KR20160146623A - A Method for securing contents in mobile environment, Recording medium for storing the method, and Security sytem for mobile terminal - Google Patents

Abstract

The present invention relates to a method for protecting a plurality of content in a mobile terminal. The method for protecting the plurality of content in the mobile terminal includes: separating and storing a header part having an entry of a file and folder structure of the plurality of content stored therein, and a body part having a file binary value of the plurality of content stored therein when the plurality of content is stored in the mobile terminal; and partially encoding the plurality of file binaries.

Description

TECHNICAL FIELD [0001] The present invention relates to a method for protecting content in a portable terminal, a recording medium for recording the method in a computer program, and a security system for mobile terminal,

The present invention relates to a method for securing a plurality of content files in a portable terminal.

Recently, as the information society is developed, the use of portable terminals such as smart phones is increasing rapidly. Accordingly, there is a growing demand for a method for securing various contents in a portable terminal.

For example, a problem can be particularly severe in a work environment where an environment is provided in which a cloud service is provided. Therefore, the environment in which the cloud service is provided for the security problem of the portable terminal will be described as an example.

Cloud service is an environment that can distribute large data base in internet virtual space by utilizing web based application and import / process the data from various terminals such as desktop PC, mobile phone, notebook PC, PDA.

At this time, the user does not install and use necessary resources such as an operating system, a storage, an application, security, and the like directly on the user's own terminal but uses the virtual space The user selects the desired guest machine (which can be understood as a kind of virtual machine including the operating system and security as the concept of the logical equipment in the virtual space) at a desired point in time, It is economical because you pay the price based on usage rather than paying.

In addition, the user has the advantage of accessing the cloud network through a terminal performing network connection and basic computation functions at any place, performing tasks requiring a large-capacity storage device, high-performance computing resource, and providing advanced services .

However, in such a cloud computing environment, security threats such as an external hacking attack on contents temporarily stored in a portable terminal are highlighted as the most important issue. In addition, security is a crucial issue in a portable terminal environment even if it is not a cloud environment.

Nevertheless, there is no effective method for security in portable terminals, and much research is needed.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and it is an object of the present invention to provide a security file for protecting various contents from various portable terminals such as a mobile phone, a tablet PC and the like.

As a technical means for solving the above problems, one aspect of the present invention is a security file for protecting and storing a plurality of contents in a portable terminal, the security file comprising: a header part storing entries of a file and a folder structure of the plurality of contents; And a body portion storing a file binary value of the plurality of contents, wherein the plurality of file binaries are partially encrypted.

Preferably, each of the plurality of contents includes an intermediate portion and an end portion of the beginning portion.

Also. The file binaries of the plurality of contents may be mixed with different file binaries to achieve both security and operation speed.

According to another aspect of the present invention, there is provided a method for protecting a plurality of contents in a portable terminal, the method comprising: when a plurality of contents are stored in the portable terminal, The method comprising: storing a file binary value of a content in a body part storing the file binary value, wherein the plurality of file binaries are partially encrypted.

Another aspect of the present invention is to provide a recording medium for recording the above-described method by a computer program.

According to the present invention, there is an effect that a user can easily use a file stored in a user terminal while maintaining a security state effectively.

According to the present invention, even in a portable terminal equipped with an Android, an IOS operating, or the like, the security effect can be effectively promoted without using the same function as the virtual disk driver of Windows.

In addition, according to the present invention, security can be maintained by suffixing file binaries of contents while improving encryption speed by partially encrypting a security file.

FIG. 1 is a schematic configuration diagram of a whole portable terminal security system to which an embodiment of the present invention is applied.
2 is a schematic configuration diagram of a mobile application 1100 mounted in a portable terminal in a cloud computing system of the present invention.
FIG. 3 is a flowchart illustrating a process of installing the mobile application 1100 of FIG. 2 in a portable terminal.
4 is a diagram for explaining the structure of the security file of the present invention.
5 is a diagram illustrating a method of partially encrypting a security file according to the present invention.
FIG. 6 is a flowchart illustrating a process of reading a file using the mobile application 1100 of FIG.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the following embodiments of the present invention may be modified into various other forms, and the scope of the present invention is not limited to the embodiments described below. The embodiments of the present invention are provided to enable those skilled in the art to more fully understand the present invention.

FIG. 1 is a schematic configuration diagram of a whole portable terminal security system to which an embodiment of the present invention is applied.

Referring to FIG. 1, a portable terminal security system includes a plurality of portable terminals 1000 and 2000 connected to a server 10 via a network.

The mobile terminals 1000 and 2000 are illustrated as having mobile applications 1100 and 2100 as a subject using resources of the server 10 on a network in a network environment.

The server 10 is connected to a plurality of portable terminals 1000 and 2000 on a network and provides services such as providing various contents and providing a cloud service to the portable terminals 1000 and 2000.

For example, in a clouding service environment, a server is a physical device that provides system resources (which include OS, CPU, memory, storage device, etc.) to a portable terminal, and a plurality of servers are connected to a plurality of portable terminals (1000, 2000). At this time, the cloud server 10 is shown as including a plurality of servers. For example, the mobile terminals 1000 and 2000 distribute system resources through a guest machine on a virtual space created through virtualization technology. These may be understood as general notions.

2 is a schematic configuration diagram of a mobile application 1100 mounted in a portable terminal in a cloud computing system of the present invention.

Referring to FIG. 2, the mobile application 1100 includes an authentication module 1110, a communication module 1120, a control module 1130, a security module 1140, a display module 1150, and the like. The communication module 1120 performs a function of communicating with the server 10.

The control module 1130 is a module for performing main functions of various applications. For example, if the mobile application is an email application, it can be understood that it performs general functions such as sending, receiving, editing, and displaying an email.

 In addition, if the mobile application is an application for providing a cloud service, it has various functions for performing a cloud service including a function of downloading data from the cloud server, a function of storing data, and a function of performing various edits.

The security module 1140 is a module that performs the main security function of the present invention and creates a security file by fetching the file name and binary data of the file to the portable terminal.

The authentication module 1110 is a module for authenticating a user by communicating with the server 10 in the course of a login.

The display module 1150 is a module for providing a UI to the user terminal. For example, when the user clicks and executes the execution icon, a screen for login is provided.

FIG. 3 is a flowchart illustrating a process of installing the mobile application 1100 of FIG. 2 in a portable terminal.

The user downloads the installation application to the user terminal 1000 and starts installation of the mobile application (S1110). When the installation of the mobile application 1100 is completed, an icon is created in the user terminal 1000 (S1120). When the user clicks the corresponding icon and executes it, a screen for login is provided (S1130). When the user proceeds to log in, the authentication module 1110 of the mobile application 1100 communicates with the server 10 through the communication unit 1131 to authenticate the user (S1140). When the authentication of the user is completed, the mobile application 1100 executes the mobile application. In this process, a security file is generated (S1150). Then, the mobile application 1100 is executed and an execution screen is provided (S1160).

4 is a diagram for explaining the structure of the security file of the present invention.

Referring to FIG. 4, the security file has a header portion and a body portion. In the header portion (a region), an entry of a file and folder structure, and the body portion (b region) has a file binary value.

On the other hand, both the header area and the body area of the security file are encrypted and stored. Specific information in the header section is metadata (file name, logical structure path, binary location, binary size before encryption, hash value of encrypted binary, etc.).

In addition, the encryption can use the Advanced Encryption Standard (AES) algorithm as a US federal standard algorithm, but various types of encryption algorithms can be introduced without limitation.

Creating a security file with this structure is to protect it when downloading and storing contents such as document, video, and e-mail information.

For example, a mobile application is an email application, and the emails are stored as content in a security file. In this case, if the user desires to view the e-mail list, the security file is decrypted and the file header area is read and displayed to the user. Also, when the user requests to open the file, the header area of the file is read, the position of the file binary area is obtained, and the file is accessed and opened.

On the other hand, the security file can be separately used in addition to a built-in and used with a program such as a normal viewer program, a mail program, a moving picture, and a content reproduction program existing in a smart phone device. For example, if a separate content security file is created and various applications are required, it is possible to retrieve the content from the security file.

There is an advantage that security file can be implemented without using Microsoft's Windows virtual disk driver technology. Microsoft's Windows virtual driver is a driver that performs encryption and conversion to show the security file in the window EXPLORER. In the present invention, for example, since a security file is arbitrarily read in a predetermined format in a mobile OS such as Android and IOS, the MS virtual disk driver function may not be used. This makes it possible to apply the above-described security file structure and security function to an OS system that can not use the MS virtual disk driver function.

Other details such as the encryption and decryption method according to the embodiment of the present invention are disclosed in Korean Patent Application No. 2013-23961 (filed on March 3, 2013) and No. 2013-48330 ) May be incorporated herein.

According to the present embodiment, file binaries, which are a plurality of contents, are stored in a body part (area b). In addition, (a) area and (b) area may be encrypted with different encryption keys to provide copy protection for the keys. In this case, a file created using two keys It can be safe.

In the PKI (Pubic Key Infrastructure) method, a separate certificate (for example, a public certificate) is generated and a key is exchanged. Here, a key means a constant that opens and locks a message. This method is problematic due to the increased risk due to the recently reported risk of key exchange. Recently, Korean government agencies are asking for ways to generate and manage keys without going through a certificate exchange process. The key generation method of the present invention can solve such a problem.

In a user terminal (for example, a mobile application), two prime numbers are generated using authentication information (ID, PW, device unique value, MAC, telephone number, etc.). These two prime numbers are used to generate RSA key pair public key and private key. Then, the generated public key and the private key are merged to generate Advanced Encryption Standard (AES) private key 1. Alternatively, the Advanced Encryption Standard (AES) private key 1 may be authenticated using the RSA private key and authentication information. Also, the RSA private key and the AES private key 1 are merged to generate the AES private key 2.

The AES private key 1 is used for encrypting the header of the above-mentioned security file, and the AES private key 2 is used for encrypting the body of the security file. At this time, since the vulnerability of the key of the symmetric key algorithm may be exposed, encryption is performed with the RSA public key. This is to cope with key change and loss.

Meanwhile, a method of managing keys in a cloud server manages keys by generating two prime numbers of the requested information (ID, PW, device unique value, MAC, telephone number, etc.) in the same manner as a user terminal in authentication of a mobile application.

In the cloud server (key management server), the administrator sets the password management period. Assuming that the value is set to the period, for example, one month, the password is changed by the user or the other person, and the authentication request information is also changed and decrypted to the previously encrypted AES private key 1, 2 . Then, it is re-encrypted with newly created AES keys in the above-described manner. The revocation of the key is discarded when the authentication information is revoked.

The reason for storing the AES key in the user terminal is that it must be restored when the key is changed. In addition, the reason for generating the RSA key pair is to encrypt the stored key.

According to the above method, no key exchange is required, and no certificate exchange is required. This has a strong security effect against key exposures due to network sniffing or spoofing. Also, security incidents such as the recently discovered HeartBleed issue are not vulnerable.

On the other hand, since the security file does not belong to a specific OS, it can be applied to various kinds of OS. In addition, the above-described security file can be created without requiring root admin privilege (rooting). Therefore, a security file can be generated by a simple installation process without complicated installation process.

5 is a diagram illustrating a method of partially encrypting a security file according to the present invention.

When an arbitrary file is stored in the security file, the metadata associated with the file is collected and stored in the header area (a). Also, file binaries are separated into beginning, middle, and end, and perform partial encryption at a ratio of about 10% to 100%. When performing partial encryption, the encryption / decryption rate can be significantly improved. When encryption is performed, the body area (b) is updated by the encrypted file binary.

Referring to FIG. 5, contents 1 and 2 have a beginning, a middle, and an end, respectively, each of which is partially encrypted. Preferably, the encryption can be partially performed at 10% to 90%. If the degree of encryption is small, the speed can be improved but there is a possibility of security problems. If there are many parts to be encrypted, the speed is slower but the security is improved. Therefore, it is preferable to perform proper encryption as necessary, and partial encryption of about 30 to 70% is preferable.

