CN115186309A - Data information security protection method - Google Patents

Data information security protection method Download PDF

Info

Publication number
CN115186309A
CN115186309A CN202210788937.4A CN202210788937A CN115186309A CN 115186309 A CN115186309 A CN 115186309A CN 202210788937 A CN202210788937 A CN 202210788937A CN 115186309 A CN115186309 A CN 115186309A
Authority
CN
China
Prior art keywords
server
authentication
client
data
disk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210788937.4A
Other languages
Chinese (zh)
Inventor
张敏
赵宁宁
崔焕�
管巫浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shenzhou Anfu Technology Co ltd
Original Assignee
Beijing Shenzhou Anfu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shenzhou Anfu Technology Co ltd filed Critical Beijing Shenzhou Anfu Technology Co ltd
Priority to CN202210788937.4A priority Critical patent/CN115186309A/en
Publication of CN115186309A publication Critical patent/CN115186309A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a data information security protection method, and relates to the field of information security. The method comprises hardware protection and software protection, wherein the hardware protection is realized by directly adding a new hardware unit to protect the data of the disk from a circuit level, the software protection is realized by directly adding a new hardware unit, and the safety protection is realized by an operating system or a file system on the upper layer of the hardware to read/write, access and the like of the disk from an application program level, a file system level or an operating system level. A fast hard disk encryption algorithm FastDiskEnc is designed and realized, the performance of the fast hard disk encryption algorithm FastDiskEnc is about 20% faster than that of an algorithm adopted by a Windows vista Bitlocker, and a safe stackable file system is realized on the basis of the algorithm on the basis of Linux2.4; the Hash function EHASH with the incremental computing property is designed, and has obvious performance advantage compared with the traditional Hash function SHA1 under the condition that a large amount of data is only slightly modified. In addition, an off-line integrity protection scheme aiming at backup disk data is provided, and the scheme can effectively solve the difficulty of resisting replay attack in integrity protection.

Description

Data information security protection method
Technical Field
The invention relates to the field of information security, in particular to a data information security protection method.
Background
Data security is the security protection of the technology and management established and employed for data processing systems, protecting computer hardware, software and data from being damaged, altered and revealed by casual and malicious causes. As more and more important data is stored on the disk, the security of the disk data is becoming a concern. Many security threats, such as illegal modification of disk data, disk data leakage, and disk theft, may cause an unpredictable loss to organizations that store important information, such as governments, businesses, and the like.
Unlike memory, magnetic disks store data that is non-volatile. As a direct carrier of data, the security threat faced by disks is even more severe. Especially, in the current popular Storage Area Network (SAN) Storage architecture, the disks are physically separated from the hosts, and different hosts access the same disk through the HUB or Switch device by using the Fiber Channel or i SCSI protocol. In this environment, the disk becomes a Single Point Failure attack Point of the whole application system. And due to the independent separation of the disks, the magnetic disk is more easily attacked by side channel physical attacks such as stealing, damage, monitoring and the like
Disclosure of Invention
The invention mainly aims to provide a data information security protection method which can effectively solve the problems mentioned in the background technology.
In order to achieve the purpose, the invention adopts the technical scheme that:
a data information safety protection method comprises hardware protection and software protection, wherein the hardware protection is realized by directly adding a new hardware unit to protect the data of a disk from a circuit level, the software protection is realized by directly adding a new hardware unit, and the safety protection is realized by an operating system or a file system on the upper layer of the hardware to read/write, access and the like of the disk from an application program level, a file system level or an operating system level.
Furthermore, the hardware protection is realized by buffering the data on the hard disk data line by a data buffer circuit, filtering command control signals, encrypting data signals, and realizing the safety protection of the hard disk data, and the system uses a smart card to store and manage keys and supports various encryption algorithms such as DES,3DES, AES, etc., the authentication mode of the system can be centralized authentication and is carried out by an authentication server (authentication server), wherein the authentication server is NASD [34] and AFS [32], and can also adopt a Self-authentication (Self-authentication) mode such as SFS [18], etc.
Furthermore, the software protection adopts an Encrypt-on-wire system which encrypts communication between the server and the client and verifies the authority of the client for accessing the server, when the user identity and the authority are confirmed, the user is allowed to interact data with the server, the Encrypt-on-wire system excludes the server from a trust domain, only trusts the running environment of the client, and performs encryption operation before writing data into a disk of the server to ensure that the data stored in the server exists in a form of ciphertext.
Further, the NASD [34] system is composed of a client, a file server, an authentication server and a disk, when a user first sends a request to the file server, the request is transferred to the authentication server, the NASD does not specify an authentication mechanism, the authentication server can be a Kerberos server or other authentication servers, after the authentication of the authentication server, the file server responds to the client with a capability object, the authority of the client is specified in the capability object, and then the client can directly access the disk by using the capability object during the session.
Further, the capabilityobject in the NASD comprises a Capabilitytoken and a capabilitykey, wherein the Capabilitytoken contains the access right information granted to the user; the capability is a message authentication code (messageauthentiticcode) including access right information and a key which is determined in advance by the file server and the disk, and the client authenticates and obtains the capability object returned by the file server, and then sends the capability object to the disk, and the disk drive verifies the capability object by using the key determined in advance by the file server and obtains the access right of the client.
Further, the SFS [18] system comprises three parts, namely an SFS file server, an SFS client and an SFS authentication server, wherein the authentication server of the SFS is not used for authenticating the legal identity of the client but used for storing group information and public key information of a client user, the SFS adopts a self-authentication path (self-authentication paths) to complete the bidirectional authentication of the server and the client, the SFS file system accesses through a mount point/SFS/location/home, the location is the address of the file server and can be the DNS host name or IP address of the file server, the home is the hash value of the server address and the public key of the server address, when the user requests a file on the file server, the SFS client firstly generates a public and private key pair, and then the authentication service server authenticates the file server and the client to obtain the public and private key pair
The device obtains a public key of the file server, compares the hash value with the hotid value to verify the identity of the file server, after the identity authentication of the server is passed, the client and the file server negotiate to create a session key, a security channel is established, then the client signs a request with a private key thereof and sends the request to the file server to obtain the authentication of the server, and after the bidirectional authentication of the server and the client is finished, the server and the client communicate in the security channel established in advance.
Compared with the prior art, the invention has the following beneficial effects:
the invention researches the safety protection of disk data from two aspects of data confidentiality and integrity, designs and realizes a fast hard disk encryption algorithm FastDiskEnc on the aspect of confidentiality protection, has the performance about 20 percent faster than that of an algorithm adopted by a Windows vista bitbaker, and realizes a safe stackable file system on the basis of the algorithm on the basis of Linux 2.4; in the aspect of integrity protection, a Hash function EHASH with increasable computation property is designed, and under the condition that a large amount of data is only slightly modified, the EHASH has a remarkable performance advantage compared with the traditional Hash function SHA 1. In addition, an offline integrity protection scheme aiming at backup disk data is provided based on an incremental verification technology, and the scheme can effectively solve the difficulty of resisting replay attack in integrity protection.
Drawings
FIG. 1 is a flow chart of data storage and retrieval according to the present invention;
Detailed Description
In order to make the technical means, the creation characteristics, the achievement purposes and the effects of the invention easy to understand, the invention is further explained by combining the specific embodiments.
As shown in fig. 1, a method for protecting data information security is characterized in that: the method comprises hardware protection and software protection, wherein the hardware protection is realized by directly adding a new hardware unit to protect the data of the disk from a circuit level, the software protection is realized by directly adding a new hardware unit, and the safety protection is realized by an operating system or a file system on the upper layer of the hardware to read/write, access and the like of the disk from an application program level, a file system level or an operating system level. A method of securing data information according to claim 1, characterized by: the hardware protection is realized by buffering the data on the data line of the hard disk by the data buffer circuit, filtering the command control signal, encrypting the data signal, realizing the safety protection of the hard disk data, and the system uses the smart card to store and manage the key, and supports various encryption algorithms such as DES,3DES, AES, etc., the authentication mode of the system can be centralized authentication, and the authentication can be performed by adopting an authentication server (authentication server), wherein the authentication server is NASD [34] and AFS [32], or can adopt a Self-authentication (Self-authentication) mode such as SFS [18], etc., the access of the application program to the disk is generally realized by sending INT13H interrupt to BIOS through an operating system (Windows, etc.), and then accessing the disk through the disk controller. The HDPS interrupts INT13H interrupt request for directly reading and writing the hard disk through the protection program support module, and then executes read-write operation on the hard disk through the access control module.
The software protection adopts an Encrypt-on-wire system which encrypts communication between a server and a client and verifies the authority of the client for accessing the server, when the user identity and the authority are confirmed, the user is allowed to interact data with the server, the Encrypt-on-wire system excludes the server from a trust domain, only trusts the running environment of the client, and performs encryption operation before writing the data into a disk of the server to ensure that the data stored in the server exists in a ciphertext form. The NASD [34] system consists of a client, a file server, an authentication server and a disk, when a user sends a request to the file server for the first time, the request is transferred to the authentication server, the NASD does not specify an authentication mechanism, the authentication server can be a Kerberos server or other authentication servers, after the authentication is carried out by the authentication server, the file server responds to the client with a capability object, the authority of the client is specified in the capability object, then the client can directly access the disk by using the capability key during the session, the capability object in the NASD comprises a capability key and a capability key, and the capability key comprises access authority information granted to the user; the capacity authentication is a message authentication code (message authentication code) containing access authority information and a key, the key is determined by a file server and a disk in advance, a client side authenticates and obtains a capacity authentication object returned by the file server and then sends the capacity authentication object to the disk, the disk drive verifies the capacity authentication object by using the key determined by the file server in advance and obtains the access authority of the client side, an SFS [18] system is composed of three parts, an SFS file server, an SFS client side and an SFS authentication server, the authentication server of the SFS is not used for authenticating the legal identity of the client side but used for storing the group information and the public key information of the client side user, the SFS adopts a self-authentication path (self-authentication paths) to complete the bidirectional authentication of the server and the client side, the SFS file system accesses through a mount point/SFS/location/home, the location is the address of the file server, which can be the DNS host name or IP address, the home is the hash value of the server address and the public key thereof, when the user requests the file on the file server, the SFS client firstly generates a public and private key pair, then obtains the public key of the file server from the authentication server, compares the hash value with the home value to verify the identity of the file server, after the identity authentication of the server, the client and the file server negotiate to create a session key, establish a security channel, then the client signs a request with the private key thereof and sends the request to the file server to obtain the verification of the server, after the bidirectional authentication of the server and the client is finished, the two parties communicate in the pre-established security channel,
finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described above, or equivalents may be substituted for elements thereof. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. A data information security protection method is characterized in that: the method comprises hardware protection and software protection, wherein the hardware protection is realized by directly adding a new hardware unit to protect the data of the disk from a circuit level, the software protection is realized by directly adding a new hardware unit, and the safety protection is realized by an operating system or a file system on the upper layer of the hardware to read/write, access and the like of the disk from an application program level, a file system level or an operating system level.
2. A data information security protection method according to claim 1, characterized in that: the hardware protection is realized by buffering data on a hard disk data line by a data buffer circuit, filtering command control signals and encrypting data signals, and the safety protection of the hard disk data is realized, the system uses a smart card to store and manage keys and supports various encryption algorithms such as DES,3DES, AES and the like, the authentication mode of the system can be centralized authentication and is carried out by adopting an authentication server (authentication server), wherein the authentication server is NASD [34] and AFS [32], and can also adopt a Self-authentication (Self-authentication) mode such as SFS [18] and the like.
3. A data information security protection method according to claim 2, characterized in that: the software protection adopts an Encrypt-on-wire system which encrypts communication between a server and a client and verifies the authority of the client for accessing the server, when the user identity and the authority are confirmed, the user is allowed to interact data with the server, the Encrypt-on-wire system excludes the server from a trust domain, only trusts the running environment of the client, and performs encryption operation before writing the data into a disk of the server to ensure that the data stored on the server exists in a ciphertext form, wherein the core part of the algorithm is a FastDiskEnc function, and interface parameters of the FastDiskEnc function are input plainText PlanText, plainText length h (taking Byte as a unit), disturbed value blockIndex and structure cryptoInfo. The algorithm takes 128 bits as a unit and carries out encryption operation on the input plain text sequence; and after the encryption is finished, scrambling operation is carried out on the input plaintext by taking sector as a unit.
4. A data information security protection method according to claim 3, characterized in that: the NASD [34] system consists of a client, a file server, an authentication server and a disk, when a user sends a request to the file server for the first time, the request is transferred to the authentication server, the NASD does not specify an authentication mechanism, the authentication server can be a Kerberos server or other authentication servers, after the authentication of the authentication server, the file server responds to the client with a capability object, the authority of the client is specified in the capability object, and then the client can directly access the disk by using the capability key during the session.
5. The data information security protection method according to claim 4, wherein: the capabilityobject in the NASD comprises a Capabilitytoken and a capabilitykey, wherein the Capabilitytoken comprises the access right information granted to the user; the capability is a message authentication code (messageauthentiticcode) including access right information and a key which is determined in advance by the file server and the disk, and the client authenticates and obtains the capability object returned by the file server, and then sends the capability object to the disk, and the disk drive verifies the capability object by using the key determined in advance by the file server and obtains the access right of the client.
6. A data information security protection method according to claim 5, characterized in that: the SFS [18] system comprises an SFS file server, an SFS client and an SFS authentication server, wherein the authentication server of the SFS is not used for authenticating the legal identity of the client but used for storing group information and public key information of a client user, the SFS adopts a self-authentication path (self-certification pathnames) to finish bidirectional authentication of the server and the client, the SFS file system accesses through a mount point/SFS/location/home, the location is the address of the file server and can be a DNS host name or an IP address, the home is the hash value of the server address and a public key thereof, when a user requests a file on the file server, the SFS client firstly generates a public and private key pair, then obtains the public key of the file server from the authentication server, compares the hash value with the hash value to verify the identity of the file server, after the identity of the server passes through, the client and the file server establish a session key, establish a secure channel, then sign a request is sent to the authentication server by using the private key of the authentication server, the client and the authentication server to verify the identity of the file server, and establish a bidirectional communication channel after the client and the server completes the bidirectional authentication.
CN202210788937.4A 2022-07-06 2022-07-06 Data information security protection method Pending CN115186309A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210788937.4A CN115186309A (en) 2022-07-06 2022-07-06 Data information security protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210788937.4A CN115186309A (en) 2022-07-06 2022-07-06 Data information security protection method

