CN101751536A - Transparent file encryption method for increasing file header - Google Patents
- Publication number: CN101751536A (application CN200910188873A)
- Authority: CN (China)
- Prior art keywords: file, encryption, data, header, encrypt
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Technical area: Storage Device Security
Abstract
The invention is a transparent file encryption method that works by adding a file header. It comprises the following steps: setting matching rules for processes and files; scanning the whole hard disk and encrypting the files that need encryption; a kernel module that, on finding a file that should be encrypted but is not, automatically prepends a file header and encrypts the data after it; and, for a designated process accessing an encrypted file, adding an offset to every offset-related I/O operation, decrypting data as it is read into memory and encrypting data as it is written to disk.
Description
Technical field
The present invention belongs to the field of data encryption, in particular file encryption. Encrypting files by adding a file header makes it possible to encrypt and protect data without changing users' working habits. The invention can be applied both to active and to passive data security protection.
Background technology
Today, threats to the security of computer systems come from many directions, and the losses that hackers and trojans cause enterprises are hard to estimate. Statistics show that every year China suffers economic losses of over ten billion because of leaks over the network.
The continuous development of information technology has increasingly highlighted the double-edged nature of network resources. Security threats from the network grow ever more serious: network data theft, hacker intrusion and attack, virus distribution, and even leaks from inside the system have made information security a matter of the first importance in the informatization of every industry.
According to an official of the state security department, 63.6% of enterprise users are at the "high risk" level; network security technology, as a distinct field, is therefore receiving more and more attention from every industry.
If the security of network information cannot be effectively guaranteed, an enterprise faces threats on many fronts: the network becoming unusable, files being lost or damaged, production and management systems being paralysed, server and client hardware being damaged, and confidential information and intellectual property being stolen, all of which cause the enterprise direct economic loss.
In the field of information security, encrypting sensitive information has become an indispensable step in data storage.
Existing solutions are to encrypt files manually, or to develop an application-layer HOOK module for a specific process that modifies its file read/write behaviour. The defect of manual encryption is that if an employee forgets to encrypt, or deliberately does not, there is a risk of leakage. The defect of an application-layer HOOK module is that its compatibility is very poor: it cannot support encryption for many programs.
Summary of the invention
The purpose of the invention is to provide a general transparent file encryption method that works by adding a file header.
The technical scheme of the invention is as follows:
1. First, initialize the whole system:
set the process matching rules, the file matching rules and the encryption key;
use an application-layer program to scan the whole system, prepend an identifying file header of fixed size to each file that needs encryption, and encrypt the data after the header.
2. Workflow during normal operation:
The kernel module intercepts file operations and determines whether the file satisfies both the process matching rule and the file matching rule; if not, the operation is passed through untouched; if so, the following flow applies.
For a file that has not been encrypted, the kernel module adds a file header to it and encrypts the data after the header;
For an encrypted file, the kernel module shifts every offset-related I/O operation by the size of one file header;
For an encrypted file, the kernel module encrypts data written to disk and decrypts data read into memory.
Because the method is implemented as a kernel driver module, the matching rules can be modified so that files of designated suffix types accessed by designated programs are encrypted, without requiring employees to encrypt manually, and compatibility is better than with an application-layer HOOK.
Because the header-addition approach is used, the encryption marker is stored stably in the file itself, so a power loss cannot damage the marker information.
Because the encryption mode uses the process as its recognition rule, different processes see different mappings of the data: a decrypting process sees decrypted data, while a non-decrypting process sees data that is still encrypted. This per-process data isolation can stop data leakage caused by hackers, trojans and similar programs.
Description of drawings:
Fig. 1: system initialization flow
Fig. 2: flow during normal system operation
Fig. 3: schematic of the concrete implementation
Embodiment:
The software and hardware structure for transparent file encryption based on a file header is as follows:
a PC, the transparent encryption software that adds a file header, and a Windows system. As shown in Fig. 3, the whole system operates as follows:
Step 1: use the "process matching / file matching / encryption key configuration tool" to configure the encryption rules, that is, which files get encrypted when operated on by which processes.
Step 2: use the same tool, with the file matching rules configured above, to traverse the whole computer, add a file header to each file that needs encryption, and encrypt its content.
Step 3: the user uses the computer exactly as before. When a designated process opens an encrypted file, the kernel module automatically reads the file header, extracts the decryption information, matches it against the key information in the access rule, and then decrypts data read into memory and encrypts data written to disk. When a designated process opens an unencrypted file or creates a new file (including by overwriting), the kernel module automatically adds a file header to the unencrypted file and encrypts its content; from then on data written to disk is encrypted and data read into memory is decrypted.
The relevant issues are described below:
1. File header
The file header contains a marker that indicates whether the file is encrypted and stores some other additional information; it contains a random key that is used to encrypt the data; and the file header itself is encrypted with the user key.
2. File identification
Files are identified by suffix, by directory, or by a combination using wildcards. Encryption of a single file, of all files of a type, and of all files under a directory are all supported.
3. Process identification
Processes are identified by process name, by the full path of the process, or by a feature code of the executable file.
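The file rules of section 2 and the process rules of section 3 above, modelled in Python as an added example (this is not the patent's own code; the rule syntax, the use of the SHA-256 digest of the executable image as its feature code, and the sample paths are assumptions of the example). A file is handled only when both the process rule and the file rule match, which is the decision the kernel module makes in the technical scheme; anything else passes through untouched.

```python
import fnmatch
import hashlib
import ntpath

# Rule formats below are this example's own assumption; the patent only says that
# files are matched by suffix, directory or wildcard, and processes by name,
# full path, or a feature code of the executable.


def image_fingerprint(image_bytes: bytes) -> str:
    """Feature code of an executable: here simply its SHA-256 (assumed)."""
    return hashlib.sha256(image_bytes).hexdigest()


def _glob(value: str, pattern: str) -> bool:
    # Windows names are case-insensitive, so compare both sides lower-cased.
    # fnmatch treats backslashes literally, so Windows paths are safe as patterns.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


class Policy:
    def __init__(self, process_rules, file_rules):
        # process_rules: list of (kind, value) with kind in {"name", "path", "hash"}
        # file_rules: wildcard patterns matched against the full file path
        self.process_rules = process_rules
        self.file_rules = file_rules

    def matches_process(self, exe_path: str, image_bytes: bytes) -> bool:
        name = ntpath.basename(exe_path)
        for kind, value in self.process_rules:
            if kind == "name" and _glob(name, value):
                return True
            if kind == "path" and _glob(exe_path, value):
                return True
            if kind == "hash" and value == image_fingerprint(image_bytes):
                return True
        return False

    def matches_file(self, file_path: str) -> bool:
        return any(_glob(file_path, p) for p in self.file_rules)

    def should_handle(self, exe_path: str, image_bytes: bytes, file_path: str) -> bool:
        """Both rules must match; otherwise the I/O is passed through as-is."""
        return self.matches_process(exe_path, image_bytes) and self.matches_file(file_path)


# Constructed sample policy: a fake executable image and three kinds of file rule.
WORD_IMAGE = b"MZ constructed fake executable image"
POLICY = Policy(
    process_rules=[("name", "winword.exe"),                        # by process name
                   ("path", r"C:\Program Files\*\EXCEL.EXE"),      # by full path with wildcard
                   ("hash", image_fingerprint(WORD_IMAGE))],       # by feature code
    file_rules=[r"*.docx",                     # every file of one type
                r"D:\secret\*",                # everything under a directory
                r"D:\plans\roadmap.xlsx"],     # a single file
)

if __name__ == "__main__":
    print(POLICY.should_handle(r"C:\Program Files\Office\WINWORD.EXE", b"", r"D:\work\report.docx"))
    print(POLICY.should_handle(r"C:\Windows\notepad.exe", b"", r"D:\work\report.docx"))
```

The hash rule is the one that survives renaming or copying the executable, which is why the patent lists a feature code alongside name and path matching; the cost is that every process start needs the image read and hashed before the rule can be evaluated.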
4. Decryption of the file header
After decryption, the marker stored inside the header must be consistent with the marker that is computed.
5. Interception and handling of I/O requests
I/O requests are intercepted at the kernel layer. There are three cases:
First: I/O requests that need no handling (such as querying file attributes) are simply passed down.
Second: IRPs (I/O Request Packets) for cached-mode reads and writes of the file are let through directly.
Third: for IRPs for non-cached reads and writes of the file, the read/write position is shifted by one file header; data being written is encrypted and data being read is decrypted.
6. Switching a file between decrypted and encrypted state
When a file in memory changes from decrypted to encrypted, or the reverse, the cache must be cleared: all buffered data in memory is flushed to disk and the cache is destroyed, after which the system is allowed to rebuild the cache.
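The header, the marker check, the offset-shifted I/O and the file-size adjustment (sections 1, 4 and 5 above, and claim 3) as an added Python example; this is not the patent's implementation. The header layout, the SHA-256-counter keystream standing in for the cipher, the HMAC used as the marker and the sample data are all assumptions of the example, and the cache flush of section 6 is not modelled. A matched process works through `TransparentView`; an unmatched process would read the `storage` bytes directly and see only the marker and ciphertext.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"TFEHDR01"   # marker identifying an encrypted file (constructed value)
HEADER_SIZE = 64      # fixed header size; every file offset is shifted by this much


def _keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Keystream addressable by byte offset: block i = SHA-256(key | nonce | i).
    Byte addressing is what lets a read or write at an arbitrary offset be
    processed on its own. Demonstration construction, not a vetted cipher."""
    out = bytearray()
    block, skip = divmod(offset, 32)
    while len(out) < skip + length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", block)).digest()
        block += 1
    return bytes(out[skip:skip + length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def make_header(user_key: bytes, file_key: bytes, nonce: bytes) -> bytes:
    """Header layout (assumed): MAGIC(8) | nonce(16) | file key wrapped under the
    user key(32) | mark(8). The mark is an HMAC over the rest of the header."""
    wrapped = _xor(file_key, _keystream(user_key, nonce, 0, 32))
    body = MAGIC + nonce + wrapped
    mark = hmac.new(user_key, body, hashlib.sha256).digest()[:8]
    return body + mark


def open_header(user_key: bytes, header: bytes):
    """Validate the header with the user key and recover (nonce, file_key).
    Returns None when the stored mark does not equal the recomputed one
    (wrong user key, or a damaged or forged header)."""
    if len(header) != HEADER_SIZE or not header.startswith(MAGIC):
        return None
    body, mark = header[:56], header[56:]
    expected = hmac.new(user_key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mark, expected):
        return None
    nonce, wrapped = body[8:24], body[24:56]
    return nonce, _xor(wrapped, _keystream(user_key, nonce, 0, 32))


def encrypt_plain_file(raw: bytes, user_key: bytes) -> bytes:
    """What the scan tool and the kernel module do to an unencrypted file:
    prepend a header carrying a fresh random file key and encrypt the body."""
    if raw.startswith(MAGIC):
        return raw   # the marker says the file is already encrypted
    file_key, nonce = os.urandom(32), os.urandom(16)
    header = make_header(user_key, file_key, nonce)
    return header + _xor(raw, _keystream(file_key, nonce, 0, len(raw)))


class TransparentView:
    """The view a matched process gets of an encrypted file: offsets shifted by
    HEADER_SIZE, data decrypted on read and encrypted on write, and the size
    reported without the header."""

    def __init__(self, storage: bytearray, user_key: bytes):
        opened = open_header(user_key, bytes(storage[:HEADER_SIZE]))
        if opened is None:
            raise ValueError("header mark mismatch: wrong key or damaged header")
        self.storage = storage
        self.nonce, self.file_key = opened

    def size(self) -> int:
        return len(self.storage) - HEADER_SIZE   # application never sees the header

    def read(self, offset: int, length: int) -> bytes:
        start = HEADER_SIZE + offset
        ct = bytes(self.storage[start:start + length])
        return _xor(ct, _keystream(self.file_key, self.nonce, offset, len(ct)))

    def write(self, offset: int, data: bytes) -> None:
        start, end = HEADER_SIZE + offset, HEADER_SIZE + offset + len(data)
        if end > len(self.storage):            # writing past the end grows the file
            self.storage.extend(b"\0" * (end - len(self.storage)))
        self.storage[start:end] = _xor(data, _keystream(self.file_key, self.nonce, offset, len(data)))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed user key").digest()
    disk = bytearray(encrypt_plain_file(b"Quarterly figures: revenue 12.4M\n", key))
    print("raw bytes start with the marker:", bytes(disk[:8]) == MAGIC)
    view = TransparentView(disk, key)
    view.write(19, b"revenue 99.9M")            # in-place update at an offset
    print("view seen by the matched process:", view.read(0, view.size()))
```

Two design points the example makes concrete: the file key is random per file and only ever stored wrapped under the user key, so the user key never touches file data directly; and the marker check in `open_header` is a keyed comparison, so a header that carries the marker bytes but was not produced under this user key is rejected rather than decrypted into garbage.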
7. Application
Reference implementation under Windows:
The invention has been applied successfully on a Windows XP system, configured as follows: Windows XP Professional (SP3), plus the user interface program and driver of the invention.
The process is described as follows:
Under Windows the invention comprises two layers of calls, user level and kernel level.
The main user-level functions are:
SetPolicyToDriver: downloads the process matching and file matching rules into the driver;
ScanFileAndEncrypt: scans the whole disk, adds a file header to each file that needs encryption, and encrypts the file data.
The operating procedure is as follows:
Initialization:
the policy configuration tool calls SetPolicyToDriver to set the policy in the driver;
the policy configuration tool calls ScanFileAndEncrypt to scan the whole system, adding a file header to each file to be encrypted and encrypting its data.
Normal operation:
the user operates everyday software in the same way as before.
Claims (6)
1. A transparent file encryption method that adds a file header, characterised by comprising the following steps:
during initialization, setting matching rules for processes and files;
during initialization, scanning the whole disk and encrypting, according to the file matching rule, the files that need encryption;
during normal operation, when the kernel module finds that a designated process is accessing a file that is not encrypted, automatically adding a file header and encrypting the data after the header;
during normal operation, when the kernel module finds that a designated process opens an encrypted file, using the marker to verify the legitimacy of the file header;
during normal operation, for an encrypted file, the kernel module adding an offset to every I/O operation that is related to an offset;
during normal operation, for an encrypted file, the kernel module decrypting data read into memory and encrypting data written to disk.
2. The method of adding a file header according to claim 1, characterised in that:
on first use, the files designated by the user are scanned and every file that needs encryption is encrypted, with a file header added;
during the user's normal use, the driver automatically adds a file header to files that were not previously encrypted;
for files that are already encrypted, the kernel module uses the data in the file header to verify their legitimacy.
3. The I/O operation offset of the method according to claim 1, characterised in that:
every I/O that writes to disk requires an offset, the offset being the size of one file header;
I/O that does not write to disk requires no offset;
the file size seen by the application program has the size of one file header subtracted from it.
4. The encryption method according to claim 1, characterised in that:
for data written to disk, the data is encrypted and written to disk after a displacement of one file header is added;
for data read from disk, the data is read and decrypted after a displacement of one file header is added.
5. The file identification of the method according to claim 1, characterised in that:
file names are identified using wildcards.
6. The process identification of the method according to claim 1, characterised in that:
processes are identified by matching the process name with wildcards, or by the feature code of the process's executable program file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910188873A CN101751536A (en) | 2009-12-16 | 2009-12-16 | Transparent file encryption method for increasing file header |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910188873A CN101751536A (en) | 2009-12-16 | 2009-12-16 | Transparent file encryption method for increasing file header |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101751536A true CN101751536A (en) | 2010-06-23 |
Family ID: 42478506
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910188873A Pending CN101751536A (en) | 2009-12-16 | 2009-12-16 | Transparent file encryption method for increasing file header |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101751536A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102314579A (en) * | 2010-07-01 | 2012-01-11 | 成都市华为赛门铁克科技有限公司 | File filter protecting method, drive device and client end |
CN102945342A (en) * | 2012-09-29 | 2013-02-27 | 北京奇虎科技有限公司 | Method, device and terminal equipment for progress identification |
CN103065082A (en) * | 2012-07-04 | 2013-04-24 | 北京京航计算通讯研究所 | Software security protection method based on Linux system |
CN106060084A (en) * | 2016-07-18 | 2016-10-26 | 青岛大学 | Transparent file encryption technology |
CN113792319A (en) * | 2021-09-18 | 2021-12-14 | 深圳须弥云图空间科技有限公司 | File encryption method and device, storage medium and electronic equipment |
CN115438358A (en) * | 2022-09-05 | 2022-12-06 | 长江量子(武汉)科技有限公司 | Controlled file encryption method and electronic equipment |
Timeline: 2009-12-16, CN application CN200910188873A (publication CN101751536A) filed; status Pending
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102314579A (en) * | 2010-07-01 | 2012-01-11 | 成都市华为赛门铁克科技有限公司 | File filter protecting method, drive device and client end |
CN102314579B (en) * | 2010-07-01 | 2014-06-04 | 华为数字技术(成都)有限公司 | File filter protecting method, drive device and client end |
CN103065082A (en) * | 2012-07-04 | 2013-04-24 | 北京京航计算通讯研究所 | Software security protection method based on Linux system |
CN102945342A (en) * | 2012-09-29 | 2013-02-27 | 北京奇虎科技有限公司 | Method, device and terminal equipment for progress identification |
CN102945342B (en) * | 2012-09-29 | 2015-08-05 | 北京奇虎科技有限公司 | Progress recognizing method, device and terminal device |
CN106060084A (en) * | 2016-07-18 | 2016-10-26 | 青岛大学 | Transparent file encryption technology |
CN113792319A (en) * | 2021-09-18 | 2021-12-14 | 深圳须弥云图空间科技有限公司 | File encryption method and device, storage medium and electronic equipment |
CN113792319B (en) * | 2021-09-18 | 2024-06-18 | 深圳须弥云图空间科技有限公司 | File encryption method, device, storage medium and electronic equipment |
CN115438358A (en) * | 2022-09-05 | 2022-12-06 | 长江量子(武汉)科技有限公司 | Controlled file encryption method and electronic equipment |
CN115438358B (en) * | 2022-09-05 | 2023-07-14 | 长江量子(武汉)科技有限公司 | Controlled file encryption method and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102945355B (en) | Fast Data Encipherment strategy based on sector map is deferred to | |
Halcrow | eCryptfs: An enterprise-class encrypted filesystem for linux | |
JP4759513B2 (en) | Data object management in dynamic, distributed and collaborative environments | |
US8204233B2 (en) | Administration of data encryption in enterprise computer systems | |
JP5643318B2 (en) | Temporary confidential secure storage method | |
Squicciarini et al. | Preventing information leakage from indexing in the cloud | |
CN102855452B (en) | Fast Data Encipherment strategy based on encryption chunk is deferred to | |
CN102999732B (en) | Multi-stage domain protection method and system based on information security level identifiers | |
KR101613146B1 (en) | Method for encrypting database | |
CN109923548A (en) | Method, system and the computer program product that encryption data realizes data protection are accessed by supervisory process | |
US20030208686A1 (en) | Method of data protection | |
EP1365306A2 (en) | Data protection system | |
CN110990851B (en) | Static data encryption protection method and system | |
US7962492B2 (en) | Data management apparatus, data management method, data processing method, and program | |
JP4167476B2 (en) | Data protection / storage method / server | |
CN106682521B (en) | File transparent encryption and decryption system and method based on driver layer | |
CN102831359A (en) | Encryption file system of portable mobile storage device | |
CN115329389B (en) | File protection system and method based on data sandbox | |
CN101751536A (en) | Transparent file encryption method for increasing file header | |
KR100440037B1 (en) | Document security system | |
CN103532712B (en) | digital media file protection method, system and client | |
Aissaoui et al. | Survey on data remanence in Cloud Computing environment | |
Virvilis et al. | A cloud provider-agnostic secure storage protocol | |
KR20100106110A (en) | Secure boot data total management system, methods for generating and verifying a verity of matadata for managing secure boot data, computer-readable recording medium storing program for executing any of such methods | |
JP2008035449A (en) | Data distributing method using self-decryption file and information processing system using the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| DD01 | Delivery of document by public notice | Addressee: Hu Yangbin; Document name: Notification of Publication of the Application for Invention |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20100623 |