On the other hand, partial encryption can potentially expose unencrypted portions of the file. To solve this problem, file binaries are shuffled with different file binaries. With this process, the level of security can be increased.

Hereinafter, a method of shuffling will be described in detail. There is a separate S-BOX required for shuffling, and shuffling is performed using this. Shuffle can be applied by changing the S-BOX and method in the cipher-block chaining (CBC) algorithm, which is an encryption operation mode. This is to eliminate the delay in speed when using cryptographic operation mode.

Also, the reason for using a separate S-BOX is that it can be decrypted when the algorithm is exposed, so it is desirable to create it for the purpose of hiding the algorithm. This S-BOX is also generated with the authentication information of the terminal and the server. Therefore, if the authentication information is changed, the S-BOX is changed, and each terminal has a different S-BOX, so that even if one terminal is cracked, the other terminals need to analyze again so that the confidentiality is high.

Referring to FIG. 5, the shuffling process shuffles in units of blocks, and in the case of the end point of the content 1, the content 2 and the shuffle are performed. After the shuffle, the buffer value is replaced using a separate S-BOX.

On the other hand, when the file is deleted by the user, the meta information of the file is removed from the header area (a) of the security file. At the same time, in the body area (b), the file binaries are empty and the body area (b) is updated. If the file binary is partially encrypted, the scrambled file binary part is restored and the corresponding stored file is deleted.

When a file is changed to a new name, only the metadata information of the header is changed. On the other hand, in the case of modification, a binary region can be newly changed.

The logic structure in the header area is read for listing without having to decode the entire file body. Listener file headers can increase the speed at which files / folders are listed, since viewer behavior is not a process of opening a file.

When security is implemented using a security file, there may be a portion where additional security work is required.

First, when a file is opened, for example, copying by a document file, a screen capture and a clipboard is prohibited.

Second, in the case of file sharing, it is desirable to prevent the file from being stored outside the security file under a different name.

Third, in the case of file sharing, you should prevent files from being shared via email or other online means.

To meet the first requirement, a separate service needs to be provided to prevent screen capture and clipboard activity. Each smartphone manufacturer has a special system for screen capture. Both Android and IOS, which are typical OS, provide screen capture by default. Hardware manufacturers support such capture methods.

To protect your content from the various ways of screen capture, you activate a transparent "Activity" by driving an app's extra service type. More specifically, in the case of Android, users can register an activity associated with the window viewer and extend the activity to almost the same size as the smartphone display. According to this method, when the users perform the capture operation, the already registered view image is captured and the content information to be protected is not screen-captured.

Hereinafter, the capture prevention code is as follows.

In a mobile environment, the manner in which the clipboard operates is such that when the content is copied, the copied content is sent to the manager of the clipboard, and the manager transmits the copied content to the mobile device's app. If we use the data from the clipboard, we use the data sent by the clipboard manager. Security must be introduced for copying by the clipboard.

When it is necessary to protect the content copied to the clipboard, the following method is used. Once you receive a copy from the clipboard manager to be transferred to another app, the mobile application responds to the clipboard with an empty buffer or warning message. When sending data to the clipboard, it is recommended to send data 3-7 times consecutively. There are devices that store multiple clipboards. If you want to use the clipboard in other apps, you will receive the data that we replaced, not the data copied from the clipboard.

For the second condition, continuous monitoring is required to monitor and protect files stored in internal or external memory. When such an event occurs, the file is deleted by the observation means.

For the third condition, files can not be shared via e-mail or online because they are embedded inside the security file. The only way to access secure files is through a secure file interface.

In order to confirm the security of the system according to the present invention, an attempt was made to access the security file after disabling the web sandbox of the OS. When attempting to access the security file, it is confirmed that the file binary space or the virtual file path of the virtual space can not be accessed. Security is maintained. On the other hand, the rate of partial encryption / decryption was measured. Table 1 shows the speed comparison between the proposed scheme and the proposed scheme.

Table 1.

