TW202119244A - Disc security system - Google Patents

Disc security system

Publication number: TW202119244A
Authority: TW (Taiwan)
Prior art keywords: bit, disk, module, lock, security system
Application number: TW108140686A
Other languages: Chinese (zh)
Other versions: TWI745784B (en)
Inventors: 劉雨芊, 黃文昌
Original Assignee: 精品科技股份有限公司
Application filed by: 精品科技股份有限公司
Priority to: TW108140686A
Publications: TW202119244A (application), TWI745784B (grant)

Landscapes: Storage Device Security (AREA)

Abstract

The present invention proposes a novel disc security system whose structure comprises: a processor module, which manages and operates the computing resources shared among the system elements; a bitlocker disc administer module, which administers the bitlocker discs and the confidential documents; a bitlocker disc drive module, coupled with the bitlocker disc administer module, which connects the bitlocker disc to the processor module so that the processor module can access the confidential documents; a security drive module, coupled with the bitlocker disc drive module, which prevents unpermitted access to the confidential documents stored on the bitlocker disc; and a bitlocker disc authentication module, coupled with the bitlocker disc administer module, which authenticates the virtual disk or the confidential file when the virtual disk is booted or accessed.

Description

Disk Information Security System

The present invention relates to an information security system. More specifically, it is an information security protection system that stores files on a bit-lock (BitLocker) disk and requires software and hardware encryption authentication on access, so as to prevent files from being illegally backed up, destroyed, or subjected to side-channel attacks.

With the development of computer technology, people now use computers or various terminals as working tools in work, study, scientific research and other applications; enterprises, government agencies, financial institutions and military units in particular generate large volumes of electronic files at all times. In the information age, however, any electronic file of significant value, whether commercial, strategic, military or a matter of intellectual creation, may be leaked through careless internal management or attacked from outside. For example, files may be illegally backed up or destroyed from inside the organization, a storage device holding the files may be physically carried out, or an external terminal may attack or steal the files over the network, each of which costs the enterprise or organization. In addition, because modern operating systems usually support multiple user accounts, and network servers are shared, documents of different confidentiality levels must be distinguished when several users share a system at the same time.

Among earlier information security architectures, Chinese patent CN102708335, for example, discloses a protection system for confidential documents. That architecture is based on a sandbox program (SandBox): the client downloads confidential documents stored on the server into the sandbox for processing. In the '335 case, after connecting to the server, the client downloads the confidential documents into a sandbox that is isolated from the physical disk and edits them there within limits, with the permitted actions (for example writing, reading, copying and deleting) set by permission. This prevents the client from leaking confidential documents to external terminals and does raise the organization's or enterprise's level of information security protection. However, as noted above, the '335 case has no technical feature for identifying the server and client to which an encrypted file belongs, which leaves possible security holes on the client. For example, the storage device of the terminal on which the client system is installed can be physically removed (such as pulling the hard disk that holds the client directly out of the computer) and installed in another terminal elsewhere (such as fitting the removed hard disk into another computer), yet the confidential documents can still be used on that third-party client once it connects to the server. As another example, the '335 case places no restriction on remote connections from third-party terminals. While the client is editing a confidential document, the sandbox's restrictions do prevent the document from being backed up to a third-party terminal that is remotely connected to the client, but the third-party terminal can still use its own screenshot function to record the document's contents (for example, when a third-party terminal connects remotely through software such as TeamViewer, Anydesk, ShowMyPC, UltraVNC or Splashtop, or even through an operating-system backdoor, and records the contents of the confidential document with its own screenshot function rather than by copying directly from the client, thereby circumventing the sandbox's restrictions on the client).

For information security, some applications, such as an Encrypted Device Application (EDA), can encrypt a specific file space and store the encrypted file on an isolated disk. An isolated disk can use different encryption algorithms to store the user's information so as to avoid malicious attacks by viruses or hackers. In the conventional art, when an encrypted file is created, the EDA encrypts the file according to a password set by the user. When an encrypted file is processed, the EDA likewise checks whether the password is correct to decide whether to set the encrypted file up as an isolated disk. Because the file is encrypted with only a single user-set password, the password is quite likely to be cracked by others, who can then use the encrypted file. In addition, because the conventional isolated disk has no access control mechanism, it cannot offer flexible access for different users. Moreover, because the conventional isolated-disk management mechanism cannot identify the host to which an encrypted file belongs, the encrypted file may also be copied to other hosts and used there.

Therefore, at present, existing applications of isolated disks to information security still need further improvement, to prevent the files on an isolated disk from being stolen by physically moving the storage device, or through a remote connection of unknown origin that uses the isolated disk as a springboard, causing losses to the enterprise or organization.

In view of this, and to solve the above problems, the objective of the present invention is to establish bit-lock (BitLocker) disks according to the protection policy (protection permissions) set by the enterprise or organization, so that confidential documents stored on a bit-lock disk cannot be accessed by terminals that do not have the system of the present invention. The confidential documents may include, for example, Word, Excel, AutoCAD and VB files. For example, if disk E is set as the first bit-lock disk, then under a possible protection policy the confidential documents on disk E cannot be saved to other disks, such as disk C or disk D, nor can other content be written or deleted.

To achieve the above objective, the present invention proposes a disk information security system whose architecture comprises: a processing module, which handles system computing resources and the coordination and operation among system components; a bit-lock disk management module, which initiates bit-lock authentication, manages the confidential documents stored on the bit-lock disks, and manages the number and creation of bit-lock disks; a bit-lock disk drive module, coupled to the bit-lock disk management module, which couples the bit-lock disk to the processing module so that the confidential documents can be accessed by the processing module; a protection drive module, coupled to the bit-lock disk drive module, which prevents confidential documents stored on a bit-lock disk from being saved to disks other than the bit-lock disk, prevents File Explorer or other applications from saving unauthorized documents and programs to the bit-lock disk, prevents unauthorized copying, previewing, deletion and printing, and deletes the contents of a confidential document from memory a predetermined time after the document is closed; and a bit-lock disk authentication module, coupled to the bit-lock disk management module, which authenticates the protection permissions of the bit-lock disk or confidential document when a confidential document on the bit-lock disk is accessed. The bit lock comprises a bit-lock disk key and a hardware key; depending on the needs of the application, either one of the two, or both together, may be used when encrypting a confidential document. In addition, each bit-lock disk may contain several confidential documents, so that the bit-lock disk can protect different confidential documents according to the form of the protection permissions.

According to the present invention, the disk information security system includes a public library module, coupled to the protection drive module, which stores the path addresses of the confidential documents on the bit-lock disk (for example, E:\A.PPTX, E:\B.PPTX, E:\C.PPTX) so that the bit-lock disk management module can access the confidential documents stored on the bit-lock disk, together with the function files with which the protection drive module operates. The file format in the public library module may be a dynamic-link library (DLL), which improves the compatibility of the bit-lock disk information security system.

According to an embodiment of the present invention, the bit-lock disk authentication module includes a bit-lock disk authentication unit that stores the bit-lock disk key, which may be a 32-bit, 64-bit, 128-bit, 256-bit or 512-bit client identification code (PIN Code), so that the security level of the bit-lock disk key can be adjusted to the application environment.

According to the present invention, the bit-lock disk authentication module includes a hardware authentication unit that stores the hardware key and authenticates the specific bit-lock disk that corresponds to it within the disk information security system. This prevents the physical storage device holding the bit-lock disk from being physically removed and installed in a computer that lacks the hardware authentication unit in order to access the confidential documents on the bit-lock disk. The authentication method of the bit-lock disk key may be a BitLocker-based authentication method.

According to an embodiment of the present invention, the hardware authentication unit may be a Trusted Platform Module (TPM), and the encryption algorithm of the bit-lock disk key may be an asymmetric algorithm or a symmetric algorithm, so that even if a storage device holding confidential documents leaves the enterprise or organization, the contents of the confidential documents cannot be accessed by terminals on which the disk information security system is not deployed.

According to the present invention, the disk information security system includes a protection permission module, coupled to the protection drive module, which sets the scope of the protection drive module's protection permissions, including: whether confidential documents stored on a bit-lock disk may be saved to disks other than the bit-lock disk; whether File Explorer or other applications may save unauthorized documents and programs to the bit-lock disk; whether the contents of a confidential document are deleted from memory immediately, or within a predetermined time, after access to the document ends; or a combination of the above.

According to the present invention, the disk information security system includes an input source authentication module, coupled to the processing module, which identifies whether an input source, such as a keyboard, mouse, writing tablet or controller, is local or remote, and, through the protection permission scope in the protection drive module, sets whether that input source is allowed to access confidential documents.

The above explains the purpose, technical means and achievable effects of the present invention. Those skilled in the relevant art can understand the invention more clearly through the embodiments below, the accompanying drawings and their description, and the claims.

A-F‧‧‧Scenarios
200‧‧‧Disk information security system
201‧‧‧Processing module
209‧‧‧Input source authentication module
210‧‧‧Disk
210A‧‧‧First bit-lock disk
210C‧‧‧Second bit-lock disk
210N‧‧‧Nth bit-lock disk
211‧‧‧Bit-lock disk management module
213‧‧‧Bit-lock disk drive module
215‧‧‧Bit-lock disk authentication module
215A‧‧‧Hardware authentication unit
215C‧‧‧Bit-lock disk authentication unit
221‧‧‧Protection permission module
223‧‧‧Public library module
223A‧‧‧Protection drive function unit
225‧‧‧Protection drive module
501‧‧‧Confidential document
503‧‧‧Hardware key
505‧‧‧Bit-lock disk key
601A‧‧‧Plaintext
603A‧‧‧Key
605A‧‧‧Ciphertext
601B‧‧‧Plaintext
603B‧‧‧Key
605B‧‧‧Ciphertext

The detailed description of the invention and the schematic drawings of the embodiments below should allow the invention to be understood more fully; they serve only as a reference for understanding how the invention is applied and do not limit the invention to a particular embodiment.

Figure 1 illustrates the specific protection the disk information security system is intended to achieve, and the corresponding scenarios in which attacks or leaks may occur.

Figure 2 shows the component architecture of the disk information security system.

Figure 3 shows the detailed component architecture of the disk management module, and how the invention encrypts a disk into a bit-lock disk.

Figure 4 further illustrates the detailed component architecture of the public library module and its interaction with the surrounding components.

Figure 5 illustrates how, in an embodiment of the invention, a confidential document is encrypted with the hardware key and the bit-lock disk key.

Figure 6A illustrates one step of encrypting a confidential document in an embodiment of the invention.

Figure 6B illustrates another step of encrypting a confidential document in another embodiment of the invention.

The invention is described in detail below through preferred embodiments and aspects. The description provides specific implementation details so that the reader can thoroughly understand how these embodiments are carried out; those skilled in the art will nevertheless understand that the invention can also be practiced without these details. The invention can also be applied and implemented through other specific embodiments, the details set out in this specification can be applied according to different needs, and various modifications or changes can be made without departing from the spirit of the invention. The preferred embodiments and aspects explain the structure of the invention and are given for illustration only, not to limit the scope of the claims. The terms used in the following description are to be interpreted in the broadest reasonable manner, even when they are used together with the detailed description of a particular embodiment of the invention.

In the present invention, the processing module (201) generally includes a processing chip, memory, display device, network communication module, storage device, operating system, firewall, File Explorer, applications and so on, interconnected in a commonly known manner, to perform computation, temporary storage, display and data transmission and to provide functions such as operation and management coordination for local or remote terminals. Access to a confidential document (501) may include writing, reading, previewing, copying, deleting or printing. In addition, to explain the algorithms needed to encrypt the confidential document (501), in different embodiments the key (603A) and the key (603B) may each be applied, as needed, to the hardware key (503) and the bit-lock disk key (505). Likewise, plaintext (601A), plaintext (601B), ciphertext (605A) and ciphertext (605B) refer to the states before and after encryption, and the first bit-lock disk, second bit-lock disk and Nth bit-lock disk may be referred to collectively as bit-lock disks. Those skilled in the art will understand, on reading the description, that such statements are for explanation only and do not limit the invention; this is stated here in advance.

Referring to Figure 1, the disk information security system (200) proposed by the present invention, besides remedying the shortcomings of the conventional art, is intended to prevent confidential documents (501) from leaking out from inside the organization, as described in scenarios (A)-(E). In scenario (A), the disk information security system (200) prevents a remote connection or an unknown port from accessing the confidential documents (501) by controlling local input devices such as a keyboard, mouse, writing tablet or controller, where access includes writing, reading, copying, deleting, printing, previewing and so on; for example, control of local input devices through TeamViewer, Anydesk, ShowMyPC, UltraVNC, Splashtop, or keystroke-macro tools (按鍵精靈) and controller plug-ins. In scenario (B), it prevents a storage device or memory inside the enterprise or organization from being physically removed and installed and run in another, external terminal, which would render a conventional isolated-disk-based sandbox program (SandBox) useless. In scenario (C), it prevents the local terminal from being booted from an operating system installed on another storage device in order to bypass the protection mechanism of the invention and read the confidential documents (501). In scenario (D), it prevents confidential documents (501) from being copied to other storage devices, such as hard disks, flash drives, optical discs, floppy disks or remote terminals, or into e-mail. In scenario (E), according to the different protection permissions, it prevents access to the confidential documents (501) by unauthorized actions such as writing, reading, copying or deleting. And in scenario (F), it prevents confidential documents (501) from being printed without permission.

Referring to Figure 2, to achieve the above objective the present invention proposes a disk information security system (200) whose architecture comprises: a processing module (201), which handles system computing resources and the coordination and operation among system components; a bit-lock disk management module (211), which initiates bit-lock authentication, manages the confidential documents (501) stored on the bit-lock disks, and manages the number and creation of bit-lock disks; a bit-lock disk drive module (213), coupled to the bit-lock disk management module (211), which couples the bit-lock disk to the processing module (201) so that the confidential documents (501) can be accessed by the processing module (201); a protection drive module (225), coupled to the bit-lock disk drive module (213), which prevents confidential documents (501) stored on a bit-lock disk from being saved to disks other than the bit-lock disk, prevents File Explorer or other applications from saving unauthorized documents and programs to the bit-lock disk, prevents unauthorized copying, previewing, deletion and printing, and deletes the contents of a confidential document (501) from memory a predetermined time after the document is closed, to prevent side-channel attacks on memory; and a bit-lock disk authentication module (215), coupled to the bit-lock disk management module (211), which authenticates the protection permissions of the bit-lock disk or confidential document (501) when a confidential document (501) or the bit-lock disk is accessed. The disk information security system (200) can be deployed in the local or remote processing module (201) of any terminal. In addition, the bit lock comprises a bit-lock disk key (505) and a hardware key (503); depending on the needs of the application, either one of the two, or both together, may be used when encrypting a confidential document.

According to the present invention, the disk information security system (200) includes an input source authentication module (209), coupled to the processing module (201), which identifies whether an input source, such as a keyboard, mouse, writing tablet or controller, is local or remote, and, through the protection permission scope in the protection drive module (225), sets whether that input source is allowed to access the confidential documents (501). This avoids scenario (A), in which a remote terminal or an unknown port accesses the disk information security system (200) by controlling local input devices such as a keyboard, mouse, writing tablet or controller, for example by controlling the local input devices through TeamViewer, Anydesk, ShowMyPC, UltraVNC, Splashtop, or keystroke-macro tools (按鍵精靈) and controller plug-ins, and uses the remote terminal's screenshot function to circumvent the protection mechanism in the protection permission module (221).

Referring to Figure 3, which illustrates how the invention encrypts a disk (210) into a bit-lock disk: according to an embodiment of the invention, the bit-lock disk management module (211) can, according to the needs of the application, encrypt the disk (210) into bit-lock disks by bit-lock encryption and manage the number required, for example creating N bit-lock disks from the first bit-lock disk (210A) and second bit-lock disk (210C) up to the Nth bit-lock disk (210N), each of which may contain from one to several confidential documents (501). The different bit-lock disks can be given different protection permissions through the protection permission module (221) according to access needs. For example, on the first bit-lock disk (210A), because the confidential documents (501) are highly sensitive, the permitted access actions can be set to reading and previewing, with writing, copying, deleting and printing not permitted; on the second bit-lock disk (210C), because the confidential documents (501) are somewhat less sensitive, reading, previewing and printing are permitted, but deleting, writing and copying are not. The form of the protection permission settings can be adjusted to the needs of the application and is not limited to the above. In addition, each bit-lock disk can contain several confidential documents (501).
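The per-disk permissions and the local/remote input check described above can be modelled as a small reference monitor. This is an added Python sketch, not code from the patent: the permissions for E: and F: follow the first and second bit-lock disk examples in the text, while drive letters F: and G:, the G: policy, the function names and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

ACTIONS = frozenset({"read", "preview", "print", "write", "copy", "delete"})

# Per-disk protection permissions. E: and F: mirror the first and second
# bit-lock disks in the text; G: is a hypothetical disk that permits copying,
# included so the "copy leaves the disk" rule can be exercised.
POLICY = {
    "E:": {"allowed": {"read", "preview"}, "remote_input": False},
    "F:": {"allowed": {"read", "preview", "print"}, "remote_input": False},
    "G:": {"allowed": {"read", "preview", "copy"}, "remote_input": False},
}


@dataclass(frozen=True)
class Request:
    action: str                   # one of ACTIONS
    path: str                     # file being accessed
    input_source: str = "local"   # "local" or "remote" (input source check)
    dest: Optional[str] = None    # target path for copy / save-as


def _drive(path: str) -> str:
    """Normalised drive of a Windows path ('' when it cannot be resolved)."""
    return PureWindowsPath(path).drive.upper()


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not understood is denied."""
    if req.action not in ACTIONS:
        return False, "unknown action"
    src = _drive(req.path)
    dst = _drive(req.dest) if req.dest is not None else None
    if not src or dst == "":
        return False, "unresolvable path"
    # Inbound flow: an outside file being stored on a bit-lock disk.
    if dst in POLICY and dst != src and "write" not in POLICY[dst]["allowed"]:
        return False, "store into bit-lock disk not permitted"
    policy = POLICY.get(src)
    if policy is None:
        return True, "source is not a bit-lock disk"
    # Remote-controlled input devices are refused unless the policy allows it.
    if req.input_source != "local" and not policy["remote_input"]:
        return False, "remote input source"
    if req.action not in policy["allowed"]:
        return False, "action not permitted on this disk"
    # Outbound flow: even a permitted copy may not leave the bit-lock disk.
    if dst is not None and dst != src:
        return False, "destination outside bit-lock disk"
    return True, "permitted"


# Constructed sample requests (not taken from any real system).
SAMPLE_EVENTS = [
    Request("read", r"E:\A.PPTX"),
    Request("print", r"E:\A.PPTX"),
    Request("print", r"F:\B.PPTX"),
    Request("preview", r"F:\B.PPTX", "remote"),
    Request("copy", r"G:\C.PPTX", dest=r"D:\C.PPTX"),
    Request("copy", r"C:\tool.exe", dest=r"E:\tool.exe"),
]


def denied(events: List[Request]) -> List[Tuple[Request, str]]:
    """Requests the monitor refuses, with the reason, for an audit trail."""
    out = []
    for ev in events:
        ok, reason = decide(ev)
        if not ok:
            out.append((ev, reason))
    return out


if __name__ == "__main__":
    for ev, reason in denied(SAMPLE_EVENTS):
        print(f"DENY {ev.action:8} {ev.path} ({reason})")
```
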

Referring to Figure 4, the public library module (223) stores the path addresses of the confidential documents (501) on the bit-lock disk (for example, E:\A.PPTX, E:\B.PPTX, E:\C.PPTX); the content stored on the bit-lock disk can be accessed only after passing authentication by the bit-lock disk authentication module (215). In addition, in the present invention, the path addresses, the contents of the confidential documents (501) on the bit-lock disk, and the action of coupling the virtual disk to the processing module (201) through the bit-lock disk drive module (213) can all be encrypted by the bit-lock disk authentication module (215) in a BitLocker-based manner. In addition, in an embodiment of the invention, the public library module (223) includes a protection drive function unit (223A), which records the functions that set the protection permissions for access such as reading, previewing, printing, deleting, writing and copying, can be updated as needed, and notifies the protection drive module (225) to start when a confidential document (501) is accessed. The file format in the public library module (223) may be a dynamic-link library (DLL), to improve the compatibility of the disk information security system (200) so that it can protect confidential documents (501) in any format, including computer programs, design drawings and files.

Please refer to Figures 1 and 5. In the present invention, the bit-lock disk authentication module (215) includes a hardware authentication unit (215A) and a bit-lock disk authentication unit (215C), which hold a hardware key (503) and a bit-lock disk key (505) respectively, used to encrypt the content of the confidential files (501) and to authenticate the start-up of the bit-lock disk. The encryption and authentication method of the hardware key (503) and the bit-lock disk key (505) is bit lock.

In an embodiment of the present invention, if the hardware authentication unit (215A) is a Trusted Platform Module (TPM), a hardware key (503) is stored both in the processing module (201) and in the confidential file or bit-lock disk, so that the processing module (201) and the bit-lock disk are bound specifically to each other; a storage device or memory of the enterprise or organization that holds a bit-lock disk therefore cannot be physically removed and installed in another, external terminal to be run there. In embodiments of the present invention, the trusted platform module can, according to the needs of the application, store the hardware key (503) in the processing chip, memory, display device, network communication module or storage device of the processing module (201), or in any two or more of these components, to achieve one of the purposes of the present invention, improving on the conventional technology. The encryption algorithm of the hardware key (503) can be an asymmetric algorithm or a symmetric algorithm; preferably it can be RSA, ElGamal, the Diffie-Hellman key exchange protocol, an elliptic curve encryption algorithm, AES (Advanced Encryption Standard, also called Rijndael), DES (Data Encryption Standard), 3DES (Triple Data Encryption Algorithm), Blowfish, IDEA (International Data Encryption Algorithm), RC5, RC6 and so on, and the first bit-lock disk (210A), the second bit-lock disk (210C) and the Nth bit-lock disk (210N) can use different encryption algorithms according to their different protection permissions.

In another embodiment of the present invention, the bit-lock disk key (505) can be a 32-bit, 64-bit, 128-bit, 256-bit or 512-bit client identification code (PIN code). When a confidential file (501) or a bit-lock disk is to be accessed, the identification code can likewise, according to the needs of the application, be used with different encryption algorithms for the first bit-lock disk (210A), the second bit-lock disk (210C) and the Nth bit-lock disk (210N) according to their different protection permissions, for example RSA, ElGamal, the Diffie-Hellman key exchange protocol, an elliptic curve encryption algorithm, AES (Advanced Encryption Standard, also called Rijndael), DES (Data Encryption Standard), 3DES (Triple Data Encryption Algorithm), Blowfish, IDEA (International Data Encryption Algorithm), RC5, RC6 and so on.

Please refer to Figure 6A. In one encryption embodiment of the hardware key (503) and the bit-lock disk key (505), the confidential file (501) is encrypted into a ciphertext (605A) by an exclusive-OR (XOR) operation between the plaintext (601A) and a corresponding key (603A). The plaintext (601A) and the key (603A) can each be an NxN matrix, according to the needs of the application, and each element of one is XORed with the corresponding element of the other; for example, element a44 of the plaintext (601A) corresponds to k44 of the key (603A), and the XOR operation yields element b44 of the ciphertext. In one aspect of the present invention, this encryption method can be applied to the hardware key (503) and the bit-lock disk key (505), and can be applied multiple times rather than only once, so that the confidential files (501) stored on the bit-lock disk are protected from leaking out of the enterprise or organization as described in scenarios (A)-(E).

Please refer to Figure 6B. In another encryption embodiment of the hardware key (503) and the bit-lock disk key (505), an NxN plaintext matrix (601B) is encrypted with a key (603B) that produces row shifts or column shifts. For example, the key (603B) moves element b11 of the original plaintext (601B) to the position of b14 in the original plaintext (601B), and moves element b12 of the original plaintext (601B) to the position of element b11 in the original plaintext (601B), thereby forming the ciphertext (605B). Encryption of the plaintext (601B) by the row-shift or column-shift key (603B) is not limited to shifting only one row or one column. For example, the first row may be left unshifted, the second row shifted by one, and the third row shifted by two; the shifting pattern is set in the key (603B) according to the needs of the application. In another aspect of the present invention, this encryption method can be applied to the hardware key (503) and the bit-lock disk key (505), and can be applied multiple times rather than only once, so that the confidential files (501) stored on the bit-lock disk are protected from leaking out of the enterprise or organization as described in scenarios (A)-(E).
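The two operations of Figures 6A and 6B, written out as an added example (not code from the patent): element-wise XOR with a key matrix and a keyed cyclic row shift, followed by checks of what each operation leaves observable, which is what a reviewer of such a scheme would test first. The 4x4 size, the function names and the sample bytes are assumptions constructed for illustration.

```python
# Added illustration of Fig. 6A (XOR) and Fig. 6B (row shift); not the patent's code.
# Matrix size (4x4), function names and sample values are constructed assumptions.
from collections import Counter

N = 4

def to_matrix(data: bytes):
    """Pack N*N bytes row by row into an NxN matrix (list of rows)."""
    if len(data) != N * N:
        raise ValueError(f"need exactly {N * N} bytes")
    return [list(data[r * N:(r + 1) * N]) for r in range(N)]

def xor_matrix(a, k):
    """Fig. 6A: b[i][j] = a[i][j] XOR k[i][j]; applying it again with k restores a."""
    return [[x ^ y for x, y in zip(ra, rk)] for ra, rk in zip(a, k)]

def shift_rows(m, offsets):
    """Fig. 6B: rotate row i left by offsets[i]; the offsets play the role of the key."""
    return [row[o % N:] + row[:o % N] for row, o in zip(m, offsets)]

def unshift_rows(m, offsets):
    """Inverse of shift_rows: rotate each row right by the same offset."""
    return shift_rows(m, [-o for o in offsets])

def flatten(m):
    return bytes(v for row in m for v in row)

def analyse():
    """Run both operations on constructed data and report their properties."""
    key = to_matrix(bytes(range(0xA0, 0xB0)))   # constructed key matrix
    p1 = to_matrix(b"CONFIDENTIAL-001")         # constructed 16-byte plaintexts
    p2 = to_matrix(b"CONFIDENTIAL-002")
    offsets = [0, 1, 2, 3]                      # row 1 unshifted, row 2 by one, ...
    c1, c2 = xor_matrix(p1, key), xor_matrix(p2, key)
    shifted = shift_rows(p1, offsets)
    layered = xor_matrix(shifted, key)          # both operations applied in turn
    return {
        "xor_round_trip": xor_matrix(c1, key) == p1,
        "shift_round_trip": unshift_rows(shifted, offsets) == p1,
        "layered_round_trip": unshift_rows(xor_matrix(layered, key), offsets) == p1,
        # Same key on two plaintexts: the key cancels, so c1 XOR c2 == p1 XOR p2.
        "key_cancels_on_reuse": xor_matrix(c1, c2) == xor_matrix(p1, p2),
        # One known plaintext/ciphertext pair reveals the whole key matrix.
        "key_from_known_pair": xor_matrix(p1, c1) == key,
        # A shift only moves positions: the byte values themselves are unchanged.
        "shift_keeps_byte_values": Counter(flatten(shifted)) == Counter(flatten(p1)),
    }

if __name__ == "__main__":
    for name, ok in analyse().items():
        print(f"{name}: {ok}")
```
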

The above description is of preferred embodiments of the present invention. Those skilled in the art should understand that it is intended to illustrate the present invention and not to limit the scope of the patent rights claimed. The scope of patent protection is determined by the appended claims and their equivalents. Changes or refinements made by those skilled in the art without departing from the spirit or scope of this patent are equivalent changes or designs completed within the spirit disclosed by the present invention and shall be included in the scope of the claims below.

200‧‧‧Disk information security system

201‧‧‧Processing module

209‧‧‧Input source authentication module

210‧‧‧Disk

211‧‧‧Bit-lock disk management module

213‧‧‧Bit-lock disk drive module

215‧‧‧Bit-lock disk authentication module

215A‧‧‧Hardware authentication unit

215C‧‧‧Bit-lock disk authentication unit

221‧‧‧Protection permission module

223‧‧‧Public library module

225‧‧‧Protection drive module

Claims (9)

1. A disk information security system, comprising: a bit-lock disk management module that manages confidential files stored on at least one bit-lock disk; a bit-lock disk drive module, coupled to the bit-lock disk management module, that enables the confidential files to be accessed by a processing module; a protection drive module, coupled to the bit-lock disk drive module, that prevents unauthorized access to the confidential files stored on the at least one bit-lock disk; and a bit-lock disk authentication module, coupled to the bit-lock disk management module, that authenticates the protection permissions of the at least one bit-lock disk or of the confidential files when the at least one bit-lock disk or the confidential files are accessed.

2. The disk information security system of claim 1, further comprising a protection permission module, coupled to the protection drive module, that sets the scope of the protection permissions the protection drive module applies to the confidential files, including reading, previewing, printing, deleting, writing, copying, the time of existence in memory, or any combination of these protection permissions.

3. The disk information security system of claim 2, further comprising a public library module, coupled to the protection drive module, that stores the path addresses of the confidential files on the at least one bit-lock disk, so that the bit-lock disk management module can access the confidential files stored on the at least one bit-lock disk.

4. The disk information security system of claim 3, wherein the file format in the public library module is a dynamic-link library (DLL), to improve the compatibility of the disk information security system.

5. The disk information security system of claim 4, wherein the public library module includes a protection drive function unit that records the setting functions of the protection permissions, can be updated as needed, and notifies the protection drive module to start when a confidential file is accessed.

6. The disk information security system of claim 1, further comprising an input source authentication module, coupled to the processing module, that identifies a local or remote input source and, through the scope of protection permissions defined in the protection drive module, sets whether local or remote access to the confidential files is permitted.

7. The disk information security system of claim 1, wherein the algorithm with which the bit-lock disk authentication module authenticates the protection permissions can be, but is not limited to, RSA, ElGamal, the Diffie-Hellman key exchange protocol, an elliptic curve encryption algorithm, AES, DES, 3DES, Blowfish, IDEA, RC5, RC6, or any combination of these algorithms.

8. The disk information security system of claim 1, wherein the bit-lock disk authentication module includes a hardware authentication unit that stores a hardware key and authenticates the corresponding specific bit-lock disk in the disk information security system.

9. The disk information security system of claim 1, wherein the bit-lock disk authentication module includes a bit-lock disk authentication unit that stores a bit-lock disk key, wherein the length of the bit-lock disk key can be 32 bits to 512 bits.
TW108140686A 2019-11-08 2019-11-08 Disc security system TWI745784B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108140686A TWI745784B (en) 2019-11-08 2019-11-08 Disc security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108140686A TWI745784B (en) 2019-11-08 2019-11-08 Disc security system

Publications (2)

Publication Number Publication Date
TW202119244A true TW202119244A (en) 2021-05-16
TWI745784B TWI745784B (en) 2021-11-11

Family

ID=77020774

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108140686A TWI745784B (en) 2019-11-08 2019-11-08 Disc security system

Country Status (1)

Country Link
TW (1) TWI745784B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL235729A (en) * 2014-11-17 2017-06-29 Kaluzhny Uri Secure storage device and method
JP6045728B1 (en) * 2015-10-14 2016-12-14 株式会社アイキュエス ACCESS MANAGEMENT SYSTEM, FILE ACCESS SYSTEM, ENCRYPTION DEVICE, AND PROGRAM
CN108073351B (en) * 2016-11-11 2021-06-15 阿里巴巴集团控股有限公司 Data storage method of nonvolatile storage space in chip and credible chip

Also Published As

Publication number Publication date
TWI745784B (en) 2021-11-11

Similar Documents

Publication Publication Date Title
US7428306B2 (en) Encryption apparatus and method for providing an encrypted file system
US8799651B2 (en) Method and system for encrypted file access
US20080072071A1 (en) Hard disc streaming cryptographic operations with embedded authentication
KR101613146B1 (en) Method for encrypting database
US20050262361A1 (en) System and method for magnetic storage disposal
US20030221115A1 (en) Data protection system
US20080016127A1 (en) Utilizing software for backing up and recovering data
CN100378689C (en) Enciphered protection and read write control method for computer data
JP2002318719A (en) Highly reliable computer system
US8200964B2 (en) Method and apparatus for accessing an encrypted file system using non-local keys
US10346319B1 (en) Separate cryptographic keys for protecting different operations on data
KR20140051350A (en) Digital signing authority dependent platform secret
JP2024500732A (en) Cryptographic erasure of data stored in key-per IO-enabled devices via internal operations
US9361483B2 (en) Anti-wikileaks USB/CD device
US20130145145A1 (en) System and method of securing data using a server-resident key
US7694154B2 (en) Method and apparatus for securely executing a background process
TWI745784B (en) Disc security system
US20210083858A1 (en) Crypto-erasure via internal and/or external action
CN112784321B (en) Disk resource security system
Liu et al. A file protection scheme based on the transparent encryption technology
TWI783189B (en) Bitlocker disc administration system
Borders et al. Securing sensitive content in a view-only file system
US20210409196A1 (en) Secure Key Storage Systems Methods And Devices
CN112784322A (en) Bit lock disk management system
GB2624693A (en) Updating secure guest metadata of a specific guest instance