A kind of method and system that disk is protected
Technical field
The present invention relates to field of information security technology, particularly a kind of method and system that disk is protected.
Background technology
In information security field, data are as a kind of wealth of preciousness, and the security of data is the unit of being subject to, enterprises and individuals's concern more and more.The protection of current data is mainly the protection based on file, and this method with protection is easy to be cracked, and follows increasing of file, and the method for this protection also can be very loaded down with trivial details.
The present invention is encrypted whole disk; and revise the startup flow process of system; system after encryption only has legal protective device just can enter system, enters after system when user reads file and deciphers in internal memory, after file is write, carries out encrypting storing on disk.On disk, there is never clear data, thereby reach the object of protection disk.
The present invention, in order to facilitate user to reduce to the disk after protection, as long as user inserts legal protective device, enters after the system of the disk after protection in addition, can be reduced to the state before not protection to whole disk.
The start-up course of Windows is as follows: after system powers on, the boot sequence that BIOS specifies according to user starts from soft, light, hard disk or other memory device, read simultaneously and carry out the Main Boot Record in boot disk, hard disk is fanned head position on 01 fan of 0 post at physics, then successively read sector end mark 55AAH, Main Boot Record, hard disk partition table, then the data that provide according to hard disk partition table, hard disk on the boot sector of active partition, then successively reads sector end mark 55AAH and operating system parameter by head position.This process reads operating system in internal memory, then gives operating system by control.
In Windows kernel, drive design to adopt hierarchy design.Disk filtration drive module is to be located on disk driver, can monitor, interception and modification system send to the I/O request bag of disk drive, thereby reaches the object of modification system execution flow process.
Software protecting equipment is that one is connected to the hardware device on main frame by computer interface (including but not limited to parallel port or USB interface).This device interior has nonvolatile storage space can, for read-write, also have the calculation processing unit such as single-chip microcomputer or micro-processing controls chip conventionally.Software developer can carry out exchanges data (software protecting equipment being read and write) by interface function and software protecting equipment, checks whether software protecting equipment is inserted on interface; Or be directly encrypted with the subsidiary instrument of software protecting equipment.Like this, software developer can arrange many places software locks in software, utilizes software protecting equipment to open these locks as key; If it is not corresponding not insert software protecting equipment or software protecting equipment, software can not normally be carried out.
In addition, software protecting equipment inside comprises specific function, for example a part of storage space, some cryptographic algorithms or some user-defined algorithm or function.Before software publishing; software developer revises the software code of oneself; make software in operational process, need to use some functions of software protecting equipment inside; software will move after leaving software protecting equipment like this; and the difficulty that software protecting equipment copies as a kind of hardware device is larger, thereby play the illegal effect of propagating of piracy software that prevents.
Software protecting equipment main on Vehicles Collected from Market comprises: WIBU-Key of the Elite series of the Sentinel Superpro of SafeNet company of the U.S., the Hasp HL of Aladdin company of Israel, BeiJing, China's deep thinking Luo Ke software incorporated company, German Wi-Bu company etc.All these software protecting equipments all provide built-in storage space, privately owned or disclosed cryptographic algorithm, check whether belong to legal when calling these functions in software running process.These software protecting equipments have adopted the basis of intelligent card chip as hardware; and the function of supporting user that oneself is defined is written to software protecting equipment inside; even can directly the partial function of software be transplanted to software protecting equipment inside completes; thereby greatly improve the difficulty of software pirate version, conventionally claimed that this technology that the function of oneself definition or the partial function of software are transplanted to software protecting equipment inside is that code is transplanted.The present corresponding website of the inventor is http://www.sense.com.cn/, wherein discloses in detail design parameter performance and the principle of work of the software protecting equipment of inventor's exploitation.
In the prior art; this is not encrypted disk in start-up course; therefore current technical need is: operating system is encrypted whole disk; and the startup flow process of operating system guarantees that the operating system after encryption only has legal software protecting equipment (hereinafter referred to as protective device) and just can enter operating system; in internal memory, decipher entering after operating system when user reads file; after file is write, carry out encrypting storing on disk, make to there will not be on disk clear data.
Summary of the invention
In view of this, the invention provides a kind of method of disk protect and reduction, to solve the problem of data in magnetic disk safety.
According to an aspect of the present invention, provide a kind of system of disk being protected by protective device, described protective device is the information safety devices with intelligent card chip, and software, data protection function are provided, and described protective device also comprises:
Protective device arranges module, overall encrypting module, the first bootstrap module, the second bootstrap module, disk filtration drive module; Wherein, described the second bootstrap module is arranged in described protective device;
Described protective device arranges module, for described protective device is arranged, the code of the second bootstrap module, start-up parameter, password is put into described protective device;
Described overall encrypting module, writes the first bootstrap module front 63 sectors of disk, and disk is encrypted totally, adopts disk filtration drive module to protect disk;
Described the first bootstrap module, carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control;
Described the second bootstrap module; replacing disk read-write interrupts; when being read, disk is decrypted; disk is write to fashionable being encrypted; the second bootstrap module reads the leader record of active partition; now the leader record reading is decrypted, thereby after deciphering, the leader record of executed activity subregion starts the operating system;
Described disk filtration drive module, for totally protecting disk; Wherein, after os starting, by disk filtration drive module, the data that read are decrypted in internal memory, after the data that write are encrypted, are kept on disk.
According to an aspect of the present invention, provide a kind of system of disk being protected by protective device, described protective device is the information safety devices with intelligent card chip, and software, data protection function are provided, and described protective device also comprises:
Protective device arranges module, overall encrypting module, the first bootstrap module, the second bootstrap module, reducing disk module; Wherein, described the second bootstrap module is arranged in described protective device;
Described protective device arranges module, for described protective device is arranged, the code of the second bootstrap module, start-up parameter, password is put into described protective device, and wherein said password is inputted by user;
Described overall encrypting module, writes the first bootstrap module front 63 sectors of disk, and disk is encrypted totally, adopts disk filtration drive module to protect disk;
Described the first bootstrap module, carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control;
Described the second bootstrap module; replacing disk read-write interrupts; when being read, disk is decrypted; disk is write to fashionable being encrypted; the second bootstrap module reads the leader record of active partition; now the leader record reading is decrypted, thereby after deciphering, the leader record of executed activity subregion starts the operating system;
Described reducing disk module, comprises application layer program and disk filtration drive module;
Wherein, first described application layer program reads the maximum sector number of whole disk, then sends undo command and needs the sector number reducing to described disk filtration drive module successively;
Wherein, described disk filtration drive module, for totally protecting disk; Wherein, after os starting, by disk filtration drive module, the data that read are decrypted in internal memory, after the data that write are encrypted, are kept on disk; When the data of described disk filtration drive module after to the encryption on disk are reduced, the enciphered data in reading disk, deciphers in internal memory the data of encrypting, and the data after deciphering are write to disk;
Described disk filtration drive module reads the content of particular sector, and the content reading is decrypted, and the data after deciphering are write to the sector on disk;
Wherein, after all sector decryption on disk complete, described application layer program sends the order of unloading disk filtration drive module to described disk filtration drive module, and disk filtration drive module is called the unloading routine unloading disk filtration drive module of self; Application layer program is the data that do not have before protection by the content recovery of front 63 sectors of disk.
According to an aspect of the present invention, described cryptographic algorithm adopts symmetric encipherment algorithm or rivest, shamir, adelman.
According to an aspect of the present invention, described verification comprises by identification informations such as checking PIN code, protective device sequence numbers and carries out authentication.
According to an aspect of the present invention, wherein password is inputted by User Defined.
According to an aspect of the present invention, provide a kind of method of disk being protected by described protective device, described method comprises:
Protective device is arranged, the code of the second bootstrap module, start-up parameter, password are put into protective device;
The first bootstrap module is write to disk;
Disk is encrypted totally, adopted disk filtration drive module to protect disk;
Disk filtration drive module is installed on disk.
According to an aspect of the present invention, described method also comprises:
When disk after encryption starts, first move the first bootstrap module, the first bootstrap module carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control;
The second bootstrap module replaces disk read-write and interrupts, when disk is read, be decrypted, disk is write to fashionable being encrypted, the second bootstrap module reads the leader record of active partition, the leader record reading is decrypted, thereby after deciphering, the leader record of executed activity subregion starts the operating system;
After os starting, by disk filtration drive module, read operation is decrypted, write operation is encrypted.
According to an aspect of the present invention, described method also comprises:
When disk after encrypting is reduced, insert described protective device, start the disk after encrypting, user selects the operation that the disk after encrypting is reduced;
First application layer program reads the maximum sector number of whole disk, then send undo command and need the sector number reducing to disk filtration drive module successively, described disk filtration drive module reads the content of particular sector, and the content reading is decrypted, the data after deciphering are write to the sector on disk;
After all sector decryption on disk complete, application layer program sends the order of unloading disk filtration drive module to disk filtration drive module, and disk filtration drive module is called the unloading routine unloading disk filtration drive module of self;
Application layer program is the data that do not have before protection by the content recovery of front 63 sectors of disk.
