CN111291429B - Data protection method and system - Google Patents


Info

Publication number: CN111291429B
Application number: CN202010071900.0A
Authority: CN (China)
Prior art keywords: user, user client, remote server, storage system, virtual storage
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111291429A (en)
Inventors: 李岗, 王金鑫
Current assignee: Individual
Original assignee: Individual
Application filed by Individual
Priority to CN202010071900.0A
Publication of CN111291429A
Application granted
Publication of CN111291429B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/44 Program or device authentication
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances

Abstract

The invention relates to a data protection method and system. The system comprises at least one user client, a remote server and at least one access gateway device. The method comprises the steps that the user client authenticates the user identity, the remote server authenticates the user client, and, if both authentications succeed, the remote server loads a virtual storage system and the user client sends the user's data operation instructions to the remote server. The invention can perform real-time trusted authentication of hard disk data, ensure that the hard disk data cannot be illegally intercepted either when the hard disk is started or when it is shut down, and ensure the security of data storage.

Description

Data protection method and system
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data protection method and system.
Background
With the rapid rise of technologies such as the internet of things, cloud computing and big data, enterprises and public institutions, in order to turn rapidly growing information into value, often store sensitive personal, financial and medical information on a dedicated server, and even integrate it into a unified big data system. Centralized storage of a large amount of sensitive information inevitably becomes an ideal target for attackers, and computer viruses, hacker intrusion, user misoperation and similar factors threaten the security of the data on the hard disk at every moment. Hard disks, as the most important storage devices for data, play an extremely important role in information systems and face serious security threats. How to protect the security of sensitive data on a hard disk in a safe, universal, convenient and efficient way is therefore an important issue that needs to be solved.
Currently, some hard disk data protection schemes are already available, specifically:
1) Hiding the hard disk partition. The hard disk partition table is modified by software so that an unauthorized user cannot see the disk in the operating system; only an authorized user who has passed identity verification can see and operate the partition.
2) Hard disk software encryption. A dedicated software module in the operating system kernel intercepts system read and write operations and encrypts and decrypts data transparently to the user.
3) An encryption chip built into the hard disk. An internal encryption chip is added to the disk; the user is authenticated by password or USB-Key, only authorized users may access, read and write the disk, and the data are encrypted and decrypted to prevent leakage.
From the above analysis it is found that hiding the partition leaves the data on the disk unencrypted, so its security is low and the data can be read out with professional hardware; software encryption occupies system resources and reduces efficiency; the built-in encryption chip is efficient and transparent to the user, but at present its encryption and decryption functions can only be used with special software tools under the operating system. How to protect the data effectively has therefore become a technical problem to be solved.
Disclosure of Invention
In view of this, the application provides a data protection method and system, which can perform real-time trusted authentication on hard disk data, ensure that the hard disk data cannot be illegally intercepted both when the hard disk is started and when the hard disk is shut down, and ensure the security of data storage.
In order to achieve the purpose, the application is realized by the following technical scheme:
a data protection method, applied in a data protection system, the system comprising at least one user client, a remote server and at least one access gateway device, the method comprising the steps of:
step 101, a user client authenticates a user identity, a remote server authenticates the user client, and if both authentications are successful, step 102 is executed;
step 102, loading a virtual storage system by the remote server;
and step 103, the user client sends the data operation instruction of the user to the remote server.
Further, the user client authenticates the user identity, which specifically includes:
the user client pre-stores the user name and password of the registered user; the user enters a user name and password through the interactive interface on the user client, and the user client compares them with the locally stored user name and password. If they are the same, user authentication succeeds and the user is allowed to enter the operating system of the user client; if they differ, the user is prompted to enter them again, and the user client is closed when the number of re-entries exceeds a preset threshold.
Further, the user client authenticates the user identity, which specifically includes:
the user client pre-stores the fingerprint feature information of the registered user; the user presents a fingerprint through the interactive interface on the user client, and the user client compares the presented fingerprint with the locally stored fingerprint feature information. If they match, user identity authentication succeeds and the user is allowed to enter the operating system of the user client; if they differ, the user is prompted to present the fingerprint again, and the user client is closed when the number of re-entries exceeds a preset threshold.
Further, the remote server authenticates the user client, which specifically includes:
the remote server authenticates the MAC address of the user client; after the authentication passes, the user client can connect to the server program.
Further, before step 101, an initialization step of the user client is further included, where the initialization step specifically includes:
the user client sends an initialization request to the remote server, the request carrying the identification ID of the user client, the user password key and the user client MAC address; the remote server stores the received user password key, user client MAC address and user client identification ID in a database in association with each other;
the remote server then looks up, by the identification ID, the user client configuration file corresponding to that ID in the database and sends it to an access gateway device, which configures the user client according to the configuration file so as to establish the connection between the user client and the remote server.
Further, before step 101, the method further includes an initialization step of the remote server, specifically including:
acquiring the user password key and the user client identification ID from the initialization request of the user client, and encrypting the user password key twice with the DES algorithm to obtain the twice-encrypted data;
saving the resulting twice-encrypted data, the user password key and the acquired user client identification ID to the database in association with each other, so as to provide password authentication when the virtual storage system is loaded and to decrypt the key used to encrypt the content.
Further, the initializing step of the remote server further includes a step of creating a virtual storage system, which specifically includes:
step 301, obtaining a user client identification ID;
step 302, initializing a virtual storage system driver, creating a virtual storage system, and associating the user client identification ID with the created virtual storage system;
the virtual storage system driver comprises an initialization process DriverEntry, a clean-up process DriverUnload, a process for open and close handle requests, a process for read and write device requests, and I/O control request processing.
Further, in step 102, the loading of the virtual storage system by the remote server specifically includes:
step 401, receiving a virtual storage system loading request sent by the user client, the request carrying the user client identification ID and the user password key, and querying the database by the obtained identification ID to retrieve the twice-encrypted data;
step 402, encrypting the presented user password key with the DES algorithm to obtain the encrypted key data;
step 403, comparing the twice-encrypted data with the encrypted key data; if they are the same, the user password key is correct, password authentication passes, and step 404 is executed; if they differ, the user password key is wrong, password authentication fails, and authentication failure information is returned to the user client;
step 404, loading the virtual storage system corresponding to the user client identification ID.
Further, the method for sending the data operation instruction of the user to the remote server specifically includes:
step 501, a user client queries a locally stored user password key and acquires a data operation instruction;
step 502, the user client encrypts the data operation instruction by using the user password key;
step 503, the user client sends the encrypted data operation instruction to the remote server;
acquiring the data operation instruction specifically includes:
the user client acquires the data pointer file and, through the data pointer file, maps the user's data operation instruction into a data operation on the storage space of the virtual storage system corresponding to the user client in the remote server.
the data protection system is used for realizing the method, and comprises at least one user client, a remote server and at least one access gateway device, wherein the user client establishes communication connection with the remote server through the access gateway device and is used for establishing a virtual storage system corresponding to the user client in the remote server, the user client detects data operation instructions of a user in real time and sends the data operation instructions of the user to the remote server, and the data operation instructions of the user are data operations for the virtual storage system;
the access gateway device is connected to both the user client and the remote server; it sends a configuration file acquisition request to the remote server and receives a configuration file stored in advance on the remote server, so that each access gateway device generates a corresponding sub-network according to its configuration file;
the remote server is used for establishing a virtual storage system corresponding to the user client.
Compared with the prior art, the invention has the following advantages. Because the storage of the virtual storage system is file-based, the virtual storage system can be created flexibly, deleted simply, and loaded and unloaded at any time, and the user can even copy or move the image file of the virtual encrypted hard disk. More importantly, the virtual encrypted hard disk system provides the user with password authentication and encrypted storage: without the password, even if the image file of the virtual encrypted hard disk is stolen, the data inside it cannot be obtained. The encryption does not depend on system installation information, so after the system is reinstalled the virtual encrypted hard disk system can continue to use the previously created virtual encrypted hard disk without losing any data. The user can also choose to load the virtual encrypted hard disk read-only, preventing it from being infected by viruses.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention.
FIG. 1 is a flow chart of a data protection method of the present invention;
FIG. 2 is a schematic diagram of the composition of the data protection system of the present invention.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
Fig. 1 is a schematic flow chart of the data protection method of the present invention, fig. 2 is a schematic structural diagram of the data protection system of the present invention, and the present invention will be further described in detail with reference to the accompanying drawings and examples.
The data protection method is applied to a data protection system, and the system comprises at least one user client, a remote server and at least one access gateway device.
The remote server is used to establish a virtual storage system corresponding to the user client. The virtual storage system is a virtual hard disk that reproduces one or more functions of an extensible physical hard disk device on top of the physical hard disk. Compared with the layered structure of an ordinary physical hard disk and its driver, the virtual storage system differs only in the function of the lowest-level driver: the virtual storage system driver accesses a volume file that is virtualized into a hard disk, in the same way that a physical hard disk driver directly accesses the physical hard disk device. The virtual storage system stores preset operating system and application system information.
The user client establishes communication connection with the remote server through the access gateway equipment, and is used for establishing a virtual storage system corresponding to the user client in the remote server, detecting the data operation instruction of the user in real time, and sending the data operation instruction of the user to the remote server, wherein the data operation instruction of the user is data operation aiming at the virtual storage system.
The virtual storage system uses the filedsk bottom-layer driver and takes a file as its storage body, so that all data stored on the loaded hard disk are kept in the virtual storage system image file, and the user operates the virtual storage system like an ordinary hard disk through data operation instructions. In some embodiments, the virtual storage system may be regarded as a virtual hard disk that can be booted by the BIOS, so the BIOS and the operating system treat the virtual hard disk as their own hard disk. In fact this virtual disk is assembled from many elements: some source data in the PIM resource pool of the server, the data pointer table, some sector data of the local disk, the corresponding policy files, and so on; but this is transparent to the BIOS and the operating system.
After the operating system of the remote server receives, from the application layer, a data operation instruction request for the virtual storage system, it generates an I/O request packet (IRP) corresponding to the instruction, passes the IRP to the file system driver for processing, and then passes it down to the bottom-layer driver of the virtual storage system, where it is handled as follows: when the IRP is a read/write IRP, or an IRP requesting an operation on the virtual storage system image file, a Zw-prefixed function is called to invoke the corresponding routine of the WIN32 subsystem, so that the functionality provided by the file system performs the processing.
The access gateway device is connected to both the user client and the remote server; it sends a configuration file acquisition request to the remote server and receives a configuration file stored in advance on the remote server, so that each access gateway device generates a corresponding sub-network according to its configuration file.
The remote server is used for establishing a virtual storage system corresponding to the user client.
The data protection method specifically comprises the following steps:
step 101, a user client authenticates a user identity, a remote server authenticates the user client, and if both authentications are successful, step 102 is executed;
step 102, loading a virtual storage system by the remote server;
and step 103, the user client sends the data operation instruction of the user to the remote server.
The user client side authenticates the user identity, and specifically comprises the following steps:
in some embodiments, the user name and password of the registered user are pre-stored in the user client; the user enters a user name and password through the interactive interface on the user client, and the user client compares them with the locally stored user name and password. If they are the same, user identity authentication succeeds and the user is allowed to enter the operating system of the user client; if they differ, the user is prompted to enter them again, and the user client is closed when the number of re-entries exceeds a preset threshold.
In some embodiments, the fingerprint feature information of the registered user is pre-stored in the user client; the user presents a fingerprint through the interactive interface on the user client, and the user client compares the presented fingerprint with the locally stored fingerprint feature information. If they match, user identity authentication succeeds and the user is allowed to enter the operating system of the user client; if they differ, the user is prompted to present the fingerprint again, and the user client is closed when the number of re-entries exceeds a preset threshold.
The whole fingerprint authentication process uses a USB serial port as the connection channel for data transmission and processing, which greatly simplifies identity authentication. The specific processing steps are:
1) Fingerprint collection. The EZ-USB AN2131QC is used as the device processing unit; it provides a USB interface for controlling the peripheral, preprocessing images and transmitting fingerprint image data to the USB host through a communication protocol. The CMOS sensor is an OV7620, and an FPGA controls image acquisition. The implementing function is finger_capture.
2) Fingerprint feature extraction. Fingerprint preprocessing generally involves four steps: gray-level filtering, binarization, binary denoising and thinning. Preprocessing improves the quality of the input image so as to increase the accuracy of feature extraction. Feature extraction records the feature points after preprocessing, namely the number of ridge endings and the number of bifurcation points, as the template for later comparison. The implementing functions are finger_setparameter, finger_getparameter, finger_template and so on.
3) Feature comparison. The extracted fingerprint feature information is stored as the comparison template; after the fingerprint sensor captures the fingerprint to be identified, the system automatically compares it with the stored feature information. The implementing function is finger_verify.
4) System verification and management. The extracted fingerprint to be identified is compared with the pre-stored fingerprint feature information; if the comparison passes, the user is allowed to log in and access rights are assigned; otherwise the login is refused and the comparison is carried out again.
The remote server authenticates the user client, and specifically comprises the following steps:
the remote server authenticates the MAC address of the user client; after the authentication passes, the user client can connect to the server program.
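The two client-side embodiments above (user name plus password, fingerprint template) and the server-side MAC check all reduce to one gate: step 102 runs only when both checks pass, and the client closes itself once the number of re-entries exceeds the threshold. The Go program below is an added example, not code from the patent; the credential interface, the SHA-256 password digest, the two-number fingerprint template (ridge endings, bifurcations) and the MAC-to-ID lookup table are assumptions made so that the gate can be exercised offline.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Credential is what the user client pre-stores for a registered user. The two
// embodiments in the text differ only in what is compared.
type Credential interface {
	Matches(user string, presented []byte) bool
}

// PasswordCredential keeps a SHA-256 digest of the password rather than the
// password itself (assumption: the text only says the password is pre-stored).
type PasswordCredential struct {
	User   string
	Digest [32]byte
}

func NewPasswordCredential(user, password string) PasswordCredential {
	return PasswordCredential{User: user, Digest: sha256.Sum256([]byte(password))}
}

func (p PasswordCredential) Matches(user string, presented []byte) bool {
	d := sha256.Sum256(presented)
	// Constant-time compare so the check does not leak how many bytes matched.
	return user == p.User && subtle.ConstantTimeCompare(d[:], p.Digest[:]) == 1
}

// FingerprintTemplate models the template the text describes: the number of
// ridge endings and bifurcation points. Real matchers use a similarity score;
// this constructed stand-in requires exact equality.
type FingerprintTemplate struct {
	User                  string
	Endings, Bifurcations uint8
}

func (f FingerprintTemplate) Matches(user string, presented []byte) bool {
	return user == f.User && len(presented) == 2 &&
		presented[0] == f.Endings && presented[1] == f.Bifurcations
}

type LoginResult int

const (
	LoginOK     LoginResult = iota // user may enter the client's operating system
	LoginRetry                     // prompt the user to enter again
	LoginClosed                    // threshold exceeded: the client closes
)

// UserClient holds the local credential and the re-entry counter.
type UserClient struct {
	MAC        string
	cred       Credential
	maxRetries int
	failures   int
	closed     bool
}

func NewUserClient(mac string, cred Credential, maxRetries int) *UserClient {
	return &UserClient{MAC: mac, cred: cred, maxRetries: maxRetries}
}

// AuthenticateUser is the client-side half of step 101.
func (c *UserClient) AuthenticateUser(user string, presented []byte) LoginResult {
	if c.closed {
		return LoginClosed
	}
	if c.cred.Matches(user, presented) {
		c.failures = 0
		return LoginOK
	}
	c.failures++
	if c.failures > c.maxRetries { // "exceeds a preset threshold"
		c.closed = true
		return LoginClosed
	}
	return LoginRetry
}

// RemoteServer maps MAC addresses registered at initialization to the client
// identification ID (assumption: the text stores both but does not show the lookup).
type RemoteServer struct {
	clientsByMAC map[string]string
}

// AuthenticateClient is the server-side half of step 101.
func (s *RemoteServer) AuthenticateClient(mac string) (string, error) {
	id, ok := s.clientsByMAC[mac]
	if !ok {
		return "", errors.New("unknown client MAC address")
	}
	return id, nil
}

// Step101 gates step 102: both authentications must succeed.
func Step101(c *UserClient, s *RemoteServer, user string, presented []byte) (string, error) {
	if r := c.AuthenticateUser(user, presented); r != LoginOK {
		return "", fmt.Errorf("user authentication failed (result %d)", r)
	}
	return s.AuthenticateClient(c.MAC)
}

func main() {
	srv := &RemoteServer{clientsByMAC: map[string]string{"00:11:22:33:44:55": "client-001"}} // constructed
	c := NewUserClient("00:11:22:33:44:55", NewPasswordCredential("alice", "correct horse"), 2)
	fmt.Println(Step101(c, srv, "alice", []byte("correct horse")))
}
```

The retry counter is only reset on success, and a closed client stays closed for the life of the process; the text leaves the re-opening policy to the implementer.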
Before step 101, the method further comprises an initialization step of the user client, wherein the initialization step specifically comprises the following steps:
the user client sends an initialization request to the remote server, the request carrying the identification ID of the user client, the user password key and the user client MAC address; the remote server stores the received user password key, user client MAC address and user client identification ID in a database in association with each other;
the remote server then looks up, by the identification ID, the user client configuration file corresponding to that ID in the database and sends it to an access gateway device, which configures the user client according to the configuration file so as to establish the connection between the user client and the remote server.
Before step 101, the method further includes an initialization step of the remote server, specifically including:
acquiring the user password key and the user client identification ID from the initialization request of the user client, and encrypting the user password key twice with the DES algorithm to obtain the twice-encrypted data;
saving the resulting twice-encrypted data, the user password key and the acquired user client identification ID to the database in association with each other, so as to provide password authentication when the virtual storage system is loaded and to decrypt the key used to encrypt the content.
The initialization step of the remote server further comprises a virtual storage system creation step, and specifically comprises the following steps:
step 301, obtaining a user client identification ID;
step 302, initializing a virtual storage system driver, creating a virtual storage system, and associating the user client identification ID with the created virtual storage system;
the virtual storage system driver comprises an initialization process DriverEntry, a clean-up process DriverUnload, a process for open and close handle requests, a process for read and write device requests, and I/O control request processing.
The specific functions of the above process are as follows:
1) Initialization process DriverEntry
When the virtual storage system driver is loaded, the initialization process maps the driver image into virtual memory, relocates memory references, creates the driver object described above that resides in memory, initializes its fields, and finally invokes the driver's main entry point to perform initialization work. It is responsible for creating the virtual storage system device object by calling IoCreateDevice; requests are then sent to the driver through API functions such as ReadFile, WriteFile and DeviceIoControl, which is how access to the virtual storage system is controlled.
2) Clean-up process DriverUnload
The clean-up process releases any resources that DriverEntry acquired during global initialization. In the virtual storage system driver, it deletes the device objects created in DriverEntry and the resources allocated for the device extension, and terminates the system thread created for each device object.
3) Open and close handle request process
The process VirtualDiskCreateClose handles open and close handle requests. Because the virtual storage system driver is the lowest driver in the stack, it directly calls IoCompleteRequest here to complete the corresponding IRP and returns STATUS_SUCCESS.
4) Read and write device request process
The process VirtualDiskRead/Write handles read and write device requests, that is, requests to read from or write to the virtual storage system. If the image file of the virtual storage system object is not open, no data can be read or written, and an operation failure indicating that there is no medium in the device is returned directly. If the request is a read request with zero length, only a successful completion needs to be returned, since no further operation is required. Otherwise, because the image file on the actual hard disk must be read or written (which takes a relatively long time), the IRP is marked pending and placed in the IRP linked list managed by the driver itself, to wait for the device's system thread to process it, and the synchronization event that activates the system thread is set to the signalled state.
5) I/O control request process
The I/O control request process VirtualDiskDeviceControl handles control operations and query requests directed at the virtual storage system device. Since any operation on the virtual storage system eventually becomes an operation on the image file, before a specific request is processed the process checks whether the image file corresponding to the device is open; if not, it checks whether the request is a request to open the image file; if neither, it returns an operation failure indicating that there is no medium in the device.
The loading step of the virtual storage system specifically comprises the following steps:
step 401, receiving a virtual storage system loading request sent by a user client, where the loading request carries the user client identification ID and the user password key, and querying the database by the obtained user client ID to obtain the 2-times encrypted data;
step 402, encrypting the received user password key with the DES algorithm in the same way as in the initialization step (step 403 compares the results for equality, so the same 2-times encryption must be applied) to obtain the encrypted key data;
step 403, comparing the 2-times encrypted data with the encrypted key data: if they are the same, the user password key is correct, password authentication passes, and step 404 is executed; if they differ, the user password key is wrong, password authentication fails, and authentication failure information is returned to the user client;
step 404, loading the corresponding virtual storage system according to the user client identification ID.
The method for transmitting the data operation instruction of the user to the remote server specifically comprises the following steps:
step 501, the user client queries the locally stored user password key and acquires the data operation instruction;
step 502, the user client encrypts the data operation instruction with the user password key;
step 503, the user client sends the encrypted data operation instruction to the remote server.
Acquiring the data operation instruction specifically includes:
the user client acquires the data pointer file and, through the data pointer file, maps the user's data operation instruction to a data operation on the storage space of the virtual storage system corresponding to the user client in the remote server.
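Steps 401 to 404 and steps 501 to 503 together, with the 2-times DES encryption of the initialization step, as an added example written for this page; it is not the patent's code and not a real client or server. Go's standard library crypto/des supplies the DES the page specifies. Assumptions the page leaves open, all labelled in the code: the user password key is an 8-byte DES key; the 2-times DES encryption at initialization encrypts that key twice under a server-side DES key (ServerKey); step 402 applies the identical transformation, since otherwise the equality comparison of step 403 could never pass; the data operation instruction is encrypted with DES in CBC mode with a random IV and PKCS#7 padding, because the page names only DES; the database is an in-memory map. The step 403 comparison is done in constant time.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Record is the per-client row stored at initialization: the user password key (assumed to be an 8-byte DES key) and its 2-times DES encrypted form, the verifier.
type Record struct {
	PwdKey   []byte
	Verifier []byte
}

// Server is the remote server: a server-side DES key under which the password key is encrypted twice (an assumption; the page does not name the key) and a database stand-in.
type Server struct {
	ServerKey []byte
	DB        map[string]Record
}

// doubleDES encrypts one 8-byte block twice with DES under the same key.
func doubleDES(key, block []byte) ([]byte, error) {
	if len(key) != des.BlockSize || len(block) != des.BlockSize {
		return nil, errors.New("DES key and password key must each be 8 bytes")
	}
	c, _ := des.NewCipher(key) // cannot fail: key length checked above
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	c.Encrypt(out, out) // second pass: this is the "2 times encrypted data"
	return out, nil
}

// Initialize is the server side of the initialization step: ID, key and verifier are stored together.
func (s *Server) Initialize(clientID string, pwdKey []byte) error {
	v, err := doubleDES(s.ServerKey, pwdKey)
	if err != nil {
		return err
	}
	s.DB[clientID] = Record{PwdKey: append([]byte(nil), pwdKey...), Verifier: v}
	return nil
}

// Load is steps 401-404: look up the verifier by ID, transform the presented key the same way, compare in constant time, succeed only on a match.
func (s *Server) Load(clientID string, presented []byte) error {
	rec, ok := s.DB[clientID]
	if !ok {
		return errors.New("unknown user client ID")
	}
	cand, err := doubleDES(s.ServerKey, presented)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(cand, rec.Verifier) != 1 {
		return errors.New("password authentication failed") // step 403 failure branch
	}
	return nil // step 404: the virtual storage system for clientID would be loaded here
}

// EncryptInstruction is steps 501-503 on the client: DES-CBC, fresh random IV prefixed to the ciphertext, PKCS#7 padding (mode, IV and padding are assumptions; the page names only DES).
func EncryptInstruction(pwdKey, instr []byte) ([]byte, error) {
	c, err := des.NewCipher(pwdKey)
	if err != nil {
		return nil, err
	}
	pad := des.BlockSize - len(instr)%des.BlockSize
	padded := append(append([]byte(nil), instr...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(padded))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(c, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

// DecryptInstruction is the server side, run with the client's stored PwdKey; malformed lengths and bad padding are rejected rather than returned as garbage.
func DecryptInstruction(pwdKey, ct []byte) ([]byte, error) {
	if len(pwdKey) != des.BlockSize || len(ct) < 2*des.BlockSize || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("key must be 8 bytes and ciphertext an IV plus whole blocks")
	}
	c, _ := des.NewCipher(pwdKey) // cannot fail: key length checked above
	pt := make([]byte, len(ct)-des.BlockSize)
	cipher.NewCBCDecrypter(c, ct[:des.BlockSize]).CryptBlocks(pt, ct[des.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() { // stand-alone run: a wrong key must fail step 403, the right key passes
	srv := &Server{ServerKey: []byte("srv-k3y!"), DB: map[string]Record{}} // constructed sample server key
	fmt.Println(srv.Initialize("client-01", []byte("p4sswd!!")), srv.Load("client-01", []byte("wrongkey")), srv.Load("client-01", []byte("p4sswd!!")))
}
```

Two caveats a practitioner would attach. DES has a 56-bit key and has been withdrawn from NIST approval, so it is kept here only because the page specifies it. And the stored verifier is a deterministic, unsalted transformation of the password key, while the initialization step saves the password key itself in the same database, so the verifier protects nothing the database does not already expose. The example shows the flow the page describes, not a design to copy.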
In some embodiments, when a new user client is added, the specific flow is as follows:
the remote server uses a network card driver extraction tool to acquire the network card driver of the new user client, uploads it to the network card PNP (plug and play) driver pool of the remote server, and generates a configuration file for the new user client.
The access gateway device can then establish a connection between the new user client and the remote server according to the configuration file of the new user client.
Because the storage of the virtual storage system is file-based, the virtual storage system can be created flexibly, deleted simply, and loaded and unloaded at any time, and a user can even copy or move the image files of the virtual encrypted hard disk. More importantly, the virtual encrypted hard disk system provides the user with the security guarantees of password authentication and encrypted storage: without the password, even if the image file of the virtual encrypted hard disk is stolen, the data in it cannot be obtained. The encryption does not depend on system installation information, so after the operating system is reinstalled the virtual encrypted hard disk system can continue to use the created virtual encrypted hard disks normally without losing any data. The user can also choose to load the virtual encrypted hard disk read-only, preventing it from being infected by viruses.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the methods described above may be implemented by a program that instructs associated hardware, and the program may be stored on a computer readable storage medium such as a read-only memory, a magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits, and accordingly, each module/unit in the above embodiments may be implemented in hardware or may be implemented in a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
It is to be understood that various other embodiments of the present invention may be made by those skilled in the art without departing from the spirit and scope of the invention, and that various changes and modifications may be made in accordance with the invention without departing from the scope of the invention as defined in the following claims.

Claims (9)

1. A data protection method, applied in a data protection system, the system comprising at least one user client, a remote server and at least one access gateway device, characterized in that the method comprises the following steps:
step 101, a user client authenticates a user identity, a remote server authenticates the user client, and if both authentications are successful, step 102 is executed;
step 102, loading a virtual storage system by the remote server;
step 103, the user client sends a data operation instruction of a user to the remote server so that the remote server performs data operation on the virtual storage system;
the virtual storage system is a hard disk virtually formed on a physical hard disk of the remote server, which has the function of an expandable physical hard disk device and uses files as its storage bodies, so that all data stored in the loaded hard disks is stored in virtual storage system image files;
the remote server performs data operation on the virtual storage system, and the method comprises the following steps:
after receiving a data operation instruction request to the virtual storage system transmitted by the application layer, the operating system of the remote server generates an input/output request packet (IRP) corresponding to the data operation instruction, transmits the IRP to the file system driver for processing, and after that processing transmits the IRP to the bottom-layer driver of the virtual storage system, where the IRP is processed accordingly: when the IRP is a read/write IRP or an IRP requesting an operation on the virtual storage system image file, a function beginning with Zw is called to invoke the corresponding routine in the WIN32 subsystem, so that the corresponding processing is performed using the functions provided by the file system;
before step 101, the method further includes an initialization step of the user client, where the initialization step specifically includes:
the user client initiates an initialization request to the remote server, where the initialization request carries the identification ID of the user client, the user password key and the user client MAC address, and the remote server stores the received user password key, user client MAC address and identification ID of the user client in a database in association with each other;
the remote server searches the database for the user client configuration file corresponding to the identification ID and sends it to an access gateway device, and the access gateway device configures the user client according to the user client configuration file to establish the connection between the user client and the remote server;
the generation of the user client configuration file comprises the following steps:
the remote server acquires the network card driver of the user client using a network card driver extraction tool, uploads the network card driver of the user client to the network card PNP driver pool of the remote server, and generates the configuration file of the user client.
2. The data protection method according to claim 1, wherein the user client authenticating a user identity specifically comprises:
the user client pre-stores the user name and password of the registered user; the user inputs a user name and password through an interactive interface on the user client, and the user client compares the input user name and password with the locally stored user name and password; if they match, user authentication succeeds and the user is allowed to enter the operating system of the user client; if they differ, the user is prompted to input again, and the user client is shut down when the number of re-inputs exceeds a preset threshold.
3. The data protection method according to claim 1, wherein the user client authenticating a user identity specifically comprises:
the user client pre-stores fingerprint characteristic information of registered users; the user inputs a fingerprint through an interactive interface on the user client, and the user client compares the input fingerprint with the locally stored fingerprint characteristic information; if they match, user identity authentication succeeds and the user is allowed to enter the operating system of the user client; if they differ, the user is prompted to input again, and the user client is shut down when the number of re-inputs exceeds a preset threshold.
4. A data protection method according to one of claims 1 to 3, wherein the remote server authenticates the user client, in particular comprising:
and the remote server performs identity authentication on the MAC address of the user client, and the user client can be connected to a server program after the authentication is passed.
5. The data protection method according to claim 1, further comprising, before step 101, an initialization step of the remote server, specifically comprising:
acquiring the user password key and the user client identification ID from the initialization request of the user client; encrypting the user password key 2 times with the DES algorithm to obtain 2-times encrypted data;
the resulting 2-times encrypted data, the user password key and the acquired user client identification ID are saved in association in a database, to provide password authentication and to decrypt the key used to encrypt the content when the virtual storage system is loaded.
6. The data protection method according to claim 5, wherein the initialization step of the remote server further includes a step of creating a virtual storage system, specifically including:
step 301, obtaining a user client identification ID;
step 302, initializing a virtual storage system driver, creating a virtual storage system, and associating the user client identification ID with the created virtual storage system;
the virtual storage system driver comprises an initialization process DriverEntry, a cleanup process DriverUnload, an open and close handle request process, a read/write device request process and an I/O control request process.
7. The method according to claim 1, wherein in step 102, the remote server loads a virtual storage system, specifically comprising:
step 401, receiving a virtual storage system loading request sent by a user client, where the loading request carries the user client identification ID and the user password key, and querying the database by the obtained user client ID to obtain the 2-times encrypted data;
step 402, encrypting the user password key with the DES algorithm to obtain encrypted key data;
step 403, comparing the 2-times encrypted data with the encrypted key data: if they are the same, the user password key is correct, password authentication passes, and step 404 is executed; if they differ, the user password key is wrong, password authentication fails, and authentication failure information is returned to the user client;
step 404, loading the corresponding virtual storage system according to the user client identification ID.
8. The data protection method according to claim 1, wherein the step of sending the data operation instruction of the user to the remote server comprises:
step 501, the user client queries the locally stored user password key and acquires the data operation instruction;
step 502, the user client encrypts the data operation instruction with the user password key;
step 503, the user client sends the encrypted data operation instruction to the remote server;
acquiring the data operation instruction specifically includes:
the user client acquires the data pointer file and, through the data pointer file, maps the user's data operation instruction to a data operation on the storage space of the virtual storage system corresponding to the user client in the remote server.
9. A data protection system for implementing the method according to one of claims 1 to 8, the system comprising at least one user client, a remote server and at least one access gateway device, characterized in that:
the user client establishes a communication connection with the remote server through the access gateway device and is used to establish a virtual storage system corresponding to the user client in the remote server, to detect the data operation instructions of the user in real time, and to send the data operation instructions of the user to the remote server, where the data operation instructions of the user are data operations directed at the virtual storage system;
the access gateway device is connected to the user client and to the remote server respectively, sends a configuration file acquisition request to the remote server, and receives the configuration file stored in advance in the remote server, so that the at least one access gateway device generates a corresponding sub-network according to the configuration file;
the remote server is used for establishing a virtual storage system corresponding to the user client;
the virtual storage system is a hard disk virtually formed on a physical hard disk of the remote server, which has the function of an expandable physical hard disk device and uses files as its storage bodies, so that all data stored in the loaded hard disks is stored in virtual storage system image files;
the remote server is specifically configured to:
after receiving a data operation instruction request to the virtual storage system transmitted by the application layer, the operating system of the remote server generates an input/output request packet (IRP) corresponding to the data operation instruction, transmits the IRP to the file system driver for processing, and after that processing transmits the IRP to the bottom-layer driver of the virtual storage system, where the IRP is processed accordingly: when the IRP is a read/write IRP or an IRP requesting an operation on the virtual storage system image file, a function beginning with Zw is called to invoke the corresponding routine in the WIN32 subsystem, so that the corresponding processing is performed using the functions provided by the file system.

Priority Applications (1)

CN202010071900.0A (priority date 2020-01-21, filing date 2020-01-21): Data protection method and system

Publications (2)

CN111291429A (en), published 2020-06-16
CN111291429B (en), published 2023-04-25

Family

ID=71017612

Families Citing this family (1)

* Cited by examiner, † Cited by third party
CN112770144B * (priority 2020-12-22, published 2023-07-25) 未来电视有限公司: Video file downloading method, video file playing method, device and terminal equipment

Family Cites Families (8)

CN102291452B * (priority 2011-08-09, published 2013-11-20) 北京星网锐捷网络技术有限公司: Virtual machine management method, cloud management server and cloud system based on cloud strategy
CN102577315A * (priority 2011-12-21, published 2012-07-11) 华为技术有限公司: Method, device and system for setting user access to virtual machine
US10990688B2 * (priority 2013-01-28, published 2021-04-27) Virtual Strongbox, Inc.: Virtual storage system and method of sharing electronic documents within the virtual storage system
CN103259785B * (priority 2013-04-11, published 2015-11-18) 深圳市深信服电子科技有限公司: Authentication method and system for virtual tokens
CN104144172A * (priority 2013-05-06, published 2014-11-12) 上海宏第网络科技有限公司: Cloud platform system and method based on desktop virtualization technology
US9996679B2 * (priority 2016-05-03, published 2018-06-12) Pegasus Media Security, Llc: Methods and apparatus for device authentication and secure data exchange between a server application and a device
CN106549976B * (priority 2016-12-09, published 2019-11-12) 中南大学: User identity authentication method and system reconfiguration method suitable for a transparent computing system
CN107196932A * (priority 2017-05-18, published 2017-09-22) 北京计算机技术及应用研究所: Virtualization-based management and control system within a document set

Patent Citations (7)

CA2352948A1 * (priority 1999-10-01, published 2001-04-12) Carlos Murdock: System and method for providing data security
US7484245B1 * (priority 1999-10-01, published 2009-01-27) Gigatrust: System and method for providing data security
CN102123143A * (priority 2011-01-21, published 2011-07-13) 宁波市胜源技术转移有限公司: Method for storing data in a network safely
CN103118053A * (priority 2011-08-17, published 2013-05-22) 国际商业机器公司: Building data security in a networked computing environment
CN106156640A * (priority 2016-07-01, published 2016-11-23) 何钟柱: Information operation and maintenance service knowledge sharing method based on big data trusted computing
CN110088743A * (priority 2016-12-16, published 2019-08-02) 国际商业机器公司: Offloading tape processing to object storage
CN107526595A * (priority 2017-08-28, published 2017-12-29) 中南大学: Method for supporting remote loading of multiple operating systems

Non-Patent Citations (4)

Jinxin Ma et al. A novel secure virtual storage device scheme. 2010 IEEE International Conference on Intelligent Computing and Intelligent Systems, 2010, 271-275. *
Yiannis Verginadis et al. PaaSword: a holistic data privacy and security by design framework for cloud services. Journal of Grid Computing, 2017, 219-234. *
李亮 et al. Design and implementation of a virtual storage device supporting continuous data protection. 计算机研究与发展 (Journal of Computer Research and Development), 2011, vol. 48 (S1), 278-282. *
牛超 et al. Continuous data protection mechanism based on virtual storage technology. 计算机工程与设计 (Computer Engineering and Design), 2013, vol. 34 (4), 1207-1211. *


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant