RU2533061C1 - System for controlling access to created encrypted files - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: system comprises: a unit for storing rules for accessing created encrypted files, a unit for automatic mark-up of created encrypted files, a unit for selecting and analysing access rules, wherein the first input of the unit for automatic mark-up of created encrypted files is connected to the first input of the access control unit, the second input is connected to the first output of the unit for selecting and analysing access rules, the third input is connected to the output of a unit for storing file attributes, the first output is connected to the first input of the unit for storing file attributes, the second output is connected to the second input of the unit for storing file attributes, the third output is connected to the first input of the unit for selecting and analysing access rules, the second input of which is connected to the output of the unit for storing rules for accessing the created encrypted files, the second output is connected to the second input of a unit for controlling encryption/decryption, the third output is connected to the second input of the unit for controlling access, the input of the unit for storing rules for accessing the created encrypted files is connected to the second input of the system.

EFFECT: simplifying the task of managing an access control system.

2 dwg

Description

The invention relates to the field of computer technology, and in particular to the field of protection against unauthorized access (unauthorized access) to information created and stored in computer systems (CS).

One of the key tasks of protecting information processed in the CS is the encryption / decryption of files created by users during the operation of the CS that are designed to store information processed in the CS, respectively, the implementation of access control (delimiting access policy) to encrypted files being created.

Analysis of literary sources allows us to note the following. Despite the fact that the most urgent modern task of protecting the information processed in the CS is the implementation of encryption / decryption of files created by certain access subjects (the subject determines the criticality of the information processed by him, taking into account his role and access to categorized information), in practice, the encryption policy accordingly, the delineation policy is implemented through the object (disk or folder). Those. When assigning differentiation of encryption rights and access rights to encrypted files in the known access control methods, the object is primary; the access rights of subjects are assigned and delimited to it, including automatic encryption of files created in these objects. Moreover, in known methods, the implementation of access control to static and to created file objects does not differ. In any case, access control is implemented for static (created prior to the system administration - assignment of access rights to subjects' objects) objects by assigning attributes to an object (access rights of subjects to an object, including encryption attributes, for example, in NTFS and EFS file systems (encryption file system), which is an add-on for NTFS). T.O. To store encrypted information, an appropriate container (disk or folder) is created, to which the corresponding encryption attributes are set. All files created by users that are stored in such a container are automatically "transparently" encrypted for the user during writing and decrypted during reading.

This approach implies the additional creation by the administrator of an inclusive object (with the assignment of access rights to subjects for it) for each subject (group of equal subjects) of access, which in itself is a complex administrative task. The administration task is complicated many times if the subject of access should be not only an account, but also a process (application) itself, which, for example, is important when implementing encrypted processing of data created within an information system (in a particular case application).

The second problem is that in modern conditions it is the interactive user that is considered as a potential attacker, which puts forward the most important requirement for the implementation of the encryption forced for the user to create files in modern CS. All files created by certain users must be encrypted when stored in the CS or on external drives. This many times complicates the implementation of a differentiating access policy (administration of a security tool) and does not guarantee that all information stored in the CS will be encrypted. This is also due to the presence of folders (shared access objects) in modern OS and applications that are not shared between users. For example, these are folders for storing temporary files. It is impossible to differentiate access to such folders between users, as a result, there is a “channel” for leakage of critical information.

Currently, various access control systems for encrypted generated files are known. Creating a protected (virtual) disk, for example, is implemented in systems such as Secret Disk 4 (www.aladdin-rd.ru), ViPNet SafeDisk (http://www.infotecs.ru), etc. A protected disk can be created for an individual or for collective access (in this case, a single encryption key is used). The owner of the disk assigns access rights to the disk to users. All contents of a virtual disk are stored in a single container file in encrypted form. The operating system perceives the connected virtual disk as a regular disk. For each user, a virtual disk must be created.

Folder encryption (automatic encryption of files located in a folder), for example, is implemented in systems such as Folder Lock 6.2.1 (http://www.newsoftwares.net). Encrypted Magic Folders, PC-Magic Software (http://www.pc-magic.com), etc.

Closest to the technical solution and chosen by the authors for the prototype is a file access control system implemented in Microsoft Windows with the NTFS file system and the EFS encryption file system, which use file attributes, including encryption attributes, to store access rights to files [M. Russinovich, D. Solomon. Microsoft Windows internal device. - St. Petersburg: Peter, 2005 - 992 p. (Chapter 8, Fig. 8-5. An example of access control; Chapter 12, Fig. 12-60. The EFS workflow)]. With regard to the protection of files created in the CS files are used attributes that are installed on folders, including the attribute of automatic encryption / decryption of files created in the folder.

The access control system for encrypted generated files is presented in FIG. The system comprises an access control unit 1, an encryption / decryption control unit 2, a file attribute storage unit 3, and the first input of the access control unit 1 is connected to the first input of the encryption / decryption control unit 2, with the first input of the system 4, the second input of the access control unit 1 - with the first output of the file attribute storage unit 3, the first output - with the first output of the file attribute storage unit 3, the second output - with the first output of the system 5, the first output of the encryption / decryption control unit 2 - with the second input of the attribute storage unit s file 3, the second input - to the second output attribute file storing unit 3, the second output - with the second system output 6, the third input file attribute storage unit 3 is connected to the second input 7 of the system.

The system works as follows. The administrator or the “Owner” of the file object from the second input of the system 7 (from the input of the file access attributes setting) to the file attributes storage unit 3 sets the attributes (rights) of access to the files (to the objects) of the subjects, in which for each file it is indicated which subjects have access right and what access rights to the file are allowed to them (read, write, execute, rename, delete, etc.). For created files, these attributes are set for folders; inheritance of delimitation to files from a folder is implemented. In addition, from input 7, for folders intended for storing encrypted files in them, encryption attributes are set. When requesting access, containing in its composition the name of the subject (the name of the user (account) and the name of the process requesting access, as well as the requested access rights - read, write, etc.) to the file, request access from the first input of the system 4 (from the input of the file access request) it goes to blocks 1 and 2. To process the access request, block 1 from the first output requests the file attributes storage block 3 for the attributes of the file to which access is requested, receives them at the second input and compares the requested access rights to file with permissions na to the file specified in the file attributes. As a result of the comparison, the decisive unit issues a control signal to the first output of system 5 (to the control output of the access control) that allows (if the request does not contradict the permissions) or rejects the access requested from the system from the first input of system 4. Block 2 from the first output requests from the file attribute storage block 3 file encryption attributes to which access is requested (inherited from the folder). Block 2 receives them at the second input and analyzes the need for automatic encryption or decryption of the file to which access is requested. As a result of this analysis, block 2 generates a control signal to the second output of system 6, indicating whether it is necessary to automatically encrypt or decrypt (depending on the request to create / write or read) the file to which access is requested.

The disadvantage of the prototype is that it allows you to implement a delimiting access policy, including the encryption policy of created files, exclusively to static objects (to objects created by the administrator before assigning access rights to folders), to files created in them only indirectly , through static objects - folders. The entire demarcation policy is implemented for two equal entities - the subject and the access object; access rights, including encryption, to the objects of the subjects are established. In the general case, this requires the creation of many container folders (for each user of his own folder on the hard disk, external drives shared on the network, etc.) with the differentiation of access rights to them. This is due to the fact that, again, it is impossible to implement the correct forced access control policy, because not all folders can be divided between users (in the CS there are folders that are not shared between OS users and applications). The entity “user” acts as the subject of access, while in practice the tasks of encrypting information processed within the information system (ie, applications) are relevant. All this limits the functionality of the access control system for encrypted files and significantly complicates its administration.

The present invention solves the problem of expanding the functionality of access control to encrypted generated files and simplifying the task of administering an access control system.

To achieve a technical result, an access control system for encrypted generated files, comprising an access control unit, an encryption / decryption control unit, a file attribute storage unit, the first input of the access control unit being connected to the first input of the encryption / decryption control unit, with the first input of the system, access control unit output - with the first system output, encryption / decryption control unit output - with the second system output, an additional block for storing access rules to the created cipher has been introduced to my files, the block for automatically marking up the encrypted files being created, the block for selecting and analyzing access rules, the first input of the block for automatically marking up the encrypting files being created is connected to the first input of the access control block, the second input is for the first output of the block for selecting and analyzing access rules, the third with the output of the file attribute storage unit, the first output with the first input of the file attribute storage unit, the second output with the second input of the file attribute storage unit, the third output with the first input of the selection and analysis unit access rule, the second input of which is with the output of the access control block for the encrypted files being created, the second output is with the second input of the encryption / decryption control unit, the third output is with the second input of the access control unit, the input of the access rule storage block for encrypted files is with the second input of the system.

New in the present invention is the provision of an access control system for encrypted generated files with a storage unit for access rules for created encrypted files, an automatic marking unit for created encrypted files, a selection and analysis unit for access rules and their relationships.

As a result of the analysis of the prior art by the applicant, including a search by patent and scientific and technical sources of information and identification of sources containing information about analogues of the claimed technical solution, no source was found characterized by features identical to all the essential features of the claimed technical solution. The determination from the list of identified analogues of the prototype as the closest analogue in terms of the totality of features made it possible to establish a set of essential distinguishing features of the claimed access control system for encrypted generated files with respect to the technical result perceived by the applicant. Therefore, the claimed technical solution meets the criterion of "novelty."

An additional search carried out by the applicant did not reveal known solutions containing features that match the distinctive features of the claimed system for controlling access to encrypted generated files. The claimed technical solution does not follow for the specialist explicitly from the prior art and is not based on a change in quantitative characteristics. Therefore, the claimed technical solution meets the criterion of "inventive step".

The combination of essential features in the present invention allowed to expand the functionality of access control to encrypted generated files, as well as to simplify the task of administering an access control system.

As a result, we can conclude that

- the proposed technical solution has an inventive step, because it does not explicitly follow from the prior art;

- the invention is new, since the prior art on available sources of information did not reveal analogues with a similar set of features;

- the invention is industrially applicable, as it can be used in all areas where implementation of access control to encrypted generated files is required.

The invention is illustrated by the drawing shown in Fig.2.

The inventive access control system for encrypted generated files contains: access control unit 1, encryption / decryption control unit 2, automatic markup unit for created encrypted files 3, storage block for access rules for created encrypted files 4, file attribute storage unit 5, selection and analysis unit access rules 6, and the first input of the access control unit 1 is connected to the first input of the encryption / decryption control unit 2, with the first input of the block for automatic marking of the created encrypted files 3, with the first input m of system 7, the output of the access control unit 1 - with the first output of the system 8, the output of the encryption / decryption control unit 2 - with the second output of the system 9, the second input of the block for automatically marking the created encrypted files 3 - with the first output of the block for selecting and analyzing access rules 6 , the third input - with the output of the file attribute storage unit 5, the first output - with the first input of the file attribute storage unit 5, the second output - with the second input of the file attribute storage unit 5, the third output - with the first input of the access rule selection and analysis unit 6, second input One of which - with the output of the block for storing access rules for the created encrypted files 4, the second output - with the second input of the block for encryption / decryption 2, the third output - with the second input of the block for access control 1, the input of the block for storing rules for access to the created encrypted files 4 - with the second input of the system 10.

Let's consider the operation of the access control system for encrypted generated files using various examples

Example 1. Access rights to encrypted generated files are implemented for the user access subject.

From the input 10, the administrator in block 4 sets the rules for access to encrypted generated files. Access to encrypted generated files can be individual for the user or collective. Individual access implies that only this user has the right to access encrypted files created by the user. At the same time, for each user in the encryption system (to which a control signal is issued from system output 9), a file encryption / decryption key is created. The assignment of access rights in this case in block 4 is reduced to listing the accounts by which the created files will be automatically encrypted (subsequently decrypted when accessed for reading), for example, User 1, User 2.

Access request from input 7 (containing the user name and full path name of the executable file of the process that requested access, as well as the requested access type - write / read, etc.) is received in blocks 1, 2, 3.

The purpose of block 3 is the automatic markup of newly created files (or the automatic markup of previously unmodified modified files), as well as the presence of markup on a file when it is accessed again. The user’s account information is used as a markup of the file (in general, the user, the process, there may be a security label, in this example, the user account (the SID of the user is correctly identified). Block 3 based on the access request received from input 7, s the first output requests block 5 for attributes — the markup of the file to which access is requested (if the file is re-created, the file attributes for block 5 are not requested from block 5), and receives them to the third input. for example, block 3 has accounting information - the SID of the user who created the file that is being accessed (either information about the absence of markup on the file is created again or not previously marked) and information information is the SID of the user accessing this file. block 3 is passed to block 6 with a request to select the last rule from block 4 of a suitable rule, and to analyze it.

The choice of the rule is necessary because access subjects in the general case (we will see in the following examples) can be specified by both exact pointers and masks (moreover, one access request in the general case can be covered by several rules, from which you need to choose the one that is most suitable for the process request - according to a more accurate description of the subjects), the analysis is necessary in view of the fact that this block must give the corresponding (different) information to blocks 1, 2, 3, for them to take appropriate actions.

In block 3, block 6 gives information about the need to record attributes (user account information that requested access) for the file whose access request is being analyzed. Attributes should be recorded if the user creates them, the files being created are encrypted based on the rules specified in block 4 (in our example, these are files created by User 1 or User 2) when he creates a new file or when he modifies a file that was not marked up before (for example created by User 3). Based on this, block 3 requests the record of attributes for the corresponding file in block 5 from the first output; attributes are recorded from the second output (user account information in this example) for the corresponding file.

In block 1, block 6 provides information on the permission / prohibition of access requested from the system from input 7. For this example, access should be denied if any user except User 1 accesses the files created by User 1, respectively, any user except User 2 accesses the files created by User 2. Based on this information, block 1 is generated a signal to output 8, allowing / denying the requested access.

In block 2, block 6 gives information about the need to encrypt / decrypt a file to which access has been requested from the system from input 7. For the considered example, the file should be encrypted / decrypted if the access request is made by User 1 or User 2. Based on this information, block 2 generates a signal to output 9, indicating whether it is necessary to automatically encrypt or decrypt (depending on the request, creation / write or read) the file to which access is requested.

The rules may also provide for collective access of users to the created files. Consider an example. Suppose again that users User 1, User 2 have individual access to the files they create, and users User 3, User 4, User 5, User 6 have collective access to the files created by these users (naturally, in the encryption system for all these users ( users of one encryption group) the same encryption / decryption key for files must be set). At the same time, let the following rules for collective access to encrypted generated files be set in block 4: User 3 has the right to write / read to files created by User 3, User 4 has the right to write / read to files created by User 4, User 5 has the right to write / read to the files created by User 5, User 6 has the right to write / read to files created by User 6, User 5 has the right to write / read to files created by User 4, User 6 has the right to read to files created by User 3, User 4 . As you can see, in this case, there is a task of access control among users of one encryption group - to call Encrypted Generated Files).

The system works in the same way as it was considered in the previous case. The difference is as follows. In block 4, input 10 contains the rules that take into account access control for collectively used encrypted files being created (for each encryption group).

In relation to individually used files and encryption groups (a group already acts as an individual here), the request is analyzed as described above. Access control within a group is as follows. Let's look at examples. Let User 6 request reading the file created (which follows when block 3 reads its attributes from block 5) by User 3. Based on the analysis of the rule selected by block 6 from block 4 (and a rule will be selected indicating that User 6 has the right reading to files created by User 3, User 4, User 6) this access from output 8 will be allowed, from output 9 a signal will be issued to decrypt the file when reading it. The markup of the stored file will not change. Let User 6 request the reading of the file created (which follows when block 3 reads its attributes from block 5) by User 5. Based on the analysis of the rule selected by block 6 from block 4 (a rule will be selected indicating that User 6 has the right reading to files created by User 3, User 4, User 6) this access from output 8 will be denied. Let User 5 request a record / modification of the file created (which follows when block 3 reads its attributes from block 5) by User 4. Based on the analysis of the rule selected by block 6 from block 4 (a rule will be selected indicating that User 5 has the right to write / modify files created by User 4, User 5) this access from output 8 will be allowed, from output 9 a signal will be issued to encrypt the file when it is written. It is very important that in this case the markup of the stored file will not change (since the file was originally created by User 4 and it was marked up).

Consider the advantages of the proposed solution.

1. The task of administering an access control system for encrypted generated files is radically simplified. It is not required to create any virtual disks or container folders with differentiated access to them. It is enough to set in block 4 the simplest rules for access to the created encrypted files.

2. Fully implemented forced access control to create encrypted files. All files that will be created regardless of where they are recorded on the hard drive, external file drives, in file objects shared on the network by users who encrypt the created files according to the access control rules specified in block 4, will be encrypted without fail. In this case, the owner of the created file is completely excluded from the administration scheme. The ability to correctly enforce access control to created encrypted files is also due to the fact that it is not necessary to encrypt folders shared between the system and applications in any way between users (in known solutions, this is not possible because all interactive users must be allowed access to such folders, i.e. The encryption key for the folder should be the same for them), because files created by users in such folders are encrypted directly.

Example 2. Access rights to encrypted generated files are exercised for the “user” subject, taking into account the security labels (mandates) of users assigned to them based on the categorization of the information processed by users in accordance with its confidentiality levels.

Mandatory access control in the general case is understood as a method of processing requests for access to file objects based on a formal comparison, in accordance with specified rules, of security labels (credentials) assigned to subjects and access objects (in general, groups of subjects and objects). Security labels, as a rule, are elements of a linearly ordered set M = {M1, ..., Mk} and serve to formalize any properties of subjects and objects.

Access control is implemented based on the rules that define the linear order relation on the set M, where for any pair of elements from the set M, one of the types of relations is set: more, less, equal (in practice, the choice is made of a subset of M isomorphic to a finite subset of natural numbers - such a choice makes arithmetic comparison of security labels natural). Rules for comparing labels are also assigned from any properties of subjects and objects as applied to the task of protecting information.

The widest practical use of the credential method has been found to be the practice of secret paperwork in computer information processing. The basis for the implementation of the processing of categorized information is the classification of information by level of confidentiality. Object security labels reflect the confidentiality category of information that can be stored in the respective objects. The security labels of the subjects reflect the powers (by analogy with the admission form) of the subjects, in terms of access to information of various privacy levels.

We assume that the higher the subject’s authority and the level of confidentiality of the object, the lower their sequence number in the linearly authorized sets of subjects and objects - C = {C1, ..., Ck} and O = {O1, ..., Ok}), the smaller the value of the security label Mi, i = 1, ..., k is assigned to them, i.e.: M1 is less than M2 less than M3 is less ... less than Mk.

Thus, as the accounting information of subjects and access objects, in addition to their identifiers - names, each subject and object are assigned security labels from the set M.

We introduce the following notation:

- Ms - security label of the subject (group of subjects) of access;

- Mo - security label of the access object (group of objects).

In practice, the following access control rules are widely used for mandatory access control, which is used to protect against information privacy violations:

1. Subject C has access to object O in the "Read" mode if the condition is met: Ms is not more than Mo.

2. Subject C has access to object O in the "Record" mode if the condition is met: Ms is Mo.

3. In other cases, access of subject C to object O is prohibited.

However, other rules are also possible, for example, rules for completely isolating the processing of information at various levels of confidentiality or when users perform various roles in the CS (non-hierarchical labels):

1. Subject C has access to object O in the "Read", "Write" mode if the condition is met: Ms is Mo.

2. In other cases, access of subject C to object O is prohibited.

The task of a delimiting policy of access to encrypted generated files during the implementation of mandatory access control for the proposed technical solution consists solely in assigning security labels to MS entities.

Access control is as follows. When a subject creates a new encrypted file, the file will inherit the access subject's credentials - its security label Мс (we will denote the inherited label МСО, when creating the file МСО is taken equal to Мс of the subject creating the file). When requesting access to any file, the presence is analyzed, and if available, the actual value of the MCO security label inherited by this file is analyzed. If the MCO file has a label, this label is compared with the label of the subject who requested access to the file. Me - analyzes the implementation of specified access control rules. As a result of the analysis of this information, taking into account the implemented access control rules, the access to the file requested by the subject is either allowed or denied.

The rules aimed at protecting against downgrading the category of processed information with regard to the use of the claimed technical solution (security labels are assigned only to access entities) are as follows:

1. Subject C has access to object O in the "Read" mode if the condition is met: Мс not more than МСО.

2. Subject C has access to object O in the "Record" mode if the condition is met: Ms is equal to Mso.

The system, in fact, works in this case in the same way as in the example considered earlier. Consider only the differences, which are as follows. From input 10, in block 4, confidentiality levels are set - security labels of MS information (for example, secret information, confidential information), which should be encrypted when writing to a file, and also the correspondence of security labels to access subjects is entered (MS security labels are assigned to users, and only those users who process the information protected in the CS, as a result, the created files that should be automatically encrypted). In addition, in block 4, rules for comparing the labels Мс and МСО are set, on the relation: more, less, equal.

When creating an encrypted file or when modifying a previously unallocated file (with its encryption) in block 3, the attributes of the file are entered in the file attributes (in block 5), which becomes the Mso mark of the marked encrypted file. When accessing the marked-up file by block 3, the label of the MCO file to which access is requested is read from the file attributes stored in block 5, or information that the file is not marked (no label). This information, as well as information about the user (from the access request), comes to block 6. Block 6 receives from block 4 the security label MS for the user determined from the access request, as well as the access control rule. Based on the comparison of the marks Мс and Мсо (obtained from block 3) according to this rule, block 6 forms a decision on the necessity of marking the file with block 3 (if necessary, it gives out in block 3 the security label of the user who has requested access, allowing access (about which block 1 informs ), the need to encrypt / decrypt the file (as reported by block 2.) As a result, the corresponding signals are generated to outputs 8 and 9.

As we see, the proposed technical solution allows implementing a mandatory (using security labels) access control scheme for the encrypted files being created.

In this case, the administration task is even more simplified, in block 4 you only need to assign security labels (numbers) to the categories of information to be processed, which should be encrypted when saving, assign security labels to users and assign rules for their comparison for more, less, equal. That's all. At the same time, users from the same encryption group must be assigned one label. Encryption keys are assigned in the encryption system, respectively, not to users, but to security labels.

Example 3. Access rights to encrypted generated files are implemented for the subject “process”.

The system’s operation is completely analogous to that described in Example 1. The difference is that the subject of access to the created encrypted files is the essence of the process (not the user), identified by the full path name of its executable file. The name of the process requesting access to the file by block 3 is determined from the access request received at input 7.

In block 4, access rules are already set not for users, but for processes that can also have both individual and collective access to encrypted generated files. With collective access, the distinctions between the subjects (processes) of one encryption group can be set.

At the same time, as the accounting information of the access subject that created or modified the previously unallocated file, the access attributes in block 3 (in block 5) do not record the user's SID (name), but the full path name of the process (full path name of its executable file).

The encryption key in the encryption system is already mapped not with the user (group of users), but with the process (group of processes).

Otherwise, the system works in the same way as in the case of controlling access to created encrypted files for users, which is described in example 1.

Using the essence of the “process” as the subject of access to encrypted files being created dramatically expands the functionality of the protection system, allowing cryptographic protection of information processed not by specific users, but within specific information systems (specific processes, including system and applications) .

In this case, again, the system is extremely easy to administer (all system administration is carried out by analogy with example 1, only for the subject of access is “process”).

Example 4. Access rights to encrypted generated files are implemented for the subject “user, process”.

At its core, this example combines Example 1 and Example 3. The access subject is defined by the entity “user, process”, which has a physical meaning - which user creates the encrypted file by which process. The operation of the system is completely similar to the work described in examples 1, 3, but already in relation to the task of the access subject by the entity “user, process”.

The use of the “user, process” entity as the subject of access to encrypted generated files further expands the functionality of the protection system, allowing cryptographic protection of information processed not by specific users and not specific processes, but by specific users within specific information systems.

In this case, again, the system is extremely easy to administer (all system administration is carried out by analogy with examples 1, 2, only for the “user, process” access subject).

Thus, the examples considered illustrate the achievement of the goal - the solution to the problem of expanding the functionality of access control to encrypted files being created, as well as simplifying the task of administering the access control system.

The invention is industrially applicable in terms of the possibility of technical implementation included in the system block automatic markup files and block storage rules for accessing files.

The technical implementation of the block for storing access rules for the encrypted files being created, the block for selecting and analyzing access rules is a fairly standard solution for storing and processing data (access table (matrix)).

The technical implementation of the block for automatic marking of the created encrypted files depends on which file system and how the claimed solution interacts. Consider an example of a technical implementation when the system works with the Microsoft Windows NTFS file system (other technical implementations are possible here).

This decision was tested by the applicant when building a prototype of a means of information protection.

In order for the claimed system not to conflict with the delimitation policy implemented by the OS, the system does not directly use the attributes used by the OS to store data for automatic file marking. To store the file attributes created by the system that are used by the system to implement access control (for automatically writing / reading file markup credentials), so-called “alternative data streams” are used.

An alternative stream is a memory area created “rigidly” attached to a specific file, into which it is possible to write, respectively, from which information can be read. An alternative stream can be deleted and deleted when the file for which it is created is deleted.

NTFS implemented and documented (described the native OS feature) support for alternative data streams (Alternate Data Streams) - it was added to NTFS for compatibility with the Macintosh HFS file system, which used a resource stream to store icons and other file information. Using alternative streams allows you to store data about the file discreetly from the user and not accessible by conventional means. Explorer and other applications work with a standard stream (file) and cannot read data from alternative streams.

Creating alternative threads is a documented opportunity. You can create them, for example, as follows from the command line. First you need to create a base file to which the stream will be attached.

Create a file: C: \> echo Just a plan text file> sample.txt

Next, using the colon as the operator, create an alternative stream:

C: \> echo You can't see me> sample.txt: secret.txt

You can use the following commands to view the contents:

C: \ more <sample.txt: secret.txt

or

C: \ notepad sample.txt: secret.txt

If everything is done correctly, then we will see the text: You can't see me, when you open it from the explorer, this text will not be visible.

An alternative stream allows you to write an unlimited amount of information into it, while it is "rigidly" connected to the base file (to which the stream is attached) - it can be deleted and will be deleted only when the file is deleted.

Comment. Alternative data streams can be attached not only to a file, but also to a folder.

Thus, an alternative stream is a memory area created “rigidly” connected with a particular file into which it is possible to write, from which information can be read (by known, described methods), while the data recorded in the alternative stream are stored secretly from the user and not available by conventional means.

As a result, this documented feature - the described ability to create an alternative stream (protected from users) for a file with the ability to store service information in it (for the claimed system - for storing markup data for encrypted files created), is described, technically feasible and can be used in implementation the claimed technical solution, which was tested by the applicant when creating a prototype of a means of information protection.

All used blocks are technically feasible and their implementation is achieved by standard means.

Thus, in the present invention solved the problem of expanding the functionality of access control to encrypted generated files and simplifying the task of administering the access control system. Given the current level of development of computer technology, it is technically feasible.

Claims (1)

An access control system for encrypted generated files, comprising an access control unit, an encryption / decryption control unit, a file attribute storage unit, the first input of the access control unit being connected to the first input of the encryption / decryption control unit, with the first input of the system, the output of the access control unit is with the first output of the system, the output of the encryption / decryption control unit - with the second output of the system, characterized in that it is additionally entered into it: a block for storing access rules for created encrypted files, bl ok, the automatic markup of the created encrypted files, the selection and analysis of access rules block, the first input of the automatic encryption markup of the created encrypted files is connected to the first input of the access control unit, the second input is the first output of the access rule selection and analysis block, the third input is the output of the block storage of file attributes, the first output - with the first input of the file attribute storage unit, the second output - with the second input of the file attribute storage unit, the third output - with the first input of the access rule selection and analysis unit , the second input of which is with the output of the block for storing access rules for the created encrypted files, the second output is with the second input of the block for encryption / decryption, the third output is with the second input of the block for access control, the input of the block for storing rules for access to the created encrypted files is with the second system input.

Images