CN102053925A - Realization method of data encryption in hard disk - Google Patents

Realization method of data encryption in hard disk
Info

Publication number: CN102053925A
Authority: CN (China)
Prior art keywords: data, disk, protected, key, catalogue
Legal status: Pending (The legal status is an assumption and is not a legal conclusion.)
Application number: CN2009102104860A
Other languages: Chinese (zh)
Inventor: Name withheld (不公告发明人)
Current Assignee: Individual (The listed assignees may be inaccurate.)
Original Assignee: Individual
Abstract

The invention provides a method for implementing hard disk data encryption, comprising the following steps: monitoring the status of a USB (universal serial bus) Key in real time, performing identity authentication with an authorized USB Key and obtaining a secret key; storing the protected data in a protected directory and, when authentication succeeds, mapping the protected directory's space to a virtual disk, encrypting data written to the disk and decrypting data read from it; using unprotected directories as ordinary disk directories; and hiding the virtual disk to prevent access to the protected directory and the protected data when the authorized USB Key is absent. Data stored in the virtual disk storage area of the protected directory always remains encrypted and is decrypted automatically in memory when the user uses it. The method supports a variety of disks and file systems, does not change established data usage habits or application behaviour, and does not require users to purchase new disk devices.

Description

Method for implementing hard disk data encryption
Technical field
The present invention relates to a method for implementing hard disk data encryption, chiefly the automatic encryption and decryption of a user's hard disk data. It lets the user obtain automatic encryption and decryption of hard disk data without adding new system hardware and without changing established data usage habits, improving information security and preventing information leakage, so that data is stored securely without increasing the user's cost or burden. The method obtains the key from a USB Key and performs identity authentication, and uses virtual disk technology to encrypt and decrypt data transparently in real time. It uses file system filter driver technology to protect the virtual disk storage file. The method designates a protected directory on the hard disk that the user cannot access at will. When the USB Key is present, virtual disk technology maps the virtual disk storage file in this directory's space to a disk for the user; data written to this virtual disk is encrypted automatically and data read from it is decrypted automatically. Disk space outside the protected directory remains ordinary space and daily use is unaffected. When the USB Key is absent, the virtual disk disappears, and the protected directory and the virtual disk storage file in its space are inaccessible.
Background art
With the rapid development of computer technology, information is increasingly digitized and large amounts of it are stored on computers. This brings a major threat: information leakage. Incidents at home and abroad in which information leakage has led to product failures, lost customers, damaged reputation and property loss are reported again and again. The protection of information on removable storage devices has therefore become an urgent topic.
To meet this demand, many equipment vendors have released information protection products; the most common at present are encrypted directories and virtual disks. With an encrypted directory, data the user stores in a particular directory is encrypted, and an authorization password must be entered before use. This limits information theft by unauthorized users. Products of this type, however, currently have the following problems:
1: Read/write control has to be implemented at the file operation level, so the product depends on the operating system's file operations. Because some of these operations are not public, such products are relatively unstable.
2: Operating system updates often optimize the file system, and these optimizations often make the product unusable, so compatibility is relatively poor.
3: All data in the protected directory's space is encrypted, including the directory structure; once the directory can be accessed the data can be accessed, which makes data backup cumbersome.
Products that use a virtual disk require the user to specify a disk file; the virtual disk maps this file to a disk for the user, and an authorization password must be entered before use. This limits information theft by unauthorized users. Products of this type, however, currently have the following problems:
1: The disk file is an ordinary data file and is at risk of accidental damage; once the file is damaged, none of the data can be accessed.
2: The appearance and disappearance of the disk cannot be automated; it has to be deactivated and unloaded manually by the user, which is cumbersome.
Summary of the invention
The main purpose of the present invention is to provide a method for implementing hard disk data encryption that protects confidential information on the hard disk from theft without affecting daily use of the hard disk, fits the user's habits, and greatly reduces the user's cost.
The invention uses a USB Key for user identity authentication and for storing the encryption/decryption key. The key is generated randomly by hardware at production time and stored in the Key, so the user need not remember it. The Key uses the HID device driver provided by the operating system, so the user does not need to install an additional driver, which reduces driver installation and maintenance overhead. The invention uses virtual disk technology to implement data encryption; it is compatible with all hard disks and requires no new hardware. The virtual disk is fully compatible with the user's existing data usage habits and patterns, which is very convenient for the user. The invention uses a file system filter driver to designate a protected directory on the hard disk; only the protected directory's space is mapped to the virtual disk, and other directories can still be used normally.
The hardware part of the method is a USB Key with an ordinary HID interface, driven directly by the HID device driver; kernel-level inter-device communication is used to control the device and to read the authentication data and the key.
The software part consists of the virtual disk driver and the file system filter driver. When the Key is present and has passed authentication, the driver maps the protected directory's space to a disk for the user, encrypts data written to this disk and decrypts data read from it. When the Key is absent, the protected directory is inaccessible to the user, which ensures the data in it is not accidentally damaged. All other directories are ordinary hard disk directories whether or not the Key is present, and their use is unaffected.
With the above technical scheme, the invention has the following advantages:
1: The HID-interface USB Key needs no additional driver installation, which reduces the user's device driver maintenance cost.
2: The virtual disk driver is compatible with all hard disks and file systems; the user does not need to buy new equipment and existing hard disks are supported directly, which saves equipment cost.
3: The virtual disk provides a fully transparent encryption and decryption process that is fully compatible with the user's habits, which reduces the user's learning cost.
4: The file system filter driver implements only selective file access control and does not handle encryption or decryption; it protects the virtual disk files in the protected directory from being destroyed while remaining compatible with all file systems and operating systems.
5: The device is monitored in real time; once the USB Key is absent, the virtual disk is unloaded automatically and the protected directory's data is protected at the same moment and cannot be used, which is both convenient for the user and keeps the data secure.
6: Multiple encryption algorithms are supported and can be specified or updated as needed, which is flexible.
7: The key is generated randomly by hardware and stored in the Key; the user does not have to keep it, which avoids loss.
8: Data in the unprotected directories of the hard disk is not encrypted and remains ordinary hard disk data. The data storage function of the hard disk is unaffected.
9: When the Key is absent, the protected directory of the hard disk is inaccessible to the user, which prevents the protected data from being accidentally damaged.
10: Loading and unloading of the virtual disk are fully automatic and follow the state of the USB Key.
These characteristics are superior to those of any existing hard disk data encryption product on the market.
The beneficial effects of the invention are as follows. The user can encrypt hard disk data without buying a new hard disk or mobile hard disk enclosure, making effective use of existing resources and reducing cost. The fully transparent encryption and decryption is fully compatible with the user's existing data usage habits and patterns, so the user needs no special training, which lightens the burden of use. The user can designate the protected directory freely, which prevents information leakage without affecting daily use of the hard disk. The HID-interface USB Key needs no driver installation, which reduces the user's system maintenance overhead. Automatic loading and unloading of the virtual disk according to the USB Key state further reduces the burden of use.
Description of drawings
The present invention is further described below with reference to the drawings and embodiments.
Fig. 1 is the software architecture diagram of the invention.
Fig. 2 is the hardware architecture diagram of the invention.
Fig. 3 is the HID device monitoring flowchart of the invention.
Fig. 4 is the virtual disk driver workflow diagram of the invention.
Fig. 5 is the file system filter driver workflow diagram of the invention.
In the figures: 1. application program, 2. user operation, 3. system file operation API, 4. kernel file service interface, 5. file system driver, 6. file system filter driver, 7. virtual disk driver, 8. HID device driver, 9. disk driver, 10. HID interface register, 11. HID device firmware.
Embodiment:
To describe the structure of the invention and the effects it achieves in detail, the following preferred embodiment is described with reference to the drawings:
In Fig. 1, applications and user operations interact with the system file interface, which converts requests into kernel-mode file service requests. These requests are first sent to the file system driver, which passes them to the file system filter driver. The filter driver filters the file requests: unauthorized requests are rejected directly, and authorized requests are dispatched to the corresponding disk device driver. When the virtual disk receives an access request, it maps the request and passes it to the actual disk driver. The filter driver and the virtual disk driver act according to the current state of the HID USB Key. If the Key is absent, the virtual disk driver does not present an emulated disk device to the system and the filter driver denies access to the protected directory, so the protected directory's space cannot be accessed. If the Key is present and authenticated, the filter driver allows access to the protected directory and the virtual disk driver presents an emulated disk to the system, mapping the protected directory's space to a disk. File data written to this disk is then encrypted by the virtual disk driver and stored in the protected directory's disk space; read requests to this disk are redirected by the virtual disk driver to the protected directory's disk space, and the file data read is decrypted and handed to the system for normal processing. Data outside the protected directory's space remains ordinary disk storage managed directly by the system disk driver and is unaffected.
In Fig. 2, the virtual disk driver communicates with the HID-interface USB Key through the HID driver and inter-device communication. A USB Key that satisfies the virtual disk driver's series of authentication sequences is an authorized Key. From this Key the virtual disk driver obtains the key, the user password, the protected directory information, the size of the virtual disk region and other information.
In Fig. 3, the state of the USB Key is monitored by the virtual disk driver. When a USB Key is found to be present, data is exchanged with it over the HID interface; a Key that satisfies the specific data exchange sequence is the target Key. The previously stored key and user password are then obtained from the Key and the user is prompted for password authentication. After successful authentication, the virtual disk driver is notified that the Key is present and is given the key, and at the same time the file system filter driver is notified to allow access to the protected directory. If the authenticated HID-interface USB Key is removed, the virtual disk driver is notified that the Key is absent and the key is cleared, at the same time the file system filter driver is notified that the protected directory is inaccessible, and the disk space mapping is then cancelled.
In Fig. 4, after the virtual disk driver receives a file data request from the system, it redirects the request to the protected directory's space on the actual disk according to the parameters obtained from the Key, encrypting data that is written and decrypting data that is read.
In Fig. 5, when the file system filter driver receives a file data request from the system, it first checks whether the request targets the protected directory. If not, the request is passed directly to the corresponding disk driver. If it does, the driver checks the state of the authorized USB Key: if the Key is absent the access request is rejected; if the Key is present the access is passed to the corresponding disk driver.
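The Fig. 3 key-state transitions and the Fig. 5 filter decision can be modelled in user space as follows. This is an added illustration, not code from the patent; all names, the 32-byte key size and the sample directory C:\Vault are assumptions, and it assumes the filter sees normalized absolute paths. It shows two checks a reviewer of such a design would look for: the protected-directory match must stop at a path component boundary, and the in-memory key must be wiped when the Key is removed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32  /* assumed key size; the patent fixes no algorithm */

typedef enum { REQ_PASS_THROUGH, REQ_FORWARD_PROTECTED, REQ_DENY } decision_t;

typedef struct {
    const char *protected_dir;   /* hypothetical protected directory */
    int key_present;             /* authorized USB Key authenticated */
    int vdisk_mounted;           /* virtual disk exposed to the system */
    uint8_t disk_key[KEY_LEN];   /* key read from the USB Key, memory only */
} guard_state;

/* Zero a buffer through a volatile pointer so the stores are not elided. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Fig. 3, Key authenticated: hand over the key, allow access, map the disk. */
void on_key_authenticated(guard_state *s, const uint8_t key[KEY_LEN]) {
    memcpy(s->disk_key, key, KEY_LEN);
    s->key_present = 1;
    s->vdisk_mounted = 1;
}

/* Fig. 3, Key removed: clear the key, block the directory, unmap the disk. */
void on_key_removed(guard_state *s) {
    s->key_present = 0;
    secure_wipe(s->disk_key, KEY_LEN);
    s->vdisk_mounted = 0;
}

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Returns 1 if path is the protected directory or lies below it.
 * The comparison is case-insensitive and must end on a component
 * boundary, so a sibling such as "VaultBackup" does not match "Vault". */
int path_is_protected(const char *dir, const char *path) {
    size_t n = strlen(dir);
    while (n > 0 && is_sep(dir[n - 1])) n--;      /* ignore trailing separators */
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0') return 0;            /* path shorter than directory */
        if (is_sep(dir[i]) && is_sep(path[i])) continue;
        if (tolower((unsigned char)dir[i]) != tolower((unsigned char)path[i]))
            return 0;
    }
    return path[n] == '\0' || is_sep(path[n]);
}

/* Fig. 5: requests outside the protected directory pass through; requests
 * inside it are forwarded only while the authorized Key is present. */
decision_t filter_request(const guard_state *s, const char *path) {
    if (!path_is_protected(s->protected_dir, path)) return REQ_PASS_THROUGH;
    return s->key_present ? REQ_FORWARD_PROTECTED : REQ_DENY;
}

/* Returns 1 when no key material remains in the state. */
int key_is_wiped(const guard_state *s) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= s->disk_key[i];
    return acc == 0;
}

int main(void) {
    const char *f = "C:\\Vault\\disk.img";        /* constructed sample path */
    guard_state s = { "C:\\Vault", 0, 0, {0} };
    uint8_t k[KEY_LEN];
    memset(k, 0xA5, sizeof k);                    /* constructed sample key */
    printf("absent:  %d\n", filter_request(&s, f));
    on_key_authenticated(&s, k);
    printf("present: %d\n", filter_request(&s, f));
    on_key_removed(&s);
    printf("removed: %d wiped=%d\n", filter_request(&s, f), key_is_wiped(&s));
    return 0;
}
```

In a real filter driver the same decision would be made on names already normalized by the operating system; a raw prefix comparison without the boundary check would also block or expose sibling directories that merely share the prefix.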

Claims (10)

Family Applications (1)

Application Number: CN2009102104860A
Title: Realization method of data encryption in hard disk
Priority Date: 2009-11-04
Filing Date: 2009-11-04
Status: Pending
Publication: CN102053925A (en)

Publications (1)

Publication Number: CN102053925A (en)
Publication Date: 2011-05-11

Family ID: 43958269

Country Status (1)

Country: CN (1)
Link: CN102053925A (en)

Legal Events

Code: Title
C06: Publication
PB01: Publication
C02: Deemed withdrawal of patent application after publication (patent law 2001)
WD01: Invention patent application deemed withdrawn after publication

Application publication date: 2011-05-11
