KR20160141462A - Apparatus and method for managing data security - Google Patents
- Publication number
- KR20160141462A
- Authority
- KR
- South Korea
- Prior art keywords
- data
- security
- file
- area
- present
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
The present invention relates to a security data management apparatus and method, and more particularly to a security data management apparatus and method that use a security zone to securely manage data for only those users and applications that have been authenticated.
Security threats to mobile terminals are increasing rapidly, and solutions are being developed from many angles; of these, software-based security accounts for the majority. However, with a software-based security scheme, when the memory in which user data is stored is lost or maliciously compromised from outside, the personal data stored in that memory is leaked intact.
Various cryptographic file system technologies based on the conventional PC have been proposed at various levels to protect stored data: a user-space file system technique that uses the virtual file system (VFS) to implement encryption/decryption only in user space without adding kernel-level code; a stackable file system technique that redirects operating-system-level file traffic to user space via NFS and is flexible enough to operate on top of any file system; and disk-based file system techniques that operate at a more abstract level and control directories, file metadata, and behaviour. However, all of these were designed for the PC and carry a high operating overhead, so a lighter encryption and security algorithm is required for a mobile terminal.
In addition, a number of security technologies that operate in a virtual environment have recently been proposed, as virtualization technology, which logically divides actual physical resources and distributes them to a plurality of applications or operating systems, gains attention. Applying such virtualization technology to a mobile terminal is attractive not only in terms of cost but also because of its strength in security. The use of virtualization technology is therefore increasing, and virtualization-based processing techniques that take the characteristics of the terminal into account are increasingly demanded.
Accordingly, applying a separated domain and using a cryptographic file system can be presented as solutions for securely storing and managing the user's personal information and sensitive data in a mobile terminal, and such solutions are required to provide minimal overhead together with robustness and flexibility of data security.
In this regard, Korean Patent Laid-Open Publication No. 2008-0041420 discloses "an apparatus and method for managing secure data".
Disclosure of Invention
Technical Problem
Accordingly, the present invention has been made to solve the above problems, and it is an object of the present invention to provide a security data management apparatus and method that provide a security area separated from the general area by means of virtualization technology, so that sensitive data is securely and efficiently stored and managed, and that manage encrypted data through an application.
It is another object of the present invention to provide a secure data management apparatus and method for encrypting and storing data stored in a secure area and providing stored data to a user through integrity verification.
It is another object of the present invention to provide a security data management apparatus and method for simply storing and managing data for each application without using a directory structure.
According to another aspect of the present invention, there is provided an apparatus for managing security data of a terminal having a general area and a security area, the apparatus comprising: an authentication and access control unit for authenticating a user of the terminal; a file system unit included in the secure area and storing data transferred through authentication in a file format; and a key management and encryption/decryption unit included in the secure area for performing key management and encryption/decryption of data stored in a file format.
The key management and encryption / decryption unit may include a randomization unit for encryption / decryption of data using an encryption algorithm; A key management unit for performing key generation, discarding and updating used in encryption / decryption; And a data integrity verification unit that verifies data integrity using a hash function.
In addition, the structure of the file system unit may include a volume, a bitmap, an object, and a file area.
With the structure described above, the security data management apparatus and method according to the present invention encrypt and store data kept in the security area, provide the stored data to the user through integrity verification, and thus provide security against threats posed by applications. Even if data is exported to the outside through malicious action, it cannot be decrypted without the key generated in the terminal, so data leakage is prevented.
In addition, the present invention has an effect of providing a file search efficiency by simply storing and managing data for each application without using a directory structure.
FIG. 1 is a diagram for explaining a data storage structure of a terminal applied according to the present invention.
FIG. 2 is a diagram for explaining a configuration of a secure data management apparatus according to the present invention.
FIG. 3 is a diagram for explaining the structure of a file system according to the present invention.
FIG. 4 is a flowchart illustrating a procedure of a security data management method according to the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings so that a person skilled in the art can easily carry out the technical idea of the present invention. First, in adding reference numerals to the constituent elements of the drawings, it should be noted that the same constituent elements are denoted by the same reference numerals wherever possible, even when they appear in different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted where it would make the subject matter of the present invention unclear.
FIG. 1 is a diagram for explaining a data storage structure of a terminal applied according to the present invention.
1, the
Virtualization software can be divided into hypervisor-type virtualization (TYPE 1), in which the guest operating system runs directly on the physical hardware, and host-type virtualization (TYPE 2), in which the guest OS runs on a host OS and cannot access the hardware directly. The present invention can be provided in both types. Important data managed in the security area (B) can be recorded in physical storage present inside or outside the terminal, such as flash memory, USB memory or an SD card, through hardware (H/W) drivers that take both virtualization types into account.
The security area B is operated so as to minimize the load on the memory capacity and the CPU processing ability by utilizing the lightweight embedded OS in consideration of the characteristics of the
Therefore, the security area B of the
FIG. 2 is a diagram for explaining a configuration of a secure data management apparatus according to the present invention.
Referring to FIG. 2, the
The authentication and
The
The key management and encryption /
Also, the key management and encryption /
As described above, the file system, which is executed in the security area OS, stores data in a physical storage, which is a storage area established by associating data managed by the file management apparatus with the file system driver.
FIG. 3 is a diagram for explaining the structure of a file system according to the present invention.
Referring to FIG. 3, the file system of the present invention is composed of four areas in order to operate a storage space for safely managing data. The file system module includes a volume that handles system information such as the boot record for the secure area, a bitmap that manages the blocks constituting the file system, an object area that stores information about each file as file metadata, and a file area in which the files/data are stored.
In particular, the objects (inodes) constituting the file system are generated and managed according to the number of files (N) that can be stored in the file system, and each manages information about the data stored in its file. The objects are stored and managed without the directory structure of a conventional file system; instead they are distinguished by the information of the application installed in the mobile terminal and by the file name.
In addition, when searching by application information and file name, the objects of the present invention are managed in a linked list per application, so that the search time overhead of examining the total number of objects is reduced and the search time is shortened. Files having the same application information can be searched efficiently because the inode linker present in each inode points to the object that is the header information of the next file of the same application. The data owned by each application can be retrieved and accessed only by that application, so the file system module also provides an access control function per application. When data is shared among related applications, the scope of the search and access can also be expanded to those related applications.
The inode linker present in each inode can selectively use a singly linked list or a doubly linked list, and has the corresponding structure. In the case of a doubly linked list, search flexibility is increased by additionally linking the inode of the previous file as well as the inode of the next file.
In order to manage the file data of each application using the linked list information of the inode linker in the object, information such as the application ID, the application name, the number of files, the first node and the last node must be managed for each application. This information can be stored in the file system and loaded into memory when the file system is mounted, or kept in a separate area.
For example, the M installed applications can be managed as follows.
App α =
App β =
Each inode, which is an object, is managed with a fixed size and holds file information such as the file name, the file size, the block address where the file is actually stored, the application information (ID or application name), whether the file is encrypted, the encryption seed value (key), the integrity verification value of the file, and the inode linker.
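The directory-less object area described above, modelled as an added example (not the patent's own code): each inode carries the fields listed, each application has a record with its first and last node, and a lookup walks only the requesting application's chain, so the search examines fewer objects and another application's files are unreachable. The class and field names are assumptions; the sample applications and files are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
@dataclass
class Inode:  # fixed-size object holding one file's metadata (fields from the description)
    file_name: str
    file_size: int
    block_addr: int                   # block where the file data actually lives
    app_id: str                       # application information replaces a directory
    encrypted: bool = True
    integrity: bytes = b""            # integrity verification value of the file
    next_inode: Optional[int] = None  # inode linker: next file of the same application

@dataclass
class AppRecord:  # per-application record: ID, name, number of files, first and last node
    app_id: str
    app_name: str
    file_count: int = 0
    first: Optional[int] = None
    last: Optional[int] = None

class ObjectArea:  # N inode slots plus one singly linked chain of inodes per application
    def __init__(self, n_files: int) -> None:
        self.inodes: List[Optional[Inode]] = [None] * n_files
        self.apps: Dict[str, AppRecord] = {}

    def create(self, app_id: str, app_name: str, name: str, size: int, block: int) -> int:
        if None not in self.inodes:
            raise OSError("object area full: N files already stored")
        idx = self.inodes.index(None)
        self.inodes[idx] = Inode(name, size, block, app_id)
        rec = self.apps.setdefault(app_id, AppRecord(app_id, app_name))
        if rec.first is None:
            rec.first = idx                            # first file of this application
        else:
            self.inodes[rec.last].next_inode = idx     # link from the previous last node
        rec.last = idx
        rec.file_count += 1
        return idx

    def lookup(self, app_id: str, name: str) -> Tuple[Optional[Inode], int]:
        """Walk only the requesting app's chain; returns (inode or None, objects examined)."""
        rec = self.apps.get(app_id)
        idx, visited = (rec.first if rec else None), 0
        while idx is not None:
            visited += 1
            node = self.inodes[idx]
            if node.file_name == name:
                return node, visited
            idx = node.next_inode
        return None, visited

def demo() -> Tuple[int, bool, int]:
    area = ObjectArea(n_files=8)  # constructed sample: app A owns three files, app B owns two
    files = [("app-A", "Mail", "a1", 10), ("app-A", "Mail", "a2", 11), ("app-A", "Mail", "a3", 12),
             ("app-B", "Notes", "b1", 20), ("app-B", "Notes", "notes", 21)]
    for app, app_name, name, block in files:
        area.create(app, app_name, name, 100, block)
    found, visited = area.lookup("app-B", "notes")   # examines only B's 2 objects, not all 5
    denied, _ = area.lookup("app-A", "notes")        # A's chain never reaches B's file
    return found.block_addr, denied is None, visited
```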
FIG. 4 is a flowchart illustrating a procedure of a security data management method according to the present invention.
Referring to FIG. 4, the security data management method according to the present invention uses the security data management apparatus described above, and a duplicate description will be omitted.
First, the security data management apparatus is requested to access a security area of a user or an application through a general area (S100).
Next, the secure data management apparatus authenticates the user or application requesting access (S200).
Next, the secure data management apparatus receives data transmitted from the authenticated user or application (S300).
Next, the secure data management device converts the received data into a file format and stores it (S400).
Next, the secure data management apparatus performs encryption / decryption of the stored data (S500).
In this way, the data stored in the security area is encrypted and stored, and the stored data is provided to the user through integrity verification, which provides security against security threats caused by applications. Moreover, the data cannot be decrypted without a key generated in the data area.
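The store and retrieve path of steps S200 to S500, as an added example that is not the patent's code: the caller is authenticated, the received data is wrapped into a file record, encrypted under a key generated inside the security area, and handed back only after its integrity value is verified. The page names no cipher, so a SHA-256 counter-mode keystream stands in for it (a real deployment would use an authenticated cipher such as AES-GCM); the integrity value is an HMAC over the ciphertext, and the credentials and data are constructed samples.

```python
import hashlib
import hmac
import os

class SecureArea:
    """Security-area store: authenticate (S200), receive (S300), file record (S400),
    encrypt/decrypt with integrity verification (S500)."""

    def __init__(self) -> None:
        self._key = os.urandom(32)                  # key generated inside the terminal, never exported
        self._credentials = {"photo-app": "tok-1"}  # constructed sample of authorised callers
        self._files: dict = {}

    def _authenticate(self, app: str, token: str) -> None:  # S200
        if not hmac.compare_digest(self._credentials.get(app, ""), token):
            raise PermissionError("authentication failed")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Stand-in for the unspecified cipher: SHA-256 counter mode keyed by the terminal key.
        blocks = (hashlib.sha256(self._key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(length // 32 + 1))
        return b"".join(blocks)[:length]

    def store(self, app: str, token: str, name: str, data: bytes) -> None:  # S300-S500
        self._authenticate(app, token)
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()  # integrity value
        self._files[(app, name)] = {"nonce": nonce, "ct": ct, "tag": tag}

    def load(self, app: str, token: str, name: str) -> bytes:
        self._authenticate(app, token)
        rec = self._files[(app, name)]               # keyed by app: other apps see no file
        expected = hmac.new(self._key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):   # verify before decrypting
            raise ValueError("integrity verification failed")
        stream = self._keystream(rec["nonce"], len(rec["ct"]))
        return bytes(a ^ b for a, b in zip(rec["ct"], stream))

def demo() -> tuple:
    area = SecureArea()
    area.store("photo-app", "tok-1", "img.dat", b"sensitive bytes")   # constructed sample data
    roundtrip = area.load("photo-app", "tok-1", "img.dat") == b"sensitive bytes"
    exported = dict(area._files[("photo-app", "img.dat")])           # record leaked as-is
    other = SecureArea()                                             # another terminal, another key
    other._files[("photo-app", "img.dat")] = exported
    try:
        other.load("photo-app", "tok-1", "img.dat")
        leaked_readable = True
    except ValueError:
        leaked_readable = False
    rec = area._files[("photo-app", "img.dat")]
    rec["ct"] = bytes([rec["ct"][0] ^ 0x01]) + rec["ct"][1:]          # flip one ciphertext bit
    try:
        area.load("photo-app", "tok-1", "img.dat")
        tampered_accepted = True
    except ValueError:
        tampered_accepted = False
    return roundtrip, leaked_readable, tampered_accepted
```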
In addition, the present invention provides a file search efficiency by simply storing and managing data for each application without using a directory structure.
While the present invention has been described in connection with what are presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and that many variations and modifications may be made without departing from the scope of the present invention.
100: security data management device
110: Authentication and access control unit
120: File system unit
130: Key management and encryption / decryption unit
Claims (1)
1. A security data management apparatus comprising:
an authentication and access control part included in a first area of the device, the authentication and access control part authenticating an application accessing through a second area of the device and a user of the terminal;
a file system unit included in the first area and storing data transferred through authentication in a file format; and
a key management and encryption/decryption unit included in the first area and performing key management and encryption/decryption of data stored in a file format.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150077152A KR101761799B1 (en) | 2015-06-01 | 2015-06-01 | Apparatus and method for managing data security of terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150077152A KR101761799B1 (en) | 2015-06-01 | 2015-06-01 | Apparatus and method for managing data security of terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20160141462A true KR20160141462A (en) | 2016-12-09 |
KR101761799B1 KR101761799B1 (en) | 2017-07-26 |
Family
ID=57574666
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150077152A KR101761799B1 (en) | 2015-06-01 | 2015-06-01 | Apparatus and method for managing data security of terminal |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101761799B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101844534B1 (en) * | 2017-10-26 | 2018-04-02 | (주)지란지교소프트 | Method for securing electronic file |
WO2022182102A1 (en) * | 2021-02-23 | 2022-09-01 | 삼성전자 주식회사 | Method for performing user authentication and device for performing same |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102036256B1 (en) * | 2017-12-08 | 2019-11-26 | 젝스컴퍼니 주식회사 | Android embedded system with enhanced security |
- 2015-06-01 KR KR1020150077152A patent/KR101761799B1/en active IP Right Grant
Also Published As
Publication number | Publication date |
---|---|
KR101761799B1 (en) | 2017-07-26 |
Similar Documents
Publication | Title |
---|---|
KR102254256B1 (en) | Anti-rollback version upgrade in secured memory chip |
US11263020B2 (en) | System and method for wiping encrypted data on a device having file-level content protection |
US10007793B2 (en) | Secure object having protected region, integrity tree, and unprotected region |
KR100678927B1 (en) | Method and portable storage device for allocating secure area in insecure area |
JP4392241B2 (en) | Method and system for promoting safety protection in a computer system employing an attached storage device |
AU2006205315B2 (en) | Method and portable storage device for allocating secure area in insecure area |
US8433901B2 (en) | System and method for wiping encrypted data on a device having file-level content protection |
US8954752B2 (en) | Building and distributing secure object software |
US20160110295A1 (en) | Secure data encryption in shared storage using namespaces |
CN105993018B (en) | Content item encryption in mobile device |
US20130145139A1 (en) | Regulating access using information regarding a host machine of a portable storage drive |
US20080077807A1 (en) | Computer Hard Disk Security |
US8750519B2 (en) | Data protection system, data protection method, and memory card |
US20230177197A1 (en) | Persistent file system in a secure enclave |
Chang et al. | User-friendly deniable storage for mobile devices |
KR101761799B1 (en) | Apparatus and method for managing data security of terminal |
US20190171841A1 (en) | Method and system for encrypting files and storing the encrypted files in a storage file system |
US8667278B2 (en) | Information processing apparatus and data transmission method of information processing apparatus |
Benadjila et al. | Secure storage: Confidentiality and authentication |
TWI789291B (en) | Module and method for authenticating data transfer between a storage device and a host device |
US11468159B2 (en) | Memory system |
KR20150050899A (en) | Apparatus and method for security storage using re-encryption |
JP2018169740A (en) | File system and file management method |
Legal Events
Code | Title |
---|---|
A201 | Request for examination |
E902 | Notification of reason for refusal |
E701 | Decision to grant or registration of patent right |
GRNT | Written decision to grant |