Publications (1)

Publication Number Publication Date
CN115186309A true CN115186309A (en) 2022-10-14

Family

ID=83518146

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210788937.4A Pending CN115186309A (en) 2022-07-06 2022-07-06 Data information security protection method

Country Status (1)

Country Link
CN (1) CN115186309A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115391845A (en) * 2022-10-28 2022-11-25 摩尔线程智能科技(北京)有限责任公司 Key management apparatus and method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115391845A (en) * 2022-10-28 2022-11-25 摩尔线程智能科技(北京)有限责任公司 Key management apparatus and method
CN115391845B (en) * 2022-10-28 2023-01-06 摩尔线程智能科技(北京)有限责任公司 Key management apparatus and method

Similar Documents

Publication Publication Date Title
US9722977B2 (en) Secure host authentication using symmetric key crytography
Riedel et al. A framework for evaluating storage system security
Miller et al. Strong security for distributed file systems
US7036020B2 (en) Methods and systems for promoting security in a computer system employing attached storage devices
Miller et al. Strong Security for {Network-Attached} Storage
US9135464B2 (en) Secure storage system for distributed data
US20050262361A1 (en) System and method for magnetic storage disposal
US8195724B2 (en) Providing a virtual binding for a worm storage system on rewritable media
WO2021164166A1 (en) Service data protection method, apparatus and device, and readable storage medium
CN102948114A (en) Single-use authentication methods for accessing encrypted data
JP2021022393A (en) Method and system for blocking phishing or ransomware attack
CN105141593A (en) Private cloud platform secure computation method
WO2021129003A1 (en) Password management method and related device
CN112560058A (en) SSD partition encryption storage system based on intelligent password key and implementation method thereof
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN110543775B (en) Data security protection method and system based on super-fusion concept
CN115186309A (en) Data information security protection method
US20040243828A1 (en) Method and system for securing block-based storage with capability data
US20130145145A1 (en) System and method of securing data using a server-resident key
CN105809043A (en) Data security protection method of computer
US8874907B1 (en) Controlling access to an NFS share
Zhu et al. SNARE: A strong security scheme for network-attached storage
US20220123932A1 (en) Data storage device encryption
US11870906B1 (en) Providing a secure isolated account for cloud-based storage services
CN113342896B (en) Scientific research data safety protection system based on cloud fusion and working method thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination