RU2584755C2 - Method of protecting availability and security of stored data and system for adjustable protection of stored data - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: group of inventions relates to protection of data recorded in storage with long-term memory, and can be used for protection of availability and security of data. Method of protecting availability and security of stored data for each information unit of plurality of reversible random conversions is selected randomly or pseudo-randomly number r one encoding rule, which is then used to code unit; received code word is broken into t parts, each of which is filled by part secret obtained on number of r using suitable separation circuit secretion, then produced parts are combined.

EFFECT: high data security.

9 cl, 20 dwg

Description

A way to protect the availability and confidentiality of stored data and a system for custom protection of stored data

1 Technical field

The present invention relates to the field of data protection, and in particular to the field of customizable protection of data availability, confidentiality and integrity.

2 prior art

Currently, users of desktop computers, servers, laptops, tablets, smartphones (hereinafter referred to as the general term - computers) have various tasks to protect the stored data. Among the protection tasks, the task of protecting data availability (protection against data loss), the task of protecting data privacy and integrity protection (protection against unauthorized or accidental changes) are especially notable. The object of protection (protected data) and the degree of relevance of one or another of the indicated tasks are determined, as a rule, by the owner of the protected data on the basis of their own experience, existing standards and practices in the field of data protection and information security, or based on legal requirements. For example, for ordinary users (individuals), objects of protection are usually data such as a list of contacts with addresses and telephones, bank card numbers, PIN codes, account numbers,

personal photos, credentials for access to Internet banking and other WEB services. For organizations (legal entities), objects of protection are, for example, data constituting a trade secret, personal data of employees, customers, etc. Further, computer users are understood as individuals and legal entities. Regarding the same type of data for different users, the degree of relevance of protection tasks can be different. For example, with regard to bank plastic card numbers, for some users - individuals, protection of confidentiality and accessibility is relevant, for other users - individuals, only protection of the confidentiality of card numbers is enough, and for a legal entity transferring salaries to plastic cards, data integrity protection is especially important .

For computer users, typical causes of violation of the availability of stored data are usually: accidental data erasure, intentional data erasure as a result of unauthorized access to a computer, loss of data carrier, data carrier theft, failure of data carrier, data encryption by malware. The reasons for violation of confidentiality include unauthorized copying of data, loss of data carrier, theft of data carrier, improper erasure of data during disposal of media or during their service (repair). The integrity of the data is usually violated as a result of a deliberate unauthorized modification of the data (for example, through the action of malicious code) or the failure of a part of the medium (for example, individual cells, sectors).

As a rule, the above data protection tasks are solved with the help of various protection tools, and sometimes with the help of various protection methods. The following is a brief description of the existing methods for protecting data from loss, protecting confidentiality and integrity in order to disclose the essence of the invention.

Existing ways to protect against data loss. Data protection against loss is ensured by means of data backup, for example, using software-hardware or exclusively software implementation of RAID technology (Redundant Array of Independent Disks), described in various patent documents, for example, US patents No. 7392458 (publ. 24.06 .2008), 7437658 (publ. 10/14/2008), 7600176 (publ. 10/06/2009); in applications for US patent No. 2009/0132851 (publ. 21.05.2009), 20100229033, (publ. 09/09/2010), 201101145677 (publ. 06/16/2011), 20110167294 (publ. 07/07/2011), 20110264949 (publ. 10/27/2011). In RAID technology, in modes designed to protect data from partial loss, a pre-selected error-correcting code is used: in RAID-1 mode, for example, a double-repeat code is used, and in RAID-6 mode, the Reed-Solomon code is used. In this case, the encoded data is distributed between the media (disks), usually located in the same structural unit (RAID-array). Depending on the implementation of the RAID technology, one set of media included in the RAID array can be used to create storage in only one mode, or to create several storages, each of which can have its own RAID mode. Patent RU 2502124 C1 (publ. 12/20/2013) proposes a method for distributed storage of data on several media, characterized in that it allows to build a storage device (storage) based on a set of data carriers (hard drives, flash drives, etc.) Resistant to data loss even when a large number of parts of the storage device fail. According to the description of RU 2502124 C1, the memory of data carriers that are part of a secure storage device is fully utilized, and the media themselves are located in one structural unit.

In addition to the methods described above, where a secure storage (ZX) is built on the basis of carriers located preferably in one structural unit or in close proximity to each other, there are also

ways to build network storage. So, in patent RU 2501072 C2 (publ. 10.12.2013), in order to protect data from loss, a method for distributed data storage is proposed, according to which, the storage is a network of nodes (network storage), in which the failure of a node is monitored by a special node (group nodes), and based on the data from the available nodes, data is generated for the new node. In this case, the nodes that make up the network secure storage can be geographically dispersed. Note that in RU 2501072 C2 network nodes can only be used to create one network storage.

US Pat. No. 7,418,439 B2 (published August 26, 2008) proposes a method for constructing a hybrid system that is protected from data loss, which allows protecting data from loss on the basis of both local storage media and network storage media. US 7418439 B2 specifically proposes a virtual file system designed to create repositories that are protected against data loss. The invention of US 7418439 B2 is based on a method of constructing a file system on file systems of existing media (both local and network) in such a way that any request to the virtual file system for changing data in a file is duplicated (mirrored) for underlying file systems. Due to this, an identical copy of the file is stored on different media. This method allows you to create an arbitrary number of storages based on a single set of media with support for mirroring. The disadvantage of the method described in US 7418439 B2 is that only mirroring is used to protect data from loss, which, as noted, for example, in RU 2501072 C2, is often not an optimal and cheap strategy to protect data from loss.

Existing ways to protect against confidentiality and data integrity. The protection of confidentiality and data integrity is usually ensured by applying cryptographic transformations to data, such as GOST 21147-89, AES, 3DES, RSA, GOST R 34.11-2012, SHA. In addition to software implementations of these algorithms, there are also

and hardware solutions. In particular, to protect data privacy, in US 8239690 B2 (publ. 08/07/2013) the design of a secure removable Flash-media is proposed, which highlights a special protected area in which information for user authentication is stored and access to which can only be obtained in a special way developed program stored on the device. Data on the Flash media is encrypted using the key obtained by computing the hash function of the password that the owner of the Flash media enters when authenticating on the device. Ways to protect the confidentiality and integrity of data, in particular, the tool described in US 8239690 B2, in turn, do not solve the problem of protecting data availability.

Confidentiality and integrity protection tools based on a software or hardware implementation, in particular, the algorithms noted above, use secret keys or secret passwords, on the basis of which secret keys are generated. The reliability of protecting confidentiality and integrity in such decisions is based on the assumption that the secret key is always kept secret, and the password is selected by the user in such a way that it is computationally difficult to select. However, in practice, users do not always fulfill the requirements for securing keys or choosing complex passwords, which can lead to weakening of the protection of confidentiality and data integrity. In particular, if the password authentication system is configured to use only complex passwords, for example, in accordance with the recommendations from [?], Then the user often does not remember the password, but writes it [?]. At the same time, in a corporate environment, the user is less motivated to protect corporate data, so the password recorded by him is usually left, for example, glued to the monitor screen, or under the keyboard. In the case of their own information assets (credentials for access to Internet banking, correspondence with partners, etc.), the user is interested in protecting them and, thus, either remembers a complex password or protects the recorded password:

stores a password, for example, in a personal wallet or in a personal phone. Thus, the use of cryptographic transformations to reliably protect confidentiality and integrity leads to the need to manage the life cycle of cryptographic keys or passwords, which leads to the need for users to remember complex passwords. This in turn leads to a weakening of protection, because due to the inconvenience associated with remembering a complex password, the user usually chooses a simple and thus easily matched password. At the same time, the user is ready to experience inconvenience when using a complex password, usually with his own interest in data protection.

Existing solutions for comprehensive protection of accessibility, confidentiality and data integrity. The simultaneous solution of the problems of protecting accessibility, confidentiality and integrity is usually achieved by sequentially applying cryptographic conversion to the data first, and then applying the technology of data backup. Protection of confidentiality and data integrity is relevant both for systems such as RAID, where all media are located in one structural unit, and for distributed storage systems, that is, for network attached storage. So in US Pat. PCI bus. The encryption / decryption key is read from the external storage device and / or requested from the user. In US patent US 8209551 B2 (publ. 06/26/2012), a method for protecting information for RAID arrays is proposed, according to which before writing to the array, the data is divided into several segments, some of which are encrypted, and some remain open, and then from encrypted and unencrypted data checksums are calculated. Encrypted segments, clear segments and checksums more

distributed across RAID disks. At the same time, recovery of unencrypted data is impossible without knowing the secret key known to the legal user. In US patent US 7752676 B2 (publ. 07/06/2010) a method for protecting data in a network storage is proposed, according to which, a user request to read (write) data first goes through the authorization procedure, and only if the operation is allowed, the data is decrypted (encrypted) accordingly on network attached storage. Encryption / decryption keys are stored on the client side.

Another combination protection option is proposed in US 20110107103 A1 (publ. 05/05/2011), according to which the data is stored in the cloud, and the encryption module is stored not on the client side, but on the cloud storage provider side. This solution is usually intended to protect data backups in the cloud, although the original data is stored on the client side in its original form. At the same time, to protect data privacy, the data file is first divided into parts, and then each part is converted using a cryptographic algorithm and written to one or more media in the cloud. Loss protection is provided when data is lost on the client side. In this case, the backup is restored from the cloud. The disadvantage of this solution is that the encryption module is located on the side of the provider, thereby potentially the provider has the ability to access user data. In addition, on the client side, data is not protected from privacy violations.

Note that confidentiality in the combined solutions noted above is also ensured through the use of encryption based on secret keys that are generated or protected with passwords, the problems of using which are noted above. Thus, ensuring confidentiality of data in such combined solutions involves the use of cryptographic keys or

passwords, which leads to the introduction of additional organizational measures regarding either the use of media on which cryptographic keys are stored, or regarding the complexity of passwords. However, remembering complex passwords creates inconvenience for users of security systems, which leads to weakening of the security system, as users often ignore the complexity requirements when choosing a password.

The problem of remembering a complex password or cryptographic key can be solved, for example, using secret distribution methods, when a secret (in this case, a password or cryptographic key) is distributed between devices belonging to the user.

Systems for secure data storage without the use of secret keys are proposed, for example, in patents US 6363481 B1 (publ. March 26, 2002), US 7945784 B1 (publ. 05.17.2011) and US 8345861 B2 (publ. 01.01.2013). The general principle of constructing such systems is the use of (n, k) -security sharing schemes. The data to be protected using the selected (n, k) secret sharing scheme is divided into n parts, which are recorded on n data carriers. Moreover, for any k-1 parts it is impossible to obtain any information about the protected data, and any k parts make it possible to unambiguously restore the protected data. Thus, such protection systems make it possible to simultaneously solve the problems of protecting the availability and confidentiality of data: the loss of no more than nk carriers (parts) allows you to uniquely restore data from the remaining k parts, and unauthorized access (unauthorized familiarization, copying) to no more than k-1 media does not allow recovery of protected data. The general principle of constructing such distributed systems without reference to specific secret sharing schemes is described in US 6363481 B1, and in US 7945784 B1 and US 8345861 B2 some modifications of this system are described and specific (n, k) secret sharing schemes are proposed. Note that in US 6363481 B1 various construction options are considered.

distributed storage using secret keys: 1) encryption of protected data before applying a secret sharing scheme, 2) encryption of individual parts after applying a secret sharing scheme, 3) encryption of protected data and use of a secret sharing scheme for an encryption key, 4) encryption of protected data followed by applying a secret sharing scheme to encrypted data; and using a secret sharing scheme for an encryption key. The distributed storage systems described in US Pat. The disadvantage of these systems is their applicability mainly for the protection of static data, for example, archival copies of documents (see US 7945784 B1). In particular, the procedure for writing data to a secure distributed storage described in US Pat. No. 6,336,481 B1 is suitable for writing a new file (data block). However, the procedure for updating data in a file (in a data block) is not described and seems nontrivial. Since in US 6363481 B1 it is allowed to use different (n, k) -security sharing schemes for different parts of one file, the update procedure becomes even more non-trivial when it is necessary to update a part of a file that partially overlaps with parts to which different ( n, k) -schemes of secret sharing. Note that in systems using (n, k) -security distribution schemes, n carriers are required, which, however, is not always feasible with a large value of n. Also note that these distributed, secure storage systems are designed only to protect the confidentiality and availability of data, and do not provide data integrity protection.

In the patent RU 2485584 C2 (publ. 06/20/2013) another method is proposed for building combined protection that does not require the life cycle management of secret keys or passwords. This method is the closest to the proposed method for simultaneously protecting accessibility.

and confidentiality of stored data. The method described in patent RU 2485584 C2 provides simultaneous protection of data accessibility and confidentiality by dividing the code word into two parts, one of which (confidential), consisting of useful data characters and random characters, is placed in a protected area (for example, in a smart chip card), and the second part - the checksum - is placed in an unprotected area. According to RU 2485584 C2, unauthorized access to a checksum in an unprotected area does not carry any information by inserting random data blocks into the payload block before encoding. The method of organizing protection described in RU 2485584 C2 preferably provides for the explicit allocation of a protected (and thereby more expensive) area and an unprotected area, which does not allow this method to be applied in an environment where it is not known in advance which storage area is protected and which is not is such. For example, this method is not suitable when two identically used ("equal") Flash media should be selected as storage areas for confidential information and checksum. The use of the method described in RU 2485584 C2, in this case, leads to the need for special organizational protective measures when handling a Flash media on which confidential information is stored, which changes its status of "equal rights" in the media used. Also, according to the description of RU 2485584 C2, the encoding method is suitable for devices in which individual memory cells fail. Thus, the failure of a completely unprotected area does not allow the detection and correction of errors in a protected area, and the failure of a fully protected area leads to a complete loss of useful data.

The common disadvantage of combined solutions is the fact that combined solutions are applicable when the user knows in advance what information will be stored in protected storages and what requirements are presented to each of these storages.

However, often in advance the user cannot predict what information will be stored and what requirements are imposed on it. Typically, heterogeneous information is stored on a computer, to which various protection requirements are presented. For example, in relation to a video library collected on a computer, a requirement is made to ensure that only data availability is protected (protection against loss); with regard to bank account / PIN information, confidentiality protection is necessary, and with photographs it is usually necessary to provide data access protection and privacy protection, possibly less strict than with bank accounts / PIN codes. If in advance the user can determine the types of information stored, the requirements for protection, then in this case one of the combined security measures based on RAID technology would be a suitable option. But such solutions are suitable when the stored amounts of information are large enough to allocate protected sections for them in RAID arrays. If the information is small, then allocating a whole section for such information does not make sense. In this case, it is preferable to use the encryption of individual files. Also, if you want to ensure guaranteed deletion of certain data, it is preferable to use the means of guaranteed deletion of individual files, rather than encrypted sections of RAID arrays. This problem is usually solved by special tools that implement algorithms for guaranteed file deletion, for example, the algorithm described in GOST R 50739-95.

All this leads to the fact that if the data owner needs to use backup for some data, for others - encryption and / or integrity control, and for the third - guaranteed deletion, then to solve the tasks it is necessary to use three means of protection that implement respectively, the functions of the RAID array, the functions of computing cryptographic conversions and the functions of guaranteed deletion. Thus, the unsolved problem is the development of a single technical solution that allows

depending on his needs, the user is protected from loss of data, the degree of protection of confidentiality and data integrity, depending on the available storage media, as well as depending on ease of use to flexibly manage protected storage. At the same time, the solution is relevant, firstly, to ensure data confidentiality, without using secret keys for cryptographic conversion, thus, not requiring the cost of managing the life cycle of cryptographic keys, and, secondly, not imposing strict restrictions on the type and quantity media on the basis of which the secure storage is built.

An analysis of the prior art and the possibilities that arise when sharing existing technical solutions allows us to obtain a new result: a way to protect the availability, confidentiality and integrity of stored data (SZDiKHD) and a system of customizable protection of stored data (SNZHD).

3 Disclosure of invention

3.1 Summary of invention

A method is proposed for protecting the accessibility and confidentiality of stored data (SZDiKHD), based on preliminary random coding of data, the division of code words into parts and the distribution of parts on existing data carriers. As a random coding method, a generalized code noise method is used [2]. In order to increase data confidentiality, it is proposed to regularly change codecs by selecting the codec to be used from a previously known set of codecs using a pseudo-random or random number generator. This allows you to strengthen the protection against statistical attacks (see, for example, [4], [5]) and multiple interception attacks (see [6], [7]), which are subject to the classical method of code noise (see, for example, [ 12]). After encoding, the resulting codewords are separated

on an arbitrary number of parts, each of which is recorded on the appropriate medium.

It also offers a system of customizable protection of stored data (SNZHD) based on the consistent application of data conversion, separation of the converted data into parts and distribution of parts across data carriers. The system can use any data conversion algorithm, both to protect data availability and to protect data privacy and integrity. The converted data can be divided into an arbitrary number of parts, which is limited only by the number of available storage media. At the same time, the system allows creating various protected distributed storages on the basis of a single set of storage media in which heterogeneous data conversion algorithms are used.

3.2 Technical result

The technical result of SZDiKHD is to increase the security of data confidentiality through the use of random coding with regular pseudorandom codecs and by distributing parts of code words across multiple data carriers. The technical result of SZKhD is to increase data confidentiality when using the enhanced protection unit, and to optimize the use of data carriers due to the possibility of creating several protected storages on the basis of one set of carriers with different requirements for the availability, confidentiality and data integrity.

4 Brief Description of the Drawings

The invention is illustrated by drawings:

In FIG. 1 shows the functional blocks involved in the SZDiKHD.

In FIG. 2 shows a data coding scheme in SZDiKHD.

In FIG. 3 shows a data decoding scheme in SZDiKHD.

In FIG. 4 shows a computer with a typical set of pluggable storage media.

In FIG. Figure 5 shows the structure of the tree-based file storage system on the protected storage and auxiliary storages, on the basis of which the protected storage is built.

In FIG. Figure 6 shows the structure of SZHKD.

In FIG. 7 illustrates some examples of codeword partitioning.

In FIG. 8 depicts the functional blocks of the SNCHD distributed protection agent.

In FIG. 9 shows the sequence of writing data to the secure storage.

In FIG. 10 shows the sequence of reading data from the secure storage.

In FIG. 11 shows the correspondence between the data being read / written and the data representation in the secure storage as a sequence of information blocks.

In FIG. 12 depicts the application of SNZHD for the organization of secure storage.

In FIG. 13 shows a diagram of a typical computer, on the basis of which SZDiKHD and SNZHD can be implemented.

In FIG. 14 depicts a process for opening a secure vault.

In FIG. 15 depicts a process for closing a secure vault.

In FIG. 16 shows a flow of data from the cache.

In FIG. 17 shows a flowchart of opening a file on a secure storage.

In FIG. 18 shows a flowchart for closing a file on a secure vault.

In FIG. 19 depicts a process for reading data from a file on a secure storage.

In FIG. 20 depicts a process for writing data to a file on a secure storage.

4.1 Detailed Description of the Invention

4.1.1 Method of protecting the availability and confidentiality of stored data

- линейный [n, l,

]-код длины n, размерности l (над полем Галуа F, |F|=q, q - степень простого числа) с кодовым расстоянием

; С - линейный [n, m, d]-код, являющийся подкодом кода

. Кодирование выполняется блоками по k:=l-m символов поля F в блоки по n символов того же поля. В дальнейшем предполагается, что в памяти компьютера, где адресуемой ячейкой памяти обычно является байт (восемь двоичных разрядов), k символов поля F занимают k₁ байтов, а n символов поля F занимают n₁ байтов. Для простоты реализации на компьютере предпочтительно использовать линейные коды

и С над полями Галуа характеристики 2 такие, для которых размерности соответственно m и l и длина n в битовом представлении кратны 8. Не ограничивая список вариантов, примерами подходящих пар кодов (

, С) являются: пара (RM(5,5), RM(2,5)), где RM(r,w) - двоичный код Рида-Маллера, размерности

и длины 2^w; множество пар

, где

- код Рида-Соломона длины N и размерности L над полем F мощности 256, а

- его подкод размерности М.A variant of the use of code noise for data distribution among carriers is described in [8]. This method provides protection against partial data observation and partial data loss. To complete the disclosure of the essence of the invention, we give a description of the code noise method, which, unlike classical encryption algorithms, such as GOST 21147-89, AES, 3DES, RSA, is not used in practice for secure data storage. Let be

- linear [n, l,

] -code of length n, dimension l (over the Galois field F, | F | = q, q is the prime power) with a code distance

; C - linear [n, m, d] -code, which is a subcode of the code

. Encoding is performed in blocks of k: = lm characters of the field F into blocks of n characters of the same field. It is further assumed that in the computer memory, where the addressable memory cell is usually a byte (eight binary bits), k characters of the field F occupy k ₁ bytes, and n characters of the field F occupy n ₁ bytes. For ease of implementation on a computer, it is preferable to use linear codes

and C over Galois fields of characteristic 2 are such for which the dimensions m and l, respectively, and the length n in the bit representation are multiples of 8. Without limiting the list of options, examples of suitable pairs of codes (

, C) are: a pair (RM (5.5), RM (2.5)), where RM (r, w) is the Reed-Muller binary code, dimensions

and length 2 ^w ; many pairs

where

- Reed-Solomon code of length N and dimension L over field F of power 256, and

- its subcode of dimension M.

- порождающая матрица кода

,

- соответствующая проверочная матрица, G и Н - соответственно порождающая и проверочная матрицы базового кода С. Так как С - подкод кода

, то, без потери общности, матрицы

и Н представимы в виде:We describe the rules for encoding and decoding data. Let be

- generating code matrix

,

is the corresponding verification matrix, G and H are the generating and verification matrices of the base code C, respectively. Since C is the code subcode

, then, without loss of generality, the matrices

and H are representable in the form:

- (k×n)-матрица. Кодирование информационного вектора S=(s₁, …, s_k)∈F^k выполняется по правилу:where G * is the (k × n) -matrix,

- (k × n) -matrix. The coding of the information vector S = (s ₁ , ..., s _k ) ∈F ^k is performed according to the rule:

,С) - факторным кодом [факторным, кодеком) [9]. Матрицу

будем называть порождающей матрицей факторного кода (

,С). Генерация псевдослучайного вектора V длины m выполняется любым криптографически стойким генератором псевдослучайных чисел, например, проходящим все тесты NIST [3] на проверку случайности генерируемой последовательности. Предпочтительными в использовании являются генераторы, требующие небольшое число тактов процессора для генерации очередного значения псевдослучайной последовательности. Не ограничивая список вариантов, возможными генераторами могут быть алгоритмы ISAAK, ISAAK+, RC4. Так как для декодирования данных в методе кодового зашумления не используется генерируемая псевдослучайная последовательность, то ре-инициализация (повторная инициализация) генератора псевдослучайных чисел может производиться в любое время по усмотрению кодирующей стороны. Это позволяет повысить стойкость кодового зашумления и исключить возможную атаку анализа данных, закодированных периодической последовательностью.where V∈F ^m is a random (or pseudo-random) vector, and the notation (a, b) for vectors over one field means assigning the vector b to the vector a to the right. The code C is usually called the base code, and the pair (

, C) - factor code [factor codec) [9]. Matrix

will be called the generating matrix of the factor code (

,FROM). A pseudo-random vector V of length m is generated by any cryptographically robust pseudo-random number generator, for example, passing all the NIST tests [3] to check the randomness of the generated sequence. Generators that require a small number of processor clocks to generate the next pseudo-random sequence value are preferred. Without limiting the list of options, ISAAK, ISAAK +, RC4 algorithms can be possible generators. Since the generated pseudo-random sequence is not used to decode data in the code noise method, the reinitialization (reinitialization) of the pseudo-random number generator can be performed at any time at the discretion of the coding side. This makes it possible to increase the robustness of code noise and to eliminate a possible attack on the analysis of data encoded by a periodic sequence.

, то исходное кодовое слово может быть восстановлено однозначно. В общем случае для декодирования имеющегося слова С′, возможно испорченного, сначала применяется алгоритм декодирования кода

для восстановления по слову С′ истинного кодового слова С. Далее, согласно [7], матрицу Н вида (1) всегда можно выбрать так, что извлечение информационного вектора S из соответствующего декодированного кодового вектора С выполняется по правилу:When transmitting over a channel, the codeword C may be corrupted, that is, the recipient will receive the corrupted word C ′ instead of C. Hereinafter, a data transmission channel refers to both spatio-temporal data transmission channels (communication systems) and temporary channels (storage systems). In storage systems, for example, individual memory cells may fail, which can be considered as an obstacle such as erasure. If the number of erased characters of the code word does not exceed

, then the original codeword can be unambiguously restored. In general, to decode an existing word C, possibly corrupted, the code decoding algorithm is first applied

to restore the true code word C. from the word С ′. Further, according to [7], a matrix H of the form (1) can always be chosen so that the extraction of the information vector S from the corresponding decoded code vector C is performed according to the rule:

The indicator of protection from partial observation is the number of possible information words that an observer can receive from the overheard data. This quantity is determined as follows. For the code K and its subcode L, the sequence

, i=0, …, n

, i = 0, ..., n

, то по нестертым данным восстановить данные невозможно в теоретико-информационном смысле, где С^⊥ и

- дуальные коды соответственно к кодам С и

. В общем случае количество претендентов при подслушивании не более µ символов определяется как

.is called the relative inverse dimension / length profile [10], where P _J [M] is the projection of the code M onto the set of coordinate numbers J. It is known that if the number of non-erased characters µ is such that

, then from non-erased data it is impossible to restore data in the information-theoretical sense, where С ^⊥ and

- dual codes respectively to codes C and

. In the general case, the number of applicants when eavesdropping is not more than µ characters is defined as

.

может быть размерности n, тогда матрица

будет квадратной, и, согласно,Note that if data protection against partial loss is not required (for example, the probability of erasing a character is negligible), the code

can be of dimension n, then the matrix

will be square, and according to

[1], data protection in the information-theoretical sense will be provided if the attacker has access to less than d (C ^⊥ ) characters of each codeword, where d (C ^⊥ ) is the code distance for the code C ^⊥ .

The code noise method in some cases is subject to statistical attack and multiple interception attacks (see [4], [5], [6], [7]). In order to protect against such attacks to increase confidentiality, a generalization of the code noise method is proposed. Let FC _q (n, k, µ, ν) be a finite set of factor codecs of cardinality L that transform information vectors of length k (over the field F) into code vectors of length n so that the loss of at most ν characters of the code word allows us to uniquely recover the information word , and eavesdropping on no more than µ characters of the code word does not give the observer any information about the encoded message. An example of a set of FC _q (n, k, µ, ν) can be a subset of codecs corresponding to codes that are combinatorially equivalent (obtained by rearranging the columns in the check matrix) to some noise-resistant code. The difference from the classical code noise method is that in the proposed method, for each information block of length k, the factor codec is not fixed, but is selected randomly or pseudo-randomly from the set FC _q (n, k, μ, ν). Next, this idea is explained to build a way to protect the availability and confidentiality of data in storage systems.

Let there be t (> 0) data carriers (storages), from which an unauthorized observer has access to any t _tap (≥0) (i.e. data can be spied on these storages) and from which any t _err (≥0) may fail (i.e., data on these storages may be lost).

On the basis of triples (t, t _tap, t _err) is selected such codecs _{FC q (n, k, μ} , ν) and the rule partitioning codewords t pieces to:

- the union of t parts made it possible to unambiguously restore the entire codeword;

- any t _tap parts together contained no more than µ different

code characters;

- any t _err parts in total contained no more than ν different code symbols.

It is preferable to speed up operations using such codecs (and, accordingly, such a field F) and such partitioning rules that the length of the codeword, as well as the lengths of the parts of the codeword (after the splitting), are machine multiples of 8. However, others the values of these parameters should not be difficult for specialists competent in the field of applied programming.

Without limiting other splitting options, it is possible to split into equal parts by

. В случае, если n не делится нацело на w, то

частей будут иметь длину w символов, а одна часть будет иметь длину

символов. Отметим, что если t_tap=0 и/или t_err=0, то это означает, что угрозы нарушения конфиденциальности нет и/или нет угрозы утраты данных. В частности, если t_tap=t_err=0, то w=n.characters of field F if

. If n is not completely divisible by w, then

parts will have length w characters, and one part will have length

characters. Note that if t _tap = 0 and / or t _err = 0, then this means that there is no threat of privacy violation and / or there is no threat of data loss. In particular, if t _tap = t _err = 0, then w = n.

The set of codecs FC _q (n, k, µ, ν) is shown in FIG. 1 as a block 100; codecs in this set can be implemented both at the software level and at the software and hardware level. The specific parameters n, k, µ, ν and codecs in the set are configured based on the configuration of the codecs 108 received from the user. Note that all components of the protection block 111 are configured through the control module 112. Codecs must implement a single interface for encoding a data block (encode_data), decoding a data block (decode_data), reading (get_codec_config) and setting codec parameters (set_codec_config). Unity of the interface is preferable for the purpose of universality of the factor coding module 102. Let factor codecs be uniquely numbered by natural numbers from the range [1, L]: FC _q (n, k, µ, ν) = {ƒ ₁ ; ...; ƒ _L }. Before coding the next information

of the word S (∈F ^k ) (101.1 in Fig. 2) received from the input / output request source 101, the factor coding module 102 requests the pseudo random number generator (PSC) 103 the number r (103.1 in Fig. 2) from the range of natural numbers [1, L]. Based on the received number r, the module 102 selects the codec ƒ _r with number r in the set 100 and encodes the information block S with the codec ƒ _r into the code block C. The code word C (102.1 in Fig. 2) is sent to the data splitting block 104, and the factor codec number r goes to the secret sharing unit 105, where any (t, tt _err ) secret sharing scheme is implemented. The algorithm for the secret sharing scheme can be any, for example, it can be a Shamir scheme (the algorithm 109 for the secret sharing scheme is set by the user). In block 104, the codeword is divided into t parts: C ₁ , ..., C _t (104.1 in Fig. 2). Splitting can be performed both in equal parts, and into parts of different lengths. In the general case, splitting into partially intersecting parts is also allowed. Split parameters are configured based on a user-defined configuration 110. In block 105, using the (t, tt _err ) secret separation scheme, the factor codec number r is assigned t parts: R ₁ , ..., R _t (105.1 in Fig. 2), while it is preferable that each part in the bit representation R _i had a length that is a multiple of 8. Parts C ₁ , ..., C _t and parts R ₁ , ..., R _t go to the merger 106, the output of which is a vector of the form: (C ₁ , R ₁ , C ₂ , R ₂ , ..., C _t , R _t ) (106.1 in Fig. 2). which is obtained by attributing bit representations of the parts C _i and R _{i to} each other, i = 1, ..., t. Further, in the distribution module for the storages 107, pairs of the form (C _i , R _i ) (i = 1, ..., n) (107.1-107.t in Fig. 2) are recorded respectively on t storages 113.1, ..., 113.t.

When reading data (see Fig. 3), pairs (C _i , R _i ) [i = 1, ..., t) are read from the storages 113.1, ..., 113.t. For any minimum tt _err parts of a set of R _1, ..., R _t in module 105 recovers number r factorial codec, and then in module 102 the number r is selected factor codec ƒ _r, which is subsequently used to retrieve information vector of words, assembled from the corresponding read parts C _i ,

i∈ {1; ...; t}.

, С), где

- код Рида-Соломона

размерности 160 и длины 240 над полем

, С - код Рида-Соломона

размерности 80 и длины 240 над тем же полем. В этом случае n=240, k=80, µ=80, ν=80, L=100. Если t=2, при этом t_tap=1 или t_err=1, то указанное множество FC_q(n, k, µ, ν) не подходит для данной тройки (t, t_tap, t_err), так как кодовое слово длины 240 нельзя разбить на две части так, чтобы кража любой из них не несла какой-либо информации укравшему о закодированном слове. Зато множество FC_q(n, k, µ, ν) подходит, например, для тройки (3, 1, 1): в этом случае кодовое слово можно разбить на 3 части по 80 символов, и потеря одной части или несанкционированное ознакомление с одной частью не приведут соответственно к утрате данных или нарушению конфиденциальности данных. Так как L=100, то для схемы разделения секрета можно использовать, например, (3,2)-схему Шамира, при этом каждая часть будет представлена не более чем одним символом поля

, для представления которого в памяти требуется не более одного байта.For example, let FC _q (n, k, µ, ν) be a set of one hundred codecs combinatorially equivalent to factor (

, C), where

- Reed-Solomon code

dimension 160 and length 240 over the field

, С - Reed-Solomon code

dimension 80 and length 240 over the same field. In this case, n = 240, k = 80, μ = 80, ν = 80, L = 100. If t = 2, while t _tap = 1 or t _err = 1, then the indicated set FC _q (n, k, μ, ν) is not suitable for this triple (t, t _tap , t _err ), since the codeword length 240 cannot be divided into two parts so that the theft of any of them does not carry any information to the stolen about the encoded word. But a plurality of _{FC q (n, k, μ} , ν) is suitable, e.g., for the triple (3, 1, 1) in this case, the code word can be divided into 3 parts of 80 characters, and loss of one part or unauthorized introduction to one part will not lead respectively to loss of data or violation of data privacy. Since L = 100, for the secret sharing scheme it is possible to use, for example, the (3,2) -shamir scheme, with each part being represented by no more than one symbol of the field

, to represent which in memory requires no more than one byte.

4.1.2 Custom Protected Storage System

Further, as before, a computer is understood to mean any device that has at least one programmable processor, a memory device for long-term and operational storage of the program and intermediate results, as well as interfaces for connecting storage media and network interfaces for connecting to a transmission network data. In FIG. 4. As an example, a desktop computer 400 is shown including, in addition to peripheral data input devices (not shown in FIG. 4), a monitor 401 and system unit 402. The storage devices connected to the computer 400 are conventionally divided into integrated storage devices 403, removable storage devices 405, not connected via network devices 411, one of the functions of which

is data storage and network storage 414. The set of built-in devices 403, as a rule, consists of internal hard drives 404, connected, for example, via ATA, SATA, SAS, Fiber Channel interfaces, etc. The built-in storage devices also include built-in memory, which is not supposed to be removed during normal operation of the computer (built-in memory of a tablet computer, smartphone, etc.). Removable devices 405, in particular, include removable hard drives 406, connected, in particular, via USB, eSATA, SCSI, FireWire; Flash drives connected via USB-interface 407, but SD-interface 408 and mini- or microSD-interfaces (not shown in Fig. 4); floppy disks 409; optical disks 410. The above list of removable devices is not final and can be expanded by storage devices that are connected to external computer interfaces. Non-network connected devices 411 include devices for which data storage is not the only function. Such devices may include, for example, smartphones 412, tablet computers 413, e-readers, audio players (not shown in FIG. 4). A set of network storages, for example, includes file servers (NAS - network area storage) 415, storage networks (SAN - storage area network, not shown in Fig. 4), cloud storages 416, accessible via a local data network or a network public data transmission.

On the basis of a computer and an existing set of storage media, it is proposed to build a system of customizable protection of stored data (SNZHD). To build some kind of secure storage, which we denote SStor, you need T _SStor (≥1) storage media. Storage media is further understood, without limiting the use of other options, storage systems such as local file systems, network file systems, the Windows operating system registry and other systems in which storage is organized on the basis of structures that logically coincide with the structure of storing data in file systems. At

This registry of the operating system is considered as a built-in storage medium (included in group 403). Each SStor protected storage is associated with t _SStor (≥1) storages, each of which represents a dedicated area on one of the T _SStor storage media. Each such area is addressed by a structure specific to the data carrier. For example, if the storage medium is a local or network file system, then such a structure may be a directory. If the storage medium is, for example, the registry of the Windows operating system, then such a structure may be a registry branch. The address of the selected area on the media will be called the mount point of the storage. Within one SStor protected storage, from one t _SStor storage, one storage is selected, hereinafter referred to as the basic storage of SStor protected storage), which will address the SStor protected storage. In other words, from the point of view of the user, work with the protected data in the SStor protected storage is performed by sending I / O requests to the base storage. The remaining t _SStor -1 storages are called auxiliary storage of the SStor protected storage. The numbers t _SStor and T _SStor are related only by the inequality T _SStor ≤t _SStor . Thus, on the basis of one data carrier several storages can be allocated. In this case, the areas addressed by the mounted mount points within the same SStor protected storage should not overlap.

Further, protected storage means a system consisting of a mount point for the basic storage and mount points for auxiliary storage, in which user I / O requests are sent to the address of the basic storage, and data is converted and distributed to auxiliary storage in accordance with the configuration that describes the protected storage .

When placing the protected file in the SStor protected storage, the data of the protected file is converted using the conversion algorithm specified in the protected storage configuration,

splitting the converted data into parts of a selected size and distributing the parts to auxiliary repositories (and, possibly, to the basic repository). Reading data from a protected file located in a protected storage is performed in the reverse order: reading partial data on auxiliary storages (and, possibly, from the basic storage), collecting parts of the data into a single whole, reverse data conversion. Typically, data conversion algorithms in storage systems perform block conversion. However, algorithms that are not block-oriented data conversion algorithms can be applied in SZKhD. For simplicity, but not limiting the other options for the conversion algorithms, the invention is further disclosed in relation to block algorithms. Thus, the protected file can be represented as a sequence of information blocks. The converted information blocks using the selected conversion algorithm will be called code blocks.

The preferred option for organizing data on auxiliary storages is the implementation in which, on auxiliary storages 500.2-500.t _SStor (see Fig. 5), starting from mount points 501.2-501.t _SStor , _respectively , the structure of the file system (or its analogue) is completely repeated ), available on the base storage 500.1, starting at mount point 501.1. Thus, each file located in the protected storage corresponds to one file in the basic storage, starting from the mount point 501.1 and one file per auxiliary storage. Files placed in a protected storage (but before being placed in a protected storage) are called protected files here; files located in the secure storage are called protected files; files located in the basic storage of the SStor protected storage are called basic files, and the corresponding files on auxiliary storages are called auxiliary files. Thus, each protected file corresponds to one base file and several auxiliary files.

In the base file can be stored either only metadata, or metadata and data subjected to conversion. Metadata is ancillary data, for example, about the true size of the protected file, time of the last modification, etc. File size metadata is needed, for example, when the conversion is performed in blocks that are larger than one byte in size. If you do not store the true file size, then the size of the protected file will always be a multiple of the length of the code word, that is, data about the true file size will be lost (if it would not be located in the protected storage). The preferred implementation is when a fixed-size area is allocated for storing metadata at the beginning of the base file on the protected storage.

If the underlying repository does not act as one of the auxiliary repositories, then the base files contain only metadata. If the underlying repository acts as one of the auxiliary repositories, then the base files, in addition to metadata, contain data that has been converted.

It is allowed to implement secure storage when the storage medium for storage 500.1-500.t _{SStor is} the same (i.e., T _SStor = 1). Such an implementation, for example, makes sense when duplication of data in several directories on the same storage medium is necessary.

Further, for simplicity, but without limiting generality, it is assumed that the mount points of the protected and auxiliary stores are directories of file systems.

SNZHD consists of two subsystems (see Fig. 6): a client agent 600 and a distributed protection agent 601. Each of the subsystems 600 and 601 is a software tool installed on a computer. Two options are possible: both subsystems are installed on one computer, or each of the subsystems is installed on a separate computer. Subsystems 600 and 601 interact via communication channel 602. Communication channel 602, in the case of installing subsystems on different computers, can

represent any communication channel through which two computers can exchange data, for example, via Wi-Fi, Bluetooth, a USB cable, through a wired LAN. In the case of installing subsystems: on one computer, the role of the communication channel 602 can be performed by an application program interface through which subsystems 600 and 601 interact. Client agent 600 includes a data capture module 603 and a control module 604. Module 603 intercepts read / write requests 606 of protected data, they are addressed to the secure store SStor and sends them via the communication channel 602 to the distributed protection agent 601. Module 603 can be implemented as a software component (for example, as a driver) embedded in an implemented opera ion processing system I / O request process, or implemented as a software component, using an application programming interface for the operating system, storage systems and implements custom graphics and / or command line interface to work with files on secure storage. The control module 604 obtains the SStor secure storage configuration 605, based on which the data capture module 603 and the distributed protection agent 601 are configured.

In the distributed protection agent, the data receiving module 607 (during the write operation to the SStor secure storage) receives I / O requests from the data interception module 603 and then passes them to the protection module 608, where the request is processed using the security algorithm specified in configuration 605. Data, depending on configuration 605, may also be subject to enhanced protection at block 609. At block 610, a data distribution scheme for t _SStor repositories is _implemented . In the case when the subsystems 600 and 601 are installed on different computers, then the subsystem 600 requires a module 613 that receives requests for reading / writing data from the distributed protection agent 601 in the protected storage, since the basic storage of the protected storage SStor is preferably located on the computer where client installed

agent.

SStor Secure Store Configuration 605 contains five main sections:

- parameters of the basic storage 605.1, which describes such parameters as the mount point of the basic storage, a sign of whether the basic storage can act as auxiliary storage (contain parts of code blocks);

- data conversion parameters 605.2, which describes such parameters as the name of the conversion algorithm, the length of the information block k; code block length n; key length, key container, if the conversion algorithm uses secret keys; in general, the present invention allows the use of any method that converts an information block of data of length k (k≥1) into a code block of data of length n (n≥k) regardless of other blocks with or without a key; in particular, such transformation algorithms can be traditional symmetric or asymmetric transformation algorithms, such as GOST 21147-89, AES, 3DES, RSA, SHA type integrity control algorithms, GOST R 34.11-2012 and others, error protection and data loss protection algorithms , for example, based on noise-resistant Reed-Solomon codes, and others;

- enhanced protection parameter 605.3: the number Q is the number of permutations of bits in a byte (Q≤250), the algorithm P generates permutations based on an integer from the range from 0 to Q, and the algorithm G generates n pseudorandom characters of the field F by an integer from the range from 0 to Q; enhanced protection can be used to protect against statistical attacks; if the input parameter of the algorithm P is the number 0, then the algorithm P generates permutations that do not lead to a change in the order of the bits, i.e. identical permutations.

- parameters of the secret sharing scheme 605.4, which describes the algorithm for the secret sharing scheme (for example, the schemes described in US Pat. Nos. 7,945,784 B1, US 8,345,861 B2 and others can be used);

- data splitting parameters 605.5, which describes the number of auxiliary storages t _SStor , rule П of breaking code blocks into parts, and also the mounting points of auxiliary storages.

In the protection module 608 there is a set (base) 608.1 of data protection algorithms (see. Fig. 8). Each of these algorithms is characterized by a quadruple (n, k, µ, ν), where k is the length (in characters of the field F) of the information block, n is the length of the code block after applying protection, µ is the maximum number of characters of the code block that cannot be obtained any information about the initial information block, ν is the maximum number such that for any n-ν code symbols, the information block is uniquely restored in polynomial time (from n).

The user creating the SStor secure store has t _SStor stores from which any t _tap can be stolen / copied and t _err can fail or be lost (the probabilities of these events are such that they cannot be neglected). Then, for the user with his set of conditions (t _SStor , t _tap , t _err ), the appropriate protection algorithm is one of the algorithms in the set 608.1 with parameters (n, k, μ, ν) such that when breaking the code vector into t _SStor parts:

- the union of t _SStor parts made it possible to uniquely recover the entire codeword of length n;

- any t _tap parts in the aggregate contain no more than µ different code symbols;

- any t _err parts in the aggregate contain no more than ν different code symbols.

It is preferable to speed up operations using such codecs (and, accordingly, the F field) and such partitioning rules that the length of the codeword, as well as the lengths of the parts of the codeword (after the splitting), are machine multiples of 8. However, other values these parameters should not present difficulties for specialists competent in the field of applied programming.

For a given triple (t _SStor , t _tap , t _err ), the user can choose the appropriate protection algorithm. For example, when forming SStor storage parameters after setting triplets _{(t SStor, t tap, t} err), the module 601 may form a list of suitable algorithms and passed to module 600 where the user selects one from the list of security algorithm. The selected algorithm is stored in section 605.2 of configuration 605 when creating SStor secure storage. Note that implementation is possible when parts of different lengths are stored on different storages, if the number of storages t _SStor allows this. After selecting the appropriate protection algorithm, the codeword partitioning scheme is selected and stored in section 605.5 of configuration 605. The partitioning parameters, in particular, describe the composition of each part, namely, the symbol code numbers of the codeword are determined, from the values of which each part is formed. If, for example, t _SStor = 4, t _tap = 1, t _err = 0, then a suitable transformation algorithm can be, for example, an algorithm for which n = 8, k = 4, μ = 4, ν = 0. In this case, the splitting of the codeword without limiting other possible options, for example, can be performed as shown in FIG. 7. Both of these options will not violate the condition that unauthorized access to any t _tap repositories does not provide any information to the attacker about the information block. In particular, in FIG. 7a, the codeword 700 is divided into two disjoint parts: one auxiliary storage corresponds to a part 700.1 consisting of the first, third, fourth and sixth code symbols; the second repository corresponds to part 700.2, consisting of the second, fifth, seventh and eighth code symbols. The splitting of the same codeword in FIG. 7b is designed in such a way that all three parts 701.1, 701.2 and 701.3 have one common code symbol, while part 701.2 is longer than the rest by one code symbol. The partition parameters in configuration 605 are preferably described in the description section of each involved auxiliary storage and define the partition rule P. Thus. for the partition shown in FIG. 7A, in a secure configuration

storages for the first auxiliary storages the set {1; 3; four; 6}, and for the second - {2; 5; 7; 8}. Using the tiling shown in FIG. 7B, in the configuration of the secure storage for the first, second and third auxiliary storage, the sets {1; 3; 4}, {2; four; 5; 8} and {4; 6; 7}.

, каждая из которых имеет длину l_i байт при представлении частей в виде последовательностей нулей и единиц, i=1, …, t_SStor. Далее выполняется проверка на равенство нулю параметра Q из раздела 605.3 конфигурации 605. Если Q=0, то блок усиленной защиты не применяется. Например, блок усиленной защиты не имеет смысла применять, если алгоритм A реализует СЗДиКХД, в который защита от статистических атак уже заложена. Если Q>0, то в модуле 609.1 с помощью генератора 601.1 генерируется случайно или псевдослучайно число r из диапазона от 0 до 250 (занимает в памяти 1 байт), по которому однозначным образом генерируется t_SStor перестановок

, каждая из которых переставляющая биты внутри l_i байтов частей

(стадия 804 на блок-схеме). К каждому байту (в машинном представлении) блока C_i применяется перестановка π_r,i, i=1, …, t_SStor (стадия 805 на блок-схеме). Применение перестановки π_r,i к байтам части C_i будем обозначать π_r,i(C_i). На выходе стадии 805 получаем блок

, i=1, …, t_SStor.We describe the data protection scheme. All functional blocks of the distributed protection agent are configured for parameters from configuration 605 via the control module 611. When data is written to a protected file, each information block S 800 (see Fig. 9) received by module 607 is transmitted to data protection module 608. Based on the parameters 605.2 from the configuration 605, the conversion module 608.2 is configured to one of the protection algorithms A from the set 608.1. The information block S goes through the security procedure 801 and, thus, is converted to a code block C, which then goes on to the partitioning module 608.3 on the basis of the data splitting parameters 605.5 the step of splitting 802 into t _SStor parts:

, each of which has a length l _i bytes when representing parts in the form of sequences of zeros and ones, i = 1, ..., t _SStor . Next, a check is made that the parameter Q from section 605.3 of configuration 605 is equal to zero. If Q = 0, then the enhanced protection block is not applied. For example, the enhanced protection unit does not make sense to apply if Algorithm A implements SZDiKHD, in which protection against statistical attacks is already in place. If Q> 0, then in module 609.1, using generator 601.1, randomly or pseudo-randomly generates a number r from the range from 0 to 250 (it occupies 1 byte in memory), according to which t _SStor permutations are uniquely generated

, each of which permutes bits inside l _i bytes of parts

(step 804 in a flowchart). For each byte (in the machine representation) of the block C _i , a permutation π _{r, i} , i = 1, ..., t _{SStor is applied} (stage 805 in the block diagram). The application of the permutation π _{r, i} to the bytes of the part C _i will be denoted by π _{r, i} (C _i ). At the output of stage 805, we obtain a block

, i = 1, ..., t _SStor .

, состоящей из l_i байт:

в модулеFor each piece

consisting of l _i bytes:

in the module

байт, где каждый блок Г(r)_i имеет длину l_i байтов, i=1, …, t_SStor. Затем выполняется побитовая операция XOR векторов (

) и Г(r), образуя при этом вектор вида:609.2, the gamming stage 805 is performed. Namely, according to the number r, using the algorithm Г, a pseudo-random sequence Г (r) = (Г (r) _1, ..., F (r) _tSStor ) of length

byte, where each block G (r) _i has a length l _i bytes, i = 1, ..., t _SStor . Then the bitwise operation of XOR vectors (

) and Г (r), thus forming a vector of the form:

.

.

, каждая из которых в модуле 609.4 на этапе 808 приписывается справа к соответствующему вектору

XOR Г(r)_i, образуя пару вида

длиной l_i+1 байтов, i=1, …, t_SStor.According to the number r, in the secret separation module 609.3, the secret separation stage 807 is performed (implementing, for example, the Shamir algorithm over the field F ₂₅₁ ), where t _SStor parts are generated (each 1 byte long):

, each of which in module 609.4 at step 808 is assigned to the right of the corresponding vector

XOR G (r) _i , forming a pair of the form

length l _i +1 bytes, i = 1, ..., t _SStor .

передаются в модуль распределения по вспомогательным хранилищам 610, где выполняется процедура 809 записи частей на хранилища.After this, as well as after it was established in test 803 that Q = 0, the final parts

transferred to the distribution module for auxiliary storages 610, where the procedure 809 of writing parts to storages is performed.

Note that the use of enhanced protection module 609 is especially useful when, in the set of protection algorithms 608.1, none of the algorithms provides adequate protection against a statistical attack. For example, if the set 608.1 contains only a simple factor coding algorithm (which, as shown, for example, in [6] and [7], is not resistant to multiple interception attacks), then using the enhanced protection module, where for each codeword its own a set of permutations of bits, you can strengthen the protection of data privacy from statistical attacks. At the same time, the use of a secret sharing scheme does not allow for unauthorized access to t _tap parts (repositories) to restore the number by which a set of permutations is generated. This configuration of SZKhD is actually one version of the implementation of SZDiKHD. To an attacker, in the case of using the enhanced module

protection, for carrying out a statistical attack it will be necessary to accumulate (intercept) a significantly larger volume, which complicates the statistical attack.

Without limiting the possible variants of the P generation algorithms by the number r of a set of permutations of bits, the following simple algorithm P is presented here. Let r = (r ₁ , ..., r ₈ ) be a bit notation of the number r. Then in byte b = (b ₁ , ..., b ₈ ) bits b _i and b _{i + 1} are interchanged if r _{i is} not equal to r _{i + 1} ; otherwise, bits b _i and b _{i + 1} remain in place, i∈ {1; 3; 5; 8}. Note that this algorithm permutes bits only within each byte, but does not rearrange bits between bytes within the same part C _i , i = 1, ..., t _SStor . For a specialist competent in the field of programming, the development of other algorithms for swapping bits, including swapping bits between bytes, should not cause difficulties.

(этап 903 на, блок-схеме фиг. 9), по которым в модуле разделения секрета 609.3 восстанавливается число r (этап 904 на блок-схеме). По полученному числу r в модуле гаммирования 609.2 снимается гамма с частей кодовых слов (стадия 905 на блок-схеме) и применяются обратные перестановки бит в первых байтах частей C_i, i=1, …, t′ (этапы 906 и 907 на блок-схеме). Далее на этапеDecoding when reading data from a protected file is performed according to the following algorithm (see Fig. 10). When a request is made to read an information block from a protected file, the data distribution module for storages 610 performs a read procedure 901, as a result of which parts of the codeword are read from t ′ (≥t _SStor -t _err ) storages. Without loss of generality, we assume that the first t ′ parts are read: C ₁ , ..., C _t ′. (Although, if possible, reading should be performed from all t _SStor storages to speed up the unprotecting operation.) The sizes of the parts and their serial numbers are set in section 605.5 of configuration 605. Based on the Q value from section 605.3 of configuration 605, a check 902 is performed regarding the use enhanced protection module 609. If enhanced protection is used (Q> 0), then the assigned parts are separated from the parts C ₁ , ..., C _t ′

(step 903 on, the block diagram of FIG. 9), by which the number r is restored in the secret sharing module 609.3 (step 904 on the block diagram). Using the obtained number r in gamma module 609.2, the gamma is removed from the parts of the code words (step 905 in the block diagram) and the reverse permutations of bits in the first bytes of the parts C _i , i = 1, ..., t ′ are applied (steps 906 and 907 to the block scheme). Further on stage

(кодовое слово может быть при этом восстановлено не полностью из-за отсутствия части хранилищ) и на основе алгоритма защиты в блоке 608.2 на этапе 909 восстанавливается информационный блок S (если стерто не более ν символов).908, in block 608.3, codeword is collected from the received parts

(the code word may not be completely restored due to the lack of some storage) and, based on the protection algorithm, in block 608.2, at step 909, the information block S is restored (if no more than ν characters are deleted).

Writing and reading data can be performed not only on one information block, but also on sequences of information blocks. In this case, when writing, the data protection operation 801 is performed iteratively for all information words from the sequence, forming a set of code words. For each codeword from the generated codeword sequence, operations 802 through ₈₀₈ are iteratively performed. The result of this is t _SStor sets of codeword parts. Each of the sets is written to the corresponding auxiliary storage during step 809. When reading a set of information words, first, sets of parts of code words are read from auxiliary stores (procedure 901), then, by iteratively applying operations from 902 to 908, a set of code words is generated, and then for each codeword from this set, the deprotection unit 909 is iteratively applied to form a set of information words.

Read / write operations in the data storage system are performed in blocks. Therefore, read or write requests received from the initiator of the request and addressed to the secure storage should be subjected to the procedure of aligning data to the block boundary (see Fig. 11). On the protected storage, addressed by the mount point 1106 of the base storage, the work with the protected file represented within the protected storage by the base file 1100 is organized in such a way that, from the point of view of the initiator of data input / output requests (which, without limiting other options, may be for example, a user-level program), working with such a file is no different from working with a file using the application program interface of the operating system. Although in this case, in fact, in the base file 1100, located in

basic storage 1106, the data in its original form may not be stored. The base file 1100 actually contains metadata and possibly transformed data, if the base store can act as a secondary store. The following is a case where the base file contains only metadata. The work of converting data read from auxiliary files or written to auxiliary files is performed invisibly to the user. If the recordable data block 1104 is not aligned with the border of the information block, then information blocks 1102 and 1103 are read from the protected file before reading. The information blocks 1102 and 1103 are read by reading the corresponding parts of the code words: to obtain the information block 1102 from auxiliary stores addressed by points mount 1108.1, ..., 1108.t _SStor, from the corresponding auxiliary file 1107.1, ..., 1107.t _SStor respectively read portion 1109.1, ..., 1109.t _SStor code block corresponding to the information b CCCH 1102 and then assembled codeword is converted (decoded) into the information word; to obtain the information word 1103 from auxiliary stores addressed by mount points 1108.1, ..., 1108.t _SStor from the corresponding auxiliary files 1107.1, ..., 1107.t _SStor, respectively, parts 1110.1, ..., 1110.t _{SStor of the} code block corresponding to information word 1103 are read and then the collected codeword is converted into an information word. To block 1104, at the beginning, part 1105 from block 1102 is assigned, and at the end of block 1104, part 1101 from block 1103 is added. A data block consisting of series-linked blocks 1105, 1104, and 1101 is further converted (possibly using enhanced protection) and distributed parts of code words for the corresponding auxiliary files. When reading from a secure storage with a mount point 1106 of a data block 1104 that is not aligned with the boundary of an information word, blocks 1102, 1103, as well as blocks placed between them are read. Reading information blocks is performed as described above

the reading scheme of block 1102 or 1103. Only the data section 1104 required in the request is returned to the requestor for reading data; blocks 1105 and 1101 are not returned.

Consider the example of organizing secure repositories for a detailed disclosure of the invention. We will consider an example for the case when the basic storage may also contain encoded data. The software-implemented SNCHD in the form of modules 600 and 601 is completely copied to the long-term memory of the computer 400. After starting, the client agent 600 intercepts the I / O requests addressed to the secure storages and transfers it to the distributed protection agent 601. If the computer 400 has stored video films, for example, in If you need to back up the C: \ films directory, then you can organize a loss-free storage 1200 (see Fig. 12), where the C: \ films directory on the built-in storage is used ohm hard drive 404 of computer 400, and as a backup storage, for example, the \\ server \ films_copy directory on the server 415 file server is used. The protection algorithm in this case is the data mirroring algorithm (double repetition code) and enhanced protection for such storage not used. If it is also necessary to ensure the confidentiality of authentication data (for example, access passwords to Internet banking services, personal mail, etc.) stored on a computer, then this data can be encrypted and stored on any storage device, and the password / encryption key is reliable store, for example, in a hardware cryptographically secure token. For these purposes, a secure storage 1202 can be organized based on the directory selected on the medium 406, for example, C: \ auth_data. In this case, for example, one of the classical algorithms, such as GOST 21147-89, AES, 3DES, RSA, can be used as a security algorithm, while the enhanced protection unit 609 does not make sense, since there is only one storage. If the user is not able to use the encryptor for any reason (for example,

if there is no hardware protected token and / or it is inconvenient to remember a complex key / password), then it (the user) can, for example, be based on a 412 smartphone (represented in the Windows operating system, for example, drive letter D), Flash media 407 (represented in the operating room) Windows, for example, the drive letter E) and the built-in hard drive 404 using code noise [2] or SZDiKHD to organize distributed tamper-proof storage 1201, in which the encoded data is divided into parts distributed by auxiliary tion storage. (In particular, if classical code-based noise is used for protection, then it is reasonable to use the enhanced protection block 609 to protect against statistical attacks.) In this case, for example, the C: \ auth_data_dist directory is assumed to be the base storage, and on the smartphone 412 and Flash media 407 auxiliary stores are selected, for example, D: \ auth_data and E: \ auth_data. Since the user is interested in the careful handling of their devices (Flash-media 407 and smartphone 412), their loss or their uncontrolled abandonment is unlikely. And unauthorized access to partial data, for example, stored on the built-in hard drive 404 of computer 400, either on a smartphone 412, or on a flash media 407, with a suitable choice of code noise or SZDiKHD storage options will not allow you to get useful information about the encoded data. For the same reasons, the loss of one of the media does not violate data privacy. The simultaneous loss of two media (Flash-media 407 and smartphone 412) seems extremely unlikely, so this storage protects data privacy. A distinctive feature of using the described method for ensuring confidentiality based on code data noise (or based on SZDiKHD) with subsequent distribution of data across storages on different data carriers is the absence of the need for cryptographic keys and passwords, which does not create additional burdens on the user,

often arising when using passwords. Confidential data can be decoded when the minimum required number of storages is connected, among which the encoded data is distributed. Note that the parameters of the code noise method (as well as SZDiKHD) can be selected so that the theft / loss of some media does not violate the confidentiality of the data in general, but the legal user is given the opportunity to recover the encoded data from the remaining data.

,С), где

- код Рида-Соломона

, С - код Рида-Соломона

. Выходом кодека будет кодовое слово длины 240 байт, поставленное в соответствие информационному блоку длины 80 байт. Первые 80 байт кодового слова, например, записываются на вспомогательное хранилище С:\auth_data_dist, вторые 80 байт - на вспомогательное хранилище Е:\auth_data, а оставшиеся 80 байт - на вспомогательное хранилище D:\auth_data. Так как

, то утрата (потеря/кража) любого одного вспомогательного хранилища (носителя данных) дает возможность владельцу оставшихся двух вспомогательных хранилищ восстановить закодированные данные. При этом по данным любого одного хранилища приThus, for the configuration considered in the example, without limiting the codec options, for organizing the secure storage 1200, a double-repeat codec with the length of the encoded block of 1 byte can be selected. The output of such a codec will be a codeword of length 2 bytes, each of which repeats the input data byte; the first byte, for example, is written to a file on the base storage C: \ films, and the second byte is written to the file on the auxiliary storage \\ server \ films_soru. Storage 1202 (directory C: \ auth_data) is assumed to be basic and in its files, in addition to data useful to the user, metadata about protected files is also stored; as a protection algorithm, for example, the algorithm GOST 21147-89 can be selected. To organize a secure storage 1201, without limiting the codec options, a code noise codec can be selected based on a pair of codes (

, C), where

- Reed-Solomon code

, С - Reed-Solomon code

. The output of the codec will be a code word of length 240 bytes, which is mapped to an information block of length 80 bytes. The first 80 bytes of the codeword, for example, are written to the auxiliary storage C: \ auth_data_dist, the second 80 bytes to the auxiliary storage E: \ auth_data, and the remaining 80 bytes to the auxiliary storage D: \ auth_data. As

, the loss (loss / theft) of any one auxiliary storage (data carrier) enables the owner of the remaining two auxiliary storage to recover the encoded data. Moreover, according to the data of any one storage at

the specified partition cannot restore the encoded data [8]. Thus, the loss of one of the auxiliary repositories does not violate the confidentiality of the data, and at the same time, protection against the loss of one repository is provided. If an enhanced protection unit is used to organize the secure storage 1201, then, for example, the (3.2) -sharing scheme for sharing Shamir's secret is suitable. The tiling indicated in the example is not the only possible one and does not limit other tiling options. The division can be either equal parts, or not equal. The size of a part of the code word for auxiliary storage, for example, can be determined based on the probability of loss (loss / theft) of this auxiliary storage or auxiliary storage of this type. The possibility of such a choice shows flexibility in setting the degree of data protection using a system of customizable protection of stored data.

размерности и длины n. Тогда восстановление данных по испорченным кодовым словам может быть крайне затруднено при подборе параметров кодового зашумления [2]. Согласно [12], вероятность правильного восстановления стертого бита примерно равна 0,92, поэтомуConsider another example of the use of NWSS. Let the user have frequently created / deleted data that does not make sense to encrypt (for example, because of the extremely low probability of unauthorized access to the computer, or because of the reluctance of the user to remember passwords / keys), but which should not be restored after they are deleted regular means of the operating system. In this case, using SNZHD, it is possible to organize a secure storage with guaranteed deletion of unencrypted data in one rewrite. Such secure storage can be organized on the basis of one auxiliary storage (it is also the base); for example, on media 406, allocate the C: \ sensative_data directory for such data. Since it is known that the recovery of overwritten data occurs with errors [12], it is proposed to use a code noise codec with a code as a protection algorithm

dimension and length n. Then data recovery from corrupted code words can be extremely difficult when selecting code noise parameters [2]. According to [12], the probability of correct recovery of the erased bit is approximately 0.92, therefore

с базовым кодом С Рида-Маллера RM(2,5).to ensure reliable erasure of data in one iteration, it is possible to encode them using a factor code before writing data to a medium

with Reed-Muller base code C RM (2.5).

Note that SZHD can be distributed between two computers 400 and 1203 (see Fig. 12), when only the client agent 600 is installed on the computer 400, and the distributed protection agent 601 is installed on the computer 1203. Any device can act as the computer 1203, supporting interfaces for connecting removable storage devices, network interfaces, as well as supporting working with local and network file systems. Such a computer 1203 may not have data display devices (e.g., no display).

We also note that in SZHKD auxiliary storage can in turn be a protected storage built on the basis of SZKhD. Thus, a cascade (hierarchy) of an arbitrary number of protected repositories can be organized.

5 The implementation of the invention

In FIG. 13 shows a typical diagram of a computer 400. Based on such computers, SZDiKHD and SNZHD can be implemented. A computer is a system of functional blocks — a processor 400.1, random access memory 400.3, static memory 400.7, network interfaces 400.8, a data display device 400.9, data input devices 400.10, and media connection interfaces 400.11 - interacting using algorithms known to a person skilled in the art by system bus 400.12. The processor 400.1 executes instructions 400.2 loaded from random access memory 400.3. Instructions are loaded into RAM either from static memory 400.7 (for example, during loading of the operating system) or from storage media (not shown) connected via interfaces in set 400.11. The operating system is loaded (partially or fully) into the RAM

400.4 (for example, Windows, Linux, QNX), and other software modules 400.5 (file system drivers, device drivers, user-level applications, etc.). Also, in memory 400.3, data 400.6 used by program modules is stored. The set of network interfaces 400.8 can include, for example, interfaces such as RJ-45, Wi-Fi module, COM port, USB and other interfaces through which data can be transmitted / received between computers.

5.1 Implementation of CPA & QCD

In the embodiment shown in FIG. 1 of the SZDiKHD scheme, components 100, 102-107, 112 of block 111 can be implemented both hardware (for example, using programmable hardware logic) and programmatically in the form of software modules running on computer 400. Configuration data 108-110, which is preferred implementations are a structured file with parameters (for example, in XML format), are loaded into block 111 either through a hardware interface (with a hardware implementation), through which block 111 is connected to a query source 101, or through an application software inter face provided by block 111 (in software implementation). In a hardware implementation, block 111 is connected to a query source 101, for example, via a USB interface. Note that the connection interface can be any other standard interface: COM, LPT, RJ-45, SCSI, PCI, etc. As a source of requests 101, in one exemplary embodiment, there may be a computer 400. In this case, the device 111, from the point of view of the computer 400, is a storage medium, for example, a Flash medium. The operation of the device 111 is performed as with a conventional Flash-drive. The control unit 112 is responsible for the implementation of the logic of representing block 111 as a storage medium. To the block 111 (with its hardware implementation), storage media are also connected via standard interfaces, for example, via USB interfaces. Block 107 is responsible for the distribution of data on these media. The same block 107 interacts with block 112 and signals

About connected storage media. For example, if all the necessary storage media are connected, then block 111 is presented to the requester (in the example, computer 400) as one storage medium. If not all storage media are connected, then block 111 should not be defined as a storage medium.

With a software implementation in Windows environment version 4.0 or later, block 111 can be implemented as, for example, a filtering file system driver that intercepts requests from an operating system I / O manager. In this case, the I / O manager appears as the source of requests 101. Module 107 in this case can also be implemented as a driver using file system interfaces, network subsystem interfaces, and interfaces of other systems that make it possible to organize data storage by the type of file systems. Codecs 100 can be implemented as kernel-level or user-level software services with an access interface from kernel mode. For a specialist in this field, the software implementation of block 111 should not be difficult at the application level (not at the kernel level), as well as in another operating environment.

5.2 Implementation of NWSS

Modules 600 and 601 are software modules executable on a type 400 computer. It was previously noted that these modules can be located on different computers. Note that for module 601, computer 400 may not include a display 400.9 and / or data input devices 400.10. Each of the modules 603, 604, and 613 can be implemented as one of the software modules 400.5, both at the application level and at the kernel level of the operating system. For transparent operation of Agent 600, the preferred implementation option is to implement module 603 as a driver that intercepts file operations of creating, writing, reading, closing, deleting, renaming a file, for example, as a filtering driver for the Windows operating system

not lower than 4.0. Another embodiment of module 603 may be an application-level software component that uses the application program interface of the operating system for working with data storage systems and implements a user graphic and / or command interface for working with files on protected storages. The local storage access module 613 is preferably implemented as a network module that receives and transmits data via a protocol, for example, TCP / IP, and interacts via a software interface (application or kernel level) with local file system drivers and other modules that allow organizing storage data.

The set of security algorithms 608.1 may include any number of codecs that implement any data conversion algorithms over a predefined interface. The codec interface consists of the functions of performing forward and reverse data conversion, the key loading function, and the functions of creating an encoder and decoder according to the parameters specified in the 605 configuration.

SStor secure storage configuration 605 contains the following required parameters: secure storage mount point - basic storage; number t _SStor auxiliary storage; auxiliary storage mount points; transformation algorithm parameters; parameters for splitting the code word into parts; secret sharing scheme parameters; parameters of the data gamma algorithm.

SNZKhD allows to create any number of protected storages with various protection algorithms on the basis of one set of storage media. Module 600 connects to the I / O request initiator using the data input / output software interface used on the computer. At the time of connecting or loading module 600, module 603 initializes the list of open protected storages 603.1, as well as the cache 603.2 for storing metadata about recently opened / recently created files on basic storages. The purpose of the cache is explained

Further.

Information about the new protection algorithm is added to the set of protection algorithms 608.1 at the time the module 608 receives the registration request protection algorithm implementation module from the corresponding module. If there is no such module in the 608.1 set, then the interface of the new algorithm is added to the list. The request to register the algorithm interface is initiated by the module that implements this interface, after this module determines that the module 608 is loaded and ready to receive requests. The search for the security algorithm in module 608 in list 608.1 can be performed by any set of properties of the algorithm that uniquely identifies it, preferably by the name of the algorithm (for example, RM_CODEC is the name of the codec for the Reed-Muller code), the length of the information block, the length of the code block.

The list of protected vaults 603.1 includes newly opened vaults, each of which must have a unique set of properties for uniquely finding the vault, for example, a unique vault name. Module 603, when intercepting I / O requests, uses list 603.1 to determine which store the request is addressed to. In the structure that describes the protected storage, in addition to the list, auxiliary stores of which it consists, contains a sign that indicates whether the protected storage is in read-only or read / write mode. Based on the value of this feature, a decision is made in module 603 about the possibility of writing to the secure storage. The data recording operation may be prohibited in the case when not all auxiliary stores are connected, however, the parameters of the codec used are such that data can be unambiguously restored (read) from the existing set of auxiliary stores. The cache module 603.2 is designed to speed up the processing of requests for opening files. Since it is necessary to read metadata when opening a file, and file open operations can be performed quite often, it is preferable to have metadata for some time

store in cache 603.2. Cache 603.2 is preferably implemented as storage in RAM 400.3, for example, in the form of a unidirectional list, each element of which, in addition to a link to the next element in the list, contains metadata about the corresponding file. To increase the speed of work, cached data can be stored in the form of a tree repeating the tree-like structure of placing files on the protected storage, starting from the mount point of the base storage.

The creation or opening of an existing secure storage is initiated by sending the configuration 605 to the control module 604 of the SZKhD, which analyzes the configuration parameters and performs a series of checks before creating a secure storage (see Fig. 14). Among the main checks should be a check 1402 for the presence of a mount point for a secure vault on the underlying vault. In the absence of such a mount point, an error of creating / opening a secure storage is signaled. Otherwise, verification is performed 1404 of the presence of the protection algorithm specified in the configuration in the list of algorithms 608.1 registered in the system. If the corresponding module is not available, an error is reported about the creation / opening of the protected storage. Otherwise, a check is performed 1403 about the availability of auxiliary storages specified in the configuration and access interfaces to them. In the absence of at least one repository, the user should be sent a message about the error of opening the repository in normal mode. At the same time, based on the parameters of the protection algorithm from the configuration, a check is performed 1410 on whether the data can be restored without missing auxiliary storage. In fact, it checks that the number of missing repositories is at most t _err . If the data can be restored, the read-only flag is set for the secure storage (block 1409) and then preferably in the memory 400.3 of the computer 400 on which the client agent 600 is installed, a structure is created that describes the parameters of the secure storage and is added to the open / created secure vaults

603.1. In this mode, the user is given the opportunity to recover all the data that was previously recorded on the protected storage. If, during verification 1403, it turns out that all auxiliary repositories and their interfaces are available, then a secure repository is created / opened with the ability to read and write data (block 1405). After adding the storage to the list of open / created storages, the user is informed about the success of opening / creating the storage (block 1406) and the opening of the storage is completed 1408. A message about the creation error and the reason for the creation error is sent in block 1407.

Closing a secure vault begins by sending a close request 1501 (see FIG. 15). The SNCHD control module 604 determines in check 1502 whether there is a locked secure storage in the list of open / created secure vaults. At the same time, the search for the storage is performed by the mount point, although the unique set of features of the storage used to search can be different. Before deletion, depending on the implementation, operations can also be performed to complete all current file operations and check 1507 whether the protected storage is auxiliary to any other open / created storage. Closing a vault is preferred only when it is not auxiliary to some other open vaults. If the storage is found and it is not auxiliary to others, then the corresponding structure of the protected storage is deleted (block 1503) from the list 603.1 located in the main memory, and the result of the successful removal of the storage is returned to the user. If the repository to be closed is not in the list or it is auxiliary to some other repository, then at step 1504 a message is returned to the user about the repository closing error and the cause of the error; The closed vault closing algorithm ends 1506.

Since the open / create operation with respect to a single file is often performed, then, as indicated above, reading and writing

metadata can slow down the operation of files on protected storage. In SZKHD, namely in the module for intercepting I / O requests 603 to reduce read / write operations of metadata, a cache block 603.2 of metadata about opened files is provided. The algorithm of its operation is shown in FIG. 16. During the file open operation (this operation is described below in detail), the I / O request interception module 603 first checks whether metadata is in the cache for the corresponding file, and only if there is no such data in the cache, metadata is read from the base file. Each opened / created file on the secure storage has a cache entry that stores metadata (for example, the true file size, time of the last modification, etc.). In addition to metadata, an entry about a file in the cache contains a counter of links to this file. This counter is incremented by one each time the corresponding file is opened, and decreases when the file is closed. The lifetime of each cache entry is specified (for example, in seconds) by the parameter from the configuration 605 of the secure storage and is defined as the time interval during which the file was not accessed. Periodically, the I / O request intercept module 603, preferably in the background, searches the cache for expired entries and flushes them. In a software implementation, such a periodic check can be implemented as a kernel-level or application-level thread. Without limiting other implementation options, the start of a 1600 stream is initiated, for example, when creating / opening a secure store. A thread in a loop starting at 1601 and ending at 1610 searches 1602 in the cache of all records with an expired lifetime. Without limiting the implementation options, the cache can be organized in accordance with the structure of placing files in the file system, for example, in the form of a tree. For each such record found, in a loop 1603, a check 1604 is performed of the vanishing of the number of references to the record. If the number of links is not equal to zero, then go to the next record. Otherwise from

entries in the cache to the base file on the protected storage are dumped (recorded) metadata (phase 1605) and the corresponding record is deleted from the cache (phase 1606). After running cycle 1603, a check 1607 is performed: whether a signal has been received to close the protected storage. If such a signal is received, then a forced reset of all entries from the cache is performed and the loop is exited with boundaries 1601 and 1610; the work of flushing data from the cache ends 1611. If there is no signal to close the secure storage, the flow is suspended for the time specified in configuration 605 when creating / opening the secure storage; then the data reset procedure is repeated.

Further, without limiting the implementation options, we consider algorithms for creating / opening and closing files on protected storages, when the basic files contain only metadata in the basic repository. That is, the base files do not contain converted data or parts thereof.

When processing opening / creating a file (see Fig. 17), the I / O request interception module 603 analyzes the request 1701 and performs a check 1702: whether the request is addressed to any protected storage. For example, in a Windows environment version no lower than 4.0, where module 603 is implemented, for example, as a filter driver, request 1701 is presented as an IRP request (Input / output Request Packet). In this case, the protected storage is actually searched in the list 603.1. If the request is not addressed to any protected storage, the request is sent further without intermediate processing (for example, to the next driver in the driver stack). Otherwise, an attempt is made on the underlying storage 1704 to open / create a file. Creating / opening a file is preferably performed using the standard functions of the operating environment (operating system). If the file in the basic storage is not created or is not open, then opening / creating a file in the protected storage fails. If the file is created / opened, then it is checked

1706 cache entry with metadata about the file being opened. If there is no such entry in the cache, then such an entry is created (phase 1707) and the reference count for the entry is set to 0. Next, check 1709 is performed, where it is determined whether an existing file is opened or a new one is created. If an existing file is opened, the metadata is read from the base file in the base storage and stored in the previously created cache entry. If, when checking 1709, it was determined that a new file was being created, or if checking 1706 it turned out that there was an entry in the cache, then block 1708 was created and sent requests to create / open the corresponding auxiliary files on auxiliary storages. Block 1708 is executed in module 601. After a signal is received in block 1710 that requests to auxiliary stores have been processed, a check 1713 is performed, where the status of completion of processing of these requests is determined. If files are not successfully opened / created on all auxiliary storages, then check 1717 is performed, during which it is determined whether the protection algorithm used in the protected vault can restore the original data using the existing data set. If the protection algorithm cannot unambiguously recover the data (for each codeword, the number of missing code characters is greater than ν), then it is necessary to close / delete the file (block 1716) on the basic storage and auxiliary storages (deletion is performed when a new file was created) and complete (in block 1712) processing the request with an error, return the reason for the failure to open / create the file on auxiliary storages. Note that the functions of block 1716 are partially performed in module 600 (when closing / deleting the base file), and partially in module 601 (when closing / deleting auxiliary files). When creating / opening a file on the protected storage, a special structure is preferably created that describes this file. Such a structure is created every time in the module for intercepting 603 input / output requests when a request to create / open a file arrives, and is deleted when a request to close a file is received; structure contains

A link to an object that describes an open file on protected storage. If the protection algorithm can restore the original data from an incomplete set of auxiliary files, then mark the structure that describes the file opened on the protected storage with the read-only attribute and increase the number of cache write links by one. If during the verification of 1713 it was established that the files were created / opened successfully on all auxiliary storages, then increase the number of links to the cache entry by one and complete the processing of the request (phase 1715).

When a file is closed (see Fig. 18), the I / O request interception module 603 for the request 1801 to close the file performs a check 1802: whether the request is addressed to any protected storage. If the request is not addressed to the secure storage, the request is sent in block 1803 further without processing in the I / O request interception module. If the request is addressed to the secure vault, then requests for closing the corresponding files are created in block 1804 (executed in module 601) for all auxiliary vaults. After sending the requests, in block 1705, completion of processing of requests by auxiliary repositories is expected. Next, in block 1808, the basic file on the basic storage is closed and the number of references to the cache entry decreases by one in block 1809. If the closure is successful at all storages (both auxiliary and basic), complete the request processing with success. Otherwise, to signal that the files were not closed successfully on all storages, return the reason for the failure and complete the request processing (phase 1810).

Upon receipt of a request for reading data 1901 (see FIG. 19), a check 1902 is performed in module 603, during which it is determined whether the request is addressed to any secure storage. If the request is not addressed to any protected storage, the request is sent in block 1903 without further processing further (along the request processing stack). If the request is addressed to some basic file on some protected storage, then for each corresponding auxiliary file in

block 1904 creates a request to read data: in this case, the read data on auxiliary storages are aligned accordingly, if necessary; block 1904 is executed in module 601. Next, in block 1905, processing of these requests is expected to complete. Check 1906 checks the status of the completion of request processing. If not all the auxiliary files have been read successfully, then in test 1908 (based on configuration 605.2), the ability to extract data (information blocks) from existing data is checked. If this is not possible, then in block 1910, an error is returned to the requestor indicating the cause of the error; processing of the read request completes 1913. If the data was successfully read from all the auxiliary files (check 1906), then the block 1907 is transferred to the same block. If the expression is true in the check 1908. In block 1907, the read data is combined into an array code words (possibly partial code words) in accordance with the parameters of the partition information blocks are further extracted (the protection is removed from the code blocks). If during the check 1911 it turns out that the decoding was performed with an error, then a transition is made to block 1910, in which the processing of the read request ends with an error and the cause of the error is returned; the reading request processing algorithm ends 1913. If, during the verification of 1911, it turns out that the data is decoded correctly, then in block 1912 a buffer is generated from the decoded data (of the required size and placed at the required offset from the beginning of the file) and returned to the requestor; the read request processing algorithm ends (phase 1913).

Without limiting the options for implementing data recording, the following describes an example of an algorithm for recording data (see Fig. 20) without supporting atomicity of the write operation: if there is an error in writing data to any auxiliary file in auxiliary files to which data was written successfully, the overwritten data not restored. It is believed that the occurrence of an error while writing to any auxiliary

file is unlikely. To mitigate the consequences of the occurrence of such an error, the SZKhD provides, as shown in algorithm 2000, a mechanism for creating backup copies of auxiliary files on auxiliary repositories.

Upon receipt by the interception module of 603 I / O requests for a write request 2001, the 2002 check reveals to whom the request is addressed. If the request is addressed to no protected storage, then in block 2003 the request is sent further along the request processing stack and the algorithm ends (phase 2013). If the request is addressed to some secure storage, then the 2008 check is performed, during which it is determined how much time Δ _backup (in seconds) has passed since the last backup of auxiliary files corresponding to the base file to which the data change request is addressed. If Δ _{backup is} longer than the backup period specified in configuration 605 when creating a secure storage, then in block 2009 the operation of creating backup copies of the corresponding auxiliary files is performed. The backup period is selected by the user based on the degree of criticality of the data and the amount of data stored in the secure storage. Large amounts of data can lead to noticeable delays in creating backups, so the backup period should preferably be chosen so that such delays do not create inconvenience to the user. On auxiliary storages, without limiting the implementation options, the name of the backup file consists of the name of the file to be copied, the date / time of the copy, and the true amount of data on the protected storage at the time of copying. This format of file names allows you to restore data that was in protected storage at the time of the backup. In another implementation of the backup, metadata from the base file is entered into backup copies of auxiliary files, and the date and time of the backup creation are added to the name of auxiliary files. After creating the backups, the transition to block 2004 is performed.

the same block is executed after the 2008 check, if during it it turned out that the time for creating backups had not arrived. In block 2004, information blocks are converted (encoded) into code blocks according to the algorithm specified in the secure storage configuration G05. Then, in block 2005, the encoded data is divided into t _SStor -1 arrays in accordance with the configuration specified when creating the secure storage. In block 2006, requests are created to record the received data arrays in t _SStor -1 of the corresponding auxiliary files. After the wait in block 2007 for processing requests on auxiliary storages ends, in 2010 check it is found out whether the records were successfully written to all storages: if so, then in block 2012 the request processing completes successfully, if not, then in block 2011 the processing fails and the cause of the error is indicated: the algorithm for processing the request for data burden ends 2013.

Bibliography

[1] Ozarov N., Wyner A.D. Wire-Tar Channel II. // BLTj, 63, - 1984, - pp. 2135-2157.

[2] Yakovlev V.A. Information protection based on code noise. Ed. IN AND. Korzhika. - SPb., 1993 .-- 244 p.

[3] A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. // http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf. Last appeal 06/17/2016.

[4] Ivanov V.A. Statistical methods for evaluating the effectiveness of code noise // Transactions in discrete mathematics. M .: FIZMATLIT, 2002. Volume 6. ss. 48-63.

[5] Deundyak V.M., Kosolapov Yu.V. On the resistance of code noise to statistical analysis of observed data of repeated repetition.

// Modeling and analysis of information systems. T. 19, No. 4 (2012), ss. 110-127.

[6] Gazaryan Yu.O., Vinnichuk II, Kosolapov Yu.V. Code noise immunity in the framework of the model of multiple partial observation of code messages. // Sat "Materials of the XII International scientific-practical conference" Information Security ", part 3, Taganrog: SFU, 2012., pp. 258-263.

[7] Deundyak V.M., Kosolapov Yu.V. About one method of removing uncertainty in a channel with interference in the case of code noise. II Izvestia SFU. Technical science. No. 2 (151), - 2014, ss. 197-208.

[8] Arunkumar Subramanian, Steven W. McLaughlin. MDS codes on the erasure-erasure wiretap channel. // arXv: 0902.3286v1 [cs.IT] 19 Feb. 2009.P. 1-4. Last appeal 11/13/2013.

[9] Deundyak B.M., Kosolapov Yu.V. The mathematical model of the channel with the interception of the second type. // Proceedings of higher educational institutions, North Caucasian region, a series of Natural Sciences, 3 (145), - 2008, ss. 3-8.

[10] Yuan Luo, Chaichana Mitrpant, A.J. Hav Vinck, Kefei Chen. Some New characters on the wire-tap channel of type II. // IEEE Transactions on information theory, vol. 51, No. 3, 2005. P. 1222-1229.

[11] Mihir Bellare, Stefano Tessaro, Alexander Vardy A Cryptographic Treatment of the Wiretap Channel. // arXiv: 1201.2205, http://arxiv.org/abs/1201.2205, 2012. Last appeal 01/10/2014.

[12] Wright C, Kleiman D., Shyaam Sundhar R.S. Overwriting Hard Drive Data: The Great Wiping Controversy. // ICISS ′08 Proceedings of the 4th International Conference on Information Systems Security, - 2008, pp. 243-257.

Claims (9)

1. A method of protecting the availability and confidentiality of stored data, characterized in that during the data recording operation:
• each information block S of length k characters of the final field F is encoded into a code block C of length n characters of the field F using the codec ƒ _r randomly or pseudo-randomly selected from a numbered set of codecs FC _q (n, k, µ, ν) that transform the information vectors of length k (over the field F) into code vectors of length n (over the same field F) so that the loss of no more than ν characters of the code word allows the information word to be uniquely restored, and eavesdropping (observation) of no more than µ characters of the code word does not give the observer any information about encoded message;
• code block C is divided into T parts (C ₁ , ..., C _T ) so that the combination of any t _err parts together gives no more than ν different code symbols, and the union of any t _tap parts together gives no more than µ different code characters
• by the number r of the selected codec, using the (T, Tt _err ) secret sharing scheme, T parts are obtained: R ₁ , ..., R _T ;
• pairs (C _i, R _i), where i = 1, ..., T, are combined in order unit (G _1, R _{1, ..., C T, R T} );
• each pair (C _i , R _i ), where i = 1, ..., T, is written to one of T storages so that only one pair of the specified type is recorded on one store,
while reading protected data
• with at least Tt _err storages read pairs of the form (C _i , R _i ), where i∈ {1; ...; T};
• for the read parts of R _i , using the (T, T-t _err ) secret sharing scheme, get the number r of the codec при _r used for encoding;
• on the read parts C _i form (in the order of occurrence of code symbols) a partial code block C ′, in which, at most, ν code symbols are unknown;
• from block C, using the inverse transformation k ƒ _r (∈FC _q (n, k, µ, ν)), the information block S is extracted 2. A way to protect the accessibility and confidentiality of stored data according to claim 1, in which the set of FC _q (n, k, µ, ν) is a set of codecs constructed by various permutations of the columns of the generating matrix $$\tilde{G}$$

factor code, with the help of which information blocks of length k characters of the final field F are encoded into code blocks of length n characters of the final field F and with which protection from observation is not more than µ of any characters of the code block and protection from loss (erasure) of not more than ν code block characters. 3. The system of customizable protection of stored data, characterized in that it consists of:
• a computer on which a client agent is installed, including a data interception submodule, a control submodule, and an access module to the storage media connected to the computer;
• a computer on which an agent-based distributed protection module is installed, including a data protection submodule (containing a database of protection algorithms), a data protection enhanced submodule (including a set of secret sharing algorithms, sequence generation algorithms and permutation generation algorithms) and a data distribution module for data carriers;
• a channel connecting the client agent and the distributed protection agent;
• many secure storage configurations, where the configuration of each SStor secure storage includes:
- mount points (directories) t _SStor ( _∈N ) of storages on data carriers;
- numbering of storages with numbers from 1 to t _SStor ;
- basic storage lockbox SStor (t _SStor one of storage);
- the number t _{tap of} storages for which unauthorized access to which should not compromise the encoded data;
- the number t _{err of} storages, the loss of which should not lead to the loss of encoded data;
- the name of the algorithm S for (t _SStor , t _SStor -t _err ) -secret sharing scheme;
- the name of the algorithm A for converting information blocks of length k characters of the field F (in the machine representation k ₁ bytes) into code blocks of length n characters of the field F (in the machine representation n ₁ bytes) suitable for the three parameters (t _SStor , t _tap , t _err );
- the number of permutations Q (∈ {0; 250}) used to enhance protection against statistical attacks;
- the name of the generation algorithm P by the number r (∈ {0; ...; Q}) t _SStor permutations of bits in a byte; in this case, the algorithm P for Q = 0 generates permutations that do not lead to a change in the order of bits in bytes (identical permutations);
- rule P of breaking code blocks of length n characters of the field F (n ₁ bytes, respectively) into t _SStor parts, each of which in the machine representation occupies l _i bytes, i = 1, ..., t _SStor .
- the name of the algorithm G for generating a sequence of pseudo-random numbers, which generates a pseudo-random sequence G (r) of length r (∈ {0; ...; Q}) $${\displaystyle {\sum }_{i=\mathrm{one}}^{t_{SStor}}{l}_i}$$

bytes algorithm G for Q = 0 generates a zero sequence;
and that each FILE file located in the SStor protected storage is assigned t _SStor files: one FILE _m file on the basic storage (base file), and one file on each of the remaining t _SStor -1 storages (auxiliary files); at the same time, at the beginning of the base file, a fixed-length area is reserved for metadata about the FILE file to be protected (about the true file size, time of the last modification); 4. The system of customizable protection of stored data according to claim 3, characterized in that when writing a file to the SStor secure storage (or when writing a data block to a file located in the SStor secure storage):
• if necessary, the recorded data is aligned to the border of the information block of length k ₁ bytes;
• the recorded data is represented as a sequence of k _1- byte information blocks (k ₁ ≥1);
• each information block S is transformed using algorithm A into the corresponding n _1- byte code block (n ₁ ≥k ₁ );
• for each code block C:
- using the partition rule P, break block C into t _SStor parts:
$$C_{\mathrm{one}},\mathrm{...,}{C}_{t_{SStor}}$$

, each of which in machine representation occupies l _i bytes, i = 1, ..., t _SStor ;
- randomly or pseudo-randomly select the number r (∈ {0; ...; Q}), by which t _SStor permutations are generated: $${\pi }_{r\mathrm{,one}},\mathrm{...,}{\pi }_{r,t_{SStor}}$$

;
- using the permutation π _{r, i} permutes the bits of all l _i bytes of the part C _i , i = 1, ..., t _SStor , as a result, the block π _{r, i} (C _i ) is obtained;
- perform the operation of bitwise XOR vectors $$({\pi }_{r\mathrm{,one}}(C_{\mathrm{one}}),\mathrm{...,}{\pi }_{r,t_{SStor}}(C_{t_{SStor}}))$$

and G (r) represented as binary vectors;
- according to the number r, using the secret secretion scheme S, t _SStor parts are generated, each of which occupies one byte: $$P_{\mathrm{one}},\mathrm{...,}{P}_{t_{SStor}}$$

which are attributed on the right to the corresponding parts π _{r, i} (C _i ) XOR Г (r) _i , i = 1, ..., t _SStor , thus forming the pairs (π _{r, i} (C _i ) XOR Г (r) _i , P _i ) of length l _i + 1 bytes in the machine representation, where Г (r) _i is the part of the pseudo-random sequence Г (r) superimposed on π _{r, i} (C _i ), i = 1, ..., t _SStor ;
- the corresponding pair (π _{r, i} (C _i ) XOR Г (r) _i , P _i ) is written to the file on the i-th storage (i = 1, ..., t _SStor ); 5. The system for configuring the protection of stored data according to claim 3, characterized in that when reading data from a FILE file located in the SStor secure storage:
• the boundaries of the buffer of read data are aligned to the border of the information block of length k ₁ bytes;
• for each information block S of length k with a field symbol F (k ₁ bytes in the machine representation) read in a aligned buffer:
- from at least t′≥t _SStor -t _err files located in the storages, the pairs (π _{r, i} (C _i ) XOR Г (r) _i , P _i ) in the machine representation occupying respectively l _i +1 bytes, i∈ {1; ...; t _SStor };
- from the set of at least t ′ parts P _i , using the secret secretion scheme S, find the number r;
- by the number r, using the algorithm G, find the sequence of pseudo-random numbers G (r), with which the gamma is removed and blocks π _{r, i} (C _i ), i∈ {1; ...; t _SStor };
- by the number r, using the algorithm P, find the necessary permutation π _{r, i} bits in bytes and receive blocks C _i ;
- using algorithm A and partitioning algorithm P, information block S is restored from the existing set of parts of the code block;
• a buffer of read data is formed from decoded information blocks S, and a buffer is returned to the initiator within the boundaries specified by the initiator. 6. A system of customizable protection of stored data according to any one of paragraphs. 3-5, characterized in that it uses (t _SStor -1, t _SStor -1-t _err ) -second secret sharing scheme S, algorithm P generates t _SStor -1 permutations, rule P splits the codeword into t _SStor -1 parts, algorithm D generates a sequence of length $${\displaystyle {\sum }_{i=\mathrm{one}}^{t_{SStor}-\mathrm{one}}{l}_i}$$

, only metadata is written to the base file. 7. The system of customizable protection of stored data according to claim 3, characterized in that when creating a secure storage, a time period in seconds is set, after which, from the moment of the last modification of the protected FILE file, backup copies of the corresponding files on the base and auxiliary stores should be created. 8. A machine-readable medium on which a computer program product is stored, which, when executed by a processor with program control, causes the processor to implement the method according to one of claims. 1-2. 9. A machine-readable medium on which a computer program product is stored, which, when executed by a processor with program control, causes the processor to implement the system according to one of claims. 3-7.

Images