WO2021164166A1 - Service data protection method, apparatus and device, and readable storage medium - Google Patents


Info

Publication number
WO2021164166A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
data
business
encryption
program
Application number
PCT/CN2020/098032
Other languages
French (fr)
Chinese (zh)
Inventor
邢希双
Original Assignee
苏州浪潮智能科技有限公司
Application filed by 苏州浪潮智能科技有限公司
Publication of WO2021164166A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2107 File encryption

Definitions

  • the present invention relates to the technical field of data security assurance, in particular to a method, device, equipment and readable storage medium for protecting business data.
  • Encryption and decryption capabilities are usually implemented as independent hardware (such as an HSM or USB Key), independent systems (such as a KMS or KMC) or independent chips (such as a TPM), separate from the operating system that hosts the application program, in order to achieve sufficient security.
  • the purpose of the present invention is to provide a business data protection method, device, equipment and readable storage medium, so as to effectively protect business data without adding additional encryption and decryption hardware.
  • the present invention provides the following technical solutions:
  • a business data protection method applied to a file system filter driver, including:
  • it also includes:
  • the key generation logic is used to update the key periodically.
  • periodically updating the key using the key generation logic includes:
  • the method further includes:
  • combining the multiple pieces of block key data to obtain the key includes:
  • using the key combination logic, after code obfuscation, to combine the pieces of block key data into the key.
  • it also includes:
  • verifying whether the target business program is legal includes:
  • before the encryption/decryption request sent by the target service program is received through the secure communication channel, the method further includes:
  • the ID corresponding to the legal business program is recorded in the trusted business program table.
  • a business data protection device applied to a file system filter driver, including:
  • the encryption and decryption request obtaining module is used to receive the encryption and decryption request sent by the target business program through the secure communication channel;
  • the legality verification module is used to verify whether the target business program is legal;
  • the encryption and decryption processing module is configured to perform encryption and decryption processing on the business data corresponding to the encryption and decryption request if the target business program is legal;
  • the data protection module is configured to disconnect the secure communication channel with the target business program if the target business program is illegal.
  • it also includes:
  • the key update module is used to periodically update the key using key generation logic.
  • the key update module is specifically configured to periodically generate a new key by using the key generation logic together with the transformation and combination of the designated data, where the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and the currently generated random number; the segments of the new key are then used to update the segmented key data in the designated file.
  • a key acquisition module configured to read multiple pieces of block key data from a designated file that is hidden from the outside after the file system is restarted, and to combine the multiple pieces of block key data to obtain the key.
  • a business data protection device, including:
  • a memory used to store a computer program;
  • a processor used to implement the steps of the business data protection method when the computer program is executed.
  • a readable storage medium having a computer program stored on the readable storage medium, and when the computer program is executed by a processor, the steps of the foregoing business data protection method are realized.
  • Applying the method provided by the embodiment of the present invention: a secure communication channel is used to receive the encryption and decryption request sent by the target business program; whether the target business program is legal is verified; if so, the key is used to perform encryption and decryption processing on the business data corresponding to the request; if not, the secure communication channel with the target business program is disconnected.
  • the legitimacy of the target business program is verified first. Only after the target business program is determined to be legal is the key used to encrypt or decrypt the business data corresponding to the request. If the target business program is determined to be illegal, the secure channel with it can be disconnected directly. Thus the encryption and decryption protection of business data is realised through the file system filter driver without adding hardware. In addition, because the encryption and decryption request is transmitted through the secure communication channel and the legality of the target business program is verified, the business data is protected from multiple angles, which guarantees its security.
  • the embodiment of the present invention also provides a business data protection device, equipment and a readable storage medium corresponding to the foregoing business data protection method, which have the foregoing technical effects, and will not be repeated here.
  • FIG. 1 is an implementation flowchart of a method for protecting business data in an embodiment of the present invention
  • Figure 2 is a schematic structural diagram of a service data protection device in an embodiment of the present invention.
  • Figure 3 is a schematic structural diagram of a service data protection device in an embodiment of the present invention.
  • Fig. 4 is a schematic diagram of a specific structure of a service data protection device in an embodiment of the present invention.
  • KMS: Key Management System, also called Key Management Center. Built on the key management requirements of banking, mobile, telecommunications and other organisations, it lets users easily create and manage keys, protects the confidentiality, integrity and availability of keys, and meets users' multi-application, multi-service key management needs as well as regulatory and compliance requirements.
  • HSM: Hardware Security Module, a dedicated cryptographic processor designed to protect the life cycle of encryption keys.
  • by securely managing, processing and storing encryption keys in a hardened, tamper-resistant device, the hardware security module becomes the root of the chain of trust and protects the cryptographic infrastructure of the most security-conscious organisations.
  • KMC: the Key Management Center provides encryption key pairs to digital certification authorities, and provides related services such as backup, archiving, restoration and update of these key pairs, so as to meet the needs of certification authorities and judicial forensics.
  • USB Key: a hardware device with a USB interface. It has a built-in microcontroller or smart card chip and some storage space, and can store the user's private key and digital certificate.
  • TPM: security chip.
  • a chip that conforms to the Trusted Platform Module standard must first be able to generate encryption and decryption keys; in addition, it must be able to perform high-speed data encryption and decryption, and act as an auxiliary processor that protects the BIOS and operating system from being modified.
  • ioctl: a function that manages a device's I/O channel in a device driver under the Linux operating system.
  • the application program calls the ioctl function, and the function's processing logic lives in the driver.
  • DeviceIoControl: a function under the Windows operating system that sends a control code directly to the specified device driver, causing the corresponding device to perform the corresponding operation.
  • the application program calls the DeviceIoControl function, and the function's processing logic lives in the driver.
  • System secure communication method (the secure communication channel): the way the application program communicates with the file system filter driver, namely ioctl under the Linux operating system and DeviceIoControl (or a proprietary API function) under the Windows operating system.
  • Figure 1 is a flowchart of a business data protection method in an embodiment of the present invention.
  • the method can be applied to a file system filter driver.
  • the method includes the following steps:
  • S101 Use a secure communication channel to receive an encryption and decryption request sent by a target service program.
  • the secure communication channel can specifically be the ioctl mechanism under the Linux operating system, or the DeviceIoControl mechanism (or a proprietary API function) for communicating with the file system filter driver under the Windows operating system.
  • the encryption and decryption request is a request for encrypting or decrypting business data.
  • the target business program can be any application.
  • memory can be allocated in advance for the business data to be encrypted or decrypted, to hold the result data of the encryption or decryption. A secure communication channel is then established with the file system filter driver.
  • the file system filter driver can receive the encryption and decryption request sent by the target business program through the secure communication channel.
  • the encryption and decryption request can specify the business data to be encrypted and decrypted and the memory address for storing the encryption and decryption results.
  • the file system filter driver can also be hidden. Specifically, when the file system filter driver is started, its entry is removed from the kernel driver linked list. In this way, business programs cannot find the file system filter driver, and trusted business programs that require encryption and decryption are told the access method in advance.
  • the legality of the target business program can be verified through a private verification mechanism agreed with legal business programs, or through the ID of the business program.
  • when a private verification mechanism is adopted, the verification procedure can be agreed with legal business programs in advance; for example, the business program sends agreed information to the file system filter driver.
  • the specific implementation process of verifying whether the target business program is legal based on ID can include:
  • Step 1 Determine whether the ID of the target business program is an ID in the trusted business program table
  • the ID of the target business program is obtained, and the trusted business program table is traversed to determine whether it contains that ID. If the ID is in the trusted business program table, the target business program is determined to be legal; otherwise it is illegal.
  • the trusted business program table is set by pre-writing, or it can be obtained after the legality of the business program is verified through the private verification mechanism agreed with the business program.
  • the following describes in detail how the trusted business program table is obtained through the private verification mechanism.
  • the private verification mechanism agreed with the business program is used to verify the legality of the business program; after the verification passes, the ID corresponding to the legal business program is recorded in the trusted business program table.
  • when the business program is started, it can communicate and interact with the file system filter driver.
  • the file system filter driver uses the private verification mechanism to verify the legality of the business program; after the verification passes, the program's ID is recorded in the trusted business program table.
  • after the legitimacy of the target business program has been determined, the follow-up operation depends on the verification result: if the target business program is legal, step S103 is performed; if the target business program is illegal, step S104 is performed.
  • a key can be used to encrypt and decrypt service data.
  • the key itself can be secured.
  • the physical storage of the key data on the hard disk can adopt a block storage method or a random storage method.
  • block storage, that is, storing the parts of the key data in multiple files
  • the specific implementation of encrypting and decrypting business data based on a block-stored key includes:
  • Step 1 Read multiple pieces of block key data from a designated file that is hidden from the outside, and combine the pieces of block key data to obtain the key;
  • Step 2 Use the key to encrypt and decrypt the service data.
  • for step two, how the key is used to encrypt and decrypt service data follows the existing process for key-based encryption and decryption, which is not repeated here.
  • a symmetric encryption and decryption algorithm can be used to perform encryption and decryption processing on the service data.
  • at any time from when the file system filter driver starts until the key is first used to encrypt or decrypt business data, the driver reads the block key data from the designated file and combines it to obtain the key. In other words, after the file system restarts, the key is held in the designated file in blocks, and the designated file is hidden from the outside. To ensure the reliability of the block key data, it can be stored on a non-volatile readable storage medium such as a hard disk or non-volatile memory.
  • after the block key data has been obtained, the key is obtained by combining it.
  • the block key data can specifically be combined by key combination logic.
  • code obfuscation can also be applied to the key combination logic; that is, the file system filter driver can use the code-obfuscated key combination logic to combine the multiple pieces of block key data into the key.
  • for code obfuscation of the key combination logic, reference may be made to existing code obfuscation methods; for example, junk-instruction insertion ("flower instructions") can be used to obfuscate the key combination logic.
  • the key generation logic can also be used to update the key periodically.
  • the key generation logic can be used to generate a new key periodically, in combination with the transformation and combination of the designated data, where the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and the currently generated random number; the segments of the new key are then used to update the segmented key data in the designated file. That is, when the key itself is updated, the block key data stored in the designated file is also updated, so that the currently valid key can be obtained after the system restarts.
  • when the key is updated, the already encrypted data is also decrypted.
  • the file system filter driver periodically modifies the key, and performs the following operations:
  • when the file system filter driver is started for the first time after installation, the initial encryption and decryption key is generated automatically.
  • the initial key is generated in a secure way; for example, the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a freshly generated random number can be transformed and combined to produce the key. The generated key data is kept in segments in the designated files, and the generation logic is protected by code obfuscation (for example junk-instruction insertion, "flower instructions") to keep the generation logic secure.
  • after the file system filter driver has run for a period of time (for example one week; the interval is configurable), the key is replaced automatically and periodically.
  • the file system filter driver informs each application in the trusted business program table that the key is about to be replaced.
  • after the business application receives the key replacement notification, it connects to the file system filter driver over the secure communication channel, decrypts its encrypted data, and after decryption sends a completion notification to the filter driver.
  • after the file system filter driver has received completion notifications from all business applications, it generates a new key in a secure way (the generation method and process are the same as for the first key).
  • after the new key is generated, the file system filter driver notifies each application in the trusted business program table that the key replacement is complete.
  • after the business application receives the notification that the key replacement is complete, it connects to the file system filter driver over the secure communication channel to encrypt the data that needs to be encrypted.
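The replacement handshake described in the steps above, written out as an added example in C. This is not the patent's code (the patent gives no implementation); it models the driver's side as a small state machine in which the driver refuses to generate the new key until every application in its trusted table has reported that its data is decrypted, and ignores completion messages from applications that are not in the table. The table size, the function names, and the FNV-1a mixing used as a stand-in for the patent's unspecified "transformation and combination" of the designated data are assumptions of the example; FNV-1a is not a key derivation function and appears only so that the block is self-contained.

```c
/* Added example, not code from the patent: a simulation of the key-replacement
 * handshake between the file system filter driver and its trusted business
 * applications. The table size, the function names and the FNV-1a mixing used as
 * a stand-in for the patent's unspecified "transformation and combination" of the
 * designated data are assumptions of this example. */
#include <stdint.h>
#include <string.h>

#define MAX_TRUSTED 8
#define KEY_LEN     16

typedef struct {                 /* the "designated data" fed into key generation */
    uint8_t  mac[6];             /* MAC address of the hardware network card (observable) */
    uint32_t cpu_id;             /* ID of the hardware CPU (observable) */
    uint64_t sys_time;           /* current system time (guessable) */
    uint64_t random;             /* freshly generated random number: the only secret input */
} designated_data_t;

typedef enum { ROT_IDLE, ROT_WAIT_DECRYPT, ROT_DONE } rot_state_t;

typedef struct {
    uint32_t    trusted_ids[MAX_TRUSTED];   /* trusted business program table */
    int         decrypt_done[MAX_TRUSTED];  /* per-app "decryption complete" flag */
    int         n_trusted;
    rot_state_t state;
    uint8_t     key[KEY_LEN];
    uint32_t    key_version;
} filter_driver_t;

static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Assumed stand-in for "transform and combine": FNV-1a over the designated data,
 * stretched to KEY_LEN bytes. Not a key derivation function; illustration only. */
void generate_key(const designated_data_t *dd, uint8_t out[KEY_LEN]) {
    for (int i = 0; i < KEY_LEN; i += 8) {
        uint64_t h = 0xcbf29ce484222325ULL ^ (uint64_t)i;
        h = fnv1a(h, dd->mac, sizeof dd->mac);
        h = fnv1a(h, &dd->cpu_id, sizeof dd->cpu_id);
        h = fnv1a(h, &dd->sys_time, sizeof dd->sys_time);
        h = fnv1a(h, &dd->random, sizeof dd->random);
        memcpy(out + i, &h, 8);
    }
}

/* First start after installation: the initial key is generated automatically. */
void driver_init(filter_driver_t *d, const designated_data_t *dd) {
    memset(d, 0, sizeof *d);     /* state becomes ROT_IDLE */
    d->key_version = 1;
    generate_key(dd, d->key);
}

int driver_add_trusted(filter_driver_t *d, uint32_t app_id) {
    if (d->n_trusted >= MAX_TRUSTED) return -1;
    d->trusted_ids[d->n_trusted++] = app_id;
    return 0;
}

static int trusted_index(const filter_driver_t *d, uint32_t app_id) {
    for (int i = 0; i < d->n_trusted; i++)
        if (d->trusted_ids[i] == app_id) return i;
    return -1;
}

/* Driver -> apps: "the key is about to be replaced, decrypt your data". */
int driver_begin_rotation(filter_driver_t *d) {
    if (d->state != ROT_IDLE) return -1;
    memset(d->decrypt_done, 0, sizeof d->decrypt_done);
    d->state = ROT_WAIT_DECRYPT;
    return 0;
}

/* App -> driver: "decryption complete". Returns 1 when this message completes the
 * set and the new key has been generated from `fresh`, 0 while other trusted apps
 * are still pending, -1 when ignored (unknown app, or no rotation in progress). */
int driver_on_decrypt_complete(filter_driver_t *d, uint32_t app_id,
                               const designated_data_t *fresh) {
    int idx = trusted_index(d, app_id);
    if (idx < 0 || d->state != ROT_WAIT_DECRYPT) return -1;
    d->decrypt_done[idx] = 1;
    for (int i = 0; i < d->n_trusted; i++)
        if (!d->decrypt_done[i]) return 0;
    generate_key(fresh, d->key);   /* same method as the first generation */
    d->key_version++;
    d->state = ROT_DONE;
    return 1;
}

/* Driver -> apps: "replacement complete, re-encrypt"; the driver returns to idle. */
int driver_finish_rotation(filter_driver_t *d) {
    if (d->state != ROT_DONE) return -1;
    d->state = ROT_IDLE;
    return 0;
}
```

A cycle is driven as driver_init, driver_add_trusted for each registered application, driver_begin_rotation, one driver_on_decrypt_complete per trusted application with fresh designated data, and driver_finish_rotation once the last of them returns 1. Two points a practitioner would check against this flow: between an application's completion report and the driver's "replacement complete" notification that application's data sits decrypted, so the window should be kept short and a rotation should not be started while any trusted application is unreachable; and of the four designated inputs only the random number is secret, since the MAC address, CPU ID and system time are observable, so the strength of the generated key rests on that random number.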
  • the eight files are randomly distributed at different positions on the hard disk.
  • the eight files are logically ordered, and the order is known only to the filter driver.
  • when the filter driver needs to write key data to the hard disk, it first generates a random number between 1 and 8, XORs the key data with the random number, and writes the XORed key data together with the random number into the file at the corresponding position in the order. It then excludes the file that has just been written and generates a new random number between 1 and 7, and so on.
  • when reading, the contents of the 8 files are read in sequence.
  • the file serial number is read from a fixed position in each file, and the file containing the key data is located according to the file serial number.
  • XORing the relevant content with the serial number yields the actual key data.
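The eight-file layout just described, as an added example in C that is not the patent's code: each key segment is written to a randomly chosen, not yet used file (the random number between 1 and 8, then 1 and 7, and so on), the segment's serial number is stored at a fixed position in that file, and the segment bytes are XORed with the serial number; reading scans the files in sequence, takes the serial number from the fixed position, XORs the content back and places the segment at its logical index. The files are modelled as in-memory buffers, the serial-number offset and segment length are assumptions, and the reading that the stored serial number identifies the key segment (rather than the file) is the editor's interpretation of the description.

```c
/* Added example, not the patent's code: the eight-file segmented key storage
 * described above, with the files modelled as in-memory buffers. The offset of
 * the serial number, the segment length and the reading that the serial number
 * identifies the key segment are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_FILES     8
#define KEY_LEN       32
#define SEG_LEN       (KEY_LEN / NUM_FILES)   /* 4 key bytes per file */
#define SERIAL_OFFSET 0                       /* fixed position of the serial number */
#define FILE_LEN      (1 + SEG_LEN)

typedef struct { uint8_t data[FILE_LEN]; } key_file_t;

/* Write path: for each key segment pick a random, not yet used file (the
 * "random number between 1 and 8, then 1 and 7, ..."), store the segment's
 * serial number (1..8) at the fixed position and the segment XORed with it. */
void store_key_blocks(const uint8_t key[KEY_LEN], key_file_t files[NUM_FILES], unsigned seed) {
    int remaining[NUM_FILES], n_remaining = NUM_FILES;
    for (int i = 0; i < NUM_FILES; i++) remaining[i] = i;
    srand(seed);   /* fixed seed keeps the example reproducible; a driver would use its CSPRNG */
    for (int seg = 0; seg < NUM_FILES; seg++) {
        int pick = rand() % n_remaining;
        int slot = remaining[pick];
        remaining[pick] = remaining[--n_remaining];  /* exclude the file just written */
        uint8_t serial = (uint8_t)(seg + 1);
        files[slot].data[SERIAL_OFFSET] = serial;
        for (int b = 0; b < SEG_LEN; b++)
            files[slot].data[1 + b] = key[seg * SEG_LEN + b] ^ serial;
    }
}

/* Read path: scan the files in sequence, take the serial number from its fixed
 * position, XOR the content back and place the segment at its logical index.
 * Returns 0 on success, -1 if a serial number is out of range or repeated. */
int load_key_blocks(const key_file_t files[NUM_FILES], uint8_t key[KEY_LEN]) {
    int seen[NUM_FILES + 1] = {0};
    for (int f = 0; f < NUM_FILES; f++) {
        uint8_t serial = files[f].data[SERIAL_OFFSET];
        if (serial < 1 || serial > NUM_FILES || seen[serial]) return -1;
        seen[serial] = 1;
        for (int b = 0; b < SEG_LEN; b++)
            key[(serial - 1) * SEG_LEN + b] = files[f].data[1 + b] ^ serial;
    }
    return 0;
}

int main(void) {
    uint8_t key[KEY_LEN], back[KEY_LEN];          /* constructed sample key */
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(i * 17 + 3);
    key_file_t files[NUM_FILES];
    memset(files, 0, sizeof files);
    store_key_blocks(key, files, 42);
    int rc = load_key_blocks(files, back);
    printf("load rc=%d, round trip %s\n", rc, memcmp(key, back, KEY_LEN) == 0 ? "ok" : "FAILED");
    return rc;
}
```

The XOR with a one-byte serial number in the range 1 to 8 is a reversible transformation without any secret: whoever can read all eight files recovers the key, so the confidentiality of the key rests entirely on the filter driver hiding the files and denying access to them, and on the logical order being known only to the driver. The reader also rejects a file whose serial number is out of range or duplicated; a driver should treat that as tampering or corruption rather than silently assembling a wrong key.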
  • the secure communication channel with the target business program can be disconnected.
  • the business data protection method disclosed in the embodiment of the present invention is a pure software encryption and decryption method for application programs, based on a file system filter driver.
  • This method has the characteristics of low external dependence, simple deployment and high security.
  • the core of the method is to add a file system filter driver to the operating system where the application program is located, and to realise key file hiding and access protection through that filter driver. The file system filter driver is installed manually on the operating system where it is to be deployed (no additional installer, which is more secure) and set to start with the system.
  • when a business application is started for the first time, its application ID is passed to the file system filter driver over the secure communication channel.
  • the file system filter driver removes itself from the kernel driver list at startup.
  • when the file system filter driver receives the application ID transmitted by the business application, it first verifies the legitimacy of the business application and then saves the application ID in kernel-space memory.
  • the file system filter driver keeps the key data used for encryption and decryption in kernel-space memory, and saves it in segments to a number of designated files.
  • the attribute of the files holding the key data is set to hidden, and ordinary users cannot view these files.
  • while the file system filter driver is running, it monitors the files that store the key data, intercepts file access, and denies all access to these files.
  • when business applications need encryption or decryption, they use the system's secure communication method to pass plaintext and obtain ciphertext, or to pass ciphertext and obtain plaintext.
  • the salient feature of this method is that the file system filter driver is used to save and protect the key.
  • the business application program encrypts and decrypts sensitive data through the system secure communication method (i.e. the secure communication channel). No program other than the business application program can use the encryption and decryption function provided by the filter driver, and no program can obtain or view the encryption and decryption keys.
  • the file system filter driver is implemented at the kernel layer of the operating system where the business application is located, and can be manually installed and configured to automatically start with the system.
  • when the file system filter driver is started, it automatically reads the block key data from the designated files and combines it into the key data. If there is no block key data, the file system filter driver is being started for the first time after installation, and it automatically generates the encryption and decryption key.
  • when the operating system restarts, the file system filter driver, being located in kernel space, starts before all applications, which protects the key data in the designated files from being damaged.
  • the file system filter driver receives the application ID issued by the business application and stores the application ID in the kernel linked list.
  • after the filter driver generates the key, it keeps the key data in kernel memory and saves it in blocks in the designated files.
  • the file system filter driver intercepts access to each file storing the key data in real time, and all applications' access to these files will be denied.
  • the file system filter driver performs key replacement on a regular basis.
  • the file system filter driver receives the application ID of the application, and the processing steps are as follows:
  • the legality verification uses the private verification mechanism agreed between the business application and the file system filter driver, and the corresponding verification logic in the file system filter driver is protected by code obfuscation (for example junk-instruction insertion, "flower instructions") to keep the verification logic secure. Application requests that fail the verification are ignored.
  • the application ID is saved in a kernel linked list (a concrete form of the trusted business program table).
  • after the file system filter driver receives the encryption and decryption request of the business application, it can perform the following operations:
  • for a business application using the business data protection method provided by the embodiment of the present invention, the application needs to establish a connection with the file system filter driver when it starts and then send its own application ID to the file system filter driver; after receiving the filter driver's success response, it can request encryption and decryption of business data from the file system filter driver. After the file system filter driver is loaded, it removes itself from the kernel module linked list, so applications other than business applications cannot find the filter driver.
  • the business application obtains its own application ID.
  • the business application program allocates memory to store the encryption and decryption result data.
  • in the business data protection method proposed by the embodiment of the present invention, the business application obtains its own application ID, passes the application ID to the file system filter driver through the system secure communication method and a private authentication mechanism, and attaches the application ID to the request data it sends to the file system filter driver whenever it needs the encryption and decryption function.
  • a file system filter driver is added to the kernel layer of the operating system where the business application is located; after it starts, the file system filter driver removes itself from the kernel module linked list to hide from applications. The application ID linked list and the securely generated key data are kept in the kernel memory of the file system filter driver, the key data is persistently stored in blocks in the designated hidden files, and the file system filter driver intercepts all access to the saved key files so that every such access fails.
  • the file system filter driver is integrated in the operating system kernel, runs with the operating system, and is not perceived by upper-level applications. This method can guarantee the confidentiality and availability of application business sensitive data to the greatest extent without resorting to independent hardware/system/chip.
  • the embodiment of the present invention also provides a business data protection device, which can be applied to a file system filter driver.
  • the business data protection device described below and the business data protection method described above may be referenced against each other.
  • the device includes the following modules:
  • the encryption and decryption request obtaining module 101 is configured to receive the encryption and decryption request sent by the target business program by using the secure communication channel;
  • the legality verification module 102 is used to verify whether the target business program is legal;
  • the encryption and decryption processing module 103 is configured to perform encryption and decryption processing on the business data corresponding to the encryption and decryption request by using the key if the target business program is legal;
  • the data protection module 104 is configured to disconnect the secure communication channel with the target business program if the target business program is illegal.
  • the secure communication channel is used to receive the encryption and decryption request sent by the target business program; whether the target business program is legal is verified; if so, the key is used to perform encryption and decryption processing on the business data corresponding to the request; if not, the secure communication channel with the target business program is disconnected.
  • the legitimacy of the target business program is verified first. Only after the target business program is determined to be legal is the key used to encrypt or decrypt the business data corresponding to the request. If the target business program is determined to be illegal, the secure channel with it can be disconnected directly. Thus in this device the file system filter driver realises the encryption and decryption protection of business data without adding hardware. In addition, because the encryption and decryption request is transmitted through the secure communication channel and the legality of the target business program is verified, the business data is protected from multiple angles, which guarantees its security.
  • the key update module is used to update the key regularly using the key generation logic.
  • the key update module is specifically configured to periodically generate a new key using the key generation logic together with the transformation and combination of the designated data, where the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and the currently generated random number; the segments of the new key are then used to update the segmented key data in the designated file.
  • a key acquisition module, used to read multiple pieces of block key data from a designated file that is hidden from the outside after the file system is restarted, and to combine the pieces of key data to obtain the key.
  • the key acquisition module is specifically configured to use the code-obfuscated key combination logic to combine the multiple pieces of block key data to obtain the key.
  • a driver stealth module, used to remove the driver's own entry from the kernel driver linked list when the file system filter driver is started.
  • the legality verification module 102 is specifically used to determine whether the ID of the target business program is an ID in the trusted business program table; if so, the target business program is determined to be legal; if not, the target business program is determined to be illegal.
  • a trusted business program table acquisition module, used to verify the legality of the business program through the private verification mechanism agreed with the business program, before the encryption and decryption request sent by the target business program is received through the secure communication channel;
  • after the verification passes, the ID corresponding to the legal business program is recorded in the trusted business program table.
  • the embodiment of the present invention also provides a service data protection device.
  • the service data protection device described below and the service data protection method described above can be referenced correspondingly.
  • the service data protection equipment includes:
  • the memory D1 is used to store computer programs
  • the processor D2 is configured to implement the steps of the business data protection method in the foregoing method embodiment when the computer program is executed.
  • FIG. 4 is a schematic diagram of the specific structure of a business data protection device provided by this embodiment.
  • the business data protection device may vary considerably in configuration or performance, and may include one or more central processing units (CPU) 322 (for example, one or more processors), a memory 332, and one or more storage media 330 (for example, one or more mass storage devices) storing application programs 342 or data 344.
  • the memory 332 and the storage medium 330 may be short-term storage or persistent storage.
  • the program stored in the storage medium 330 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the data processing device.
  • the central processing unit 322 may be configured to communicate with the storage medium 330, and execute a series of instruction operations in the storage medium 330 on the service data protection device 301.
  • the business data protection device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input and output interfaces 358, and/or one or more operating systems 341, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
  • the steps in the business data protection method described above can be implemented by the structure of the business data protection device.
  • the embodiment of the present invention also provides a readable storage medium, and a readable storage medium described below and a service data protection method described above can be referenced correspondingly.
  • a readable storage medium in which a computer program is stored, and when the computer program is executed by a processor, the steps of the business data protection method in the foregoing method embodiment are implemented.
  • the readable storage medium may specifically be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium that can store program code.

Abstract

Provided are a service data protection method, apparatus and device, and a readable storage medium. The method comprises the following steps: using a secure communication channel to receive an encryption and decryption request sent by a target service program; verifying whether the target service program is legitimate; and if so, using a key to perform encryption and decryption processing on service data corresponding to the encryption and decryption request, and if not, disconnecting the secure communication channel with the target service program. In this method, encryption and decryption protection can be performed on service data by means of a file system filtering driver without a hardware device; in addition, due to the fact that an encryption and decryption request is transmitted by means of a secure communication channel, the legitimacy of a target service program is verified, and the service data is covered by multiple types of protection from multiple protection perspectives, such that the security of the service data can be guaranteed.

Description

Business data protection method, device, equipment and readable storage medium
This application claims priority to Chinese patent application No. 202010104952.3, entitled "Business data protection method, device, equipment and readable storage medium", filed with the Chinese Patent Office on February 20, 2020, the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the technical field of data security assurance, and in particular to a business data protection method, device, equipment and readable storage medium.
Background
With the development of new technologies such as cloud computing and big data, the security requirements for cloud hosts and servers keep rising. The application programs on cloud hosts and servers are the carriers of the services provided to the outside; they serve users by processing all kinds of business data. Business data contains a great deal of sensitive information, and an attacker who obtains it can easily profit from it. Business data is therefore a primary target of external attackers, and preventing the leakage of sensitive information in business data has become a top priority. The most common means of protecting sensitive information in business data is encryption, both encrypted storage and encrypted transmission. To an attacker, a piece of encrypted business data is a locked door from which no valuable information can be obtained. Because encryption is so important, the encryption and decryption system itself must be sufficiently secure and robust.
Encryption and decryption capability is usually implemented as independent hardware (such as an HSM or USB Key), an independent system (such as a KMS or KMC) or an independent chip (such as a TPM), kept separate from the operating system on which the application program runs in order to achieve sufficient security. In real production environments, however, some small systems have a very low budget, and if independent hardware, systems or chips are introduced, the system vendor cannot accept the additional hardware cost. In addition, when existing business systems are upgraded for security, the operator or customer often does not permit additional hardware, systems or chips to be added.
In summary, how to protect business data effectively without adding encryption and decryption hardware is a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
The purpose of the present invention is to provide a business data protection method, device, equipment and readable storage medium, so as to protect business data effectively without adding encryption and decryption hardware.
To solve the above technical problem, the present invention provides the following technical solutions:
A business data protection method, applied to a file system filter driver, comprising:
receiving, over a secure communication channel, an encryption or decryption request sent by a target business program;
verifying whether the target business program is legitimate;
if so, using a key to encrypt or decrypt the business data corresponding to the request;
if not, disconnecting the secure communication channel with the target business program.
Preferably, the method further comprises:
periodically updating the key using key generation logic.
Preferably, periodically updating the key using key generation logic comprises:
periodically generating a new key using the key generation logic together with a transformation and combination of designated data, wherein the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a currently generated random number;
using the segments of the new key to update the block key data in the designated files.
Preferably, after the file system restarts, the method further comprises:
reading a plurality of blocks of key data from designated files that are hidden from the outside, and combining the blocks of key data to obtain the key.
Preferably, combining the blocks of key data to obtain the key comprises:
combining the plurality of blocks of key data using code-obfuscated key combination logic to obtain the key.
Preferably, the method further comprises:
when the file system filter driver starts, removing its own entry from the kernel driver linked list.
Preferably, verifying whether the target business program is legitimate comprises:
determining whether the ID of the target business program is an ID in the trusted business program table;
if so, determining that the target business program is legitimate;
if not, determining that the target business program is illegitimate.
Preferably, before receiving the encryption or decryption request sent by the target business program over the secure communication channel, the method further comprises:
verifying the legitimacy of the business program using a private verification mechanism agreed with the business program;
after the verification passes, recording the ID of the legitimate business program in the trusted business program table.
A business data protection device, applied to a file system filter driver, comprising:
a request acquisition module, configured to receive, over a secure communication channel, an encryption or decryption request sent by a target business program;
a legitimacy verification module, configured to verify whether the target business program is legitimate;
an encryption and decryption processing module, configured to encrypt or decrypt the business data corresponding to the request if the target business program is legitimate;
a data protection module, configured to disconnect the secure communication channel with the target business program if the target business program is illegitimate.
Preferably, the device further comprises:
a key update module, configured to periodically update the key using key generation logic.
Preferably, the key update module is specifically configured to periodically generate a new key using the key generation logic together with a transformation and combination of designated data, wherein the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a currently generated random number; and to use the segments of the new key to update the block key data in the designated files.
Preferably, the device further comprises a key acquisition module, configured to read, after the file system restarts, a plurality of blocks of key data from designated files that are hidden from the outside, and to combine the blocks of key data to obtain the key.
Business data protection equipment, comprising:
a memory, configured to store a computer program; and
a processor, configured to implement the steps of the above business data protection method when executing the computer program.
A readable storage medium, on which a computer program is stored, the computer program implementing the steps of the above business data protection method when executed by a processor.
With the method provided by the embodiments of the present invention, an encryption or decryption request sent by a target business program is received over a secure communication channel; whether the target business program is legitimate is verified; if so, a key is used to encrypt or decrypt the business data corresponding to the request; if not, the secure communication channel with the target business program is disconnected.
In this embodiment, to protect the key itself as well as the business data, the legitimacy of the target business program is verified first, and only after the target business program is determined to be legitimate is the key used to encrypt or decrypt the business data corresponding to the request. If the target business program is determined to be illegitimate, the secure channel with it can be disconnected directly. Thus, in this method, the file system filter driver alone provides encryption and decryption protection for business data, with no hardware to add. Further, because the request is transmitted over the secure communication channel and the legitimacy of the target business program is verified, business data is protected at multiple levels, which safeguards its security.
Correspondingly, the embodiments of the present invention also provide a business data protection device, equipment and readable storage medium corresponding to the above method, which have the same technical effects and are not described again here.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a business data protection method in an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a business data protection device in an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of business data protection equipment in an embodiment of the present invention;
FIG. 4 is a schematic diagram of the specific structure of business data protection equipment in an embodiment of the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the present invention is further described in detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To help those skilled in the art better understand the business data protection method provided by the embodiments of the present invention, the abbreviations and key terms used herein are explained below.
KMS: key management system, also called key management center. Built around the key management security requirements of banking, mobile, telecommunications and other organizations, it lets users easily create and manage keys, protects the confidentiality, integrity and availability of keys, satisfies users' multi-application, multi-business key management needs, and meets regulatory and compliance requirements.
HSM: hardware security module, a dedicated cryptographic processor designed to protect the life cycle of cryptographic keys. By managing, processing and storing keys securely inside a hardened, tamper-resistant device, the HSM has become the root of the chain of trust and protects the cryptographic infrastructure of the most security-conscious organizations in the world.
KMC: key management center, which provides encryption key pairs for a certificate authority, together with backup, archiving, recovery and update services for those key pairs, so as to meet the needs of the certificate authority and of judicial forensics.
USB Key: a hardware device with a USB interface. It contains a microcontroller or smart card chip and a certain amount of storage, and can store the user's private key and digital certificate.
TPM: security chip, meaning a security chip conforming to the Trusted Platform Module standard, which can effectively protect a computer and prevent access by unauthorized users. A chip conforming to the Trusted Platform Module standard must first be able to generate encryption and decryption keys; it must also be able to encrypt and decrypt data at high speed and act as a coprocessor that protects the BIOS and operating system from modification.
ioctl: the function through which a device driver manages a device's I/O channel under the Linux operating system. The application program calls ioctl; the processing logic of the call lives in the driver.
DeviceIoControl: the function that, under the Windows operating system, sends a control code directly to a specified device driver so that the corresponding device performs the corresponding operation. The application program calls DeviceIoControl; the processing logic of the call lives in the driver.
System secure communication mode: that is, the secure communication channel, which refers to the way an application program communicates with the file system filter driver, via ioctl under the Linux operating system and via DeviceIoControl (or a proprietary API function) under the Windows operating system.
Embodiment 1:
Please refer to FIG. 1, which is a flowchart of a business data protection method in an embodiment of the present invention. The method can be applied to a file system filter driver and includes the following steps:
S101. Receive, over a secure communication channel, an encryption or decryption request sent by a target business program.
The secure communication channel may specifically be the ioctl mode under the Linux operating system, or communication with the file system filter driver via DeviceIoControl (or a proprietary API function) under the Windows operating system.
An encryption or decryption request is a request to encrypt or decrypt business data.
The target business program can be any application program. When the target business program needs to encrypt or decrypt business data, it can first allocate memory for the business data to be processed, in which the result of the encryption or decryption will be stored, and then establish a secure communication channel with the file system filter driver.
The file system filter driver can then receive the encryption or decryption request sent by the target business program over the secure communication channel. The request can specify the business data to be encrypted or decrypted and the memory address at which the result is to be stored.
Preferably, to prevent large numbers of illegitimate business programs from accessing the file system filter driver and consuming system resources, the file system filter driver can also be hidden. Specifically, when the file system filter driver starts, it removes its own entry from the kernel driver linked list. Business programs then cannot discover the file system filter driver, while trusted business programs that need encryption or decryption are told in advance how to reach the filter driver.
S102. Verify whether the target business program is legitimate.
The legitimacy of the target business program can be verified through a private verification mechanism agreed with legitimate business programs, or through the ID of the business program. When a private verification mechanism is used, the verification procedure is agreed with legitimate business programs in advance; for example, the business program sends specified information to the file system filter driver.
The specific process of verifying, based on the ID, whether the target business program is legitimate can include:
Step 1. Determine whether the ID of the target business program is an ID in the trusted business program table;
Step 2. If so, determine that the target business program is legitimate;
Step 3. If not, determine that the target business program is illegitimate.
For ease of description, the above three steps are explained together.
When judging whether the target business program is legitimate, the ID of the target business program is obtained and the trusted business program table is traversed to determine whether it contains that ID. If the trusted business program table contains the ID, the target business program is determined to be legitimate; otherwise it is illegitimate.
The trusted business program table can be set by writing it in advance, or it can be obtained after the legitimacy of the business programs has been verified through the private verification mechanism agreed with them. How the trusted business program table is obtained through the private verification mechanism is described in detail below.
Before the encryption or decryption request sent by the target business program is received over the secure communication channel, the legitimacy of the business program can be verified using the private verification mechanism agreed with it; after the verification passes, the ID of the legitimate business program is recorded in the trusted business program table. Specifically, when a business program starts, it can communicate with the file system filter driver, and the file system filter driver verifies the legitimacy of the business program using the private verification mechanism; once the verification passes, the ID is recorded in the trusted business program table.
After the legitimacy of the target business program has been determined, subsequent operations are performed according to the result. Specifically, if the target business program is legitimate, step S103 is performed; if the target business program is illegitimate, step S104 is performed.
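The driver-side flow of steps S101 to S104, as an added example that is not part of the patent: a user-space Python simulation in which the ioctl/DeviceIoControl channel is a `Channel` object, the private verification mechanism is assumed to be an HMAC challenge-response over a shared enrollment secret, the business program ID is an integer such as a process ID, and the cipher is a SHA-256 keystream stand-in. The secret, the challenge format, the control codes and the class names are assumptions, not the patent's.

```python
import hashlib
import hmac
import secrets


class Channel:
    """One open secure communication channel (an ioctl/DeviceIoControl handle
    in the real driver) between a business program and the filter driver."""

    def __init__(self, program_id):
        self.program_id = program_id
        self.open = True


class FilterDriver:
    """Driver-side logic of S101-S104, simulated in user space."""

    REQ_ENCRYPT = 1          # assumed control codes
    REQ_DECRYPT = 2
    NONCE_LEN = 16

    def __init__(self, key, enrollment_secret):
        self._key = key                      # the business-data key
        self._secret = enrollment_secret     # assumed shared secret of the private verification mechanism
        self._trusted = set()                # trusted business program table
        self._pending = {}                   # challenges issued, awaiting a response

    # --- private verification mechanism, run when the business program starts ---
    def challenge(self, program_id):
        nonce = secrets.token_bytes(self.NONCE_LEN)
        self._pending[program_id] = nonce
        return nonce

    def enroll(self, program_id, response):
        nonce = self._pending.pop(program_id, None)
        if nonce is None:
            return False                     # no outstanding challenge for this ID
        expected = hmac.new(self._secret, nonce + program_id.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self._trusted.add(program_id)        # record the ID in the trusted table
        return True

    def forget(self, program_id):
        """Drop an ID from the trusted table, e.g. when the process exits (IDs are reused)."""
        self._trusted.discard(program_id)

    # --- S102: legitimacy check by ID ---
    def is_legal(self, program_id):
        return program_id in self._trusted

    # --- S101/S103/S104: request handling on the secure channel ---
    def handle_request(self, chan, op, payload):
        if not chan.open:
            return None
        if not self.is_legal(chan.program_id):
            chan.open = False                # S104: disconnect the secure channel
            return None
        if op == self.REQ_ENCRYPT:           # S103: encrypt under the driver's key
            nonce = secrets.token_bytes(self.NONCE_LEN)
            return nonce + self._crypt(nonce, payload)
        if op == self.REQ_DECRYPT and len(payload) >= self.NONCE_LEN:
            nonce, body = payload[:self.NONCE_LEN], payload[self.NONCE_LEN:]
            return self._crypt(nonce, body)
        chan.open = False                    # unknown control code or malformed request
        return None

    def _crypt(self, nonce, data):
        """Stand-in symmetric cipher (SHA-256 keystream XOR). The patent leaves the
        algorithm open; a production driver would use an authenticated cipher."""
        out = bytearray()
        for off in range(0, len(data), 32):
            ks = hashlib.sha256(self._key + nonce + off.to_bytes(4, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
        return bytes(out)


def business_program_response(secret, program_id, nonce):
    """Client side of the assumed private verification mechanism."""
    return hmac.new(secret, nonce + program_id.to_bytes(4, "big"), hashlib.sha256).digest()
```

A program that never completed enrollment is disconnected on its first request, as in S104. Because a process ID is only meaningful while the process lives, the driver should call `forget` when the process exits so a later process reusing the ID does not inherit its trust.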
S103. Use the key to encrypt or decrypt the business data corresponding to the request.
Specifically, in practice a key can be used to encrypt and decrypt business data. To improve the security of the key, the key itself can be protected. The physical storage of the key data on the hard disk can use either block storage or random storage.
In block storage, the parts of the key data are stored in multiple files, and a malicious attacker finds it hard to locate every file that holds key data. Even if all the key files are found, the key data cannot be reconstructed without knowing the order in which the files are arranged.
In random storage, the key data is stored whole in one of several similar files. For a malicious attacker it is hard to find all the similar files that could hold key data; even if all of them are found, the attacker does not know which one holds the key, let alone how to recover the key data from it.
That is, whether block storage or random storage is used, all the files involved are hidden and are protected by the access control mechanism of the kernel driver. These mechanisms safeguard the key, and the security of the key is central to a symmetric encryption method.
The different key-protecting storage modes are described in detail below.
The specific process of encrypting and decrypting business data with a key kept in block storage includes:
Step 1. Read a plurality of blocks of key data from designated files that are hidden from the outside, and combine the blocks of key data to obtain the key;
Step 2. Use the key to encrypt or decrypt the business data.
For step 2, how the key is used to encrypt or decrypt business data follows existing procedures for key-based encryption and decryption of data, which are not repeated here.
For step 2, in the embodiments of the present invention a symmetric encryption and decryption algorithm can be used to encrypt and decrypt the business data.
Specifically, at any time from when the file system filter driver starts until the key is needed to encrypt or decrypt business data, the driver can read the blocks of key data from the designated files, which are hidden from the outside (that is, invisible to every application or process other than the trusted application programs), and combine them to obtain the key. In other words, after the file system restarts, the key is stored in blocks in the designated files, and the designated files are hidden from the outside. To ensure the reliability of the block key data, it can be stored on a non-volatile readable storage medium such as a hard disk or non-volatile memory.
After the blocks of key data have been obtained, the key is obtained by combining them. The blocks can specifically be combined by key combination logic.
Preferably, to prevent the key from being leaked because the key combination logic is stolen, in this embodiment the key combination logic can also be code-obfuscated. That is, the file system filter driver can combine the plurality of blocks of key data using code-obfuscated key combination logic to obtain the key. In this embodiment, existing code obfuscation techniques can be used on the key combination logic; for example, junk instructions can be inserted to obfuscate it.
Preferably, to further improve the security of the key, in practice the key can also be updated periodically using key generation logic. Specifically, a new key can be generated periodically using the key generation logic together with a transformation and combination of designated data, wherein the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a currently generated random number; the segments of the new key are then used to update the block key data in the designated files. That is, when the key itself is updated, the block key data stored in the designated files is also updated, so that the currently valid key can be obtained after the system restarts.
To avoid being unable to decrypt data that was encrypted before a key update, the already-encrypted data is also decrypted when the key is updated. Specifically, the file system filter driver changes the key periodically and performs the following operations:
a) When the file system filter driver starts for the first time after installation, it automatically generates the initial encryption/decryption key. The initial key is generated in a secure manner, for example by transforming and combining the MAC address of the hardware network card, the ID of the hardware CPU, the current system time, and a currently generated random number. The generated key data is kept in segments in the designated file, and the corresponding generation logic is protected by code obfuscation (for example junk instructions) to keep the generation logic secure.
b) After the file system filter driver has run for a period of time (for example one week; the period is configurable), it automatically performs a periodic key replacement.
c) Before the key replacement, the file system filter driver notifies each application in the trusted business program table that a key replacement is about to take place.
d) After receiving the key replacement notification, each business application connects to the file system filter driver over the secure communication channel, decrypts its already-encrypted data, and then sends a completion notification to the filter driver.
e) After the file system filter driver has received completion notifications from all business applications, it generates a new key in a secure manner (the generation method and flow are the same as for the initial key).
f) After the new key has been generated, the file system filter driver notifies each application in the trusted business program table that the key replacement is complete.
g) After receiving the key-replacement-complete notification, each business application connects to the file system filter driver over the secure communication channel and encrypts the data that needs to be encrypted.
h) All subsequent encryption and decryption operations of the business application rely on the new key.
Specific implementation of random key storage: the system has multiple files available for storing key data. Key storage is described in detail below using eight files as an example.
The eight files are randomly distributed at different locations on the hard disk. The eight files have a logical order, and only the filter driver knows that order. When the filter driver needs to write key data to the hard disk, it first generates a random number between 1 and 8, XORs the key data bytewise with the random number, and writes the result into the file whose position in the order matches that random number. It then excludes the file that holds the key data and generates a new random number between 1 and 7. The remaining seven files may first be filled with dummy data (the dummy data has the same length as the key data file and cannot be distinguished from it by content); then a marker is written at a fixed position in the file corresponding to the new random number (the marker indicates that this is a file the system needs to recognise), and the file sequence number (the position of the key file among the eight files) is written at another fixed position in that file.
After the filter driver restarts, it reads the contents of the eight files in order. When the contents of a file contain the marker, it reads the file sequence number at the fixed position in that file, uses the sequence number to locate the file containing the key data, and XORs that content with the sequence number to recover the actual key data.
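The eight-file scheme above, written out as an added Go example that is not the patent's code: the files are modelled as in-memory byte slices, and the marker value, the common file length, the key length and the two fixed offsets are assumed values, since the text fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

const (
	slotCount = 8  // the eight logically ordered files
	slotSize  = 64 // constructed: every file has the same length
	keyLen    = 32 // constructed: 256-bit symmetric key
	markerOff = 0  // constructed fixed offset of the marker
	seqOff    = 8  // constructed fixed offset of the sequence number
)

// marker is a constructed 8-byte tag; the text does not give the driver's real value.
var marker = []byte("KEYSLOT!")

// randomIndex draws a uniformly random integer in [1, n] from the system CSPRNG.
func randomIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()) + 1, nil
}

func hasMarker(s []byte) bool { return bytes.Equal(s[markerOff:markerOff+len(marker)], marker) }

// xorWithSeq is the bytewise XOR with the sequence number, used on write and on read. It only
// couples the layout to the sequence number; it is not encryption, and the key's confidentiality
// still rests on the hidden files and the driver's access control described in the text.
func xorWithSeq(data []byte, seq int) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ byte(seq)
	}
	return out
}

// StoreKey lays the key out across slotCount in-memory slots (stand-ins for the files)
// and returns them with the 1-based key slot and marker slot numbers.
func StoreKey(key []byte) ([][]byte, int, int, error) {
	if len(key) != keyLen {
		return nil, 0, 0, errors.New("unexpected key length")
	}
	// Every slot starts as random dummy data of the common length.
	slots := make([][]byte, slotCount)
	for i := range slots {
		slots[i] = make([]byte, slotSize)
		if _, err := rand.Read(slots[i]); err != nil {
			return nil, 0, 0, err
		}
	}
	// Step 1: draw 1..8 and write key XOR seq into that slot; its tail stays random.
	keySeq, err := randomIndex(slotCount)
	if err != nil {
		return nil, 0, 0, err
	}
	copy(slots[keySeq-1], xorWithSeq(key, keySeq))
	// Step 2: draw 1..7 and map it onto the seven remaining slots; that slot gets the
	// marker and the key slot's sequence number at their fixed offsets.
	markerSlot, err := randomIndex(slotCount - 1)
	if err != nil {
		return nil, 0, 0, err
	}
	if markerSlot >= keySeq {
		markerSlot++
	}
	copy(slots[markerSlot-1][markerOff:], marker)
	slots[markerSlot-1][seqOff] = byte(keySeq)
	// A dummy or masked-key slot that happens to begin with the 8-byte marker would
	// mislead LoadKey (probability 2^-64 per slot); refuse rather than store it.
	for i, s := range slots {
		if i != markerSlot-1 && hasMarker(s) {
			return nil, 0, 0, errors.New("marker collision, retry with fresh randomness")
		}
	}
	return slots, keySeq, markerSlot, nil
}

// LoadKey is the restart path: scan the slots in logical order, stop at the one carrying
// the marker, read the sequence number from it, and unmask that slot's key data.
func LoadKey(slots [][]byte) ([]byte, error) {
	for _, s := range slots {
		if len(s) != slotSize || !hasMarker(s) {
			continue
		}
		seq := int(s[seqOff])
		if seq < 1 || seq > len(slots) || len(slots[seq-1]) != slotSize {
			return nil, fmt.Errorf("marker file points at invalid sequence number %d", seq)
		}
		return xorWithSeq(slots[seq-1][:keyLen], seq), nil
	}
	return nil, errors.New("no marker file found")
}
```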
Preferably, to reduce consumption of system resources, the secure communication channel with the target business program may be disconnected once the business data that the target business program asked to have encrypted or decrypted has been processed.
S104. Disconnect the secure communication channel with the target business program.
When the target business program is determined to be illegitimate, there is no need to respond to its encryption/decryption request, and the secure communication channel can be disconnected directly.
Applying the method provided by this embodiment of the present invention: an encryption/decryption request sent by the target business program is received over a secure communication channel; whether the target business program is legitimate is verified; if so, the key is used to encrypt or decrypt the business data corresponding to the request; if not, the secure communication channel with the target business program is disconnected.
To ensure the security of the key itself and of the business data, in this embodiment the legitimacy of the target business program is verified first, and only after the target business program has been determined to be legitimate is the key used to encrypt or decrypt the business data corresponding to the request. If the target business program is determined to be illegitimate, the secure channel with it can be disconnected directly. Thus, in this method, encryption and decryption protection of business data is achieved through the file system filter driver alone, with no additional hardware. Moreover, because encryption/decryption requests are transmitted over a secure communication channel and the legitimacy of the target business program is verified, business data is protected from several angles at once, which safeguards its security.
To help those skilled in the art better understand the business data protection method provided by the embodiments of the present invention, the method is described in detail below with reference to a specific application scenario.
As can be seen from the above, the business data protection method disclosed in this embodiment of the present invention is a pure-software encryption/decryption method for applications based on a file system filter driver. The method has few external dependencies, is simple to deploy, and offers high security. Its core is to add a file system filter driver to the operating system on which the application runs, and to use that filter driver to hide the key files and protect access to them. The file system filter driver is installed manually on the operating system to be deployed (no separate installer is involved, which is more secure) and configured to start automatically with the system. When a business application starts for the first time, it passes its application ID to the file system filter driver over the secure communication channel. The file system filter driver removes itself from the kernel driver list at startup. When the file system filter driver receives the application ID sent by a business application, it first verifies the legitimacy of the business application and then saves the application ID in kernel-space memory. The file system filter driver keeps the key data used for encryption and decryption in kernel-space memory and also saves it in segments to several designated files.
The files holding the key data have their attribute set to hidden, so ordinary users cannot see them. While running, the file system filter driver monitors the files holding the key data and intercepts file access: every access to these files is denied. When a business application needs encryption or decryption, it uses the system's secure communication mechanism to pass plaintext and obtain ciphertext, or to pass ciphertext and obtain plaintext. The combination of business application and file system filter driver draws on the filter driver's ability to intercept file access in real time, to hide itself, and to prevent applications from bypassing it or accessing its memory, which strongly guarantees the security of the encryption/decryption flow and prevents the confidentiality of the business application from being compromised.
The salient feature of this method is that a file system filter driver stores and protects the key; business applications encrypt and decrypt sensitive data through the system's secure communication mechanism (that is, the secure communication channel); no program other than the business applications can use the encryption/decryption function provided by the filter driver; and no program can obtain or view the encryption/decryption key.
File system filter driver: the file system filter driver is implemented in the kernel layer of the operating system on which the business application runs; it can be installed manually and configured to start automatically with the system. On startup, the file system filter driver automatically reads the block key data from the designated file and combines it into the key data; if there is no block key data, the filter driver is starting for the first time after installation and automatically generates the encryption/decryption key. When the operating system restarts, the file system filter driver, being in kernel space, starts before all applications and can therefore protect the key data in the designated file from being damaged. When the file system filter driver receives an application ID sent by a business application, it stores the ID in a kernel linked list. After generating the key, the filter driver keeps the key data in kernel memory and also saves it in blocks in the designated files. The file system filter driver intercepts access to every file holding key data in real time; all application access to these files is denied. The file system filter driver replaces the key periodically.
When the file system filter driver receives an application's ID, it processes it as follows:
a) First verify the legitimacy of the business program. The legitimacy check uses a private verification mechanism agreed between the business application and the file system filter driver, and the corresponding verification logic in the filter driver is protected by code obfuscation (for example junk instructions) to keep it secure. Requests from applications that fail verification are ignored.
b) After verification passes, the application ID is saved in the kernel linked list (a specific form of trusted business program table).
c) When the file system filter driver observes that the business application has exited, it automatically removes the corresponding application ID from the kernel linked list.
After the file system filter driver receives an encryption/decryption request from a business application, it can perform the following operations:
a) First verify the legitimacy of the business program. Requests from applications that fail verification may be ignored.
b) Check whether the application ID of the requester matches a saved application ID; if not, ignore the request.
c) If the requesting application ID matches a saved application ID, service the request using the key held by the filter driver and a general-purpose secure algorithm (for example AES), and copy the result into the buffer supplied by the application.
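The driver-side handling of application IDs and encryption/decryption requests above, together with the periodic key replacement steps a) to h) described earlier, as an added Go example that is not the patent's code. Assumptions: the "private verification mechanism" is an HMAC-SHA256 over the application ID under a shared secret, the MAC/CPU-ID/time/random key derivation is replaced by CSPRNG bytes, the "general-purpose secure algorithm" is AES-256-GCM, and the business applications are modelled as a map from application ID to that application's ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// FilterDriver stands in for the kernel driver: it owns the key and the trusted program table.
type FilterDriver struct {
	key     []byte
	trusted map[string]bool // the text's kernel linked list of application IDs
	secret  []byte          // assumed: shared secret behind the "private verification mechanism"
}

func NewFilterDriver(secret []byte) (*FilterDriver, error) {
	d := &FilterDriver{trusted: map[string]bool{}, secret: secret}
	return d, d.generateKey()
}

// generateKey replaces the text's MAC/CPU-ID/time/random derivation with 32 CSPRNG bytes.
func (d *FilterDriver) generateKey() error {
	d.key = make([]byte, 32)
	_, err := rand.Read(d.key)
	return err
}

// Proof is the assumed private verification mechanism: HMAC-SHA256(secret, appID).
func Proof(secret []byte, appID string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(appID))
	return m.Sum(nil)
}

// Register is ID handling steps a) and b) (verify, then record); Unregister is step c).
func (d *FilterDriver) Register(appID string, proof []byte) error {
	if !hmac.Equal(proof, Proof(d.secret, appID)) {
		return errors.New("verification failed: request ignored")
	}
	d.trusted[appID] = true
	return nil
}

func (d *FilterDriver) Unregister(appID string) { delete(d.trusted, appID) }

// serve is request handling steps a) to c): an ID missing from the table is ignored; a trusted
// one gets AES-256-GCM under the driver-held key it never sees. Ciphertext = nonce || sealed data.
func (d *FilterDriver) serve(appID string, data []byte, decrypt bool) ([]byte, error) {
	if !d.trusted[appID] {
		return nil, errors.New("unknown application ID: request ignored")
	}
	block, err := aes.NewCipher(d.key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if decrypt {
		if len(data) < n {
			return nil, errors.New("ciphertext too short")
		}
		return g.Open(nil, data[:n], data[n:], nil)
	}
	nonce := make([]byte, n)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, data, nil), nil
}

func (d *FilterDriver) Encrypt(id string, pt []byte) ([]byte, error) { return d.serve(id, pt, false) }
func (d *FilterDriver) Decrypt(id string, ct []byte) ([]byte, error) { return d.serve(id, ct, true) }

// RotateKey is steps c) to h): decrypt every application's data under the old key, generate the
// new key only once every decryption succeeded (a failure aborts with the old key intact), then re-encrypt.
func (d *FilterDriver) RotateKey(data map[string][]byte) error {
	plain := map[string][]byte{}
	for id, ct := range data {
		pt, err := d.Decrypt(id, ct)
		if err != nil {
			return errors.New(id + ": " + err.Error())
		}
		plain[id] = pt
	}
	if err := d.generateKey(); err != nil {
		return err
	}
	for id, pt := range plain {
		ct, err := d.Encrypt(id, pt)
		if err != nil {
			return err
		}
		data[id] = ct
	}
	return nil
}
```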
Business application: to use the business data protection method provided by this embodiment of the present invention, an application must establish a connection with the file system filter driver at startup and send its own application ID to the filter driver; after receiving a success response from the filter driver, it can request encryption and decryption of business data from the filter driver. Because the file system filter driver removes itself from the kernel module linked list after loading, applications other than the business applications cannot discover the filter driver.
Specifically, the steps by which a business application sends its application ID are as follows:
a) The business application obtains its own application ID.
b) It establishes a connection with the file system filter driver using the system's secure communication mechanism and the private verification mechanism.
c) It sends the application ID to the file system filter driver.
d) After receiving the success message from the file system filter driver, it disconnects.
Specifically, the steps by which a business application encrypts or decrypts business data are as follows:
a) The business application allocates memory to hold the encryption/decryption result.
b) It establishes a connection with the file system filter driver using the system's secure communication mechanism and the private verification mechanism.
c) It passes the plaintext or ciphertext of the request to the file system filter driver.
d) It obtains the result data returned by the file system filter driver.
e) It disconnects from the file system filter driver.
f) After the encryption/decryption result has been used, it frees the allocated memory.
In summary, in the business data protection method proposed by this embodiment of the present invention, the business application obtains its own application ID, passes it to the file system filter driver through the system's secure communication mechanism and the private verification mechanism, and sends request data to the filter driver whenever it needs encryption or decryption. A file system filter driver is added to the kernel layer of the operating system on which the business application runs; after starting, the filter driver removes itself from the kernel module linked list so as to hide from applications; it keeps the application ID linked list and the securely generated key data in its kernel memory and stores the key data permanently in blocks in the designated hidden files; the filter driver intercepts all access to the files holding the key, so every such access fails. The file system filter driver is integrated into the operating system kernel and runs with the operating system, unnoticed by upper-layer applications. Without relying on separate hardware, systems or chips, this method guarantees to the greatest extent the confidentiality and availability of an application's sensitive business data.
Embodiment two:
Corresponding to the method embodiment above, an embodiment of the present invention also provides a business data protection apparatus, which can be applied to a file system filter driver. The business data protection apparatus described below and the business data protection method described above may be cross-referenced.
As shown in Figure 2, the apparatus includes the following modules:
an encryption/decryption request obtaining module 101, configured to receive, over a secure communication channel, an encryption/decryption request sent by a target business program;
a legitimacy verification module 102, configured to verify whether the target business program is legitimate;
an encryption/decryption processing module 103, configured to use the key to encrypt or decrypt the business data corresponding to the request if the target business program is legitimate;
a data protection module 104, configured to disconnect the secure communication channel with the target business program if the target business program is illegitimate.
Applying the apparatus provided by this embodiment of the present invention: an encryption/decryption request sent by the target business program is received over a secure communication channel; whether the target business program is legitimate is verified; if so, the key is used to encrypt or decrypt the business data corresponding to the request; if not, the secure communication channel with the target business program is disconnected.
To ensure the security of the key itself and of the business data, in this embodiment the legitimacy of the target business program is verified first, and only after the target business program has been determined to be legitimate is the key used to encrypt or decrypt the business data corresponding to the request. If the target business program is determined to be illegitimate, the secure channel with it can be disconnected directly. Thus, in this apparatus, encryption and decryption protection of business data is achieved through the file system filter driver alone, with no additional hardware. Moreover, because encryption/decryption requests are transmitted over a secure communication channel and the legitimacy of the target business program is verified, business data is protected from several angles at once, which safeguards its security.
In a specific implementation of the present invention, the apparatus further includes:
a key update module, configured to update the key periodically using key generation logic.
In a specific implementation of the present invention, the key update module is specifically configured to generate a new key periodically using the key generation logic by transforming and combining designated data, where the designated data includes the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a currently generated random number; and to update the block key data in the designated file with the segments of the new key.
In a specific implementation of the present invention, the apparatus further includes a key acquisition module, configured to read, after the file system restarts, multiple pieces of block key data from a designated file that is hidden from the outside, and to combine the multiple pieces of block key data to obtain the key.
In a specific implementation of the present invention, the key acquisition module is specifically configured to combine the multiple pieces of block key data into the key using code-obfuscated key combination logic.
In a specific implementation of the present invention, the apparatus further includes a driver stealth module, configured to remove the driver's own entry from the kernel driver linked list when the file system filter driver starts.
In a specific implementation of the present invention, the legitimacy verification module 102 is specifically configured to determine whether the ID of the target business program is an ID in the trusted business program table; if so, the target business program is determined to be legitimate; if not, it is determined to be illegitimate.
In a specific implementation of the present invention, the apparatus further includes a trusted business program table acquisition module, configured to verify the legitimacy of a business program using the private verification mechanism agreed with the business program before an encryption/decryption request from the target business program is received over the secure communication channel, and, once verification passes, to record the ID of the legitimate business program in the trusted business program table.
Embodiment three:
Corresponding to the method embodiment above, an embodiment of the present invention also provides a business data protection device. The business data protection device described below and the business data protection method described above may be cross-referenced.
As shown in Figure 3, the business data protection device includes:
a memory D1, configured to store a computer program;
a processor D2, configured to implement the steps of the business data protection method of the method embodiment above when executing the computer program.
Specifically, refer to Figure 4, a schematic diagram of the specific structure of a business data protection device provided by this embodiment. The business data protection device may vary considerably depending on configuration or performance, and may include one or more processors (central processing units, CPU) 322 (for example one or more processors) and memory 332, and one or more storage media 330 (for example one or more mass storage devices) storing application programs 342 or data 344. The memory 332 and the storage medium 330 may be transient or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations on the data processing device. Further, the central processing unit 322 may be configured to communicate with the storage medium 330 and execute the series of instruction operations in the storage medium 330 on the business data protection device 301.
The business data protection device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, for example Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps of the business data protection method described above can be implemented by the structure of the business data protection device.
Embodiment four:
Corresponding to the method embodiment above, an embodiment of the present invention also provides a readable storage medium. The readable storage medium described below and the business data protection method described above may be cross-referenced.
A readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the business data protection method of the method embodiment above are implemented.
The readable storage medium may specifically be any readable storage medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms by function. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.

Claims (14)

  1. A service data protection method, characterized in that it is applied to a file system filter driver and comprises:
    receiving, over a secure communication channel, an encryption/decryption request sent by a target service program;
    verifying whether the target service program is legitimate;
    if so, encrypting or decrypting the service data corresponding to the encryption/decryption request using a key;
    if not, disconnecting the secure communication channel with the target service program.
  2. The service data protection method according to claim 1, further comprising:
    periodically updating the key using key generation logic.
  3. The service data protection method according to claim 2, wherein said periodically updating the key using key generation logic comprises:
    periodically generating a new key using the key generation logic together with a transformation and combination of designated data, wherein the designated data comprises the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a currently generated random number;
    updating the block key data in the designated file with the segment data of the new key.
  4. The service data protection method according to claim 1, wherein, after the file system is restarted, the method further comprises:
    reading a plurality of block key data from a designated file that is hidden from the outside, and combining the plurality of block key data to obtain the key.
  5. The service data protection method according to claim 4, wherein combining the plurality of block key data to obtain the key comprises:
    combining the plurality of block key data using code-obfuscated key combination logic to obtain the key.
  6. The service data protection method according to claim 1, further comprising:
    when the file system filter driver starts, removing its own information from the kernel driver linked list.
  7. The service data protection method according to claim 1, wherein verifying whether the target service program is legitimate comprises:
    determining whether the ID of the target service program is an ID in a trusted service program table;
    if so, determining that the target service program is legitimate;
    if not, determining that the target service program is illegitimate.
  8. The service data protection method according to claim 7, wherein, before receiving over the secure communication channel the encryption/decryption request sent by the target service program, the method further comprises:
    verifying the legitimacy of a service program using a private verification mechanism agreed with the service program;
    after the verification passes, recording the ID corresponding to the legitimate service program in the trusted service program table.
  9. A service data protection apparatus, characterized in that it is applied to a file system filter driver and comprises:
    an encryption/decryption request obtaining module, configured to receive, over a secure communication channel, an encryption/decryption request sent by a target service program;
    a legitimacy verification module, configured to verify whether the target service program is legitimate;
    an encryption/decryption processing module, configured to encrypt or decrypt the service data corresponding to the encryption/decryption request if the target service program is legitimate;
    a data protection module, configured to disconnect the secure communication channel with the target service program if the target service program is illegitimate.
  10. The service data protection apparatus according to claim 9, further comprising:
    a key update module, configured to periodically update the key using key generation logic.
  11. The service data protection apparatus according to claim 10, wherein the key update module is specifically configured to periodically generate a new key using the key generation logic together with a transformation and combination of designated data, wherein the designated data comprises the MAC address of the hardware network card, the ID of the hardware CPU, the current system time and a currently generated random number; and to update the block key data in the designated file with the segment data of the new key.
  12. The service data protection apparatus according to claim 9, further comprising: a key acquisition module, configured to, after the file system is restarted, read a plurality of block key data from a designated file that is hidden from the outside and combine the plurality of block key data to obtain the key.
  13. A service data protection device, characterized in that it comprises:
    a memory, configured to store a computer program;
    a processor, configured to implement the steps of the service data protection method according to any one of claims 1 to 8 when executing the computer program.
  14. A readable storage medium, characterized in that a computer program is stored on the readable storage medium and, when executed by a processor, the computer program implements the steps of the service data protection method according to any one of claims 1 to 8.
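The claims above describe one procedure: derive a key from device-bound data plus a random value, and let a file system filter driver serve encryption and decryption requests only to programs whose ID is in a trusted table, tearing down the secure channel otherwise. The following Go program is an added example written for this page, not code from the patent or its assignee, that models claims 1, 3, 7 and 8 in user space. Everything the claims leave unspecified is an assumption here: HMAC-SHA256 stands in for the "transformation and combination" of the designated data, AES-256-GCM for the encryption itself, and the "private verification mechanism" of claim 8 is reduced to a list of IDs handed to `NewFilter`; the MAC address and CPU ID values are constructed samples, not values read from any real host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyInputs is the "designated data" of claims 3 and 11. MAC, CPU ID and time are
// readable by any local process; only Random carries entropy, so it keys the hash.
type KeyInputs struct {
	MAC, CPUID, Random []byte
	Time               int64 // Unix seconds
}

// DeriveKey is an assumed "transformation and combination" (the patent names
// none): HMAC-SHA256 keyed with Random over a label and length-prefixed fields.
func DeriveKey(in KeyInputs) ([]byte, error) {
	if len(in.Random) < 32 {
		return nil, errors.New("random input too short to supply key entropy")
	}
	h := hmac.New(sha256.New, in.Random)
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(in.Time))
	for _, field := range [][]byte{[]byte("service-data-key/v1"), in.MAC, in.CPUID, t[:]} {
		binary.Write(h, binary.BigEndian, uint32(len(field))) // unambiguous field boundaries
		h.Write(field)
	}
	return h.Sum(nil), nil // 32 bytes, used below as the AES-256 key
}

// Filter models the driver's request path of claims 1 and 7: a trusted service
// program table and the open secure communication channels, both keyed by program ID.
type Filter struct {
	key               []byte
	trusted, channels map[uint32]bool
}

// NewFilter records IDs that passed the private verification of claim 8; that
// mechanism is unspecified, so the IDs are simply supplied by the caller here.
func NewFilter(key []byte, trustedIDs ...uint32) *Filter {
	f := &Filter{key: key, trusted: map[uint32]bool{}, channels: map[uint32]bool{}}
	for _, id := range trustedIDs {
		f.trusted[id] = true
	}
	return f
}

func (f *Filter) Connect(pid uint32)        { f.channels[pid] = true }
func (f *Filter) Connected(pid uint32) bool { return f.channels[pid] }

// HandleRequest is claim 1. AES-256-GCM is an assumed cipher; the nonce is
// prefixed to the ciphertext, and the GCM tag makes any tampering fail on decrypt.
func (f *Filter) HandleRequest(pid uint32, op string, data []byte) ([]byte, error) {
	if !f.trusted[pid] { // claim 7: legitimate iff the ID is in the trusted table
		delete(f.channels, pid) // claim 1: disconnect the secure communication channel
		return nil, fmt.Errorf("program %d not in trusted table; channel closed", pid)
	}
	block, err := aes.NewCipher(f.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	switch op {
	case "encrypt":
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, data, nil), nil
	case "decrypt":
		if len(data) < gcm.NonceSize() {
			return nil, errors.New("ciphertext too short")
		}
		return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
	}
	return nil, errors.New("unknown operation")
}

func main() {
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		panic(err)
	}
	// Constructed sample identifiers, not values read from any real host.
	key, _ := DeriveKey(KeyInputs{MAC: []byte{2, 0, 0, 0xaa, 0xbb, 0xcc},
		CPUID: []byte("SAMPLE-CPU-0001"), Time: 1700000000, Random: random})
	f := NewFilter(key, 1001) // program 1001 passed the private verification
	f.Connect(1001)
	f.Connect(2002)
	ct, _ := f.HandleRequest(1001, "encrypt", []byte("service record 42"))
	pt, _ := f.HandleRequest(1001, "decrypt", ct)
	_, err := f.HandleRequest(2002, "encrypt", []byte("x"))
	fmt.Printf("trusted: %q; untrusted: %v; channel 2002 open: %v\n", pt, err, f.Connected(2002))
}
```

Two properties are worth noticing from the defender's side. The MAC address, CPU ID and system time are readable by any local process, so in this derivation only the random value supplies secrecy, and the example refuses to derive a key from fewer than 32 random bytes. Trust is decided purely by program ID, so the table is only as sound as the private verification that fills it and as the assurance that an ID cannot be reused by another process. Key rotation under claims 2 and 3 is another `DeriveKey` call with fresh inputs, after which ciphertexts sealed under the previous key no longer open; the claims say nothing about re-encrypting existing data. Splitting the key into block key data (claims 4, 5 and 12) changes where the key sits on disk but adds no secrecy, because the combining logic has to be present on the same host; claim 6 (unlinking the driver from the kernel driver list) is not modelled.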
PCT/CN2020/098032 2020-02-20 2020-06-24 Service data protection method, apparatus and device, and readable storage medium WO2021164166A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010104952.3A CN111310213A (en) 2020-02-20 2020-02-20 Service data protection method, device, equipment and readable storage medium
CN202010104952.3 2020-02-20

Publications (1)

Publication Number Publication Date
WO2021164166A1 true WO2021164166A1 (en) 2021-08-26

Family

ID=71160000

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/098032 WO2021164166A1 (en) 2020-02-20 2020-06-24 Service data protection method, apparatus and device, and readable storage medium

Country Status (2)

Country Link
CN (1) CN111310213A (en)
WO (1) WO2021164166A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116204201A (en) * 2023-04-26 2023-06-02 烽台科技(北京)有限公司 Service processing method and device

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111310213A (en) * 2020-02-20 2020-06-19 苏州浪潮智能科技有限公司 Service data protection method, device, equipment and readable storage medium
CN111914289B (en) * 2020-07-15 2023-11-24 中国民航信息网络股份有限公司 Application program configuration information protection method and device
CN114692175A (en) * 2020-12-30 2022-07-01 成都鼎桥通信技术有限公司 Encryption and decryption method, device, equipment, storage medium and computer program product
CN113221171A (en) * 2021-05-21 2021-08-06 杭州弗兰科信息安全科技有限公司 Encrypted file reading and writing method and device, electronic equipment and storage medium
CN114826729A (en) * 2022-04-22 2022-07-29 马上消费金融股份有限公司 Data processing method, page updating method and related hardware
CN115221524B (en) * 2022-09-20 2023-01-03 深圳市科力锐科技有限公司 Service data protection method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125216A (en) * 2014-06-30 2014-10-29 华为技术有限公司 Method, system and terminal capable of improving safety of trusted execution environment
CN105512576A (en) * 2015-12-14 2016-04-20 联想(北京)有限公司 Method for secure storage of data and electronic equipment
CN106650435A (en) * 2016-12-28 2017-05-10 郑州云海信息技术有限公司 Method and apparatus of protecting system
CN106980794A (en) * 2017-04-01 2017-07-25 北京元心科技有限公司 TrustZone-based file encryption and decryption method and device and terminal equipment
CN111310213A (en) * 2020-02-20 2020-06-19 苏州浪潮智能科技有限公司 Service data protection method, device, equipment and readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729550B (en) * 2009-11-09 2012-07-25 西北大学 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof
CN105072025B (en) * 2015-08-05 2018-03-13 北京科技大学 For the security protection gateway and system of modern industrial control system network service
CN109214196B (en) * 2018-08-13 2022-04-19 创新先进技术有限公司 Data interaction method, device and equipment
CN109558340B (en) * 2018-11-15 2023-02-03 北京计算机技术及应用研究所 Secure solid-state disk encryption system and method based on trusted authentication

Also Published As

Publication number Publication date
CN111310213A (en) 2020-06-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20919761

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20919761

Country of ref document: EP

Kind code of ref document: A1