CN100452076C - Method for constructing transparent coding environment - Google Patents

Publication number
CN100452076C
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2007101185857A
Other languages
Chinese (zh)
Other versions
CN101101622A (en)
Inventor
姜斌斌
文中领
吕俊
陈华平
张磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsense Info Tech Co ltd
Original Assignee
Beijing Topsense High-Tech Information Technology Co Ltd
Application filed by Beijing Topsense High-Tech Information Technology Co Ltd
Priority to CNB2007101185857A
Publication of CN101101622A
Publication of CN100452076C

Abstract

A Windows kernel hook technique is used to hook the Windows file system filter driver, so that file operation requests enter the hooked file-operation routines. Monitoring logic and encoding processing are added to each routine a request passes through, so that all file operations are monitored and a transparent encoding environment is constructed for the user. The method appends an extension to encrypted files and hides that extension inside the environment, which makes the encoding process transparent to the user there. Outside the environment the extension is not hidden, and a user cannot perform any normal operation on an encrypted file. By guarding against the first author leaking confidential information, the invention monitors file operations in the Windows system completely and thoroughly, achieving comprehensive protection of data security.

Description

A method for constructing a transparent coding environment
Technical field
The present invention relates to a method for constructing a transparent coding environment and belongs to the field of computer security technology.
Background art
In recent years, with the continuous development of computers and related information technology, computer systems have been applied ever more widely in every field and play an ever more important role, which makes the data security of computer systems a very important problem. Valuable data and important files of all kinds need adequate security protection, and the leakage of confidential information can cause irreparable damage. Current data protection methods mainly encode and encrypt files at the computer's application layer, but this approach has the following defects: 1. different users cannot be given different access rights; 2. encryption can only be applied to designated directories or files, or encoding is applied only to specific file formats or specific software, so the approach is not general; 3. in most cases the user selects the files to be encoded and must initiate the whole process, so it cannot run automatically, a transparent operating environment cannot be achieved, and operation is inconvenient.
To overcome these problems, patent application No. 200610096441.1 discloses a computer data security protection method for use in a computer system. The method inserts a file system filter driver module into the file system driver layer of the operating system to intercept the file read and write operations issued by applications, and sets up an electronic key carrying a user key and password information. When the electronic key is inserted into a USB interface and the program is opened, the system automatically creates a virtual "safe" for the corresponding user, and any file or folder placed in the safe by copy and paste is protected. Files and folders exist on the physical medium as ciphertext and in memory as plaintext. A legitimate user operates on encrypted files as on ordinary files, and the encryption and decryption process is transparent to the legitimate user. When the user removes the electronic key, the encrypted files are hidden immediately.
The prior art found by the above search certainly protects the data in a computer to some extent, and it solves the problems of user access rights, generality of file protection and transparency to the user. However, the method is built on complete trust in the first author: for the first author, the protected file receives no necessary protection, so information can be leaked through the first author's own actions. The inability to guard against the first author is therefore an important defect of this method.
Summary of the invention
The technical problem to be solved by the present invention is: in view of the deficiencies of the prior art described above, to propose a method for constructing a transparent coding environment which, on the basis of solving problems such as different access rights for different users, generality of file protection and complete transparency to the user, achieves comprehensive data protection that includes guarding against the first author leaking confidential information.
To solve the above technical problem, the method of the present invention for constructing a transparent coding environment is as follows: a Windows kernel hook technique is used to hook the Windows file system filter driver, so that file operation requests enter the hooked file-operation routines; monitoring logic and encoding processing are added to each routine a request passes through; all file operations are monitored; a transparent coding environment is constructed; and an extension is appended to encrypted files.
The method performs the monitoring logic and encoding processing for file create and open operations according to the following steps:
1) hook the relevant routines of the Windows file system filter driver and intercept the I/O request packets (IRPs);
2) extract the file object from the intercepted IRP, and determine the nature of the current file and whether the current process is a monitored process;
3) extract the file name suffix, and determine whether the file object exists in the hash table entries;
4) determine the request type. If it is a create-file request, create the file and add the encryption suffix to the created file. If it is an open-file request, determine whether the file exists: if it exists and has no suffix, mark the file as carrying the encryption flag; if it exists and has the suffix, perform the open operation. If it does not exist and has no suffix, determine whether it is a system file: if the system file does not exist, perform the create-file request and create a new file containing the encryption flag; if it is a system file, stop the operation;
The method performs the monitoring logic and encoding processing for write operations according to the following steps:
1) determine whether the current process is a monitored process, and set the monitored flag accordingly;
2) determine whether the current process is a system process or a specific process. If it is neither, refuse write operations on encrypted files by processes outside the environment; if it is a system process or a specific process, accept the file write by the process inside the environment and encrypt the file;
In addition, the monitoring logic and encoding processing of the method include the following controls:
When a write operation completes, the data written in the buffer is decrypted, to guarantee that what is written to the buffer is plaintext file data;
In the system environment, the appended suffix is hidden, to guarantee the transparency of the coding environment;
When a file name is queried, the appended file suffix is removed;
When a file is renamed, the suffix is added to the new file name at the same time, to guarantee that renaming works normally.
Because the present invention uses a Windows kernel hook technique to hook the Windows file system filter driver, it makes file security protection general. Because it runs in the system's kernel mode, a legitimate user does not notice the low-level operations of the computer and needs no additional steps, and the extension appended to encrypted files is hidden, so the method is completely transparent to the user. Because the Windows file system filter driver is hooked and logic monitoring is carried out in the routines of the file operation path, at any time the file operations of any user, including the first author, are under logic monitoring. This forms a tight coding environment that guards against users, including the first author, leaking confidential information, so that file operations in the Windows system are monitored completely and the goal of comprehensively protecting data security is achieved.
Brief description of the drawings
Fig. 1 is the logic flow chart of the present invention.
Detailed description of the embodiments
Because all file operations in Windows, such as reads and writes, pass through the Windows file system filter driver, the present invention hooks the relevant routines in the file system filter driver and intercepts the Windows file system filter driver to achieve transparent file encoding. When a user reads or writes a file, the system issues the corresponding I/O read/write request IRPs. These IRPs first pass through the Windows file system filter driver, and because we have hooked its relevant routines, they are intercepted by our filter driver. In the intercepting routines we filter all of the user's file operations, including encoding the content the user reads and writes and initialization when a file is created. After our processing of the IRP returns, the system continues to complete the remaining data read/write operations in the file system filter driver, which guarantees transparent protection for all file operations such as reads and writes.
The transparent coding implementation above applies to Windows 2000/XP/2003 systems.
The main routines involved in the transparent coding environment are: CreateRoutine(), ReadCompleteRoutine(), WriteRoutine(), WriteCompleteRoutine(), DirectoryControlRoutine(), FileInformationRoutine().
The processing logic in each of these routines is described in detail below:
1. CreateRoutine():
This routine implements the encoding flow performed when a file is created (including opened).
The detailed flow in pseudocode is as follows:
    BOOLEAN HasSuffix;
    PFILE_OBJECT FileObject;
    PHASH_ENTRY CurrentEntry;
    FileObject = currentIrpStack->FileObject;             // extract the file object from the IRP
    CurrentEntry = FindFileObjectHashEntry(FileObject);   // look up the hash entry by FileObject
    If (!IsFileObjectDirectory(...)) then                 // the object is a file
        If (IsProcessWatched(PID)) then                   // the current process is a monitored process
            HasSuffix = FileNameHasEncryptSuffix(OldFileName);   // extract the file suffix
            If (CurrentEntry != NULL) then
                // set the current encryption flag to TRUE
                If (create file) then                     // the current operation creates a file
                    If (!HasSuffix) then                  // the file name has no encryption suffix
                        // append the encryption suffix to the file name
                    Endif
                Else if (open file operation) then
                    If (!HasSuffix) then                  // the file name has no encryption suffix
                        // append the encryption suffix to the file name
                    Endif
                    If (FileExists) then                  // the current file exists
                        If (!HasSuffix) then              // the file name has no encryption suffix
                            // mark the file as carrying the encryption flag
                        Endif
                    Else                                  // the current file does not exist
                        If (!HasSuffix) then              // no suffix: may be a system file
                            If (!FileExists) then         // the system file does not exist
                                If (current operation is create file) then
                                    // create a new file containing the encryption flag
                                Endif
                            Endif
                        Else                              // the file with the suffix does not exist
                            // do nothing
                        Endif
                    Endif
                Endif
            Endif
        Else    // we allow the process to open encrypted files, but do not allow it to read or write them
            // do nothing
        Endif
    Endif
2. ReadCompleteRoutine():
This routine implements the flow that decrypts the file when a read request arrives.
3. WriteRoutine():
This routine implements the flow that encrypts the file when a write request arrives.
The detailed flow in pseudocode is as follows:
    If (CurrentEntry) then
        If (!CurrentEntry->Watched) then        // the monitored flag is FALSE
            // set whether the entry is monitored
            CurrentEntry->Watched = IsProcessWatched((ULONG)PsGetCurrentProcess());
        Endif
        // Some encrypted files are created during system startup, but the Encrypted
        // flag in their hash table entry has not been set, so it must be set here
        If (!CurrentEntry->Encrypted) then
            CurrentEntry->Encrypted = FileNameHasEncryptSuffixA(fullPathName);
        Endif
        If (!CurrentEntry->Watched && CurrentEntry->Encrypted && current process is not a system process
                && current process is not a specific process) then
            // a process outside the environment is trying to write an encrypted file; the operation is rejected
            return FILE_WRITE_NOT_PERMITTED;
        Endif
        // When the system caches a file it may use a different FileObject, so whenever
        // the file name has the suffix the file must be encrypted; this requires that, once
        // the system has started, non-monitored processes are forbidden from writing data
        // to encrypted files
        If (current process is a system process || current process is a specific process) then
            If (CurrentEntry->Encrypted) then
                CurrentEntry->Watched = TRUE;
            Endif
            If (CurrentEntry->Watched) then
                If (CurrentEntry->Encrypted) then
                    // a process inside the environment writes the file; encrypt the file
                Endif
            Endif
        Endif
    Endif
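The write-path decision above can be traced in a user-mode C model. This is an added example, not the patent's driver code: it follows the pseudocode as printed, and the suffix value `.tce`, the types `proc_class_t`, `process_t` and `hash_entry_t`, and the verdict names are assumed for illustration.

```c
/* User-mode model of the WriteRoutine() decision; not driver code. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ENC_SUFFIX ".tce"   /* assumed: the patent does not name the suffix */

typedef enum { PROC_NORMAL, PROC_SYSTEM, PROC_SPECIFIC } proc_class_t;
typedef enum { WRITE_PASS_THROUGH, WRITE_ENCRYPT, WRITE_DENIED } write_verdict_t;

typedef struct {            /* mirrors CurrentEntry in the pseudocode */
    bool watched;
    bool encrypted;
} hash_entry_t;

typedef struct {
    proc_class_t cls;       /* system process, specific process, or neither */
    bool monitored;         /* what IsProcessWatched() would return */
} process_t;

/* Case-insensitive suffix test, since Windows file names ignore case. */
static bool name_has_enc_suffix(const char *path)
{
    size_t n = strlen(path), s = strlen(ENC_SUFFIX);
    if (n < s)
        return false;
    for (size_t i = 0; i < s; i++)
        if (tolower((unsigned char)path[n - s + i]) !=
            tolower((unsigned char)ENC_SUFFIX[i]))
            return false;
    return true;
}

write_verdict_t write_routine(hash_entry_t *e, const process_t *p,
                              const char *full_path)
{
    if (e == NULL)
        return WRITE_PASS_THROUGH;      /* file object is not tracked */

    /* Both flags are filled in lazily and only while FALSE, so once set
       they stay set for the lifetime of the entry. */
    if (!e->watched)
        e->watched = p->monitored;
    if (!e->encrypted)
        e->encrypted = name_has_enc_suffix(full_path);

    bool privileged = (p->cls == PROC_SYSTEM || p->cls == PROC_SPECIFIC);

    /* A process outside the environment writing an encrypted file. */
    if (!e->watched && e->encrypted && !privileged)
        return WRITE_DENIED;            /* FILE_WRITE_NOT_PERMITTED */

    if (privileged) {
        if (e->encrypted)
            e->watched = true;          /* cached I/O may use another FileObject */
        if (e->watched && e->encrypted)
            return WRITE_ENCRYPT;       /* encrypt before the data reaches disk */
    }
    return WRITE_PASS_THROUGH;
}

static const char *verdict_name(write_verdict_t v)
{
    return v == WRITE_DENIED ? "denied" : v == WRITE_ENCRYPT ? "encrypt" : "pass";
}

int main(void)
{
    /* Constructed cases: one encrypted path, three kinds of writer. */
    const char *enc = "C:\\docs\\plan.doc" ENC_SUFFIX;
    process_t outsider = { PROC_NORMAL, false };
    process_t insider  = { PROC_NORMAL, true };
    process_t system_p = { PROC_SYSTEM, false };
    hash_entry_t a = { false, false };
    hash_entry_t b = { false, false };
    hash_entry_t c = { false, false };

    printf("outsider -> %s\n", verdict_name(write_routine(&a, &outsider, enc)));
    printf("insider  -> %s\n", verdict_name(write_routine(&b, &insider, enc)));
    printf("system   -> %s\n", verdict_name(write_routine(&c, &system_p, enc)));
    return 0;
}
```

In this model a monitored ordinary process gets a pass-through verdict, because the pseudocode performs encryption only in the system-process or specific-process branch. The Watched flag is evaluated only while it is FALSE, so when reviewing such a design it is worth checking how hash entries are keyed and when they are reset.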
4. WriteCompleteRoutine():
This routine guarantees that the data written in the buffer is plaintext, that is, when the write operation completes, the data written in the buffer is decrypted.
The detailed flow in pseudocode is as follows:
    If (CurrentEntry) then
        If (CurrentEntry->Watched) then          // the monitored flag is TRUE
            If (CurrentEntry->Encrypted) then    // the file content is encrypted
                // decrypt the encrypted file content, so that the data written in the buffer is plaintext
            Endif
        Endif
    Endif
5. DirectoryControlRoutine():
The main purpose of this routine is to ensure that the files the user sees in the system environment are transparent, that is, to hide the appended suffix.
The detailed flow in pseudocode is as follows:
    If (the process is a monitored process) then
        If (the file has the appended suffix) then
            // hide the appended suffix
        Endif
    Endif
6. FileInformationRoutine():
This routine mainly solves the following two problems:
1. when a file name is queried, the appended file suffix is removed;
2. when a file is renamed, the suffix is added to the new file name at the same time, to guarantee that renaming works normally.
The detailed flow in pseudocode is as follows:
    If (IRP_MJ_QUERY_INFORMATION) then                              // query-file request
        If (CurrentEntry && CurrentEntry->AppendedSuffix) then      // the file has the appended suffix
            // hide the suffix
        Endif
    Else if (FileRenameInformation) then                            // rename request
        If (!IsFileObjectDirectory()) then                          // the object is a file
            If (CurrentEntry && CurrentEntry->Encrypted) then       // the file is encrypted
                // extract the file suffix
                HasSuffix = FileNameHasEncryptSuffix(&tmpUniFileName);
                If (!HasSuffix) then                                // no appended suffix
                    // add the suffix to the file name after the rename
                Endif
            Endif
        Endif
    Endif

Claims (6)

1. A method for constructing a transparent coding environment, in which a Windows kernel hook technique is used to hook the Windows file system filter driver, so that file operation requests enter the hooked file-operation routines, monitoring logic and encoding processing are added to each routine a request passes through, all file operations are monitored, a transparent coding environment is constructed, and an extension is appended to encrypted files, characterized in that the create and open file operations comprise the following steps:
1) hook the relevant routines of the Windows file system filter driver and intercept the I/O request packets (IRPs);
2) extract the file object from the intercepted IRP, and determine the nature of the current file and whether the current process is a monitored process;
3) extract the file name suffix, and determine whether the file object exists in the hash table entries;
4) determine the request type. If it is a create-file request, create the file and add the encryption suffix to the created file. If it is an open-file request, determine whether the file exists: if it exists and has no suffix, mark the file as carrying the encryption flag; if it exists and has the suffix, perform the open operation. If it does not exist and has no suffix, determine whether it is a system file: if the system file does not exist, perform the create-file request and create a new file containing the encryption flag; if it is a system file, stop the operation.
2. The method for constructing a transparent coding environment according to claim 1, characterized in that the monitoring logic and encoding processing for write operations are performed according to the following steps:
1) determine whether the current process is a monitored process, and set the monitored flag accordingly;
2) determine whether the current process is a system process or a specific process. If it is neither, refuse write operations on encrypted files by processes outside the environment; if it is a system process or a specific process, accept the write operation on the encrypted file by the process inside the environment, and encrypt the file.
3. The method for constructing a transparent coding environment according to claim 2, characterized in that when a write operation completes, the data written in the buffer is decrypted, to guarantee that what is written to the buffer is plaintext file data.
4. The method for constructing a transparent coding environment according to claim 1, characterized in that the appended suffix is hidden in the system environment, to guarantee the transparency of the coding environment.
5. The method for constructing a transparent coding environment according to claim 1, characterized in that when a file name is queried, the appended file suffix is removed.
6. The method for constructing a transparent coding environment according to claim 1, characterized in that when a file is renamed, the suffix is added to the new file name at the same time, to guarantee that renaming works normally.
CNB2007101185857A 2007-07-10 2007-07-10 Method for constructing transparent coding environment Expired - Fee Related CN100452076C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007101185857A CN100452076C (en) 2007-07-10 2007-07-10 Method for constructing transparent coding environment

Publications (2)

Publication Number Publication Date
CN101101622A CN101101622A (en) 2008-01-09
CN100452076C true CN100452076C (en) 2009-01-14

Family

ID=39035894

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980160B (en) * 2010-10-28 2013-02-13 飞天诚信科技股份有限公司 Implementing method for encrypted .NET program
WO2012165889A2 (en) * 2011-05-31 2012-12-06 삼성에스디에스 주식회사 Id-based encryption and signature method and terminal
CN102982031B (en) * 2011-09-05 2015-04-01 腾讯科技(深圳)有限公司 File opening method and file opening device
TWI488066B (en) * 2012-12-27 2015-06-11 Chunghwa Telecom Co Ltd System and method to prevent confidential documents from being encrypted and delivered out
CN103488949B (en) * 2013-09-17 2016-08-17 上海颐东网络信息有限公司 A kind of electronic document security system
CN109886034A (en) * 2019-02-27 2019-06-14 北京智游网安科技有限公司 A kind of APK data encryption processing method, intelligent terminal and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10260903A (en) * 1997-03-19 1998-09-29 Hitachi Ltd Group ciphering method and file ciphering system
JP2004126634A (en) * 2002-09-30 2004-04-22 Nec Software Chubu Ltd File protection system
CN1928881A (en) * 2006-09-26 2007-03-14 南京擎天科技有限公司 Computer data security protective method

Also Published As

Publication number Publication date
CN101101622A (en) 2008-01-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SUZHOU HIERSTAR LTD.

Free format text: FORMER OWNER: BEIJING TOPSENSE HIGH-TECH INFORMATION TECHNOLOGY CO., LTD.

Effective date: 20130607

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100085 HAIDIAN, BEIJING TO: 215200 SUZHOU, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20130607

Address after: 215200, Jiangsu, Wujiang, Wujiang Economic Development Zone, south of Yang Lian Road, east of Changan Road (Science and Technology Pioneer Park), Suzhou

Patentee after: HIERSTAR (SUZHOU)., Ltd.

Address before: 100085, room 306, North building, rainbow building, No. 11 information road, Beijing, Haidian District

Patentee before: Beijing Topsense Info-Tech Co.,Ltd.

PP01 Preservation of patent right

Effective date of registration: 20160711

Granted publication date: 20090114

RINS Preservation of patent right or utility model and its discharge
PD01 Discharge of preservation of patent

Date of cancellation: 20170711

Granted publication date: 20090114

TR01 Transfer of patent right

Effective date of registration: 20170926

Address after: 100085, Beijing, Haidian District on the road No. 11 Rainbow Building on the third floor

Patentee after: Beijing Topsense Info-Tech Co.,Ltd.

Address before: 215200, Jiangsu, Wujiang, Wujiang Economic Development Zone, south of Yang Lian Road, east of Changan Road (Science and Technology Pioneer Park), Suzhou

Patentee before: HIERSTAR (SUZHOU)., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090114

Termination date: 20210710