KR20160141462A - Apparatus and method for managing data security - Google Patents

Info

Publication number
KR20160141462A
Authority
KR
South Korea
Application number
KR1020150077152A
Other languages
Korean (ko)
Other versions
KR101761799B1 (en)
Inventor
박수완
Original Assignee
한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
2015-06-01: Application KR1020150077152A filed by 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
2016-12-09: Publication of KR20160141462A
2017-07-26: Application granted; publication of KR101761799B1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components to assure secure storage of data

Abstract

The present invention relates to a security data management apparatus and method. In a terminal that has a general area and a security area, the apparatus comprises: an authentication and access control unit, located in the security area, which authenticates the user of the terminal and any application that accesses the security area through the general area; a file system unit, located in the security area, which stores data received after authentication in file form; and a key management and encryption/decryption unit, located in the security area, which performs key management and the encryption and decryption of the stored files. Data held in the security area therefore cannot be leaked in usable form.

Description

TECHNICAL FIELD

The present invention relates to a security data management apparatus and method, and more particularly to an apparatus and method that use a security area of a terminal to securely manage data on behalf of only those users and applications that have been authenticated.

Security threats against mobile terminals are increasing rapidly, and countermeasures are being developed on many fronts, most of them software-based. In a purely software-based scheme, however, if the memory holding user data is lost or is compromised by an external attacker, the personal data stored in that memory is leaked as is.

Various cryptographic file system technologies, proposed for the PC, protect stored data at different levels of the system: user-space file systems that hook the virtual file system (VFS) so that encryption and decryption run entirely in user space without adding kernel code; user-space file servers that receive operating-system file traffic over NFS; stackable file systems, which can be layered flexibly over any underlying file system; and disk-level file systems, which operate at a different level of abstraction and control directories, file metadata and file behaviour together. All of these were designed for the PC and carry high operating overhead, so a lighter encryption and security scheme is required for a mobile terminal.

Recently, many security technologies operating in virtual environments have also been proposed; virtualization, which logically partitions physical resources and distributes them among multiple applications or operating systems, is attracting attention. Virtualization is applied to mobile terminals not only for cost reasons but because of its strong security properties. Its use is therefore increasing, and virtualization-based processing techniques that take the characteristics of the terminal into account are increasingly in demand.

Accordingly, a separated domain combined with a cryptographic file system can be presented as a solution for securely storing and managing a user's personal information and sensitive data on a mobile terminal. Such a solution must provide minimal overhead together with robustness and flexibility of data security.

In this regard, Korean Patent Laid-Open Publication No. 2008-0041420 discloses "an apparatus and method for managing secure data".

DISCLOSURE OF INVENTION

Technical Problem

Accordingly, the present invention has been made to solve the above problems. It is an object of the present invention to provide a security area, separated from the general area by virtualization technology, in which sensitive data is stored and managed securely and efficiently, and a security data management apparatus and method that manage the encrypted data on a per-application basis.

It is another object of the present invention to provide a secure data management apparatus and method that encrypt data before storing it in the secure area and provide stored data to the user only after integrity verification.

It is another object of the present invention to provide a security data management apparatus and method that store and manage data simply, per application, without a directory structure.

According to an aspect of the present invention, there is provided an apparatus for managing security data of a terminal having a general area and a security area, the apparatus comprising: an authentication and access control unit, included in the security area, for authenticating a user of the terminal and an application accessing through the general area; a file system unit, included in the security area, for storing data transferred after authentication in a file format; and a key management and encryption/decryption unit, included in the security area, for performing key management and encryption/decryption of the data stored in file format.

The key management and encryption/decryption unit may include an encryption unit that encrypts and decrypts data with a cipher algorithm; a key management unit that generates, discards and updates the keys used for encryption and decryption; and a data integrity verification unit that verifies data integrity using a hash function.

In addition, the file system unit may be structured as a volume, a bitmap, an object area and a file area.

With the structure described above, the security data management apparatus and method of the present invention encrypt data before storing it in the security area, return stored data to the user only after integrity verification, and so protect it from security threats posed by applications. Even if data is exported to the outside through malicious action, it cannot be decrypted without the key generated inside the terminal, which prevents data leakage.

In addition, the present invention improves file search efficiency by storing and managing data simply, per application, without a directory structure.

FIG. 1 is a diagram explaining the data storage structure of a terminal to which the present invention is applied.
FIG. 2 is a diagram explaining the configuration of a secure data management apparatus according to the present invention.
FIG. 3 is a diagram explaining the structure of a file system according to the present invention.
FIG. 4 is a flowchart illustrating the procedure of a security data management method according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, preferred embodiments of the present invention are described in detail with reference to the accompanying drawings so that a person skilled in the art can readily carry out the technical idea of the invention. In assigning reference numerals to the elements of the drawings, the same elements carry the same numerals wherever possible, even when they appear in different drawings. Detailed descriptions of known functions and configurations are omitted where they would obscure the subject matter of the invention.

FIG. 1 is a diagram explaining the data storage structure of a terminal to which the present invention is applied.

Referring to FIG. 1, the terminal 10 according to the present invention uses virtualization software (S/W) such as a hypervisor or a virtual machine monitor (VMM) to run a guest operating system inside it. In other words, it provides a security area B in which a separate OS runs, isolated from the general area A in which an existing operating system such as Android runs.

Virtualization software falls into hypervisor-type virtualization (Type 1), in which the guest operating system runs directly on the physical hardware, and host-type virtualization (Type 2), in which the guest OS runs on a host OS and has no direct access to the hardware. The present invention can be provided with either type. Important data managed in the security area B can be written to physical storage, internal or external, such as flash memory, USB memory or an SD card, through hardware (H/W) drivers that account for both virtualization types.

The security area B is operated so as to minimize its demands on memory capacity and CPU processing power, by using a lightweight embedded OS suited to the characteristics of the terminal 10 as well as the commonly used Linux OS.

Therefore, the security area B of the terminal 10 can be accessed only after authentication by an authorized application and an authorized user in the general area A, and data from the general area A reaches it only on the basis of that authentication and only through inter-domain communication (IPC). That is, the security area B provides no user-facing application of its own: data the user wants protected is passed from an application that exists only in the general area A to the security area B solely through the designated security API and the IPC.

FIG. 2 is a diagram explaining the configuration of a secure data management apparatus according to the present invention.

Referring to FIG. 2, the file management apparatus 100 (the security data management apparatus) according to the present invention provides a lightweight file system that runs in the separate domain, together with security functions for safely storing and managing sensitive data in it. The apparatus forms the file system structure and reads, writes and deletes data according to the commands it receives. To keep the file system light, a tree-structured directory hierarchy is dispensed with and data is simply managed per application. This is described in detail below with reference to FIG. 3.

The authentication and access control unit 110 authenticates applications and users. Application authentication confirms whether an application in the general area is permitted to transmit data to, and store it in, the secure area; user authentication confirms that the user is the rightful owner of the terminal. The policy and authentication information used by the authentication and access control unit 110 reside in the security area and can be stored and managed by the file system.

The file system unit 120 grants access only to users and applications authorized by the authentication and access control unit. Data received from the general area after authentication is stored in the file system as files. Stored data is encrypted by the key management and encryption/decryption unit, and a data integrity verification value is generated and stored in the file's object.

The key management and encryption/decryption unit 130 encrypts and decrypts data using various cipher algorithms and modes of operation, and generates an integrity verification value, for example a message authentication code (MAC) computed with a hash function, so that it can be verified that the data has not changed.

The key management and encryption/decryption unit 130 also manages the keys used by the encryption function: it generates the keys used for the security functions and periodically discards and updates them.

As described above, the file system running in the security-area OS stores its data in physical storage, a storage region set up by binding the data managed by the file management apparatus to the file system driver.

FIG. 3 is a diagram explaining the structure of a file system according to the present invention.

Referring to FIG. 3, the file system of the present invention is composed of four areas that together operate the storage space for safely managing data: a volume, which holds system information such as the boot record for the secure area; a bitmap, which manages the blocks that make up the file system; an object area, which stores per-file metadata (the objects); and a file area, in which the files and their data are stored.

In particular, the objects (inodes) that make up the file system are created and managed in a fixed number N, the number of files the file system can hold, and each manages the information about the data stored in its file. The objects are stored and managed so that, without the directory structure of a conventional file system, each can be distinguished by the application installed on the mobile terminal and the file name.

When searching by application information and file name, the objects are managed as a linked list per application, so that the search does not have to examine all N objects and the search time is shortened. Each inode holds an inode linker that points to the object (the header information) of the next file belonging to the same application, so files with the same application information can be found efficiently. The data an application owns can be retrieved and accessed only by that application, so the file system module also provides access control by application. When data is shared among related applications, the scope of search and access can be expanded to those related applications.

The inode linker in each inode can be implemented as either a singly linked list or a doubly linked list, and has the corresponding structure. With a doubly linked list, the inode of the previous file is linked in addition to the inode of the next file, which increases search flexibility.

To manage each application's files through the linked-list information in the inode linkers, the following must be managed for each application: the application's ID, the application name, the number of files, the first node and the last node. This information can be stored in the file system and loaded into memory when the file system is mounted, or kept in a separate area.

For example, M installed applications can be managed as follows.

App α = Inode 1 ↔ Inode 2 ↔ Inode 4

App β = Inode 3 ↔ Inode 3 ↔ ... ↔ Inode N

Each object (node) has a fixed size and holds file information such as the file name, the file size, the block address at which the file is actually stored, application information (ID or application name), whether the file is encrypted, the encryption seed value (key), the integrity verification value of the file, and the inode linker.
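
The object layout and per-application inode chain described above, as an added worked example (illustrative code written for this page, not code from the patent or its assignee): a small in-memory model of the four areas, with a doubly linked inode list per application, lookup by application and file name, and access control by application. The block size, block count, inode count, the field names and the SecureFS API are assumptions; encryption and the integrity value belong to the key management unit and are left out here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

BLOCK_SIZE = 64   # assumed block size of the file area, in bytes
NUM_BLOCKS = 32   # assumed number of blocks tracked by the bitmap
NUM_INODES = 16   # N: number of objects (inodes) the file system can hold

@dataclass
class Inode:
    """One object: file metadata plus the inode linker (prev/next file of the same app)."""
    in_use: bool = False
    file_name: str = ""
    file_size: int = 0
    block_addr: int = -1          # first block of the file in the file area
    app_id: str = ""              # owning application
    prev: Optional[int] = None    # inode linker (doubly linked variant)
    next: Optional[int] = None

@dataclass
class AppEntry:                   # per-app header: ID, name, file count, first/last inode
    app_id: str
    app_name: str
    file_count: int = 0
    first: Optional[int] = None
    last: Optional[int] = None

class SecureFS:
    """Volume + bitmap + object area + file area; no directory tree."""
    def __init__(self) -> None:
        self.volume = {"magic": "SFS1", "blocks": NUM_BLOCKS, "inodes": NUM_INODES}
        self.bitmap: List[bool] = [False] * NUM_BLOCKS
        self.objects: List[Inode] = [Inode() for _ in range(NUM_INODES)]
        self.file_area = bytearray(NUM_BLOCKS * BLOCK_SIZE)
        self.apps: Dict[str, AppEntry] = {}   # loaded into memory at mount time

    def _alloc_run(self, n: int) -> int:   # contiguous free run of n blocks
        run = 0
        for i, used in enumerate(self.bitmap):
            run = 0 if used else run + 1
            if run == n:
                self.bitmap[i - n + 1:i + 1] = [True] * n
                return i - n + 1
        raise OSError("file area full")

    def walk(self, app_id: str):   # follow the app's linker chain, not all N objects
        app = self.apps.get(app_id)
        i = app.first if app else None
        while i is not None:
            yield i, self.objects[i]
            i = self.objects[i].next

    def find(self, app_id: str, file_name: str) -> Optional[int]:
        return next((i for i, o in self.walk(app_id) if o.file_name == file_name), None)

    def write(self, app_id: str, app_name: str, file_name: str, data: bytes) -> int:
        if self.find(app_id, file_name) is not None:
            raise FileExistsError(file_name)
        idx = next((i for i, o in enumerate(self.objects) if not o.in_use), None)
        if idx is None:
            raise OSError("no free object")
        start = self._alloc_run(max(1, -(-len(data) // BLOCK_SIZE)))
        self.file_area[start * BLOCK_SIZE:start * BLOCK_SIZE + len(data)] = data
        obj = self.objects[idx]
        obj.in_use, obj.file_name, obj.file_size = True, file_name, len(data)
        obj.block_addr, obj.app_id = start, app_id
        app = self.apps.setdefault(app_id, AppEntry(app_id, app_name))
        obj.prev, obj.next = app.last, None       # append at the tail of the app's list
        if app.last is None:
            app.first = idx
        else:
            self.objects[app.last].next = idx
        app.last, app.file_count = idx, app.file_count + 1
        return idx

    def read(self, app_id: str, file_name: str) -> bytes:
        idx = self.find(app_id, file_name)   # scoped to the caller's own chain
        if idx is None:
            raise PermissionError(f"{app_id} has no file {file_name!r}")
        obj = self.objects[idx]
        return bytes(self.file_area[obj.block_addr * BLOCK_SIZE:][:obj.file_size])

    def delete(self, app_id: str, file_name: str) -> None:
        idx = self.find(app_id, file_name)
        if idx is None:
            raise PermissionError(f"{app_id} has no file {file_name!r}")
        obj, app = self.objects[idx], self.apps[app_id]
        if obj.prev is None:                       # unlink: fix both neighbours' linkers
            app.first = obj.next
        else:
            self.objects[obj.prev].next = obj.next
        if obj.next is None:
            app.last = obj.prev
        else:
            self.objects[obj.next].prev = obj.prev
        app.file_count -= 1
        n = max(1, -(-obj.file_size // BLOCK_SIZE))
        self.bitmap[obj.block_addr:obj.block_addr + n] = [False] * n
        self.objects[idx] = Inode()                # object slot is free again
```

Because walk() follows only the requesting application's chain, another application's file is unreachable by name even when it sits in the same object area; that is the access control by application the text describes. delete() shows what the doubly linked variant buys: the previous file's linker can be patched directly, without walking the chain again to find the predecessor.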

FIG. 4 is a flowchart illustrating the procedure of a security data management method according to the present invention.

Referring to FIG. 4, the security data management method according to the present invention uses the security data management apparatus described above; duplicated description is omitted.

First, a user or an application requests access to the security area through the general area (S100).

Next, the secure data management apparatus authenticates the user or application requesting access (S200).

Next, the secure data management apparatus receives the data transmitted by the authenticated user or application (S300).

Next, the secure data management apparatus converts the received data into file form and stores it (S400).

Next, the secure data management apparatus performs encryption/decryption of the stored data (S500).

In this way, data stored in the security area is kept encrypted, and stored data is provided to the user only after integrity verification, which protects it against security threats posed by applications. Moreover, even if data is exported to the outside, it cannot be decrypted without the key generated inside the terminal.

In addition, the present invention improves file search efficiency by storing and managing data simply, per application, without a directory structure.

While the present invention has been described with reference to what are presently considered practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments; many variations and modifications may be made without departing from the scope of the invention.
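
The procedure S100 to S500, together with the key generation, update and integrity verification of the unit 130, as an added worked example (illustrative code written for this page, not the patent's own): application and user authentication, sealing each file with per-file keys derived from a master key that never leaves the security area, encrypt-then-MAC integrity verification before any data is returned, and periodic key update by re-sealing every file. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-CTR so that the example runs on the Python standard library alone; the application token and PIN scheme, the key derivation labels and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass
class StoredFile:                 # what the file system unit keeps for one file
    app_id: str
    name: str
    seed: bytes                   # per-file encryption seed, kept in the object (inode)
    key_version: int              # master-key generation the file was sealed under
    ciphertext: bytes
    tag: bytes                    # integrity verification value (HMAC-SHA256)

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF: an assumed stand-in for
    AES-CTR so the example runs on the standard library; use a vetted AEAD in practice."""
    stream = b"".join(hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
                      for ctr in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyManager:                 # key management unit: generate, discard, update
    def __init__(self) -> None:
        self.version, self.master = 0, b""
        self.update()

    def update(self) -> None:
        self.master = secrets.token_bytes(32)   # generated in the terminal, never exported
        self.version += 1

    def derive(self, seed: bytes) -> Tuple[bytes, bytes]:   # per-file enc and MAC keys
        enc = hmac.new(self.master, b"enc|" + seed, hashlib.sha256).digest()
        mac = hmac.new(self.master, b"mac|" + seed, hashlib.sha256).digest()
        return enc, mac

def integrity_tag(mac_key: bytes, app_id: str, name: str, seed: bytes, ct: bytes) -> bytes:
    """Encrypt-then-MAC over the ciphertext and the metadata that identifies the file."""
    msg = app_id.encode() + b"\0" + name.encode() + b"\0" + seed + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

class SecureArea:
    """Authentication/access control, file system and crypto units of the security area."""
    def __init__(self, app_tokens: Dict[str, bytes], user_pin: str) -> None:
        self.app_tokens = {a: hashlib.sha256(t).digest() for a, t in app_tokens.items()}
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", user_pin.encode(), self.pin_salt, 50_000)
        self.keys = KeyManager()
        self.sessions: Dict[bytes, str] = {}
        self.files: Dict[Tuple[str, str], StoredFile] = {}

    def authenticate(self, app_id: str, app_token: bytes, user_pin: str) -> bytes:
        """S100/S200: verify both the calling application and the terminal's user."""
        expected = self.app_tokens.get(app_id, b"\0" * 32)
        app_ok = hmac.compare_digest(hashlib.sha256(app_token).digest(), expected)
        user_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", user_pin.encode(), self.pin_salt, 50_000), self.pin_hash)
        if not (app_ok and user_ok):
            raise PermissionError("application or user authentication failed")
        session = secrets.token_bytes(16)
        self.sessions[session] = app_id
        return session

    def _owner(self, session: bytes) -> str:
        if session not in self.sessions:
            raise PermissionError("no authenticated session")
        return self.sessions[session]

    def _seal(self, app_id: str, name: str, data: bytes) -> StoredFile:
        seed = secrets.token_bytes(16)
        enc_key, mac_key = self.keys.derive(seed)
        ct = xor_keystream(enc_key, data)
        return StoredFile(app_id, name, seed, self.keys.version, ct,
                          integrity_tag(mac_key, app_id, name, seed, ct))

    def _open(self, rec: StoredFile) -> bytes:
        enc_key, mac_key = self.keys.derive(rec.seed)
        expected = integrity_tag(mac_key, rec.app_id, rec.name, rec.seed, rec.ciphertext)
        if not hmac.compare_digest(expected, rec.tag):
            raise ValueError("integrity verification failed")
        return xor_keystream(enc_key, rec.ciphertext)

    def store(self, session: bytes, name: str, data: bytes) -> None:
        app_id = self._owner(session)   # S300-S500: receive, file and encrypt the data
        self.files[(app_id, name)] = self._seal(app_id, name, data)

    def load(self, session: bytes, name: str) -> bytes:
        app_id = self._owner(session)                    # access control by application
        rec = self.files.get((app_id, name))
        if rec is None:
            raise FileNotFoundError(name)
        return self._open(rec)

    def rotate_keys(self) -> None:
        """Periodic key update: re-seal every file under a fresh master key."""
        plain = {k: self._open(r) for k, r in self.files.items()}
        self.keys.update()                               # previous master key is discarded
        self.files = {k: self._seal(k[0], k[1], p) for k, p in plain.items()}
```

A record copied out of files (what an attacker obtains if the storage is exported) carries only ciphertext, a random seed and a MAC; without the master key held by KeyManager neither decryption nor a forged tag is feasible, and any change to the ciphertext makes load() fail integrity verification before returning data. The MAC also binds the application ID and file name, so a record cannot be moved under another application's name without detection.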

100: security data management device
110: Authentication and access control unit
120: File system unit
130: Key management and encryption / decryption unit

Claims (1)

1. A security data management apparatus comprising:
an authentication and access control unit, included in a first area of the device, which authenticates an application accessing through a second area of the device and a user of the terminal;
a file system unit, included in the first area, which stores data transferred after authentication in a file format; and
a key management and encryption/decryption unit, included in the first area, which performs key management and encryption/decryption of the data stored in file format.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150077152A KR101761799B1 (en) 2015-06-01 2015-06-01 Apparatus and method for managing data security of terminal

Publications (2)

Publication Number Publication Date
KR20160141462A (en) 2016-12-09
KR101761799B1 (en) 2017-07-26

Family

ID=57574666

Country Status (1)

Country Link
KR (1) KR101761799B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101844534B1 (en) * 2017-10-26 2018-04-02 (주)지란지교소프트 Method for securing electronic file
WO2022182102A1 (en) * 2021-02-23 2022-09-01 삼성전자 주식회사 Method for performing user authentication and device for performing same

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102036256B1 (en) * 2017-12-08 2019-11-26 젝스컴퍼니 주식회사 Android embedded system with enhanced security

Also Published As

Publication number Publication date
KR101761799B1 (en) 2017-07-26

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant