The invention is aimed at secure data storage and does not need to speed up programs or the system, and given the limited memory of a phone it is not appropriate to virtualize a disk out of memory. So instead of virtualizing a disk from memory, a space of fixed size is set aside on the hard disk. This space usually exists as a file, called the container file, and is given a file system structure independent of the rest of the hard disk. Using FUSE, once the user has entered the correct verification password, the container file is mounted so that it exists in the form of a disk partition and is presented to the user as a virtual disk. The user can store private data in the virtual disk and unmount it after reading and writing; after unmounting, the virtual disk again exists on the disk as a file. This hides private data and makes it harder for an attacker to find, and is an information hiding strategy. It does not, however, guarantee the confidentiality of the data: by means such as reading the data on the hard disk directly, an attacker can obtain the private data without mounting the container. A further strategy is therefore needed: the file system in the virtual disk is customized and encryption is used to guarantee confidentiality.
Virtual disk technology protects user data more flexibly and more securely. As more and more private data is stored on phones, secure storage of single files or folders no longer meets users' needs. A scheme based on hard disk encryption solves this problem well, since the user only has to store private files or folders on the encrypted disk. But encrypting an entire disk is relatively costly; for a mobile terminal such as a phone, with limited resources and performance, encrypting the entire SD card is unrealistic. Virtual disk technology stores private data in bulk while avoiding full-disk encryption. It is more flexible than disk encryption and consumes less, so it better meets the needs of mobile platforms. In addition, before it is mounted the virtual disk is stored on the disk as a file, which increases the concealment of the information and gives the user's private data a degree of protection. The user does not have to change existing usage and habits when using the virtual disk; the experience is the same as using an ordinary disk partition.
As mentioned above, the invention has to create a file system in the independent space, the container file, before the container file can be virtualized as an independent disk partition. A file system manages the files, directories and other data on a disk; it organizes and manages the storage, retrieval and updating of data, simplifying disk management and improving efficiency. Common file systems include FAT, NTFS, EXT2, EXT3 and UFS. Some file systems, such as VFS, wrap underlying file systems and provide a unified, feature-rich file system interface for managing the data in the underlying file systems uniformly. On Linux, creating or changing a file system format requires adding or changing kernel modules and compiling the kernel, and operating on the kernel makes customizing a file system relatively difficult. User-space file system technology lets programmers create a fully functional file system in user space without changing the system kernel, which greatly eases the deployment and use of file systems. It has a simple API library and can be accessed by non-privileged users.
The user-space file system is briefly introduced below, taking FUSE on Linux as an example.
FUSE consists of the FUSE kernel module, the libfuse library that provides the API, and the associated mount tools. Its workflow is as follows. The FUSE kernel module interacts with VFS, intercepts the file requests that the user sends to VFS, converts them into a specific format and passes them to a user-space process for handling. Developers can use the API provided by libfuse to customize the file operations of the user-space process. When a request has been processed, the user-space process returns the result to the FUSE kernel module, which converts it back into the general format that VFS requires. A developer who implements the libfuse API interfaces has therefore implemented a custom file system.
The call path when a FUSE file system is working is as follows. When the user runs ls on the directory tmp/fuse of a user-defined file system that uses FUSE, the FUSE kernel module intercepts the request that reaches VFS and forwards it to the user-defined file system in user space. The user-space process handles the request and returns the result to VFS, and the result is finally shown to the user.
FUSE mainly communicates with VFS. VFS specifies a unified access interface between the system kernel and underlying file systems such as FAT, NFS and Ext3. An underlying file system only has to add its access methods to the unified access interface to be supported by VFS. VFS thus provides a virtual layer over the various underlying file systems, which unifies the different files underneath and offers a unified access interface to the applications above. Through VFS, local file systems and network file systems can both be accessed, and upper-layer applications do not perceive the differences between underlying file systems. An upper-layer application therefore does not need to care which underlying file system it is accessing; it only needs to use the unified access interface. Because FUSE interacts with VFS, the underlying file system in the container file can be any underlying file system that VFS supports, which substantially increases the flexibility of the scheme.
With this scheme, a file system entirely different from the one on the phone's memory card can be defined in the container file. The file system on a phone is not very universal; with FUSE, a more universal and more common file system can be defined in the container file, which makes it more feasible to move the container file between phone and PC.
In this embodiment, the commonly used FAT file system is used as the file system of the container file. FAT (File Allocation Table) was originally a file system designed for floppy disks, and was later widely used on PCs of the DOS and Windows 9x series and in industry. Its advantages are a relatively simple structure, good robustness and good performance. The FAT file system has developed through FAT12, FAT16 and FAT32, each named after the number of bits used in its file allocation table.
FAT12 is the oldest of these file systems. Its file allocation table is 12 bits, and it can only manage disks with a capacity of 8M. Because the capacity it can manage is so small, it is seldom used today. On the phone, if the virtual disk the user creates is no larger than 8M, the FAT12 file system is used. As disks developed, 8M became far from sufficient and demand arose for the ability to manage larger disks, and FAT16 came into being. Its file allocation table is 16 bits. Initially it could manage disks of 32M, which was large enough at the time. As disks developed further, the capacity FAT16 could manage was extended from 32M to 128M and, as demand grew further, to 2G. Managing 2G far exceeded the demand of the time, but FAT16 has certain defects, in particular very low utilization of large-capacity disks. To solve this problem, Microsoft introduced FAT32. FAT32 uses the same format as FAT12 and FAT16 but a 32-bit file allocation table, so its disk management capability is greatly increased and it can manage larger disk partitions. FAT32 also solves FAT16's low utilization of large-capacity disks: the capacity of each FAT32 cluster is fixed at 4KB, which greatly reduces wasted disk space and improves disk utilization.
The overall structure of hard disk data based on the FAT file system is shown in Fig. 2. It mainly consists of the master boot sector, the first partition's contents, the extended partition table, the second partition's contents, and the extended partition. Each partition consists of the partition boot sector, the partition's FAT1 and FAT2, the partition's root directory area, and the partition's data area. The master boot sector, the extended partition table, and the boot sector of each partition are each one sector in size, while the size of each partition's FAT1 and FAT2 is determined by the FAT type and the size of the disk.
In Fig. 3, MBR is the master boot sector. It is located in the first sector of the disk, that is, the first sector of head 0 of cylinder 0, and consists of three parts: the master boot program (MBR), the hard disk partition table (DPT), and the end signature. When the computer is switched on, the system first executes the BIOS program to boot the system; once that has finished, it jumps to the MBR on the disk and executes the MBR's instructions. The MBR occupies the first 446 bytes of the master boot record, the following 64 bytes hold the hard disk partition table information, and the last two bytes are "55 AA". The MBR itself has no operating-system-specific properties, but the MBR differs between operating systems.
Following the master boot sector are the contents of each partition listed in the hard disk partition table. The virtual disk we designed exists as one partition of a hard disk, so what we write into the container file is the information of one primary partition. The boot sector DBR is generally sector 0 of the partition and is 512 bytes in total. The MBR transfers execution to the boot sector DBR. The first three bytes of the DBR must be legal, executable CPU instructions, usually a jump instruction that skips over the non-executable bytes. After the jump instruction there is usually the manufacturer's mark and the OS version number. In the file system we write, this field is used as the verification field of the authentication mechanism. The BPB that follows provides relevant parameters to the executable boot code; disk size and geometry variables are typically stored in the BPB. The extended BPB that comes next serves a similar purpose. After the jump instruction skips these three parts, the boot code area is reached; the instructions here differ between operating systems and boot modes. The present embodiment does not modify this part, so it is not described further.
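The boot sector layout described above can be checked mechanically before a container is trusted as a FAT volume. The following parser is an added example, not code from the patent: the byte offsets are those of the standard FAT boot sector, the cluster-count thresholds for FAT12/FAT16/FAT32 are the conventional ones, and the sample sector is constructed.

```python
import struct

SECTOR = 512
BPB_FMT = "<8sHBHBHHBHHHII"   # OEM field + BPB, starting at byte 3 (standard FAT layout)

def parse_dbr(sector):
    """Validate a FAT partition boot sector and return its key fields."""
    if len(sector) != SECTOR:
        raise ValueError("boot sector must be 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA end signature")
    # Bytes 0-2 must be a jump: EB xx 90 (short jump + NOP) or E9 xx xx (near jump)
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        raise ValueError("first three bytes are not a jump instruction")
    (oem, bps, spc, reserved, nfats, root_entries, total16, _media,
     fatsz16, _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FMT, sector, 3)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1) or nfats == 0:
        raise ValueError("implausible BPB geometry")
    # FAT32 leaves the 16-bit FAT size at zero and stores a 32-bit one at byte 36
    fatsz = fatsz16 or struct.unpack_from("<I", sector, 36)[0]
    total = total16 or total32
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * fatsz + root_sectors)
    if fatsz == 0 or data_sectors <= 0:
        raise ValueError("BPB describes no data area")
    clusters = data_sectors // spc
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    # oem_field is the 8-byte field the scheme reuses as its verification field
    return {"oem_field": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "fat_sectors": fatsz, "clusters": clusters, "fat_type": fat_type}

def sample_dbr():
    """Constructed boot sector for a 4 MiB volume (8192 sectors of 512 bytes)."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"
    struct.pack_into(BPB_FMT, boot, 3, b"MSDOS5.0", 512, 8, 1, 2, 512,
                     8192, 0xF8, 3, 63, 255, 0, 0)
    boot[510:512] = b"\x55\xAA"
    return bytes(boot)

if __name__ == "__main__":
    print(parse_dbr(sample_dbr()))
```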
In the technical solution of the present invention, the data structures of the FAT file system are written into the container file and the FAT file system is then customized. The customized FAT file system is implemented with FUSE and is combined with OTFE to upgrade it to an encrypted file system, which can be mounted, unmounted and so on through FUSE. By implementing the FUSE API on the FAT file system and adding OTFE in the course of that implementation, a complete encrypted file system is obtained.
Real-time encryption, also known as "On-The-Fly Encryption", performs encryption and decryption, as the name suggests, while the disk is being read and written. Unlike conventional file encryption, the ciphertext does not have to be decrypted into a plaintext file before it can be used. The technique greatly improves the security of encryption and decryption operations: while guaranteeing data security, it produces no plaintext file. It is also transparent to the user and requires no user participation, which avoids unnecessary user mistakes.
With traditional encryption, viewing or modifying an encrypted file requires first decrypting it into a plaintext file stored on disk, and the plaintext must be deleted once viewing is finished. Producing the plaintext file creates a serious security risk: information leaks often occur at the step where the plaintext is not securely deleted. Even if the plaintext file is deleted, without secure erasure an attacker can still obtain its data through means such as data recovery. Secure erasure is also costly. Traditional encryption therefore has serious defects and is not suitable for the secure data storage scheme of the present invention.
Real-time encryption means that data is encrypted and decrypted while the user is operating on it. The encryption and decryption are completed in memory, so no temporary file is produced and there is no plaintext to delete. Encryption and decryption are performed automatically on demand, so the user can use the secret files in the encrypted file system without changing existing ways of working or habits. The technique both improves data security and provides a good user experience.
The principle behind real-time encryption is to establish a pipeline between memory and disk: data is decrypted as it passes through the pipeline from disk into memory, and encrypted as it passes from memory to disk. The real-time encryption pipeline thus isolates memory from disk, as shown in Fig. 4, ensuring that data entering memory is always plaintext and data stored on disk is always ciphertext. Because a computer's memory is cleared whenever the system restarts or loses power, this guarantees the security of the data.
While providing the user with a transparent experience, real-time encryption and decryption avoids repeatedly encrypting and decrypting data on the storage medium, which makes encryption and decryption simpler and more efficient and also improves security.
Implementing real-time encryption and decryption requires relatively low-level methods and a custom file system. The present invention uses FUSE to define a custom file system in the container file, and FUSE also allows real-time encryption and decryption to be added to that file system. By adding the cryptographic algorithm to FUSE's file read and write path, once the user has mounted the container file as a virtual disk, all reads and writes to the virtual disk pass through encryption and decryption, which realizes real-time encryption and decryption.
Read and write requests from an application reach the FUSE kernel module via VFS, which can customize the request and hand the operation to the FUSE library. By combining the custom file system with the real-time encryption and decryption method, the user's read and write requests and data are processed; the processed data is confidential data that has passed through the cryptographic algorithm, and it is then written to disk, achieving confidentiality.
Claims (5)
1. A method for secure storage of mobile terminal data based on a virtual disk, characterized by comprising the following steps:
Creating a virtual disk;
Receiving the disk information entered by the user through a human-computer interaction interface;
Creating a container file according to the disk information and formatting it as the specified encrypted file system;
Adding a verification field to the partition boot sector of the file system, encrypting the data already present in the file system, and writing random numbers into the blank area;
The user selecting, through the human-computer interaction interface, to mount or unmount the virtual disk;
Verifying the user's identity and, after successful verification, mounting the container file as a virtual disk, whereupon the user can operate on the secret files in the virtual disk;
Encrypting and decrypting data while the disk is read and written.
2. The method according to claim 1, characterized in that:
The disk information includes the size, location, password, cryptographic algorithm and file system of the disk to be created.
3. The method according to claim 1, characterized in that:
After an instruction from the user to mount a disk is received, the mount point selected by the user is further received;
If no container file is mounted at the selected mount point, the user needs to select the container file to be mounted and issue the mount instruction again.
4. The method according to claim 1, characterized in that:
The identity of the user is verified by prompting the user to enter the access password of the container file.
5. The method according to claim 1, characterized in that:
When the container file is created, a verification string is written into the superblock of the corresponding file system and then encrypted, the encryption key being generated by applying a one-way hash function to the password entered by the user; when the user mounts the container file, the password must be entered, a key is generated from the password, the verification field is decrypted with that key, and the result is matched against the verification string; if the match is correct, the container file is mounted; if it does not match, it is not mounted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810024502.6A CN109325355A (en) | 2018-01-11 | 2018-01-11 | Mobile terminal data method for secure storing based on virtual disk |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109325355A true CN109325355A (en) | 2019-02-12 |
Family
ID=65263379
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810024502.6A Pending CN109325355A (en) | 2018-01-11 | 2018-01-11 | Mobile terminal data method for secure storing based on virtual disk |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109325355A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20190212 |