Summary of the invention
The object of the present invention is to provide a security protection system and method for local data that do not depend on a network environment. The data file is fragmented and its fragments are stored separately on a computer secret disk and a mobile secret disk, which guarantees that the user's private data is "absolutely safe" and effectively overcomes the above shortcomings of the prior art.
The object of the present invention is achieved through the following technical solutions:
According to one aspect of the present invention, a secure storage method for local data is provided, comprising the following steps:
Writing the data file to be protected, according to preset file attribute information and filling information, into a false file on the preset computer secret disk;
Calling the preset mobile secret disk to randomly generate a data encryption key and a fragmentation key, then encrypting the data encryption key and the fragmentation key separately with the encryption public key stored in the preset USBKey, to obtain the data encryption key ciphertext and the fragmentation key ciphertext;
Encrypting the data file to be protected with the data encryption key to generate ciphertext data, then fragmenting the ciphertext data into blocks according to the preset fragmentation method and the fragmentation key to obtain n fragment files, and calculating the HASH value of each fragment file;
Retrieving the preconfigured storage ratio of fragment files between the computer secret disk and the mobile secret disk, dividing the n fragment files into two groups according to that ratio, and sending the corresponding group to the computer secret disk and to the mobile secret disk respectively;
Storing the preconfigured information about the data file to be protected in the data items of the file key information table and the fragment index information table of the preset index database;
Storing the fragment files assigned to the mobile secret disk in the mobile secret disk, storing the fragment files assigned to the computer secret disk in a hidden folder of the computer secret disk, and clearing memory.
Further, the method also comprises:
Before the mobile secret disk and the USBKey are used, verifying the user's identity with preset login information; once the user's identity passes verification, the encryption public/private key pair pre-stored in the USBKey and the mobile secret disk can be used.
Further, the file key information table comprises the fields: data/false file ID, computer secret disk fragment count, mobile secret disk fragment count, data encryption key ciphertext, fragmentation key ciphertext, and fragment HASH values; the fragment index information table comprises the fields: fragment HASH value, fragment storage location, and fragment reference count.
Further, the method also comprises:
When the mobile secret disk is used for the first time, writing the preset mobile secret disk ID, the mobile secret disk path, the ID of the device to be bound, the number of fragments n, and the fragment storage ratio of the computer secret disk into the preset configuration file, thereby binding the device;
Deleting the ID information of the bound device from the configuration file, thereby unbinding the device.
According to another aspect of the present invention, a secure storage device for local data is provided, comprising:
False file writing module, for writing the data file to be protected, according to preset file attribute information and filling information, into a false file on the preset computer secret disk;
Key generation and protection module, for calling the preset mobile secret disk to randomly generate a data encryption key and a fragmentation key, then encrypting the data encryption key and the fragmentation key separately with the encryption public key stored in the preset USBKey, to obtain the data encryption key ciphertext and the fragmentation key ciphertext;
Encryption and fragmentation module, for encrypting the data file to be protected with the data encryption key to generate ciphertext data, then fragmenting the ciphertext data into blocks according to the preset fragmentation method and the fragmentation key to obtain n fragment files, and calculating the HASH value of each fragment file;
Fragment file grouping module, for retrieving the preconfigured storage ratio of fragment files between the computer secret disk and the mobile secret disk, dividing the n fragment files into two groups according to that ratio, and sending the corresponding group to the computer secret disk and to the mobile secret disk respectively;
Index database generation module, for storing the preconfigured information about the data file to be protected in the data items of the file key information table and the fragment index information table of the preset index database;
Fragment file storage module, for storing the fragment files assigned to the mobile secret disk in the mobile secret disk, storing the fragment files assigned to the computer secret disk in a hidden folder of the computer secret disk, and clearing memory.
Further, the device also comprises:
Authentication module, for verifying the user's identity with preset login information before the mobile secret disk and the USBKey are used; once the user's identity passes verification, the encryption public/private key pair pre-stored in the USBKey and the mobile secret disk can be used.
Further, the file key information table comprises the fields: data/false file ID, computer secret disk fragment count, mobile secret disk fragment count, data encryption key ciphertext, fragmentation key ciphertext, and fragment HASH values; the fragment index information table comprises the fields: fragment HASH value, fragment storage location, and fragment reference count.
According to another aspect of the present invention, a secure reading method for local data is provided, comprising the following steps:
Step 1: Reading the file ID from the false file stored in advance on the computer secret disk, and using the false file ID to read from the index database the pre-configured HASH values of all fragment files corresponding to the false file;
Step 2: Using the HASH values of all the fragment files, searching the mobile secret disk and the computer secret disk respectively for fragment files with matching HASH values, until the preset n fragment files are found;
Step 3: Calculating the HASH value of each of the n fragment files and checking it for consistency against the fragment HASH values corresponding to the false file; if any HASH value is inconsistent, the system automatically executes the pre-stored instruction to return an error and end the operation; if the fragment HASH values corresponding to the false file are consistent with the HASH values of the n fragment files, step 4 is executed;
Step 4: Reading the fragment files found on the computer secret disk into the mobile secret disk;
Step 5: Calling the encryption key stored in the preset key storage area of the mobile secret disk to decrypt the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the fragment file ID in the index database, obtaining the data encryption key and the fragmentation key; reassembling the n fragment files with the fragmentation key and the reassembly algorithm that matches the fragmentation algorithm to obtain the data file ciphertext, then decrypting the data file ciphertext with the data encryption key to obtain the data file;
Step 6: Calculating the HASH value of the data file obtained in step 5 and comparing it with the HASH value of the protected data file in the false file; if they are consistent, the content of the data file is presented to the user; otherwise, the pre-stored instruction to return an error and end the operation is executed.
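The fragment, split, index and verify-on-read steps of the storage and reading methods above, as an added Python sketch (not code from the patent). The patent does not specify the fragmentation method or the HASH function, so this sketch assumes contiguous chunks tagged with an HMAC-SHA256 position tag derived from the fragmentation key, and SHA-256 as the HASH. Encryption and USBKey key wrapping are left out: the input is treated as ciphertext already produced, two dictionaries stand in for the two disks, and all function and field names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of keyed position tag prefixed to each fragment (assumption)


class IntegrityError(Exception):
    """Stands in for the text's 'return an error and end the operation'."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tag_for(frag_key: bytes, file_id: str, position: int) -> bytes:
    """Keyed tag binding a fragment to its position; order is hidden without frag_key."""
    msg = file_id.encode() + position.to_bytes(4, "big")
    return hmac.new(frag_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def store(file_id, ciphertext, frag_key, n, pc_share, pc_disk, mobile_disk, index):
    """Fragment ciphertext into n files and split them between the two disks."""
    if n < 2:
        raise ValueError("n must be an integer greater than 1")
    size = -(-len(ciphertext) // n)  # ceiling division
    frags = [tag_for(frag_key, file_id, i) + ciphertext[i * size:(i + 1) * size]
             for i in range(n)]
    hashes = [sha256_hex(f) for f in frags]
    # Storage ratio: keep at least one fragment on each disk.
    n_pc = max(1, min(n - 1, round(n * pc_share)))
    # Place fragments in hash order so placement does not leak position.
    for rank, i in enumerate(sorted(range(n), key=hashes.__getitem__)):
        disk, where = (pc_disk, "pc") if rank < n_pc else (mobile_disk, "mobile")
        disk[hashes[i]] = frags[i]
        row = index["fragments"].setdefault(hashes[i], {"location": where, "refs": 0})
        row["refs"] += 1
    index["files"][file_id] = {
        "pc_count": n_pc,
        "mobile_count": n - n_pc,
        "fragment_hashes": sorted(hashes),
        # Stand-in for the plaintext HASH kept in the false file (step 6).
        "content_hash": sha256_hex(ciphertext),
    }


def read(file_id, frag_key, pc_disk, mobile_disk, index):
    """Steps 1-3 and the reassembly half of step 5, plus a final whole-file check."""
    rec = index["files"].get(file_id)
    if rec is None:
        raise IntegrityError("unknown file ID")
    found = []
    for h in rec["fragment_hashes"]:
        row = index["fragments"].get(h)
        if row is None:
            raise IntegrityError("fragment missing from index")
        frag = (pc_disk if row["location"] == "pc" else mobile_disk).get(h)
        if frag is None:
            raise IntegrityError(f"fragment {h[:8]} not found on {row['location']} disk")
        if not hmac.compare_digest(sha256_hex(frag), h):
            raise IntegrityError(f"fragment {h[:8]} failed its HASH check")
        found.append(frag)
    by_tag = {f[:TAG_LEN]: f[TAG_LEN:] for f in found}
    try:
        ciphertext = b"".join(by_tag[tag_for(frag_key, file_id, i)]
                              for i in range(len(found)))
    except KeyError:
        raise IntegrityError("fragmentation key does not match the fragments") from None
    if not hmac.compare_digest(sha256_hex(ciphertext), rec["content_hash"]):
        raise IntegrityError("reassembled file failed its HASH check")
    return ciphertext


def demo():
    ciphertext = bytes(range(256)) * 4 + b"tail"  # constructed stand-in for an encrypted file
    key = bytes.fromhex("11" * 32)                # constructed fragmentation key
    pc, mobile, index = {}, {}, {"files": {}, "fragments": {}}
    store("file-0001", ciphertext, key, 5, 0.4, pc, mobile, index)

    def fails(**changes):
        args = {"frag_key": key, "pc_disk": pc, "mobile_disk": mobile}
        args.update(changes)
        try:
            read("file-0001", index=index, **args)
        except IntegrityError:
            return True
        return False

    victim = next(iter(pc))
    tampered = dict(pc)
    tampered[victim] = pc[victim][:-1] + bytes([pc[victim][-1] ^ 1])
    return {
        "pc": len(pc),
        "mobile": len(mobile),
        "roundtrip": read("file-0001", key, pc, mobile, index) == ciphertext,
        "tamper_detected": fails(pc_disk=tampered),
        "mobile_lost": fails(mobile_disk={}),
        "wrong_key": fails(frag_key=bytes(32)),
    }


if __name__ == "__main__":
    print(demo())
```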
According to another aspect of the present invention, a secure reading device for local data is provided, comprising:
False file reading module, for reading the file ID from the false file stored in advance on the computer secret disk, and using the false file ID to read from the index database the pre-configured HASH values of all fragment files corresponding to the false file;
Fragment storage query module, for using the HASH values of all the fragment files to search the mobile secret disk and the computer secret disk respectively for fragment files with matching HASH values, until the preset n fragment files are found;
Fragment file matching module, for calculating the HASH value of each of the n fragment files and checking it for consistency against the fragment HASH values corresponding to the false file; if any HASH value is inconsistent, the system automatically executes the pre-stored instruction to return an error and end the operation;
Fragment file moving module, for reading the fragment files found on the computer secret disk into the mobile secret disk when the fragment HASH values corresponding to the false file are consistent with the HASH values of the n fragment files;
Reassembly and decryption module, for calling the encryption key stored in the preset key storage area of the mobile secret disk to decrypt the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the fragment file ID in the index database, obtaining the data encryption key and the fragmentation key; reassembling the n fragment files with the fragmentation key and the reassembly algorithm that matches the fragmentation algorithm to obtain the data file ciphertext, then decrypting the data file ciphertext with the data encryption key to obtain the data file;
File verification module, for calculating the HASH value of the data file obtained by the reassembly and decryption module and comparing it with the HASH value of the protected data file in the false file; if they are consistent, the content of the data file is presented to the user; otherwise, the pre-stored instruction to return an error and end the operation is executed.
According to another aspect of the present invention, a security protection system for local data is provided, comprising a secure storage device for local data and a secure reading device for local data, wherein the secure storage device for local data comprises:
False file writing module, for writing the data file to be protected, according to preset file attribute information and filling information, into a false file on the preset computer secret disk;
Key generation and protection module, for calling the preset mobile secret disk to randomly generate a data encryption key and a fragmentation key, then encrypting the data encryption key and the fragmentation key separately with the encryption public key stored in the preset USBKey, to obtain the data encryption key ciphertext and the fragmentation key ciphertext;
Encryption and fragmentation module, for encrypting the data file to be protected with the data encryption key to generate ciphertext data, then fragmenting the ciphertext data into blocks according to the preset fragmentation method and the fragmentation key to obtain n fragment files, and calculating the HASH value of each fragment file;
Fragment file grouping module, for retrieving the preconfigured storage ratio of fragment files between the computer secret disk and the mobile secret disk, dividing the n fragment files into two groups according to that ratio, and sending the corresponding group to the computer secret disk and to the mobile secret disk respectively;
Index database generation module, for storing the preconfigured information about the data file to be protected in the data items of the file key information table and the fragment index information table of the preset index database;
Fragment file storage module, for storing the fragment files assigned to the mobile secret disk in the mobile secret disk, storing the fragment files assigned to the computer secret disk in a hidden folder of the computer secret disk, and clearing memory;
The secure reading device for local data comprises:
False file reading module, for reading the file ID from the false file stored in advance on the computer secret disk, and using the false file ID to read from the index database the pre-configured HASH values of all fragment files corresponding to the false file;
Fragment storage query module, for using the HASH values of all the fragment files to search the mobile secret disk and the computer secret disk respectively for fragment files with matching HASH values, until the preset n fragment files are found;
Fragment file matching module, for calculating the HASH value of each of the n fragment files and checking it for consistency against the fragment HASH values corresponding to the false file; if any HASH value is inconsistent, the system automatically executes the pre-stored instruction to return an error and end the operation;
Fragment file moving module, for reading the fragment files found on the computer secret disk into the mobile secret disk when the fragment HASH values corresponding to the false file are consistent with the HASH values of the n fragment files;
Reassembly and decryption module, for calling the encryption key stored in the preset key storage area of the mobile secret disk to decrypt the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the fragment file ID in the index database, obtaining the data encryption key and the fragmentation key; reassembling the n fragment files with the fragmentation key and the reassembly algorithm that matches the fragmentation algorithm to obtain the data file ciphertext, then decrypting the data file ciphertext with the data encryption key to obtain the data file;
File verification module, for calculating the HASH value of the data file obtained by the reassembly and decryption module and comparing it with the HASH value of the protected data file in the false file; if they are consistent, the content of the data file is presented to the user; otherwise, the pre-stored instruction to return an error and end the operation is executed.
The beneficial effects of the present invention are:
(1) The present invention uses encryption and fragmentation: the data file is encrypted, fragmented and stored separately across the computer secret disk and the mobile secret disk. If either the computer (notebook) or the mobile secret disk is lost or leaked, it holds only some of the data's fragments, and an attacker cannot restore the complete data from partial fragments;
(2) Even if the computer and the mobile secret disk are stolen at the same time, the data in the mobile secret disk has the dual protection of encryption and a user PIN code with a limited number of attempts, which effectively reduces the possibility of an attacker reading fragment files from the mobile secret disk;
(3) When a protected data file is read, the fragment HASH values and the HASH value of the reassembled data file are verified, to ensure that the protected data file the user reads is consistent with the data file as last stored, which effectively guarantees the integrity and availability of the protected data file;
(4) Kernel-layer file system filter driver technology is used to encrypt and decrypt files transparently, which does not affect the user's habits and gives a good user experience;
In conclusion, the present invention provides the user with a local data security protection method that has high security and a good user experience.
Specific embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention fall within the scope of protection of the present invention.
As shown in Figure 1, according to one aspect of an embodiment of the present invention, a secure storage method for local data is provided, comprising the following steps:
Writing the data file to be protected, according to preset file attribute information and filling information, into a false file on the preset computer secret disk;
Calling the preset mobile secret disk to randomly generate a data encryption key and a fragmentation key, then encrypting the data encryption key and the fragmentation key separately with the encryption public key stored in the preset USBKey, to obtain the data encryption key ciphertext and the fragmentation key ciphertext;
Encrypting the data file to be protected with the data encryption key to generate ciphertext data, then fragmenting the ciphertext data into blocks according to the preset fragmentation method and the fragmentation key to obtain n fragment files, and calculating the HASH value of each fragment file;
Retrieving the preconfigured storage ratio of fragment files between the computer secret disk and the mobile secret disk, dividing the n fragment files into two groups according to that ratio, and sending the corresponding group to the computer secret disk and to the mobile secret disk respectively;
Storing the preconfigured information about the data file to be protected in the data items of the file key information table and the fragment index information table of the preset index database;
Storing the fragment files assigned to the mobile secret disk in the mobile secret disk, storing the fragment files assigned to the computer secret disk in a hidden folder of the computer secret disk, and clearing memory.
Further, the method also comprises:
Before the mobile secret disk and the USBKey are used, verifying the user's identity with preset login information; once the user's identity passes verification, the encryption public/private key pair pre-stored in the USBKey and the mobile secret disk can be used.
Further, the file key information table comprises the fields: data/false file ID, computer secret disk fragment count, mobile secret disk fragment count, data encryption key ciphertext, fragmentation key ciphertext, and fragment HASH values; the fragment index information table comprises the fields: fragment HASH value, fragment storage location, and fragment reference count.
Further, the method also comprises:
When the mobile secret disk is used for the first time, writing the preset mobile secret disk ID, the mobile secret disk path, the ID of the device to be bound, the number of fragments n, and the fragment storage ratio of the computer secret disk into the preset configuration file, thereby binding the device;
Deleting the ID information of the bound device from the configuration file, thereby unbinding the device.
As shown in Figure 2, according to another aspect of the present invention, a secure storage device for local data is provided, comprising:
False file writing module, for writing the data file to be protected, according to preset file attribute information and filling information, into a false file on the preset computer secret disk;
Key generation and protection module, for calling the preset mobile secret disk to randomly generate a data encryption key and a fragmentation key, then encrypting the data encryption key and the fragmentation key separately with the encryption public key stored in the preset USBKey, to obtain the data encryption key ciphertext and the fragmentation key ciphertext;
Encryption and fragmentation module, for encrypting the data file to be protected with the data encryption key to generate ciphertext data, then fragmenting the ciphertext data into blocks according to the preset fragmentation method and the fragmentation key to obtain n fragment files, and calculating the HASH value of each fragment file;
Fragment file grouping module, for retrieving the preconfigured storage ratio of fragment files between the computer secret disk and the mobile secret disk, dividing the n fragment files into two groups according to that ratio, and sending the corresponding group to the computer secret disk and to the mobile secret disk respectively;
Index database generation module, for storing the preconfigured information about the data file to be protected in the data items of the file key information table and the fragment index information table of the preset index database;
Fragment file storage module, for storing the fragment files assigned to the mobile secret disk in the mobile secret disk, storing the fragment files assigned to the computer secret disk in a hidden folder of the computer secret disk, and clearing memory.
Further, the device also comprises:
Authentication module, for verifying the user's identity with preset login information before the mobile secret disk and the USBKey are used; once the user's identity passes verification, the encryption public/private key pair pre-stored in the USBKey and the mobile secret disk can be used.
Further, the file key information table comprises the fields: data/false file ID, computer secret disk fragment count, mobile secret disk fragment count, data encryption key ciphertext, fragmentation key ciphertext, and fragment HASH values; the fragment index information table comprises the fields: fragment HASH value, fragment storage location, and fragment reference count.
As shown in Figure 3, according to another aspect of the present invention, a secure reading method for local data is provided, comprising the following steps:
Step 1: Reading the file ID from the false file stored in advance on the computer secret disk, and using the false file ID to read from the index database the pre-configured HASH values of all fragment files corresponding to the false file;
Step 2: Using the HASH values of all the fragment files, searching the mobile secret disk and the computer secret disk respectively for fragment files with matching HASH values, until the preset n fragment files are found;
Step 3: Calculating the HASH value of each of the n fragment files and checking it for consistency against the fragment HASH values corresponding to the false file; if any HASH value is inconsistent, the system automatically executes the pre-stored instruction to return an error and end the operation; if the fragment HASH values corresponding to the false file are consistent with the HASH values of the n fragment files, step 4 is executed;
Step 4: Reading the fragment files found on the computer secret disk into the mobile secret disk;
Step 5: Calling the encryption key stored in the preset key storage area of the mobile secret disk to decrypt the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the fragment file ID in the index database, obtaining the data encryption key and the fragmentation key; reassembling the n fragment files with the fragmentation key and the reassembly algorithm that matches the fragmentation algorithm to obtain the data file ciphertext, then decrypting the data file ciphertext with the data encryption key to obtain the data file;
Step 6: Calculating the HASH value of the data file obtained in step 5 and comparing it with the HASH value of the protected data file in the false file; if they are consistent, the content of the data file is presented to the user; otherwise, the pre-stored instruction to return an error and end the operation is executed.
As shown in Figure 4, according to another aspect of the present invention, a secure reading device for local data is provided, comprising:
False file reading module, for reading the file ID from the false file stored in advance on the computer secret disk, and using the false file ID to read from the index database the pre-configured HASH values of all fragment files corresponding to the false file;
Fragment storage query module, for using the HASH values of all the fragment files to search the mobile secret disk and the computer secret disk respectively for fragment files with matching HASH values, until the preset n fragment files are found;
Fragment file matching module, for calculating the HASH value of each of the n fragment files and checking it for consistency against the fragment HASH values corresponding to the false file; if any HASH value is inconsistent, the system automatically executes the pre-stored instruction to return an error and end the operation;
Fragment file moving module, for reading the fragment files found on the computer secret disk into the mobile secret disk when the fragment HASH values corresponding to the false file are consistent with the HASH values of the n fragment files;
Reassembly and decryption module, for calling the encryption key stored in the preset key storage area of the mobile secret disk to decrypt the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the fragment file ID in the index database, obtaining the data encryption key and the fragmentation key; reassembling the n fragment files with the fragmentation key and the reassembly algorithm that matches the fragmentation algorithm to obtain the data file ciphertext, then decrypting the data file ciphertext with the data encryption key to obtain the data file;
File verification module, for calculating the HASH value of the data file obtained by the reassembly and decryption module and comparing it with the HASH value of the protected data file in the false file; if they are consistent, the content of the data file is presented to the user; otherwise, the pre-stored instruction to return an error and end the operation is executed.
According to another aspect of the present invention, a security protection system for local data is provided, comprising a secure storage device for local data and a secure reading device for local data, wherein the secure storage device for local data comprises:
False file writing module, for writing the data file to be protected, according to preset file attribute information and filling information, into a false file on the preset computer secret disk;
Key generation and protection module, for calling the preset mobile secret disk to randomly generate a data encryption key and a fragmentation key, then encrypting the data encryption key and the fragmentation key separately with the encryption public key stored in the preset USBKey, to obtain the data encryption key ciphertext and the fragmentation key ciphertext;
Encryption and fragmentation module, for encrypting the data file to be protected with the data encryption key to generate ciphertext data, then fragmenting the ciphertext data into blocks according to the preset fragmentation method and the fragmentation key to obtain n fragment files, and calculating the HASH value of each fragment file;
Fragment file grouping module, for retrieving the preconfigured storage ratio of fragment files between the computer secret disk and the mobile secret disk, dividing the n fragment files into two groups according to that ratio, and sending the corresponding group to the computer secret disk and to the mobile secret disk respectively;
Index database generation module, for storing the preconfigured information about the data file to be protected in the data items of the file key information table and the fragment index information table of the preset index database;
Fragment file storage module, for storing the fragment files assigned to the mobile secret disk in the mobile secret disk, storing the fragment files assigned to the computer secret disk in a hidden folder of the computer secret disk, and clearing memory;
The secure reading device for local data comprises:
False file reading module, for reading the file ID from the false file stored in advance on the computer secret disk, and using the false file ID to read from the index database the pre-configured HASH values of all fragment files corresponding to the false file;
Fragment storage query module, for using the HASH values of all the fragment files to search the mobile secret disk and the computer secret disk respectively for fragment files with matching HASH values, until the preset n fragment files are found;
Fragment file matching module, for calculating the HASH value of each of the n fragment files and checking it for consistency against the fragment HASH values corresponding to the false file; if any HASH value is inconsistent, the system automatically executes the pre-stored instruction to return an error and end the operation;
Fragment file moving module, for reading the fragment files found on the computer secret disk into the mobile secret disk when the fragment HASH values corresponding to the false file are consistent with the HASH values of the n fragment files;
Reassembly and decryption module, for calling the encryption key stored in the preset key storage area of the mobile secret disk to decrypt the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the fragment file ID in the index database, obtaining the data encryption key and the fragmentation key; reassembling the n fragment files with the fragmentation key and the reassembly algorithm that matches the fragmentation algorithm to obtain the data file ciphertext, then decrypting the data file ciphertext with the data encryption key to obtain the data file;
File verification module, for calculating the HASH value of the data file obtained by the reassembly and decryption module and comparing it with the HASH value of the protected data file in the false file; if they are consistent, the content of the data file is presented to the user; otherwise, the pre-stored instruction to return an error and end the operation is executed.
When concrete application, as shown in figure 5, this system includes computer system, data protection software and mobile close disk;Its
In:
The computer system is connected with the close disk of the movement by USB interface;It can be desktop computer, notebook, intelligence
It can terminal;
The data protection software is installed on the computer system and protects a particular folder that the user designates on the computer system; this folder is defined as the computer secret disk. Using an application-layer control program and a kernel-layer file system filter driver, the software protects data files of any format that are written to the computer secret disk;
The mobile secret disk is a removable storage disk with its own hardware cryptosystem; data entering and leaving the mobile secret disk are all plaintext, while data stored in the mobile secret disk are ciphertext, encrypted and decrypted by the crypto chip. The smart cryptographic key (hereinafter USBKey) is connected to the mobile secret disk through a USB interface and is used together with it: the user's identity is verified by entering the PIN code of the USBKey on the keys of the mobile secret disk, which grants the right to use the encryption public/private key pair in the USBKey and the mobile secret disk.
With reference to Fig. 2, the application-layer control program and the kernel-layer file system filter driver write the data file to be protected as a false file, which is stored on the computer secret disk and is visible to the user; the data file to be protected is encrypted and fragmented into n fragment files (n is an integer greater than 1 and is configurable); the n fragment files are divided into two groups according to the storage ratio (configurable) and stored, respectively, in a hidden folder of the computer secret disk and in the mobile secret disk; an index database is built and stored in the mobile secret disk, which keeps the data secure and reliable while making fragment file storage and lookup fast; wherein:
The false file has the same format and file name as the data file to be protected, and its stored content consists of two parts: fixed-size file attribute information and filling information. The file attribute information includes the file ID, file security level, file control information, creator, source owner, current owner, file checksum, size of the protected data file, HASH value of the protected data file, file modification time, current full file path, and the HASH value of the foregoing information; it is used to direct the real content of the data file to the corresponding fragment files in the computer secret disk and the mobile secret disk. The filling information: if the size of the real data file is less than or equal to the size of the file attribute information, the false file is not filled; otherwise, the length of the filling information is the length of the real file minus the length of the file attribute information. The filling information may be randomly generated or may be a fixed value;
The fragment file is a file obtained by first encrypting the data file to be protected with an encryption algorithm and then fragmenting the ciphertext with the fragmentation algorithm; each fragment file is named with the HASH value of its content, which is used to verify the integrity of the fragment file;
The index database includes a file key information table and a fragment index information table, which store the key information and the fragment information. The file key information table includes the fields: file ID, number of fragments stored on the secret disk, number of fragments stored on the mobile secret disk, data encryption key ciphertext, fragmentation key ciphertext, and fragment HASH values. The fragment index information table includes the fields: fragment HASH value, fragment storage position, and fragment reference count.
In addition, the system may also include a binding module, an authentication module, an encryption and fragmentation module, a recombination and decryption module, and a fragment storage and query module, wherein:
The binding module covers binding and unbinding. During installation of the data protection software, or when the mobile secret disk is used for the first time, the secret disk ID, the secret disk path, the bound device ID, the fragment count n and the fragment storage ratio of the computer secret disk are written to the configuration file, which binds the devices; deleting the bound device ID information from the computer's configuration file releases the binding;
The authentication module, each time the mobile secret disk is connected to the computer system and before the PIN code is verified, authenticates whether the mobile secret disk and the computer secret disk correspond to each other. The authentication method is: the ID of the mobile secret disk is extracted and compared with the bound device ID in the computer secret disk information; if they are consistent, the PIN code verification of the mobile secret disk proceeds; otherwise, access to the computer secret disk is denied;
The encryption and fragmentation module performs key generation, key protection, encryption, fragmentation, fragment grouping and HASH value calculation. Key generation: the mobile secret disk is called to randomly generate the data encryption key and the fragmentation key. Key protection: the data encryption key and the fragmentation key are encrypted with the encryption public key of the USBKey to obtain the data encryption key ciphertext and the fragmentation key ciphertext. Encryption: the mobile secret disk is called to encrypt the content of the data file to be protected, yielding the data ciphertext. Fragmentation: using the fragmentation algorithm, the fragmentation key and the fragment count n, the data ciphertext is broken into n fragment files. Fragment grouping: according to the fragment storage ratio λ of the computer secret disk in the configuration file, the fragments are divided into two groups of x (x ≈ λ * n, x is an integer) and n-x; x fragment files are randomly selected from the n fragment files and stored in the computer secret disk, and the other n-x fragment files are stored in the mobile secret disk. HASH value calculation: the HASH value of the input file is calculated;
The recombination and decryption module performs key decryption, fragment reassembly and decryption. Key decryption: the private key stored in the USBKey is called to decrypt the data encryption key ciphertext and the fragmentation key ciphertext respectively. Fragment reassembly: using the fragmentation key and the reassembly algorithm that corresponds to the fragmentation algorithm, the n fragment files are combined into the data ciphertext. Decryption: the mobile secret disk is called to decrypt the data ciphertext into data plaintext with the data encryption key;
The fragment storage and query module implements a method for fast storage and deletion of fragment files. When storing a fragment file: the fragment index information table of the index database is queried for a fragment HASH value, at the same fragment storage position, that is identical to the HASH value of this fragment file; if one exists, the fragment reference count is incremented by 1; otherwise, the fragment file is stored at the corresponding fragment storage position (computer secret disk or mobile secret disk). When deleting a protected file: for the corresponding n fragment files, the fragment index information table of the index database is queried one by one for the fragment HASH value, at the same fragment storage position, that is identical to the HASH value of the fragment file to be deleted; if the fragment reference count is 1, the fragment file and the related database record are deleted; if the fragment reference count is greater than 1, the fragment reference count is decremented by 1; this continues until all n corresponding fragment files have been deleted.
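The store and delete rules above, sketched as an added Python example (not code from the patent). It assumes SHA-256 for the unspecified HASH function and uses an in-memory dictionary in place of the fragment index information table; the class, method and position names are illustrative.

```python
import hashlib

class FragmentIndex:
    """In-memory stand-in for the fragment index information table.
    Each row is keyed by (storage position, fragment HASH value)."""

    def __init__(self):
        self.refs = {}   # (position, hash) -> fragment reference count
        self.blobs = {}  # (position, hash) -> fragment bytes (the stored "file")

    @staticmethod
    def name_of(fragment):
        # Assumption: SHA-256; the text only says "HASH value".
        return hashlib.sha256(fragment).hexdigest()

    def store(self, position, fragment):
        key = (position, self.name_of(fragment))
        if key in self.refs:
            self.refs[key] += 1        # same content already at this position
        else:
            self.blobs[key] = fragment
            self.refs[key] = 1
        return key[1]

    def delete_file(self, entries):
        """entries: the n (position, hash) pairs recorded for one protected file."""
        for key in entries:
            if key not in self.refs:
                raise KeyError("no index row for fragment %s at %s" % (key[1], key[0]))
            if self.refs[key] == 1:
                del self.refs[key]     # last reference: drop row and fragment
                del self.blobs[key]
            else:
                self.refs[key] -= 1

    def verify(self, position, digest):
        """Read-side check: stored content must still hash to its own name."""
        blob = self.blobs.get((position, digest))
        return blob is not None and self.name_of(blob) == digest

if __name__ == "__main__":
    idx = FragmentIndex()
    shared = b"\x10\x20\x30"           # constructed fragment shared by two files
    file_a = [("computer", idx.store("computer", shared))]
    file_b = [("computer", idx.store("computer", shared))]
    idx.delete_file(file_a)
    print(idx.refs)                    # the shared fragment survives with count 1
```

The same content stored at the other position gets its own row, because the lookup in the text is scoped to "the same fragment storage position".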
Further, the fragmentation algorithm uses the fragmentation key as the seed of a random number generator to generate a random sequence equal in length to the binary bit stream of the data ciphertext to be fragmented; each element value of the sequence falls in the set {0, 1, ..., n-1}. The binary bits at the positions that share the same value in the sequence are spliced together, so that the data is divided into n ciphertext fragments, and each fragment is numbered by its sequence value.
Further, the reassembly algorithm uses the fragmentation key as the seed of a random number generator to generate a random sequence equal in length to the binary bit stream of the fragmented data ciphertext; each element value of the sequence falls in the set {0, 1, ..., n-1}. Following the random sequence values in order, the next binary bit is taken from the fragment with the matching number, and the bits are spliced together from left to right to obtain the data ciphertext.
Further, the random number generator is a linear congruential generator with good random properties, $X_k = A X_{k-1} + B \pmod{C}$, where A = 7141, B = 54773, C = 259200. The initial condition $X_0$ is chosen at random and serves as the fragmentation key. $Y_k = X_k \pmod{n}$ is used to generate a random sequence, equal in length to the binary bit stream of the data ciphertext, whose element values lie in the set {0, 1, ..., n-1}.
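The scatter and reassembly steps above, written out as an added Python example (not code from the patent). It assumes the first label is taken from X_1, that bits are read most-significant first, and that fragments are kept as bit lists; the function names are illustrative.

```python
A, B, C = 7141, 54773, 259200  # LCG constants given in the text

def lcg_labels(x0, n, count):
    """Yield Y_k = X_k mod n for k = 1..count (assumption: labels start at X_1)."""
    x = x0
    for _ in range(count):
        x = (A * x + B) % C
        yield x % n

def to_bits(data):
    # Most-significant bit first (assumption; the text does not fix a bit order).
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def fragment(ciphertext, x0, n):
    """Scatter ciphertext bits into n fragments; fragment j gets the bits labelled j."""
    frags = [[] for _ in range(n)]
    bits = to_bits(ciphertext)
    for bit, label in zip(bits, lcg_labels(x0, n, len(bits))):
        frags[label].append(bit)
    return frags

def reassemble(frags, x0, n):
    """Replay the label sequence and pull the next unread bit from each fragment."""
    total = sum(len(f) for f in frags)
    cursors = [0] * n
    bits = []
    for label in lcg_labels(x0, n, total):
        if cursors[label] >= len(frags[label]):
            raise ValueError("fragment %d ran out: wrong key or damaged fragment" % label)
        bits.append(frags[label][cursors[label]])
        cursors[label] += 1
    return from_bits(bits)

if __name__ == "__main__":
    sample = bytes.fromhex("8f3a5c7712e4b0d9")  # constructed stand-in for ciphertext
    pieces = fragment(sample, x0=12345, n=4)
    assert reassemble(pieces, x0=12345, n=4) == sample
    print([len(p) for p in pieces])
```

Since X_0 can take at most C = 259200 values, and for any n that divides C the labels depend only on X_0 mod n, the scatter adds little secrecy of its own; confidentiality rests on the data encryption key.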
In addition, the present invention also provides a method for secure storage of local data, which uses the above local data security protection system and comprises the following steps:
A1: write the file attribute information and filling information of the data file to be protected into the false file on the computer secret disk;
A2: call the mobile secret disk to randomly generate the data encryption key and the fragmentation key, then encrypt the data encryption key and the fragmentation key respectively with the encryption public key stored in the USBKey, obtaining the data encryption key ciphertext and the fragmentation key ciphertext; call the cipher of the mobile secret disk to encrypt the data file to be protected, then fragment the ciphertext data into blocks according to the fragment count n, obtaining n fragment files, and calculate the HASH value of each fragment file;
A3: read the storage ratio of the computer secret disk and the mobile secret disk from the configuration file, calculate the fragment grouping rule, and randomly select x (x ≈ λ * storage ratio, x is an integer) of the n fragments;
A4: store the relevant information of the protected data file in the data items of the file key information table and the fragment index information table of the index database;
A5: store the x fragment files determined in step A3 in the hidden folder of the computer secret disk, store the remaining n-x fragment files in the mobile secret disk, and clear the memory.
Also, the present invention provides a method for secure reading of local data, which uses the above local data security protection system and comprises the following steps:
B1: the data protection software reads the file ID in the false file on the computer secret disk and, according to the file ID, reads the HASH values of all corresponding fragment files stored in the index database in the mobile secret disk;
B2: according to the above HASH values, query the mobile secret disk and the computer secret disk respectively for all fragment files whose file names are consistent with those HASH values, n in total;
B3: calculate the HASH value of each of the n fragment files one by one and check it for consistency against the corresponding HASH value fragment file name. If any one is inconsistent, the fragment file has been tampered with and the correct data file cannot be recovered; return an error and end the operation. If the check is consistent, proceed to step B4;
B4: read the x fragment files found in the computer secret disk into the mobile secret disk;
B5: call the encryption key stored in the key storage area of the mobile secret disk to decrypt, respectively, the data encryption key ciphertext and the fragmentation key ciphertext corresponding to the file ID in the index database, obtaining the data encryption key and the fragmentation key; reassemble the n fragment files with the fragmentation key to obtain the data file ciphertext, then decrypt the data file ciphertext with the data encryption key to obtain the data file;
B6: calculate the HASH value of the data file obtained in step B5 and compare it with the HASH value of the protected data file recorded in the false file; if they are consistent, show the content of the data file to the user; otherwise, the data file has been corrupted, and "error" is returned.
In conclusion the present invention is using encryption crushing technology, by data file by means of above-mentioned technical proposal of the invention
Encryption is broken and separation stores, and divides and is stored in the secret disk of calculating and the close disk of movement.Computer (notebook) and mobile close disk are any
One side loses or divulges a secret, and since they only have the partial piece of data, attacker can not restore complete by partial piece
Data;
Even if the computer and the mobile secret disk are stolen at the same time, the data in the mobile secret disk has the double protection of encryption and a user PIN code with a limited number of attempts, which effectively reduces the possibility of an attacker reading fragment files from the mobile secret disk;
When a protected data file is read, verifying the fragment HASH values and the HASH value of the reassembled data file ensures that the protected data file the user reads is consistent with the data file as last stored, which effectively guarantees the integrity and availability of the protected data file;
Kernel-layer file driver filtering technology is used to encrypt and decrypt files transparently, which does not affect the user's habits and gives a good user experience;
In conclusion the present invention provides for user, safety is high, local data safeguard protection of better user experience
Method.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.