According to an aspect of the present invention, in the step of the code of the second bootstrap module, start-up parameter, password being put into protective device, password is inputted by user.
A method for disk protect, the method concrete steps comprise:
Protective device is arranged, by the second bootstrap module, (the second bootstrap module is used for starting the operating system, this second bootstrap module is arranged in protective device, when os starting by the first bootstrap module read in internal memory and carry out, it acts on the second bootstrap module part and has a detailed description) code, start-up parameter, password put into protective device;
The data of front 63 sectors to disk back up, on wherein data directly back up to disk;
The first bootstrap module is write to front 63 sectors of disk;
Disk is encrypted totally, (disk filtration drive module is the driver being mounted to above the disk driver of operating system to adopt disk filtration drive module, this disk filtration drive module is positioned on disk, the effect of this disk filtration drive module refers to disk filtration drive module to be described) disk to be protected, cryptographic algorithm can adopt symmetric encipherment algorithm or rivest, shamir, adelman;
When disk after encryption starts, first move the first bootstrap module, the first bootstrap module carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control;
The second bootstrap module replaces disk read-write and interrupts, when disk is read, be decrypted, disk is write to fashionable being encrypted, the second bootstrap module reads the leader record of active partition, the leader record reading is decrypted, thereby after deciphering, the leader record of executed activity subregion starts the operating system;
After os starting, by disk filtration drive module, read operation is decrypted, write operation is encrypted, thereby complete the defencive function of disk.
When disk after encrypting is reduced, need to insert correct protective device, start the disk after encrypting, user selects the operation that the disk after encrypting is reduced, now utilize disk filtration drive module to be decrypted the data of encrypting on whole disk by the reducing disk module being stored on disk, the algorithm that the algorithm adopting when deciphering uses when to disk encryption is consistent, data after deciphering are write to disk, after having deciphered, unloading disk filtration drive module (wherein, according to one embodiment of present invention, send unloading order by the application layer program in reducing disk module to disk filtration drive module, the unloading routine of disk filtration drive module completes the unloading of self), be the data that do not have before protection by the content recovery of front 63 sectors of disk.
The present invention also provides a kind of system that disk is protected, and described system comprises:
Protective device, device arrange module, overall encrypting module, the first bootstrap module, the second bootstrap module, disk filtration drive module, reducing disk module; Wherein, described the second bootstrap module is arranged in described protective device;
Described protective device is the information safety devices with intelligent card chip, and software, data protection function are provided.According to an embodiment, described protective device includes but not limited to encryption lock.
Described protective device arranges module, is used for protective device to arrange, and the code of the second bootstrap module, start-up parameter, password are put into protective device, and wherein password is inputted by User Defined;
Described overall encrypting module; front 63 sector datas to disk back up; the first bootstrap module is write to front 63 sectors of disk; disk is encrypted totally; adopt disk filtration drive module to protect disk, cryptographic algorithm can adopt symmetric encipherment algorithm or rivest, shamir, adelman.According to an embodiment, described symmetric encipherment algorithm comprises AES, DES, TDES; Rivest, shamir, adelman comprises ECC, RSA.
Described the first bootstrap module, carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control;
Described the second bootstrap module, replacing disk read-write interrupts, when being read, disk is decrypted, disk is write to fashionable being encrypted, the second bootstrap module reads the leader record of active partition, the leader record reading is decrypted, thereby after deciphering, the leader record of executed activity subregion starts the operating system;
Described disk filtration drive module; for disk is protected totally; disk after protection; after os starting, by disk filtration drive module, the data that read are decrypted in internal memory; after being encrypted, the data that write are kept on disk, when the data of disk filtration drive module after to the encryption on disk are reduced, and the enciphered data in reading disk; the data of encrypting are deciphered in internal memory, the data after deciphering are write to disk.
Described reducing disk module; formed by application layer program and disk filtration drive module two parts; first application layer program reads the maximum sector number of whole disk; then send undo command and need the sector number reducing to disk filtration drive module successively; described disk filtration drive module reads the content of particular sector; and the content reading is decrypted, the algorithm adopting when deciphering algorithm used when to disk protect is consistent, and the data after deciphering are write to the sector on disk.After all sector decryption on disk complete, application layer program sends the order of unloading disk filtration drive module to disk filtration drive module, and disk filtration drive module is called the unloading routine unloading disk filtration drive module of self.Application layer program is the data that do not have before protection by the content recovery of front 63 sectors of disk.
According to an aspect of the present invention, described the first bootstrap module carries out verification to protective device, is specially by identification informations such as checking PIN code, protective device sequence numbers protective device is carried out to authentication.
According to method provided by the invention; obtained beneficial effect is: protected disk only has the normally startup system of correct protective device of inserting; after system starts; when user reads file; disk filtration drive module can be deciphered and return to user temporarily in internal memory; the data that user writes deposit disk in after can be encrypted; data in disk are encrypted forever; even if disk is illegally accessed; do not have correct protective device cannot enter system, cannot decipher the content on disk yet.
In order to facilitate user to reduce to the disk after protection, as long as user inserts legal protective device, enter after the system of the disk after protection, can be reduced to the state before not protection to whole disk.
Accompanying drawing explanation
Fig. 1 is according to the schematic flow sheet of the protection process of a preferred embodiment of the present invention.
Fig. 2 is schematic diagram during according to disk operation behind protected in a preferred embodiment of the present invention.
Fig. 3 is according to the schematic diagram while reducing to the disk after protection in a preferred embodiment of the present invention.
Fig. 4 is according to the structural drawing of the reducing disk module in a preferred embodiment of the present invention.
Embodiment
For making object of the present invention, technical scheme and advantage clearer, referring to the accompanying drawing embodiment that develops simultaneously, the present invention is described in more detail.
According to an embodiment of the invention, a kind of method of disk protect and reduction is provided, specifically comprise:
1. pair protective device arranges, and the code of the second bootstrap module, start-up parameter, password are put into protective device;
2. the data of front 63 sectors of disk are backed up;
3. the first bootstrap module is write to front 63 sectors of disk;
4. pair disk is encrypted totally, adopts disk filtration drive module to protect disk, and cryptographic algorithm can adopt symmetric encipherment algorithm or rivest, shamir, adelman;
5. when the disk after encrypting starts, first move the first bootstrap module, the first bootstrap module carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control;
6. the second bootstrap module replaces disk read-write interruption, when being read, disk is decrypted, disk is write to fashionable being encrypted, the second bootstrap module reads the leader record of active partition, the leader record reading is decrypted, thereby after deciphering, the leader record of executed activity subregion starts the operating system;
7. after os starting, by disk filtration drive module, the data that read are decrypted in internal memory, after the data that write are encrypted, are kept on disk, thereby complete the defencive function of disk.
8. when pair disk reduces; need to insert correct protective device; start the disk after encrypting; user selects the operation that the disk after encrypting is reduced; now reducing disk module utilizes disk filtration drive module to be decrypted the data of encrypting on whole disk; the algorithm that the algorithm adopting when deciphering uses when to disk encryption is consistent; data after deciphering are write to disk; after having deciphered; unloading disk filtration drive module is the data that do not have before protection by the content recovery of front 63 sectors of disk.
According to an embodiment of the invention, a kind of system that disk is protected, comprising:
Protective device, protective device arrange module, overall encrypting module, the first bootstrap module, the second bootstrap module, disk filtration drive module, reducing disk module, wherein,
Described protective device is the information safety devices with intelligent card chip, and software, data protection function are provided.According to an embodiment, described protective device includes but not limited to encryption lock.
Described protective device arranges module, is used for protective device to arrange, and the code of the second bootstrap module, start-up parameter, password are put into protective device, and wherein password is inputted by User Defined.
Described overall encrypting module; front 63 sector datas to disk back up; the first bootstrap module is write to front 63 sectors of disk; disk is encrypted totally; adopt disk filtration drive module to protect disk, cryptographic algorithm can adopt symmetric encipherment algorithm or rivest, shamir, adelman.
Described the first bootstrap module, carries out verification to protective device, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control.According to an embodiment, described verification comprises by identification informations such as checking PIN code, protective device sequence numbers carries out authentication.
Described the second bootstrap module, replacing disk read-write interrupts, when being read, disk is decrypted, disk is write to fashionable being encrypted, the second bootstrap module reads the leader record of active partition, now can be decrypted the leader record reading, thereby after deciphering, the leader record of executed activity subregion starts the operating system.
Described disk filtration drive module; for disk is protected totally; disk after protection; after os starting, by disk filtration drive module, the data that read are decrypted in internal memory; after being encrypted, the data that write are kept on disk, when the data of disk filtration drive module after to the encryption on disk are reduced, and the enciphered data in reading disk; the data of encrypting are deciphered in internal memory, the data after deciphering are write to disk.
Described reducing disk module is made up of application layer program and disk filtration drive module two parts, first application layer program reads the maximum sector number of whole disk, then send undo command and need the sector number reducing to disk filtration drive module successively, described disk filtration drive module reads the content of particular sector, and the content reading is decrypted, the data after deciphering are write to the sector on disk.After all sector decryption on disk complete, application layer program sends the order of unloading disk filtration drive module to disk filtration drive module, and disk filtration drive module is called the unloading routine unloading disk filtration drive module of self.Application layer program is the data that do not have before protection by the content recovery of front 63 sectors of disk.
