KR20220033109A - Kernel module for excuting encryption function - Google Patents

Abstract

The present invention provides a kernel module performing an encryption function. The kernel module is executed through a preset encryption/decryption algorithm when an open function for data is called, is set to store file information including the data when the data is opened, and to perform encryption based on the stored file information, when a close function for the data is called.

Description

Kernel module that performs cryptographic functions {KERNEL MODULE FOR EXCUTING ENCRYPTION FUNCTION}

The present invention relates to a kernel module that performs an encryption function, and more particularly, to an encryption kernel module operating in a web application server.

In the case of corporate or business computers, important data related to technology development results or technology are stored. In addition, even in the case of a personal computer, data related to personal privacy is stored.

Management of such important data is being provided as a more thorough solution as the security system develops. In particular, it is possible to go through an encryption/decryption process when exporting electronic documents managed by a company.

In the case of the encryption module, especially in the case of unstructured data, encrypted/decrypted data may be stored in a new file format, and encryption policy information of unstructured data registered in the server is managed in an encrypted state.

The proportion of unstructured data among data that companies/institutions need to protect is expected to continue to increase, and the proportion of unstructured data has already exceeded 80%.

However, various types of encryption/decryption techniques may be applied to encryption/decryption of such unstructured data, and in the present invention, an encryption/decryption function according to an efficient encryption/decryption policy will be specifically disclosed.

The present invention is to solve the problems of the prior art described above, and can perform file encryption/decryption.

In an embodiment of the present invention, in a kernel module performing an encryption function, when an open function for data is called, the kernel module is executed through a preset encryption/decryption algorithm, and the data is opened when the data is opened. It is set to store the file information including, and to perform encryption based on the stored file information when the close function for the data is called.

In addition, the kernel module is characterized in that it is determined whether the open function is called after hooking the kernel library call command.

In addition, the stored file information, in the form of a hashmap, is characterized in that the key value and the value value of the file are matched and stored.

In addition, the kernel module is characterized in that it is executed through the preset encryption/decryption algorithm using LD_PRELOAD of Unix.

The present invention relates to a kernel module that performs an encryption function, and can provide an encryption/decryption function by minimizing system modifications.

According to the present invention, encryption/decryption can be performed only by setting the kernel module.

According to the present invention, there is an advantageous effect that the system is not affected when an error occurs in the kernel module.

1 is a diagram conceptually illustrating an encryption system according to an example of the present invention.
2 is a diagram illustrating encryption before encryption according to an embodiment of the present invention.
3 is a view showing after encryption according to an embodiment of the present invention.
4 is a view showing after decoding according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art can easily implement them. However, the present invention may be embodied in several different forms and is not limited to the embodiments described herein. And in order to clearly explain the present invention in the drawings, parts irrelevant to the description are omitted, and similar reference numerals are attached to similar parts throughout the specification.

Throughout the specification, when a part is "connected" with another part, this includes not only the case of being "directly connected" but also the case of being "electrically connected" with another element interposed therebetween. . Also, when a part "includes" a certain component, it means that other components may be further included, rather than excluding other components, unless otherwise stated.

In this specification, a "part" includes a unit realized by hardware, a unit realized by software, and a unit realized using both. In addition, one unit may be implemented using two or more hardware, and two or more units may be implemented by one hardware. Meanwhile, '~ unit' is not limited to software or hardware, and '~ unit' may be configured to be in an addressable storage medium or to reproduce one or more processors. Accordingly, as an example, '~' indicates components such as software components, object-oriented software components, class components, and task components, and processes, functions, properties, and procedures. , subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. The functions provided in the components and '~ units' may be combined into a smaller number of components and '~ units' or further separated into additional components and '~ units'. In addition, components and '~ units' may be implemented to play one or more CPUs in a device or secure multimedia card.

The "user terminal" referred to below may be implemented as a computer or portable terminal that can access a server or other terminal through a network. Here, the computer includes, for example, a laptop, a desktop, and a laptop equipped with a web browser (WEB Browser), and the portable terminal is, for example, a wireless communication device that ensures portability and mobility. , IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet), LTE (Long Term Evolution) communication-based terminal, smart It may include all types of handheld-based wireless communication devices such as a phone, a tablet PC, and the like. In addition, “network” means a wired network such as a local area network (LAN), a wide area network (WAN) or a value added network (VAN), or a mobile radio communication network or satellite It may be implemented in any kind of wireless network such as a communication network.

1 is a diagram conceptually illustrating an encryption system according to an example of the present invention.

1, in the encryption system, the security manager manages the encryption key management/policy server through the administrator server, and the encryption key management/policy server encrypts and manages data for the customer system.

The information security officer accesses the encryption/decryption policy setting server, inputs encryption/decryption information including the key, and allows encryption/decryption information to reach each server.

In the Web Application Server (WAS) filter, the unstructured data uploaded by the user is checked and policy information such as URI, request/response header, and directory information is reviewed to determine whether the data is an encryption target.

