节点文献
基于文件保险箱的集中加密存储技术的研究与实现
The Research and Implementation of File-Safe Based Centralized Encryption Storage Technique
【作者】 张路;
【导师】 何连跃;
【作者基本信息】 国防科学技术大学 , 计算机科学与技术, 2007, 硕士
【摘要】 加密文件系统是一种较新式的数据加密存储方式。同传统数据加密方式相比,其在可用性及安全性方面取得了长足的进步。但目前的加密文件系统只能服务于操作系统用户,无法对应用服务程序用户的数据起到保护作用。为此,本文提出保护应用服务程序用户数据安全的新方法:使用加密文件系统的方式来加密应用服务程序的数据。论文首先研究了如何使用加密文件系统支持应用服务程序的用户:提出加密文件系统空间技术,将加密数据按用户体系归类到各个加密文件系统空间中;通过允许不同用户体系用户访问各自加密文件系统空间中的数据,使得加密文件系统可以直接服务于应用服务程序的用户,继而为操作系统上运行的不同服务程序提供灵活的存储加密支持。在此基础上,为对用户间共享的加密数据提供保护,论文采用了加密文件系统访问控制技术保护共享的加密数据。论文进一步对支持应用服务程序时,如何保证加密文件系统密钥结构的安全性及高效性进行了研究。为减少用户需要解密的密钥数量,降低在解密密钥时网络及用户智能卡的负载,论文采用了四级密钥结构,将需要用户解密的密钥数量保持为一个;为防范密钥在传输过程中遭窃取,论文采用了密钥安全解密技术,采用密钥“替身”代替密钥在网络上传递,即使密钥“替身”被窃取也不会威胁到密钥安全。根据这些研究结果,课题设计并实现了集中式文件加密存储平台。论文最后给出其在KYLIN操作系统上的实现方式,并对其安全性及性能进行了测评。测评表明,本文研究的技术对加密文件系统造成的I/O性能损失在3.4%至6.6%之间。
【Abstract】 Cryptographic file system is a new kind of data encrypting storage method. Comparing to the traditional data encryption methods, its most significant improvement lies in security and usability. But cryptographic file system can only serve users of OS, it can’t protect data of service application users. So this paper creates a new way to protect data of service application users: use cryptographic file system.In this paper, we introduced cryptographic file system space technique to categorize encrypted data according to their users’ system. By letting users from different applications to access data in different cryptographic file system space, service application can use cryptographic file system to protect their data. On this basis, we introduced access control technique to protect shared data between users of service application.This paper also focuses on how to guarantee the security and efficiency of key structure. For reducing the numbers of keys needed to decrypt, a four-level key structure is introduced to reduce the overload of network and user’s smartcard while decrypting keys. In case of key leaking in network transmission of decrypting, this paper introduced a secure key decrypting technique which use a key substitute to decrypt through network, the key can keep safe even substitute is stolen.The result of this paper is an implementation of centralized file encryption storage platform, which is shown at the last part. The test of the platform shows techniques in this paper caused loss in I/O efficiency is between 3.4% and 6.6%.
【Key words】 Cryptographic File System; Data Encryption Storage; Cryptographic File System Space; Security of Key Decryption;