According to an embodiment of the invention, provide an embodiment below the present invention is described.
embodiment 1
The disk that this embodiment is provided with 7 32 systems of the Windows of Microsoft take protection, as example, is described the detailed process that realizes disk protect according to specific embodiment of the application.
Protective device is encryption lock, and data security protecting function is provided.
Protective device arranges module, protective device is arranged, the code of the second bootstrap module, start-up parameter, password are put into protective device, wherein the length of password is 64 bytes, wherein password is inputted by User Defined, and the lock that password is identical can start mutually the disk after encryption;
Encrypting module totally, first the data of front 63 sectors of disk are backed up, disk filtration drive module is installed in system, and filtration drive is set to start with os starting, the first bootstrap module is write to front 63 sectors of disk, utilize disk filtration drive module to be encrypted protection to disk, cryptographic algorithm herein adopts aes algorithm, and encryption key generates at random;
As shown in Figure 1, the detailed step of disk being protected is:
1. insert protective device;
2. user inputs self-defining password;
3. the code of the second bootstrap module, start-up parameter, password are put into protective device;
4. the data of front 63 sectors of disk are backed up;
5. disk filtration drive module is installed on disk;
6. the first bootstrap module is write to front 63 sectors of disk;
7. pair disk is encrypted totally.
In the time that the disk of protected unit protection starts:
The first bootstrap module, first carries out verification to protective device, utilizes specifically order, reads code, start-up parameter, the password of the second bootstrap module from protective device, gives the second bootstrap module control.
The second bootstrap module, replaces disk read-write and interrupts, and according to one embodiment of present invention, replace int 13 and interrupt, in the time that the value of register AH is 02, be read operation, in the time that the value of register AH is 03, be write operation.After read-write is interrupted being replaced, when disk is read, be decrypted, disk is write to fashionable being encrypted, the second bootstrap module reads the leader record of active partition, now can be decrypted the leader record reading, thereby after deciphering, the leader record of executed activity subregion starts the operating system.
Disk filtration drive module; after disc operating system (DOS) after protection starts; by disk filtration drive module, disk read operation is decrypted; disk write operation is encrypted; when the data of disk filtration drive module after to the encryption on disk are reduced; enciphered data in reading disk, deciphers in internal memory the data of encrypting, and the data after deciphering are write to disk.
As shown in Figure 2, when the disk after encryption moves, comprise the steps:
1. insert protective device;
2. pair protective device carries out verification, and verification is by performing step 3, otherwise prompting error message;
3. from protective device, read code, start-up parameter, the password of the second bootstrap module;
4. int 13 read-writes of Replace Disk and Press Anykey To Reboot are interrupted;
5. the leader record that reads active partition, is decrypted leader record;
6. carry out leader record, start the operating system;
7. pair disk read operation is decrypted in internal memory, after disk write operation is encrypted, writes disk.
In the time that disk after protecting is reduced; reducing disk module utilizes disk filtration drive module to be decrypted the data of encrypting on whole disk; data after deciphering are write to disk; unloading disk filtration drive module is the data that do not have before protection by the content recovery of front 63 sectors of disk.
As shown in Figure 3, the step when disk after protection reduction is as follows:
1. insert protective device;
2. the disk after starting protection, setting up procedure is referring to Fig. 2 in detail;
3. user selects disk to reduce;
4. the data of the encryption on pair disk are decrypted, and write disk after deciphering, and decipherment algorithm adopts aes algorithm herein;
5. unloading disk filtration drive module;
6. be the data that do not have before protection by the content recovery of front 63 sectors of disk.
Reducing disk module is made up of application layer program and disk filtration drive module two parts, and its workflow as shown in Figure 4.
As shown in Figure 4, application layer program sends the order of reduction sector and needs the sector number reducing to disk filtration drive module;
Disk filtration drive module reads the content of particular sector, and the content reading is decrypted, and the data after deciphering are write to the sector on disk;
After all sector decryption on disk complete, application layer program sends the order of unloading disk filtration drive module to disk filtration drive module;
Disk filtration drive module is called the unloading routine unloading disk filtration drive module of self;
Application layer program is the data that do not have before protection by the content recovery of front 63 sectors of disk.
The foregoing is only preferred embodiment of the present invention, be not intended to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any modification of doing, be equal to and replace and improvement etc., within all should being included in protection scope of the present invention.