In the case of encryption/decryption target, the unstructured data is encrypted/decrypted through API, and the encrypted/decrypted data is stored in the server in the form of a new file.

Encryption policy information of unstructured data registered in the server is managed in an encrypted state.

When a general user checks the encrypted unstructured data stored in the server, in the case of general encryption, it is possible to check only unknown values.

In the case of image anonymization or selective image encryption, you can recognize that the file or unstructured data is encrypted by checking the defined image.

When an authorized user checks the encrypted unstructured data, the WAS filter module checks the encrypted data, decrypts the data according to the user's authority, and stores the original unstructured data in the user's PC.

Authorized users can check the decrypted unstructured data normally.

The kernel module according to the present invention is an encryption module and stores encryption/decryption policies according to a kernel policy defined by a user or an administrator.

The kernel module according to the present invention is performed through an open or close function of a file, and when the corresponding kernel module is called, the encryption module operates.

In the kernel module performing an encryption function, when the open function for data is called, the kernel module is executed through a preset encryption/decryption algorithm, and stores file information including the data when the data is opened, , when the close function for the data is called, it is set to perform encryption based on the stored file information.

Also, the kernel module determines whether the open function is called after hooking the kernel library call command.

In addition, the stored file information is stored in a hashmap format in which a key value and a value value of the file are matched.

In addition, the kernel module is executed through the preset encryption/decryption algorithm using LD_PRELOAD of Unix.

The above-mentioned kernel module may be set in the form of a solution as shown in Table 1 below.

division Contents note cert rootca.crt Used for SSL communication with KMS server sapi_root/conf sapi.cfg Smartguard configuration file ap-kernel.cfg Kernel configuration file sapi_root/data Location of encryption/decryption key file creation sapi__root/data/seed policySeed.so sapi_root/log where the logs are stacked lib/linux_x86_32 libap_smart.so client library Linux/32 bit libap_crypto.so Crypto library Linux/32 bit libap_kernel.so Kernel library Linux/32 bit lib/linux_x86_64 libap_smart.so client library Linux/64 bit libap_crypto.so Crypto library Linux/64 bit libap_kernel.so Kernel library Linux/64 bit

In addition, in order to use the kernel module according to the present invention, a sapi.cfg file must exist in the ${SAPI_ROOT}/conf directory, and the following library values must be set correctly.

Set explanation log level Sets the event logging level.
1. FATAL : Logs fatal errors.
2. WARNING : Logs warnings (business logic errors) including FATAL.
3. INFO: Logs brief information of error information.
4. TRACE : Logs errors, information, and additional processing status. logpath Set the path where the log file will be located. datapath Set the path where the key file will be located. updatetype Set whether to perform key update.
1. online : Performs an update.
2. offline : Update is not performed. updateinterval Set the key update interval (in seconds). UpdateAuth Set whether to include encryption/decryption permission when updating the key.
1. true : Update permission management settings.
2. false : Do not update permission management settings. Saved Set whether to save PolicySeed.
1. true : Save PolicySeed.
2. false : Do not save PolicySeed.
(If necessary, you can get it online.) Confrewrite Set whether to rewrite the configuration file.
1. true : Rewrite the password to clear it.
2. false : Only read the configuration file.

In this case, the settings for verifying the integrity of the encryption/decryption library may be defined as shown in Table 3 below.

Set explanation checkBinary α Set whether to check the integrity of the SmartGuard library.
1. true : Integrity verification is enabled.
2. false : Integrity verification is not used.

In addition, setting the key management system (Key Management System; KMS) access account information may be defined as shown in Table 4 below.

Set explanation accountID Set the KMS access ID. accountPW Set the account password.

In addition, the setting of key management server access information may be defined as shown in Table 5 below.

Set explanation IP Set the KMS server connection address. Port Set the KMS server connection port. Usessl Set whether to use SSL communication when connecting to the KMS server.
1. true : Use SSL communication.
2. false : SSL communication is not used. SSLHostname Set the registration server host name.
(It must be the same as the CN value of the registration server certificate.)
Both PEM and DER file formats are supported.
Ex) cn=alphabit.co.kr, o=apg, c=kr alphabit.co.kr SSLCAFile Set the registration server SSL CA certificate file path.
Both PEM and DER file formats are supported.
Ex) /certstore/alphabit_ca.crt SSLCAPath Set the registration server SSL CA certificate path.
All certificates in that directory are read and processed.
Both PEM and DER file formats are supported.
Ex) /certstore SSLCliCert Sets the client SSL certificate file path.
Both PEM and DER file formats are supported.
Ex) /certstore/alphabit_test_server.crt SSLCliKey Sets the client SSL certificate key file path.
Both PEM and DER file formats are supported.
Ex) /certstore/alphabit_test_server.key SSLPSKey Set the pre-shared key value. (HEX encoding) Timeout Set the policy server access timeout (in seconds).

In addition, the setting of the redundant key management server connection information may be defined as shown in Table 6 below.

Set explanation IP Set the KMS server connection address. Port Set the KMS server connection port. Usessl Set whether to use SSL communication when connecting to the KMS server.
1. true : Use SSL communication.
2. false : SSL communication is not used. SSLHostname Set the registration server host name.
(It must be the same as the CN value of the registration server certificate.)
Both PEM and DER file formats are supported.
Ex) cn=alphabit.co.kr, o=apg, c=kr alphabit.co.kr SSLCAFile Set the registration server SSL CA certificate file path.
Both PEM and DER file formats are supported.
Ex) /certstore/alphabit_ca.crt SSLCAPath Set the registration server SSL CA certificate path.
All certificates in that directory are read and processed.
Both PEM and DER file formats are supported.
Ex) /certstore SSLCliCert Sets the client SSL certificate file path.
Both PEM and DER file formats are supported.
Ex) /certstore/alphabit_test_server.crt SSLCliKey Sets the client SSL certificate key file path.
Both PEM and DER file formats are supported.
Ex) /certstore/alphabit_test_server.key SSLPSKey Set the pre-shared key value (HEX encoding) Timeout Set the policy server access timeout (in seconds).

In addition, general settings of the kernel library according to the present invention may be defined as shown in Table 7 below.

Set explanation log level Sets the event logging level.
1. FATAL : Logs fatal errors.
2. WARNING : Logs warnings (business logic errors) including FATAL.
3. INFO: Logs brief information of error information.
4. TRACE : Logs errors, information, and additional processing status. logpath Set the path where the log file will be located.

In addition, the encryption/decryption policy ID and monitoring directory settings according to the present invention may be defined as shown in Table 8 below.

Set explanation Confcount Set the number to be analyzed. policyID Set the ID of the policy to be applied. Directory Set the directory to be monitored.

In addition, the settings for the policy according to the present invention may be defined as shown in Table 9 below.

Set explanation Confcount Set the number of policies. policyID Set the policy ID. Mode Set the encryption or decryption mode.
1. encrypt : encryption mode
2. decrypt : Decryption mode extDelete Set whether to delete the extension of the original file after encryption/decryption is performed.
1. true : Delete the extension of the original file.
2. false : The extension of the original file is not deleted. extResult Set the extension of the result file after encryption/decryption is performed.
1. nop : Follows the extension of the original file. passprefix Pass if the file name begins with the string set in passprefix.
Multiple character strings can be registered, separated by commas (“”). passsuffix Pass if the file name ends with the string set in passsuffix.
Multiple character strings can be registered, separated by commas (“”). Matchprefix If the file name starts with the string set in matchprefix, encryption/decryption is performed.
Multiple character strings can be registered, separated by commas (“”). Matchsuffix If the file name ends with the string set in matchsuffix, encryption/decryption is performed.
Multiple character strings can be registered, separated by commas (“”). Limitsize Set the limit on the file size.

These encryption/decryption results can be confirmed through the drawings of FIGS. 2 to 4 .

FIG. 2 is a view of the original file before encryption/decryption of the present invention is performed, and FIG. 3 is a view showing the file after encryption is performed, and it can be confirmed that it has been converted into a form that is difficult for a general user to recognize.

4 is a view after the encrypted file is decrypted, and it can be seen that the encrypted file is displayed in the same form as the original file.

An embodiment of the present invention may also be implemented in the form of a recording medium including instructions executable by a computer, such as a program module to be executed by a computer. Computer-readable media can be any available media that can be accessed by a computer and includes both volatile and nonvolatile media, removable and non-removable media. In addition, computer-readable media may include both computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Communication media typically includes computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave, or other transport mechanism, and includes any information delivery media.

Although the methods and systems of the present invention have been described with reference to specific embodiments, some or all of their components or operations may be implemented using a computer system having a general purpose hardware architecture.

The description of the present invention described above is for illustration, and those of ordinary skill in the art to which the present invention pertains can understand that it can be easily modified into other specific forms without changing the technical spirit or essential features of the present invention. will be. Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive. For example, each component described as a single type may be implemented in a dispersed form, and likewise components described as distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the following claims rather than the above detailed description, and all changes or modifications derived from the meaning and scope of the claims and their equivalent concepts should be interpreted as being included in the scope of the present invention. do.

Claims (4)

In the kernel module performing an encryption function,
The kernel module is
When the open function for data is called, it is executed through a preset encryption/decryption algorithm,
When the data is opened, the file information including the data is stored,
When the close function for the data is called, the kernel module is set to perform encryption based on the stored file information. The method of claim 1,
The kernel module is
Kernel module, characterized in that it determines whether the open function is called after hooking the kernel library call command. The method of claim 1,
The stored file information is
As a hashmap format, the kernel module, characterized in that the key value and the value value of the file are matched and stored. The method of claim 1,
The kernel module is
A kernel module, characterized in that it is executed through the preset encryption/decryption algorithm using LD_PRELOAD of Unix.

Images