Summary of the invention
The object of the present invention is to provide a method for encrypting a data storage device based on virtual systems, which allows multiple virtual systems running on the same machine to each use a different cryptographic algorithm or encryption key, thereby improving data security.
The technical solution of the present invention is:
A method for encrypting a data storage device based on virtual systems, comprising the steps of:
1) setting up a virtual machine platform and several virtual systems on a hardware system;
2) providing an interchangeable encryption and decryption algorithm module in the virtual machine platform, which supplies cryptographic algorithms to the virtual systems;
3) the virtual machine platform partitions the data storage device, allocating a data storage space to each virtual system and setting the key and cryptographic algorithm that each virtual system uses;
4) when a virtual system accesses the data storage device, it sends the key it uses to the virtual machine platform;
5) the virtual machine platform performs a consistency check on the key of this virtual system and, if it is consistent, uses the key and the corresponding cryptographic algorithm to process the data accordingly.
The interchangeable encryption and decryption algorithm module comprises a virtual system management list, whose fields comprise: virtual system feature, key feature, cryptographic algorithm, virtual system data start address, virtual system data storage space length, real data storage device start address, and real data storage device storage space length.
The key feature is the hash value of the key.
If the storage addresses of a virtual system's encrypted data on the real data storage device are not contiguous, a list of the real data storage device start addresses together with their corresponding lengths is used as the data storage space length of this virtual system.
The interchangeable encryption and decryption algorithm module comprises an access interface through which a virtual system installs, replaces or upgrades cryptographic algorithms.
The consistency check is performed as follows: a key confirmation module is provided in the virtual machine platform, and it determines whether the received key is consistent with the key feature of the corresponding virtual system stored in the interchangeable encryption and decryption algorithm module.
In the method, if the result of the consistency check is inconsistent, then:
a) an error message is fed back to the virtual system, and the event is logged;
b) after the virtual system has sent a wrong key 3 times in succession, each further key received causes the corresponding service for this virtual system to be suspended for a period of time, and the suspension time doubles with each additional error, wherein the period of time is set to 1 second and the suspension time is $2^{n-4}$ seconds, n being the number of consecutive errors.
The virtual machine platform provides one or more cryptographic algorithms for the virtual systems.
The cryptographic algorithms include the SMS4, 3DES and AES cryptographic algorithms.
The data storage device includes: hard disks, USB flash drives and network storage devices.
The flow of the present invention is shown in Figure 2:
1. Using known technology, virtual systems are built on a VMM. There are multiple virtual systems; each has its own data storage space on the hard disk and can access only its own data storage space, not the data of other virtual systems. Each virtual system uses its own cryptographic algorithm and encrypts the data it stores on the hard disk with its own key.
2. Using known technology, the VMM has actual control of the hard disk: all hard disk I/O from the upper-layer virtual systems can be intercepted by the VMM, which knows which virtual system the accessed hard disk data belongs to.
3. An interchangeable encryption and decryption algorithm module and the key feature of each system are built into the VMM. The module contains several cryptographic algorithms and also comprises an access interface through which a virtual system installs, replaces or upgrades cryptographic algorithms.
3.1. The key feature can be one generated by known technology, such as the hash value of the key.
4. When an upper-layer virtual system accesses hard disk data, it first sends its key to the VMM using known technology; the VMM performs a consistency check of the received key against the key it holds and, after the check, confirms the validity of the key.
4.1. The consistency check can compare the key of the upper-layer virtual system with the stored key feature; alternatively, no such feature is stored and the check is performed directly with a key validity confirmation algorithm known from cryptography;
5. The data access request of the virtual system is then completed by known technology using the key and the corresponding encryption and decryption algorithm;
5.1. For a data read request, the corresponding hard disk data can be decrypted and sent to the upper-layer virtual system;
5.2. For a data write request, the data sent by the virtual system can be encrypted and then saved to the hard disk;
6. Different applications of one virtual system can use different cryptographic algorithms or different keys;
The encrypted data can be stored on a hard disk, or on a similar data storage device such as a USB flash drive or a network storage device.
Positive effects of the present invention:
1. The cryptographic algorithm is independent of the hard disk and of the VMM, and the algorithm can be added to the virtual machine by the end user, which ensures the security of the algorithm;
2. The cryptographic algorithm is easy to upgrade later if needed;
3. According to user settings, different storage areas use different encryption keys, improving data security;
4. If there are multiple systems on the virtual system, these systems can use different cryptographic algorithms or encryption keys.
Embodiment
The specific embodiment of the present invention is described further below with reference to the accompanying drawings; the structural block diagram of the present invention is shown in Figure 1.
One, system initialization
1. The virtual platform VMM is installed on the real hardware system;
2. An interchangeable encryption and decryption algorithm module is preset in the VMM and provides an access interface for use by the upper-layer virtual systems; there can be one cryptographic algorithm or several, such as SMS4, 3DES and AES;
3. The virtual systems are installed on the VMM, and the key and cryptographic algorithm used for the data in each virtual system are set, together with the size of the data storage space; each virtual system can select a cryptographic algorithm from the interchangeable encryption and decryption module according to its own needs;
4. Data storage space on the hard disk is allocated to the virtual system, and the interchangeable encryption and decryption algorithm module encrypts the stored data with the key and its corresponding cryptographic algorithm;
5. The feature of the key and the hard disk addresses of the data encrypted with that key are stored in the virtual system management list of the interchangeable encryption and decryption algorithm module (the fields of the list include the key feature, the cryptographic algorithm used, the virtual system data start address and length, and the corresponding real hard disk start address and length; if the encrypted data is not stored at contiguous addresses on the real hard disk, a list of real hard disk start addresses and lengths is created as the hard disk storage space length for this virtual system), as shown in Table 1:
Table 1. Virtual system management list

| Virtual system feature | Key feature | Cryptographic algorithm | Virtual system hard disk start address | Length (sectors) | Real hard disk start address | Length (sectors) |
|---|---|---|---|---|---|---|
| VMM_VISTA | Feature 1 | SMS4 | 0 | 102,400 | 25,600 | 102,400 |
| VMM_VISTA | Feature 2 | SMS4 | 102,400 | 512,000 | 128,000 | 512,000 |
| VMM_XP | Feature 3 | 3DES | 0 | 4,096,000 | 640,000 | 4,736,000 |
| VMM_XP | Feature 4 | AES | 4,096,000 | 256,000 | 4,736,000 | 4,992,000 |

In Table 1, the same virtual system VMM_XP uses the AES and 3DES algorithms respectively to encrypt data for different applications.
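The lookup that the management list makes possible can be sketched as follows. This is an added example, not code from the patent: it uses the virtual start address, length and real start address columns of Table 1, and the names Region, MANAGEMENT_LIST and resolve are hypothetical. Rejecting a request that straddles two regions is a choice of this example.

```python
from typing import NamedTuple


class Region(NamedTuple):
    vm: str            # virtual system feature
    key_feature: str   # placeholder label, as in Table 1
    algorithm: str     # cryptographic algorithm for this region
    v_start: int       # virtual system hard disk start address (sector)
    length: int        # length of the region in sectors
    real_start: int    # real hard disk start address (sector)


# Rows of Table 1 (virtual start, length and real start columns only).
MANAGEMENT_LIST = [
    Region("VMM_VISTA", "Feature 1", "SMS4", 0, 102_400, 25_600),
    Region("VMM_VISTA", "Feature 2", "SMS4", 102_400, 512_000, 128_000),
    Region("VMM_XP", "Feature 3", "3DES", 0, 4_096_000, 640_000),
    Region("VMM_XP", "Feature 4", "AES", 4_096_000, 256_000, 4_736_000),
]


def resolve(vm: str, sector: int, count: int = 1):
    """Map an intercepted I/O request to (region, real start sector).

    Raises PermissionError when no single region owned by `vm` covers the
    whole request, which keeps a virtual system inside its own allocation.
    """
    if sector < 0 or count < 1:
        raise ValueError("invalid sector range")
    for r in MANAGEMENT_LIST:
        end = r.v_start + r.length
        if r.vm == vm and r.v_start <= sector and sector + count <= end:
            return r, r.real_start + (sector - r.v_start)
    # Outside the allocation, or spanning two regions with different
    # keys or algorithms (a fuller design could split such a request).
    raise PermissionError(f"{vm}: sectors {sector}..{sector + count - 1} not mapped")
```

The returned region carries the algorithm and key feature to use, so the same virtual sector number resolves to different real sectors and ciphers for VMM_VISTA and VMM_XP.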
Two, when a virtual system accesses data
1. The virtual system sends its key to the interchangeable encryption and decryption algorithm module in the VMM;
2. The interchangeable encryption and decryption algorithm module checks whether the virtual system's key is consistent with the stored key feature:
a) if it is inconsistent, an error message is fed back to the virtual system and the event is logged;
b) after the virtual system has sent a wrong key several times in succession (3 times), each further key received causes the corresponding service for this virtual system to be suspended for a period of time, and the suspension time doubles with each additional error. For example, when the 4th consecutive wrong key is received, service is next provided to the virtual system after 1 second; when the 5th consecutive wrong key is received, after 2 seconds; and when the n-th consecutive wrong key is received, after $2^{n-4}$ seconds.
3. After the consistency check by the interchangeable encryption and decryption algorithm module succeeds, the module selects the corresponding cryptographic algorithm from the management list to process the data:
a) for a data read request, the corresponding hard disk data is decrypted with the key and the corresponding cryptographic algorithm and sent to the upper-layer virtual system;
b) for a data write request, the data sent by the virtual system is encrypted with the key and the corresponding cryptographic algorithm and then saved to the hard disk.
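The key consistency check and the suspension schedule, described both in the summary and in step 2 above, can be sketched as follows. This is an added example, not code from the patent: SHA-256 as the key feature, the class name KeyConfirmation, the caller-supplied clock value `now`, and not evaluating keys while a suspension is active are all assumptions of this example.

```python
import hashlib
import hmac

FREE_ATTEMPTS = 3  # consecutive wrong keys tolerated before suspension starts


def key_feature(key: bytes) -> bytes:
    """Key feature stored by the VMM; SHA-256 is an assumption of this example."""
    return hashlib.sha256(key).digest()


def suspension_seconds(n: int) -> int:
    """Suspension after the n-th consecutive wrong key: 2^(n-4) s from n = 4."""
    return 0 if n <= FREE_ATTEMPTS else 2 ** (n - 4)


class KeyConfirmation:
    """Hypothetical key confirmation module: one stored feature per virtual system."""

    def __init__(self, features: dict):
        self.features = features     # virtual system -> stored key feature
        self.failures = {}           # virtual system -> consecutive wrong keys
        self.blocked_until = {}      # virtual system -> time service resumes
        self.log = []                # recorded mismatch events

    def check(self, vm: str, key: bytes, now: float) -> str:
        if now < self.blocked_until.get(vm, 0.0):
            return "suspended"       # service paused; the key is not evaluated
        stored = self.features.get(vm)
        # Constant-time comparison of the computed and stored features.
        if stored is not None and hmac.compare_digest(key_feature(key), stored):
            self.failures[vm] = 0    # a correct key resets the error count
            return "ok"
        n = self.failures.get(vm, 0) + 1
        self.failures[vm] = n
        self.blocked_until[vm] = now + suspension_seconds(n)
        self.log.append((now, vm, n))  # step a): record the event
        return "error"
```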