CN117454412A - Encryption and decryption file system and method - Google Patents

Encryption and decryption file system and method Download PDF

Info

Publication number
CN117454412A
CN117454412A CN202311189339.6A CN202311189339A CN117454412A CN 117454412 A CN117454412 A CN 117454412A CN 202311189339 A CN202311189339 A CN 202311189339A CN 117454412 A CN117454412 A CN 117454412A
Authority
CN
China
Prior art keywords
file
file information
key
information
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311189339.6A
Other languages
Chinese (zh)
Inventor
尤紫云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD
Original Assignee
WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD filed Critical WUHAN HONGXU INFORMATION TECHNOLOGY CO LTD
Priority to CN202311189339.6A priority Critical patent/CN117454412A/en
Publication of CN117454412A publication Critical patent/CN117454412A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1446Point-in-time backing up or restoration of persistent data
    • G06F11/1448Management of the data involved in backup or backup restore
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/18File system types
    • G06F16/188Virtual file systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides an encryption and decryption file system and method, comprising a plurality of program modules constructed in a stack mode, wherein the program modules are used for acquiring file information from a virtual file system, encrypting the file information to obtain ciphertext of the file information, and sending the ciphertext of the file information to a bottom file system for storage; and acquiring ciphertext of the file information from the bottom file system, decrypting the ciphertext of the file information to obtain plaintext of the file information, and sending the plaintext of the file information to a virtual file system for display. The invention realizes the data interaction processing between the virtual file system and the bottom file system through the encryption and decryption file system, and ensures that users can hardly feel the existence of the encryption and decryption file system in the using process under the condition of ensuring the data security in the disk.

Description

Encryption and decryption file system and method
Technical Field
The invention relates to the technical field of information security, in particular to an encryption and decryption file system and method.
Background
With the accelerated development of information technology, electronic documents are widely used in various industries, and the way of storing information is gradually changed into electronic documents, so that the information is stored in a computer to save space and facilitate the searching and reading of the information. The information security problem brought by the method is not ignored, and how to ensure that the important electronic information is not leaked is an increasingly focused problem.
The advent of encrypted file systems has greatly reduced the possibility of theft of sensitive data by an unauthorized user and is therefore favored by users, even if multiple users share a system to protect the user's private data.
While some encrypted file systems already exist that can provide a degree of protection to data in an operating system, it is generally difficult for these encrypted file systems to guarantee the security of data storage in the underlying disk.
Disclosure of Invention
The invention provides an encryption and decryption file system and a method, which are used for solving the defect that the security of data stored in the bottom layer of a magnetic disk is difficult to ensure in the encryption and decryption file system in the prior art, and realizing the encryption and decryption file system and the method with high reliability.
The invention provides an encryption and decryption file system, which comprises:
the system comprises a plurality of program modules constructed in a stack mode, a plurality of file information management modules and a plurality of file information management modules, wherein the program modules are used for acquiring file information from a virtual file system, encrypting the file information to obtain ciphertext of the file information, and sending the ciphertext of the file information to a bottom file system for storage; and acquiring ciphertext of the file information from the bottom file system, decrypting the ciphertext of the file information to obtain plaintext of the file information, and sending the plaintext of the file information to a virtual file system for display.
According to the encryption and decryption file system provided by the invention, the program module comprises an encryption and decryption file module, and the encryption and decryption file module is used for:
generating a file key corresponding to a plaintext of the file information;
encrypting a plaintext of the file information by adopting an AES algorithm through the file key to obtain a ciphertext of the file information;
generating a public key of the user and a private key of the user;
encrypting the file key by using an ECC algorithm through the public key to obtain a ciphertext of the file key;
decrypting ciphertext of the file key through the private key by adopting an ECC algorithm to obtain plaintext of the file key;
and decrypting the ciphertext of the file information by adopting an AES algorithm through the plaintext of the file key to obtain the plaintext of the file information.
According to the encryption and decryption file system provided by the invention, the encryption and decryption file module is further used for:
and performing HMAC calculation and digest verification on the file information, and performing digital signature.
The encryption and decryption file system provided by the invention further comprises a backup module, wherein the backup module is used for backing up the file key, the public key of the user, the private key of the user and the ciphertext of the file key.
According to the encryption and decryption file system provided by the invention, the program module further comprises an identity authentication and access control module, and the identity authentication and access control module is used for:
generating an access control linked list of each file information according to the user information of all users and the access authority of each file information;
inquiring the access authority of the current user from the access control linked list according to the user information of the current user;
and decrypting the ciphertext of the file information according to the access authority of the current user.
The invention also provides a method for encrypting the file, which comprises the following steps:
acquiring file information from a virtual file system;
encrypting the file information to obtain a ciphertext of the file information;
and sending the ciphertext of the file information to a bottom file system for storage.
According to the method for encrypting the file provided by the invention, the step of encrypting the file information to obtain the ciphertext of the file information comprises the following steps:
generating a file key corresponding to a plaintext of the file information;
encrypting a plaintext of the file information by adopting an AES algorithm through the file key to obtain a ciphertext of the file information;
further comprises:
generating a public key of the user and a private key of the user;
and encrypting the file key by adopting an ECC algorithm through the public key to obtain the ciphertext of the file key.
According to the method for encrypting the file provided by the invention, after the step of encrypting the file information to obtain the ciphertext of the file information, the method further comprises the following steps:
and backing up the file key, the public key of the user, the private key of the user and the ciphertext of the file key.
The invention also provides a method for decrypting the file, which comprises the following steps:
acquiring ciphertext of file information from a bottom file system;
decrypting the ciphertext of the file information to obtain a plaintext of the file information;
and sending the plaintext of the file information to a virtual file system for display.
According to the method for decrypting the file provided by the invention, before the step of obtaining the ciphertext of the file information from the underlying file system, the method further comprises the following steps:
generating an access control linked list of each file information according to the user information of all users and the access authority of each file information;
inquiring the access authority of the current user from the access control linked list according to the user information of the current user;
and decrypting the ciphertext of the file information according to the access authority of the current user.
According to the encryption and decryption file system and the encryption and decryption method provided by the invention, the program modules are arranged in the kernel in a stack structure, the encrypted ciphertext of the encrypted file information is stored in the bottom file system through the encryption and decryption file system, the plaintext of the decrypted file information is sent to the virtual file system for display, so that the data interaction processing between the virtual file system and the bottom file system is realized, and under the condition of ensuring the data security in a disk, a user can hardly feel the existence of the encryption and decryption file system in the use process.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the overall structure of an encryption and decryption file system provided by the invention;
FIG. 2 is a schematic diagram of an encryption and decryption module in the encryption and decryption file system provided by the invention;
FIG. 3 is a schematic diagram of an encryption and decryption flow of an encryption and decryption module in an encryption and decryption file system according to the present invention;
FIG. 4 is a schematic diagram of a backup process of an encryption and decryption module in an encryption and decryption file system according to the present invention;
FIG. 5 is a schematic flow chart of an encryption method according to the present invention;
FIG. 6 is a second flow chart of the encryption method according to the present invention;
FIG. 7 is a third flow chart of the encryption method according to the present invention;
FIG. 8 is a flow chart of a decryption method according to the present invention;
FIG. 9 is a second flow chart of the decryption method according to the present invention;
FIG. 10 is a third flow chart of the decryption method according to the present invention;
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The encryption and decryption file system of the present invention is described below with reference to fig. 1 to 4, as shown in fig. 1, the encryption and decryption file system includes a plurality of program modules configured in a stack manner, where the program modules are configured to obtain file information from a virtual file system, encrypt the file information to obtain ciphertext of the file information, and send the ciphertext of the file information to a bottom file system for storage; and acquiring ciphertext of the file information from the bottom file system, decrypting the ciphertext of the file information to obtain plaintext of the file information, and sending the plaintext of the file information to a virtual file system for display.
The encryption and decryption file system is applied to a linux system, is constructed by adopting a stack type structure for a plurality of program modules, is positioned between a bottom file system and a virtual file system of the system, is upwards interfaced with the virtual file system, is downwards interfaced with the bottom file system, and is used for processing data interaction between the bottom file system and the virtual file system.
Specifically, when encrypting the file information, a program module in the encryption and decryption file system encrypts the file information uploaded by a user through the virtual file system to obtain ciphertext of the file information, sends the ciphertext of the file information to the bottom file system, and stores the ciphertext of the file information in a disk through the bottom file system.
When decrypting the file information, a program module in the encryption and decryption file system reads ciphertext of the file information stored in the disk through the bottom file system, decrypts the ciphertext and sends the decrypted ciphertext to the virtual file system, and the virtual file system displays the decrypted file information to a user.
The virtual file system, the encryption and decryption file system and the bottom file system are all positioned in the kernel of the operating system, and the bottom file system needs to interact with a specific device driver to finish operations such as file reading and writing.
On the basis, for the virtual file system, the encryption and decryption file system with the stack structure is a specific file system, and can realize the operation on the file for the virtual file system. For the underlying file system, the encrypted and decrypted file system of the stack structure acts as a virtual file system, and the underlying file system operates on files for the underlying file system. Furthermore, the file system with encryption and decryption functions is increased and decreased on the basis of the bottom file system, so that the safety of data storage in a disk is ensured.
Because the program module in the encryption and decryption file system is positioned in the kernel, the process influence on the user space is less when the program module is used, so that the user has little difference between accessing the encryption and decryption file system and using the common file system, and the user can hardly feel the existence of the encryption and decryption file system in the using process.
It should be noted that the encryption and decryption file system in the invention is only used for the linux system as an example, but the system is constructed by only slightly modifying the existing kernel, the file structure of the original linux system is not changed, the virtual file system frame is kept unchanged, and the virtual file system can be transplanted among other unix systems by simply modifying the virtual file system frame, so that the method has higher universality and shareability.
The invention stores the ciphertext of the encrypted file information in the bottom file system through the encryption and decryption file system by the program module arranged in the kernel in a stack structure, sends the plaintext of the decrypted file information to the virtual file system for display, realizes the data interaction processing between the virtual file system and the bottom file system, and ensures that a user can hardly feel the existence of the encryption and decryption file system in the use process under the condition of ensuring the data security in a disk.
In the encryption and decryption file system, the program module comprises an encryption and decryption file module, and the encryption and decryption file module is used for:
generating a file key corresponding to a plaintext of the file information;
encrypting a plaintext of the file information by adopting an AES algorithm through the file key to obtain a ciphertext of the file information;
generating a public key of the user and a private key of the user;
encrypting the file key by using an ECC algorithm through the public key to obtain a ciphertext of the file key;
the encryption and decryption file module is firstly used for encrypting the file information. The file information to be encrypted is file information uploaded by a user through a virtual file system.
As shown in fig. 2, the encryption and decryption file module includes a key management sub-module, which is used for implementing generation, import, backup and recovery of various keys.
Specifically, the Key management submodule is used for generating a related Key corresponding to the file information when the file information is encrypted, and the related Key comprises a file Key F_Key corresponding to a plaintext of the file information, a public Key EA_Key of a user and a private Key EB_Key of the user. It should be noted that, when the key is generated, a corresponding random value is generated at the same time as the initial vector IV.
The file Key f_key is a symmetric Key, and may be a random number with a preset length. Each file information has a file Key f_key uniquely corresponding to the file information to enhance the security of the file system and strictly perform access control.
As shown in the upper diagram of fig. 4, when encrypting file information, a corresponding f_key is generated for the file information to be encrypted, and the plaintext of the file information is encrypted by using an AES algorithm (Advanced Encryption Standard, a symmetric encryption algorithm) through the f_key, so as to obtain the ciphertext of the file information.
Each user has its corresponding public and private keys, the public and private keys of the user being a pair of key pairs.
The file Key F_Key is encrypted by the public Key EA_Key through an ECC algorithm (Elliptic Curve Cryptography, a public Key encryption algorithm) to obtain a ciphertext FM_Key of the file Key.
The ECC algorithm has high complexity, but has complex operation and low speed, and is not suitable for encrypting a large amount of data, so that the file key is encrypted and decrypted by adopting the ECC algorithm, and the security of the file key is further improved.
When the file information is encrypted, the advantages of two different system encryption algorithms are fully exerted by combining an AES symmetric encryption algorithm and an ECC public key algorithm, and a complementary design is formed so as to improve the security of the encrypted file information.
Decrypting ciphertext of the file key through the private key by adopting an ECC algorithm to obtain plaintext of the file key;
and decrypting the ciphertext of the file information by adopting an AES algorithm through the plaintext of the file key to obtain the plaintext of the file information.
The encryption and decryption file module decrypts the file information through the private key of the user.
Specifically, as shown in the lower diagram of fig. 4, when a user needs to decrypt to read file information, firstly, through a private Key eb_key, a decryption process is performed by adopting a ciphertext fm_key of an ECC algorithm file Key, so as to obtain a plaintext f_key of the file Key.
And decrypting the ciphertext of the file information by adopting an AES algorithm through the plaintext F_key of the file key to obtain the plaintext of the file information.
According to the invention, the encryption and decryption processing is carried out on the file information by adopting the AES algorithm, and the encryption and decryption processing is carried out on the file secret key by adopting the ECC algorithm, so that a complementary design is formed, the security of the ciphertext of the file information is further improved, and the file information is prevented from being tampered as much as possible.
In the encryption and decryption file system, the encryption and decryption file module is also used for:
and performing HMAC calculation and digest verification on the file information, and performing digital signature.
As shown in fig. 2, the encryption and decryption file module further includes an integrity protection sub-module, configured to perform integrity verification on the stored file information.
Firstly, performing HMAC calculation (Hash-based Message Authentication Code, message authentication code calculation method based on Hash function) on file information in an underlying file system, and verifying the integrity and authenticity of data corresponding to the file information to determine whether the file information is illegally tampered.
Specifically, when the file is encrypted and stored in the disk through the encryption and decryption file system, an HMAC Key is randomly generated for each file information, namely an H_Key, and the HMAC value of the corresponding file information is calculated through the H_Key and stored in the system.
When the integrity of the file information needs to be verified, calculating a current HMAC value of the file information through Hkey, and if the current HMAC value is equal to the HMAC value stored by the system, indicating that the file data is not tampered or destroyed; if the current HMAC value is not equal to the HMAC value stored by the system, the file data is destroyed.
Further, digest verification is performed on the file information to verify the integrity and authenticity of the file.
Optionally, when the file information is encrypted and stored in the disk through the encryption and decryption file system, a fixed-length abstract is randomly generated for the file data corresponding to each piece of file information, and the fixed-length abstract is stored in the system.
When the integrity of the file information needs to be verified, calculating the current abstract of the file information, comparing the current abstract with the abstract stored in the system, and if the current abstract is the same, indicating that the file data is not destroyed; if the data are different, the file data are destroyed.
Further, the file information is digitally signed, and the abstract of the file information is further encrypted, so that the security of the file data is improved.
Optionally, when the file information is encrypted and stored in the disk through the encryption and decryption file system, an asymmetric encryption algorithm is used to encrypt the abstract of the file information through the private key of the user, so as to generate a digital signature corresponding to the file information.
When the integrity of the file information needs to be verified, determining the digital signature of the file information to be verified, and decrypting the digital signature through the public key of the user to obtain the abstract of the file.
According to the invention, through HMAC calculation and abstract verification of the file information, the authenticity and the integrity of the file information are verified before the file information which is requested to be accessed by a user is decrypted, so that the authenticity of the file information acquired by the user in a virtual file system is improved; and meanwhile, the digest is further encrypted by digital signature so as to improve the authenticity of the step of verifying the file integrity.
The encryption and decryption file system also comprises a backup module, wherein the backup module is used for backing up the file key, the public key of the user, the private key of the user and the ciphertext of the file key.
The file key, the HMAC key and the ciphertext of the file information are uniformly stored in an encryption and decryption file system, the public key is stored in a special server, and the private key is stored in a memory card of each user.
Because the memory card has higher security, the memory card can be read and written only after various password input checks are correct, and therefore, the security of storing the private key is improved by storing the private key of the user in the memory card, and meanwhile, the user does not need to memorize a large number of keys or passwords.
Before using the keys, the keys need to be imported into the encryption and decryption file module through the key management sub-module, and if a new key is generated or an original key is modified, the new key needs to be exported to the encryption and decryption file module after modification.
On this basis, the keys are also required to be backed up by a key backup and recovery sub-module.
Specifically, when the file key, the initial vector IV, the HMAC key and other encryption metadata related to encryption and decryption are stored in the encryption and decryption file system together, the encryption metadata of the file information needs to be backed up because the encryption metadata is likely to be stolen by an illegal user.
As shown in fig. 4, users are classified into general users and administrators.
The file key, the initial vector IV and the HMAC key are encrypted by an ECC algorithm through the public key of an administrator, and then the file key, the initial vector IV and the HMAC key and other parts of encrypted metadata are backed up into a secure storage device which can be accessed by the administrator only.
If the encrypted metadata stored in the encrypted and decrypted file system is illegally tampered or destroyed, an administrator can carry out ECC algorithm decryption on the F_key, the initial vector IV and the H_key of the ciphertext through the private Key of the administrator, and the F_key, the initial vector IV and the H_key are recovered so as to normally encrypt and decrypt the file information.
The invention backs up the encryption metadata related to encryption and decryption such as the file key, the initial vector IV, the HMAC key and the like, so that an administrator can recover the encryption metadata in the encryption and decryption file system through the backed-up encryption metadata after the encryption metadata stored in the encryption and decryption file system is destroyed, thereby ensuring the encryption and decryption processing of the file information.