The encryption speed was compared using 10, 20, and 30 files under the same conditions. The existing method for key generation per file was less effective than the proposed method. As more files can be created, a bigger difference has occurred. The maximum time gap between the old and proposed schemes was 38 seconds, as 50 different files were encrypted at the same time. This means that the encryption speed is improved.

FIG. 6 is a flowchart illustrating a process of reading a file using the mobile application 1100 of FIG.

Referring to FIG. 6, after confirming the corresponding folder (S1210), the user can select an arbitrary file in the folder. The folder is configured to check the contents list by processing the information of the header area of the security file.

Here, it is assumed that an arbitrary document file (111.doc) is clicked (S1230). In this case, the mobile application 1100 may launch an event for selecting whether to open the file or not (S1240).

First, if the user has selected to open the file, for example, Android will be in the "data / data / xxx.xxxx (Application File name) /" area and if the iPhone is in the "xxx.xxxxprivate / var / (Application File name) / Document ". Since temporary files are not encrypted, they are stored in the system area to prevent hacking.

Then, the mobile application 1100 performs a function of opening the document file 111.doc. If necessary, the mobile application 1100 may operate in conjunction with an application corresponding to the format of the file to be opened (S1260).

That is, when opening the document file 111.doc, the mobile application 1100 operates in conjunction with the document application installed in the portable terminal of the user. The user will be able to view the document using the document application.

If the document that needs to be opened is a doc file, you can implement it using the following code.

File_extend.equals, intent. setDataAndType Are commands of Java, and if the extension of the file is doc or docx, it shows the viewer which can be linked with msword.

Meanwhile, while the document application is running, the security module 1140 of the mobile application 1100 monitors in real time whether or not the corresponding document application is stored or terminated (S1270). As a result of the monitoring, if the document application performs storage and termination, necessary action is taken (S1280).

Real-time monitoring uses Android's "FileObserver" class as an example. The code below is illustrated.

fileobserver (NotifyEvent, watchdog path)

After setting as above, OnEvent () function is called from Android OS. This method is called CallBack.

OnEvent (NotifyEvent, changed file path)

Through the above function, you will receive notification of the changed path and the above event type.

 After setting as above, OnEvent () function is called from Android OS. This method is called CallBack.

OnEvent (NotifyEvent, changed file path)

On the other hand, if the document application is terminated, the temporary file stored in the system area is deleted. In the case where the document application tries to store at a certain place of the corresponding user terminal, the mobile application 1100 implements such that it can not be stored in another place, or stores the stored file, and deletes the temporary file when the document application is terminated , And if the open document has been modified, you can update the security file and ask the server to synchronize. Alternatively, if the document application is stored in a security file, the document application can be stored so that it can be stored.

Although the present embodiment has been described on the basis that the mobile application downloads and protects the content through the cloud server, the present invention can be applied to various forms not limited to the mobile terminal, as long as it protects a plurality of contents.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit of the invention as set forth in the appended claims. The present invention can be variously modified and changed by those skilled in the art, and it is also within the scope of the present invention.

Claims (5)

A portable terminal security system in which at least one portable terminal is connected to a server via a network,
Wherein the mobile terminal comprises a mobile application, the mobile application has a security file,
The security file includes:
A header portion in which metadata including a file name and a folder structure of a plurality of contents are stored; And a body part storing a file binary value of the plurality of contents, wherein the plurality of file binaries are partially encrypted and mixed with different file binaries.
The method according to claim 1,
Wherein each of the plurality of contents includes a start portion, an intermediate portion, and a terminal portion.
A method for protecting a plurality of contents in a mobile terminal,
When storing the plurality of contents in the mobile terminal, separating the header part in which the metadata including the file name and the folder structure of the contents of the plurality of contents are stored and the body part in which the file binary values of the plurality of contents are stored, However,
Wherein the plurality of file binaries are partially encrypted and interleaved with different file binaries.
The method of claim 3,
Wherein each of the plurality of contents includes a start portion, an intermediate portion, and a terminal portion.
A computer program for carrying out the method according to any one of claims 3 and 4,

Images