In the encryption and decryption file system, the program module further comprises an identity authentication and access control module, wherein the identity authentication and access control module is used for:
generating an access control linked list of each file information according to the user information of all users and the access authority of each file information;
the identity authentication and access control module is used for carrying out identity authentication on a user accessing the file information so as to confirm whether the user has the access right of the file information.
Specifically, access control linked list ACL of each file information is generated in advance according to user information of all users and access authority of the users to each file information, so as to realize autonomous access control.
It should be noted that, the access control linked list ACL also belongs to encryption metadata related to encryption and decryption, so that the access control linked list ACL needs to be backed up, and the backup mode is the same as that of the encryption metadata, so that no further description is given.
Alternatively, the access control linked list may be composed of a plurality of items to represent the access rights corresponding to each user.
In one possible embodiment, the access control chain table is < uid, perm >, where uid represents the id number of the user and perm represents the rights possessed by the user. In this case, the user information of the user is the user's uid.
Optionally, the rights possessed by the user include all rights and part of the rights. Users with all rights can access all contents of the file information; the user having the partial rights can access only the contents given to the corresponding portion of the file information.
Further, each file information has a file master authority to modify the access control linked list of the file information. If the file owner needs to share the file information, the file owner adds the user uid of the sharing object and the corresponding specific access right item into an access control linked list of the file information.
On the basis, the access authority of each file corresponding to the user is determined, and the finer control granularity of the access authority is realized.
Inquiring the access authority of the current user from the access control linked list according to the user information of the current user;
when a user needs to access certain file information, the identity authentication and access control module analyzes an access control linked list corresponding to the file information, and searches a corresponding item in the access control linked list corresponding to the file information according to the user uid.
If found, access is allowed; if not, the user is refused to access if the user does not have the authority to access the file information.
And decrypting the ciphertext of the file information according to the access authority of the current user.
Further, when a user's uid is present in the access control link list of the file information, the user's access right is confirmed according to perm corresponding to the uid in the access control link list.
And if the access authority of the user currently applied does not exceed the access authority of the user recorded in the perm, allowing the user to continue to access.
And if the access authority of the user currently applied exceeds the access authority of the user recorded in the perm, rejecting the user to continue to access.
By setting the identity authentication and access control module, when a user logs in to access the file information, the invention authenticates the legitimacy of the user, determines the access authority of the user, and refuses the user without the authority to access the corresponding file information, so that each user can only access the file information within the authority range of the user, thereby avoiding unauthorized access, realizing an encryption and decryption file system with dual functions of encryption and decryption processing and access control, and further improving the security of the file information.
On this basis, as shown in fig. 1, the encrypted file system further includes a plug-in interface module and an auxiliary tool module.
The plug-in interface module is used for providing operation interfaces for other modules, and the interfaces mainly comprise a cryptographic algorithm and an identity authentication interface.
The cryptographic algorithm interface provides various implementation interfaces comprising AES cryptographic algorithm, ECC cryptographic algorithm and other cryptographic algorithms for the cryptographic file module, and the cryptographic algorithm provided by the plug-in of the interface is used for realizing the cryptographic processing function.
The identity authentication interface also provides various identity authentication interfaces in the same way, and the specific authentication process is realized by the plug-in.
The auxiliary tool module is used for providing the function of controlling the file encryption module, and a user can configure various functions in the kernel through the auxiliary tool. The system provides the functions of login, error reporting condition processing, system manager operation and the like for the user.
The method for encrypting the file provided by the invention is described below, and the method for encrypting the file described below and the system for encrypting and decrypting the file described above can be referred to correspondingly.
As shown in fig. 5, the method of encrypting a file includes:
step 501, obtaining file information from a virtual file system;
the encryption and decryption file system is applied to a linux system, is constructed by adopting a stack type structure for a plurality of program modules, is positioned between a bottom file system and a virtual file system of the system, is upwards interfaced with the virtual file system, is downwards interfaced with the bottom file system, and is used for processing data interaction between the bottom file system and the virtual file system.
The virtual file system is the original virtual file system of the linux system.
File information which needs to be encrypted by a user is obtained from a virtual file system.
Step 502, encrypting the file information to obtain ciphertext of the file information;
and step 503, sending the ciphertext of the file information to an underlying file system for storage.
When encrypting the file information, a program module in the encryption and decryption file system encrypts the file information uploaded by a user through the virtual file system to obtain ciphertext of the file information, sends the ciphertext of the file information to the bottom file system, and stores the ciphertext of the file information in a disk through the bottom file system.
In a specific embodiment, as shown in fig. 6, a user inputs file information to be encrypted into a virtual file system through a user space.
A FiST input file is written by using a FiST development stack type encryption file system. The main operations of a user on a file when using an encrypted file system include opening, closing, reading and writing, creating and deleting, and the like.
The encryption and decryption file system obtains file information to be encrypted from the virtual file system, and then encrypts data pages of file information data page by page through a file key by adopting an AES algorithm to obtain ciphertext of the file information. The ciphertext of the file information is a ciphertext data page corresponding to each page of data.
And carrying out integrity protection on the encrypted data, calculating an HMAC value of each page of ciphertext data page through an HMAC key for file information needing to be subjected to integrity protection, writing the HMAC value into encryption metadata of the file information, and writing ciphertext of the encrypted file information into a disk through a bottom file system for storage.
And encrypting the file information which does not need to be subjected to integrity protection, and directly writing the encrypted file information into a disk through a bottom file system for storage.
The invention stores the ciphertext of the encrypted file information in the bottom file system through the encryption and decryption file system by the program module arranged in the kernel in a stack structure, sends the plaintext of the decrypted file information to the virtual file system for display, realizes the data interaction processing between the virtual file system and the bottom file system, and ensures that a user can hardly feel the existence of the encryption and decryption file system in the use process under the condition of ensuring the data security in a disk.
In the method for encrypting the file, the step of encrypting the file information to obtain the ciphertext of the file information comprises the following steps:
generating a file key corresponding to a plaintext of the file information;
encrypting a plaintext of the file information by adopting an AES algorithm through the file key to obtain a ciphertext of the file information;
further comprises:
generating a public key of the user and a private key of the user;
and encrypting the file key by adopting an ECC algorithm through the public key to obtain the ciphertext of the file key.
The encryption and decryption file module is firstly used for encrypting the file information. The file information to be encrypted is file information uploaded by a user through a virtual file system.
Specifically, the Key management submodule is used for generating a related Key corresponding to the file information when the file information is encrypted, and the related Key comprises a file Key F_Key corresponding to a plaintext of the file information, a public Key EA_Key of a user and a private Key EB_Key of the user. It should be noted that, when the key is generated, a corresponding random value is generated at the same time as the initial vector IV.
As shown in the upper diagram of fig. 4, when encrypting file information, a corresponding f_key is generated for the file information to be encrypted, and the plaintext of the file information is encrypted by using an AES algorithm (Advanced Encryption Standard, a symmetric encryption algorithm) through the f_key, so as to obtain the ciphertext of the file information.
Each user has its corresponding public and private keys, the public and private keys of the user being a pair of key pairs.
The file Key F_Key is encrypted by the public Key EA_Key through an ECC algorithm (Elliptic Curve Cryptography, a public Key encryption algorithm) to obtain a ciphertext FM_Key of the file Key.
In the method for encrypting the file, after the step of encrypting the file information to obtain the ciphertext of the file information, the method further comprises the following steps:
and backing up the file key, the public key of the user, the private key of the user and the ciphertext of the file key.
Since the file key, the initial vector IV and the encrypted metadata related to encryption and decryption such as the HMAC key are stored in the encrypted and decrypted file system together, the encrypted metadata of the file information needs to be backed up when the file is encrypted.
In a specific embodiment, as shown in fig. 7, when encrypting the file information, the create function is called, and the file key, the initial vector IV, and the HMAC key are randomly generated.
The file key, the initial vector IV, and the HMAC key are encrypted using the public key of the file master of the file information.
Constructing an encryption metadata header: by setting an access control list ACL, a password id and an integrity protection mark, signing by using a private key of a file owner, and storing signed data into an encrypted metadata file.
The head of the file encryption metadata is encrypted by an ECC algorithm through a public key of a system administrator, and then the encrypted metadata is backed up and stored for starting when the encryption metadata in the encryption and decryption file system is destroyed, and the backup data is only accessible to the system administrator.
The method for decrypting the file provided by the invention is described below, and the method for decrypting the file described below and the encryption and decryption file system described above can be correspondingly referred to each other.
As shown in fig. 8, the method for decrypting a file includes:
step 801, obtaining ciphertext of file information from a bottom file system;
step 802, decrypting the ciphertext of the file information to obtain a plaintext of the file information;
and 803, sending the plaintext of the file information to a virtual file system for display.
The bottom file system is the original bottom file system of the linux system.
When decrypting the file information, a program module in the encryption and decryption file system reads ciphertext of the file information stored in the disk through the bottom file system, decrypts the ciphertext and sends the decrypted ciphertext to the virtual file system, and the virtual file system displays the decrypted file information to a user.
The virtual file system, the encryption and decryption file system and the bottom file system are all positioned in the kernel of the operating system, and the bottom file system needs to interact with a specific device driver to finish operations such as file reading and writing.
In one embodiment, as shown in FIG. 9, the location may be less expensive than the location when unencrypted, as the file information is encrypted.
And therefore, judging whether a data page of the file information to be read is already positioned in the page cache according to the offset of the file information to be read and the data quantity of the file information to be read.
If yes, the file information to be read does not generate offset, and belongs to the unencrypted plaintext file information, so that the system directly returns the plaintext data of the file information to the user space through the virtual file system for the user to read.
If not, the file information is shifted, and the data is encrypted. At this time, the encryption and decryption file module reads the data page corresponding to the file information from the disk, adopts the HMAC key to verify whether the integrity of the read data page is damaged, and if the integrity is damaged, the reading fails; if the data page is not destroyed, the data page is continuously decrypted by using the file key, the plaintext of the file information is obtained, and the decrypted data page is put into a page cache for the user to read.
And after the file information is returned, if the unread data still exists, continuing to verify and read according to the offset and the data quantity of the unread file information.
In the method for decrypting the file, before the step of obtaining the ciphertext of the file information from the bottom file system, the method further comprises the following steps:
generating an access control linked list of each file information according to the user information of all users and the access authority of each file information;
inquiring the access authority of the current user from the access control linked list according to the user information of the current user;
and decrypting the ciphertext of the file information according to the access authority of the current user.
In the process of decrypting the file information, the encryption and decryption system needs to verify the access authority of the current user before decrypting the file so as to determine whether the current user can read the accessed file information.
In a specific embodiment, as shown in fig. 10, when determining whether a user has authority to access file information, a corresponding file encryption metadata structure is searched for according to an index number (index node) of a file. Wherein each file has an inode number uniquely corresponding thereto.
If not, the encrypted metadata needs to be read in from the disk, then the public key of the file owner is used for signature verification to judge whether the encrypted metadata is tampered, if so, the user is refused to access, and if not, the backup encrypted metadata is imported, and the access authority of the user is continuously verified. It should be noted that the file owner therein belongs to the administrator.
If the user id is found, searching in an access control linked list ACL of the file information according to the user id, and if the access control linked list does not have the user id, rejecting the user access; if so, continuing to determine the access authority range of the user according to the perm corresponding to the user uid.
If the access right called by the user through the open system is outside the right range specified by the ACL, rejecting the access of the user; otherwise, the user is considered to have legal access rights.
On the basis, after determining that the user has the access authority of the file information, if the encrypted metadata is newly imported data in the disk, the user encrypts the file key, the initial vector and the HMAC key by using the public key of the user, constructs a file encrypted metadata structure body, and allows the user to access after inserting the encrypted metadata into the encrypted metadata cache.
If the encrypted metadata structure has been inserted into the encrypted metadata cache, user access is directly allowed.
When closing the file, only the inode information of the file system in the file inode structure is required to be emptied, and the file encryption metadata structure is still stored in the encryption metadata cache.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An encrypted and decrypted file system, comprising:
the system comprises a plurality of program modules constructed in a stack mode, a plurality of file information management modules and a plurality of file information management modules, wherein the program modules are used for acquiring file information from a virtual file system, encrypting the file information to obtain ciphertext of the file information, and sending the ciphertext of the file information to a bottom file system for storage; and acquiring ciphertext of the file information from the bottom file system, decrypting the ciphertext of the file information to obtain plaintext of the file information, and sending the plaintext of the file information to the virtual file system for display.
2. The encrypted and decrypted file system according to claim 1, wherein the program module comprises an encrypted and decrypted file module configured to:
generating a file key corresponding to a plaintext of the file information;
encrypting a plaintext of the file information by adopting an AES algorithm through the file key to obtain a ciphertext of the file information;
generating a public key of the user and a private key of the user;
encrypting the file key by using an ECC algorithm through the public key to obtain a ciphertext of the file key;
decrypting ciphertext of the file key through the private key by adopting an ECC algorithm to obtain plaintext of the file key;
and decrypting the ciphertext of the file information by adopting an AES algorithm through the plaintext of the file key to obtain the plaintext of the file information.
3. The encrypted and decrypted file system according to claim 2, wherein the encrypted and decrypted file module is further configured to:
and performing HMAC calculation and digest verification on the file information, and performing digital signature.
4. The cryptographic file system of claim 2, further comprising a backup module for backing up the file key, the public key of the user, the private key of the user, and ciphertext of the file key.
5. The encrypted and decrypted file system according to any one of claims 1 to 4, wherein the program module further comprises an identity authentication and access control module for:
generating an access control linked list of each file information according to the user information of all users and the access authority of each file information;
inquiring the access authority of the current user from the access control linked list according to the user information of the current user;
and decrypting the ciphertext of the file information according to the access authority of the current user.
6. A method for encrypting file is applied to the encryption and decryption file system according to any one of claims 1-5, characterized in that,
acquiring file information from a virtual file system;
encrypting the file information to obtain a ciphertext of the file information;
and sending the ciphertext of the file information to a bottom file system for storage.
7. The method of encrypting a file according to claim 6, wherein the step of encrypting the file information to obtain ciphertext of the file information comprises:
generating a file key corresponding to a plaintext of the file information;
encrypting a plaintext of the file information by adopting an AES algorithm through the file key to obtain a ciphertext of the file information;
further comprises:
generating a public key of the user and a private key of the user;
and encrypting the file key by adopting an ECC algorithm through the public key to obtain the ciphertext of the file key.
8. The method for encrypting a file according to claim 7, wherein after said step of encrypting said file information to obtain ciphertext of said file information, further comprising:
and backing up the file key, the public key of the user, the private key of the user and the ciphertext of the file key.
9. A method for decrypting a file, applied to the encrypted and decrypted file system according to any one of claims 1 to 5, comprising:
acquiring ciphertext of file information from a bottom file system;
decrypting the ciphertext of the file information to obtain a plaintext of the file information;
and sending the plaintext of the file information to a virtual file system for display.
10. The method of decrypting a file as recited in claim 9, wherein before the step of obtaining the ciphertext of the file information from the underlying file system, further comprises:
generating an access control linked list of each file information according to the user information of all users and the access authority of each file information;
inquiring the access authority of the current user from the access control linked list according to the user information of the current user;
and decrypting the ciphertext of the file information according to the access authority of the current user.
CN202311189339.6A 2023-09-14 2023-09-14 Encryption and decryption file system and method Pending CN117454412A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311189339.6A CN117454412A (en) 2023-09-14 2023-09-14 Encryption and decryption file system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311189339.6A CN117454412A (en) 2023-09-14 2023-09-14 Encryption and decryption file system and method

Publications (1)

Publication Number Publication Date
CN117454412A true CN117454412A (en) 2024-01-26

Family

ID=89589922

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311189339.6A Pending CN117454412A (en) 2023-09-14 2023-09-14 Encryption and decryption file system and method

Country Status (1)

Country Link
CN (1) CN117454412A (en)

Similar Documents

Publication Publication Date Title
US9043610B2 (en) Systems and methods for data security
US6976162B1 (en) Platform and method for establishing provable identities while maintaining privacy
US8010790B2 (en) Block-level storage device with content security
US7639819B2 (en) Method and apparatus for using an external security device to secure data in a database
US8312269B2 (en) Challenge and response access control providing data security in data storage devices
US6044155A (en) Method and system for securely archiving core data secrets
US9240883B2 (en) Multi-key cryptography for encrypting file system acceleration
US20080072066A1 (en) Method and apparatus for authenticating applications to secure services
US20100005318A1 (en) Process for securing data in a storage unit
US20080077807A1 (en) Computer Hard Disk Security
CN108768963B (en) Communication method and system of trusted application and secure element
US8200964B2 (en) Method and apparatus for accessing an encrypted file system using non-local keys
US20080235521A1 (en) Method and encryption tool for securing electronic data storage devices
US20120096280A1 (en) Secured storage device with two-stage symmetric-key algorithm
US20080098214A1 (en) Encryption/decryption method, method for safe data transfer across a network, computer program products and computer readable media
CN114175580B (en) Enhanced secure encryption and decryption system
CN110298186B (en) Non-key data encryption and decryption method based on dynamic reconfigurable cipher chip
US20150143107A1 (en) Data security tools for shared data
CN107911221B (en) Key management method for secure storage of solid-state disk data
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN110233729B (en) Encrypted solid-state disk key management method based on PUF
CN111949999A (en) Apparatus and method for managing data
US8499357B1 (en) Signing a library file to verify a callback function
CN111523127B (en) Authority authentication method and system for password equipment
CN117454412A (en) Encryption and decryption file system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination