Detailed description of dynamic encryption/decryption technology (figure)

Source: Internet
Author: User

With the rapid development of computer and network technologies, more and more information is stored electronically on personal and business computers and transmitted over networks, and the security of this information, stored and exchanged in bulk, has drawn increasing attention. The theoretical basis of information confidentiality is cryptography. According to modern cryptographic theory, the security of a good encryption algorithm depends only on the key (Kerckhoffs's principle): publishing the algorithm does not weaken it. After decades of research, modern cryptography has produced many strong encryption algorithms that are widely used in information security products, and data encryption is an important application area of cryptography. Because implementation methods and implementation layers differ, the way a data encryption product is built determines its field and scope of application.
Data encryption technology can be divided by implementation method into static encryption and dynamic encryption, and by implementation layer into file-level encryption and storage-device-level encryption.
1. Static encryption and dynamic encryption
Static encryption means that the data is not in use while it is being encrypted. Once data has been encrypted, the plaintext must be recovered by static decryption before it can be used. Many encryption software products currently on the market use this method.
Dynamic encryption (also called real-time or transparent encryption; the English term is encryption on-the-fly) differs from static encryption in that data is encrypted or decrypted automatically while it is in use, without user intervention. Authorized users work with encrypted files without explicitly decrypting them; on the surface an encrypted file behaves like an unencrypted one. To an authorized user these files are "transparent", that is, they do not appear to be encrypted at all, whereas a user without access permission cannot use them even after obtaining them through unconventional means, because they are encrypted. Dynamic encryption neither changes users' habits nor requires much intervention to keep documents secure, which is why it has been widely adopted in recent years.
Because dynamic encryption must encrypt data in real time, it has to track the data streams to be encrypted as they flow, and its implementation generally sits in the system kernel. In particular, an application may read or write any part of a file in any order, so the cipher construction must allow an arbitrary block to be decrypted without processing the file from the beginning. From an implementation standpoint, dynamic encryption is therefore much harder than static encryption, and the technical problems it must solve far exceed those of static encryption.
2. Hierarchical Implementation of Dynamic Encryption
Although operating systems such as Windows, Linux and UNIX organize and store data differently, all of them fit the model shown in Figure 1: when an application accesses data on a storage device, it generally calls the file system through an API provided by the operating system, and the file system in turn accesses the physical medium through that medium's driver. Layers I and II belong to the application layer; layers III and IV belong to the operating system kernel. This structure determines how an encryption system can be implemented: the accessed data can be encrypted or decrypted at any point on the path between the storage medium and the application. Layer I only sees data read and written by the application itself; data belonging to other applications never passes through it, so layer I can implement only static encryption, not dynamic encryption. Layer II does not see all file data either, although it can intercept operations such as opening and closing files. Products implemented at the application layer therefore cannot perform truly "real-time" encryption and decryption and generally resort to a disguised form (usually at layer II): when an application opens a file, the product decrypts the entire file in place or into another path and then lets the application access (is redirected to) the fully decrypted copy; when the application closes the file, the product encrypts it again. While the file is open, a complete plaintext copy exists on disk. This is really just an automated static encryption/decryption process, not dynamic encryption in the strict sense.
Because current operating systems such as Windows, Linux and Unix allow file and disk operations to be intercepted only in the kernel, genuine dynamic encryption and decryption products can only be implemented at the kernel layer. In the model of Figure 1, the kernel's file system can intercept all file operations but not all accesses to storage devices (in what follows, "disk" stands for any storage device); to intercept every operation on a storage device, the interception must happen in the storage device driver. The way the operating system reaches storage devices thus gives rise to two kinds of dynamic encryption/decryption security products: file-level and disk-level.

Figure 1 Storage Device Access Model of the Operating System
3. File-level dynamic encryption and decryption technology
At the file system layer, a product can obtain not only information about files but also about the processes and users accessing them, so a document security product with powerful functions can be built there. Some file systems support dynamic file encryption themselves: in Windows, for example, NTFS provides EFS (Encrypting File System). As a general-purpose system, however, although EFS offers fine-grained control (each file can be controlled individually), in practice the unit of encryption is usually a partition or directory, and it is hard to meet the individual requirements of different users, such as automatically encrypting certain types of files. Despite these shortcomings, a file system that supports dynamic encryption can, to some extent, provide security comparable to disk-level encryption. Because the dynamic encryption provided by the file system is hard to tailor to users' needs, there is ample room for third parties to provide dynamic encryption and decryption security products.
Developing a file-level dynamic encryption/decryption product is tied to a specific operating system, but there are still several approaches to choose from; generally the product is embedded into the file system by means of a hook or a filter driver (a minifilter on modern Windows) so that it becomes part of the file system. In a sense, a third-party dynamic encryption product is a functional extension of the file system. It is usually modular and can be loaded or unloaded as needed, which makes it easier to meet diverse user requirements than an encryption system built into the file system itself.
The following uses SmartSec from yicetong as an example of how file-level dynamic encryption and decryption is implemented in practice. Figure 2 shows the principle. SmartSec implements dynamic encryption and decryption as a file filter driver (layer III), while providing access control at both the application layer (layer II) and the kernel layer (layer III), together with logging and program behaviour control. Splitting the work between the application layer and the kernel layer not only provides higher security but also helps reduce the security system's impact on system performance.

Figure 2 Implementation of Dynamic encryption and decryption in the SmartSec System
4. Disk-level dynamic encryption and decryption technology
For users with high information security requirements, file-level encryption is hard to make sufficient. For example, in Windows (and similarly in other operating systems), accessing a file creates various temporary files. Although applications delete most of them automatically, some are leaked or left behind, and even a deleted temporary file can be recovered with data recovery software. In practice these temporary files are usually not encrypted, so they become an important channel for information leakage. Moreover, even if temporary files are encrypted, the system's page swap file (such as the Windows pagefile) retains some of the information from files the user has accessed, and third-party dynamic encryption products generally cannot encrypt system files (apart from the file system's own built-in encryption), since otherwise the system may fail to start. This too causes information leakage.
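To make the file-level model and the temporary-file leak concrete, here is an added example in Go (my own illustration, not SmartSec's code or any product's internals): a FilterFS type that stands in for a filter driver, encrypts files selected by a path policy with AES-CTR, decrypts arbitrary byte ranges on read, and passes everything else through to the volume untouched. The policy, the /secret directory, the file names, the key and the sample document are all constructed for the example. Running it shows plan.docx sitting on the volume as ciphertext while an editor's temporary copy that the policy does not match sits there in plaintext, which is exactly the leakage path described above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"path"
	"strings"
)

const nonceLen = 16 // per-file random CTR nonce stored in front of the ciphertext

// FilterFS stands in for a file-system filter driver (layer III in Figure 1).
// Files the policy selects are stored encrypted and decrypted as they are read;
// everything else passes straight through to the volume in plaintext.
type FilterFS struct {
	block  cipher.Block
	policy func(name string) bool
	volume map[string][]byte // constructed stand-in for the on-disk volume
}

// DefaultPolicy encrypts only .docx files directly under /secret: an assumed
// "this file type in this directory" rule of the kind the text describes.
func DefaultPolicy(name string) bool {
	return path.Dir(name) == "/secret" && strings.HasSuffix(strings.ToLower(name), ".docx")
}

func NewFilterFS(key []byte, policy func(string) bool) (*FilterFS, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &FilterFS{block: block, policy: policy, volume: map[string][]byte{}}, nil
}

// Write stores a whole file. A fresh nonce on every write keeps CTR keystreams
// from being reused; a driver that also had to support in-place partial writes
// would need a per-block tweak (XTS-style) or re-keying to keep that guarantee.
func (f *FilterFS) Write(name string, plain []byte) error {
	if !f.policy(name) {
		f.volume[name] = append([]byte(nil), plain...) // pass-through: plaintext on disk
		return nil
	}
	out := make([]byte, nonceLen+len(plain))
	if _, err := rand.Read(out[:nonceLen]); err != nil {
		return err
	}
	cipher.NewCTR(f.block, out[:nonceLen]).XORKeyStream(out[nonceLen:], plain)
	f.volume[name] = out
	return nil
}

// ReadAt returns n plaintext bytes starting at byte offset off. Only that range
// is decrypted: the counter is advanced to the block holding off instead of
// streaming from the start of the file, which is what serving random access
// "on the fly" requires.
func (f *FilterFS) ReadAt(name string, off, n int) ([]byte, error) {
	raw, ok := f.volume[name]
	if !ok {
		return nil, fmt.Errorf("no such file: %s", name)
	}
	encrypted := f.policy(name)
	body := raw
	if encrypted {
		body = raw[nonceLen:]
	}
	if off < 0 || n < 0 || off+n > len(body) {
		return nil, fmt.Errorf("read [%d,%d) outside %s (%d bytes)", off, off+n, name, len(body))
	}
	out := make([]byte, n)
	if !encrypted {
		copy(out, body[off:off+n])
		return out, nil
	}
	iv := append([]byte(nil), raw[:nonceLen]...)
	addCounter(iv, uint64(off/aes.BlockSize)) // jump to the block containing off
	stream := cipher.NewCTR(f.block, iv)
	skip := make([]byte, off%aes.BlockSize) // discard keystream before off inside that block
	stream.XORKeyStream(skip, skip)
	stream.XORKeyStream(out, body[off:off+n])
	return out, nil
}

// Raw returns the bytes as they sit on the volume: what a recovery tool or an
// attacker imaging the disk gets.
func (f *FilterFS) Raw(name string) []byte { return f.volume[name] }

// addCounter adds k to the big-endian 128-bit block counter CTR mode increments.
func addCounter(iv []byte, k uint64) {
	carry := k
	for i := len(iv) - 1; i >= 0 && carry != 0; i-- {
		sum := uint64(iv[i]) + carry&0xff
		iv[i] = byte(sum)
		carry = carry>>8 + sum>>8
	}
}

func main() {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i) // constructed demo key, not a real secret
	}
	fs, _ := NewFilterFS(key, DefaultPolicy)
	doc := []byte("Q3 plan: acquire rival, announce 1 Oct. CONFIDENTIAL")
	_ = fs.Write("/secret/plan.docx", doc)    // selected by policy: encrypted
	_ = fs.Write("/secret/~WRL0001.tmp", doc) // editor's temp copy: policy miss
	got, _ := fs.ReadAt("/secret/plan.docx", 9, 13)
	fmt.Printf("application reads: %q\n", got)
	fmt.Printf("plan.docx on volume: %x...\n", fs.Raw("/secret/plan.docx")[:24])
	fmt.Printf("temp file on volume: %q\n", fs.Raw("/secret/~WRL0001.tmp"))
}
```

The policy lookup is the weak point: a real filter has to cover every path an application may use to write the same content (temporary files, autosave copies, rename-on-save), or add process-based rules such as "everything written by this editor", which is why the page stresses process and user information at this layer.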
One way to avoid these vulnerabilities is to encrypt all data on the storage device, including the operating system, and only disk-level dynamic encryption can do that. Static encryption is generally unusable here because the operating system itself is encrypted: to boot, the operating system would first have to be decrypted. With static encryption, the entire disk would have to be encrypted after every shutdown and decrypted again before every start (at the very least all operating system files, or the system could not boot). As operating systems grow ever larger, the time this takes is unbearable.
With the dynamic approach, once the system has started the encryption/decryption system decrypts hard disk data in real time: whenever the system reads data, the data is decrypted directly in memory and the plaintext is handed to the operating system. Because the operating system itself is encrypted, the key must be obtained and the decryption code loaded before the operating system, from a pre-boot environment. The performance impact depends only on the speed of the encryption algorithm and is very limited; products of this kind generally cost no more than 10% in overall system performance (the best figure among comparable products currently on the market). Figure 3 shows the principle of DiskSec, yisaitong's disk-level dynamic encryption/decryption product. DiskSec's encryption and decryption sits at the very bottom of the operating system, and all of the operating system's disk operations pass through it. When the system writes data to disk, DiskSec first encrypts the data and then writes it; conversely, when the system reads data from disk, DiskSec decrypts it automatically and hands it to the operating system. The encrypted disk data is therefore transparent to the operating system: from its point of view, encrypted and unencrypted data on the disk look the same.
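As an added example (not DiskSec's code; the product's internals are not described on this page), the following Go program implements the sector layer of Figure 3: an XTSDisk type that encrypts every 512-byte sector with XTS-AES (IEEE 1619, the mode dm-crypt and BitLocker use for full-disk encryption) on the way to a byte slice standing in for the medium and decrypts it on the way back. The key, the sector size and the sample data are constructed for the example. It shows why the operating system cannot tell encrypted from unencrypted storage: reads and writes stay sector-sized and addressable by sector number, no per-sector IV has to be stored, and a sector rewritten with the same content produces the same ciphertext, while the same content in a different sector does not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const SectorSize = 512

// XTSDisk stands in for a disk-level encryption driver (layer IV in Figure 1).
// The operating system above it calls ReadSector/WriteSector and only ever sees
// plaintext; the medium below it only ever holds XTS-AES ciphertext.
type XTSDisk struct {
	data   cipher.Block // K1: encrypts the sector contents
	tweak  cipher.Block // K2: turns the sector number into the tweak
	medium []byte       // constructed stand-in for the physical disk
}

// NewXTSDisk takes a 64-byte key (K1 || K2, two AES-256 keys) and a size in sectors.
func NewXTSDisk(key []byte, sectors int) (*XTSDisk, error) {
	if len(key) != 64 {
		return nil, fmt.Errorf("xts: key must be 64 bytes, got %d", len(key))
	}
	k1, err := aes.NewCipher(key[:32])
	if err != nil {
		return nil, err
	}
	k2, err := aes.NewCipher(key[32:])
	if err != nil {
		return nil, err
	}
	return &XTSDisk{data: k1, tweak: k2, medium: make([]byte, sectors*SectorSize)}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128) modulo x^128+x^7+x^2+x+1 in
// the little-endian bit order IEEE 1619 uses (bit 0 of byte 0 is the x^0 term).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsSector encrypts or decrypts one sector in place. The tweak binds each
// 16-byte block to its sector and position, so equal plaintext at different
// positions encrypts differently, and the sector stays exactly 512 bytes.
func (d *XTSDisk) xtsSector(buf []byte, sector uint64, encrypt bool) {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector) // 128-bit little-endian sector number
	d.tweak.Encrypt(t[:], t[:])                  // T = AES_K2(sector)
	for off := 0; off < SectorSize; off += aes.BlockSize {
		blk := buf[off : off+aes.BlockSize]
		for i := range blk {
			blk[i] ^= t[i]
		}
		if encrypt {
			d.data.Encrypt(blk, blk)
		} else {
			d.data.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= t[i]
		}
		mulAlpha(&t) // block j uses T * alpha^j
	}
}

func (d *XTSDisk) offset(sector uint64) (int, error) {
	if sector >= uint64(len(d.medium)/SectorSize) {
		return 0, fmt.Errorf("sector %d beyond end of disk", sector)
	}
	return int(sector) * SectorSize, nil
}

// WriteSector is what the OS calls: plaintext in, ciphertext on the medium.
func (d *XTSDisk) WriteSector(sector uint64, plain []byte) error {
	if len(plain) != SectorSize {
		return fmt.Errorf("sector writes must be exactly %d bytes", SectorSize)
	}
	start, err := d.offset(sector)
	if err != nil {
		return err
	}
	buf := append([]byte(nil), plain...)
	d.xtsSector(buf, sector, true)
	copy(d.medium[start:], buf)
	return nil
}

// ReadSector is the reverse path: ciphertext from the medium, decrypted in
// memory before the OS sees it.
func (d *XTSDisk) ReadSector(sector uint64) ([]byte, error) {
	start, err := d.offset(sector)
	if err != nil {
		return nil, err
	}
	buf := append([]byte(nil), d.medium[start:start+SectorSize]...)
	d.xtsSector(buf, sector, false)
	return buf, nil
}

// RawSector is what someone who images the disk gets (nil if out of range).
func (d *XTSDisk) RawSector(sector uint64) []byte {
	start, err := d.offset(sector)
	if err != nil {
		return nil
	}
	return d.medium[start : start+SectorSize]
}

func main() {
	key := make([]byte, 64)
	for i := range key {
		key[i] = byte(i) // constructed demo key, not a real secret
	}
	disk, _ := NewXTSDisk(key, 4)
	page := make([]byte, SectorSize) // stands in for a pagefile sector
	copy(page, "password=hunter2 ")
	_ = disk.WriteSector(1, page)
	plain, _ := disk.ReadSector(1)
	fmt.Printf("OS reads back: %q\n", plain[:17])
	fmt.Printf("medium holds:  %x\n", disk.RawSector(1)[:17])
}
```

XTS is length-preserving and unauthenticated by design: it cannot store a nonce or a MAC because a sector must stay a sector, so it offers confidentiality of data at rest but no integrity, and an attacker with write access to the medium can scramble blocks without detection.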

Figure 3 Implementation of Disk-level dynamic encryption and decryption
5. Comparison of file-level and disk-level dynamic encryption
Each of the two methods has its own advantages and disadvantages. Compared with file-level encryption, disk-level encryption has one main advantage: high encryption strength and good security.
Disk-level encryption encrypts the physical sectors of the disk directly, independent of logical concepts such as files, so everything stored on the disk is encrypted. File-level encryption, by contrast, generally encrypts only specified files, and temporary files remain a security risk. In this respect disk-level encryption is more secure than file-level encryption. Note, however, that disk-level encryption protects data only while the system is off: once it has booted and the key is loaded, every process on the running system sees plaintext, so it does not by itself stop an authorized user or malware on that machine from copying files.
The main disadvantage of disk-level encryption is that it is not flexible enough and its range of application is narrow.
Unlike file-level encryption, disk-level encryption has no concept of files or directories, which makes it hard to encrypt or hide specific files or directories. File-level encryption, on the other hand, can apply various encryption policies to achieve finer-grained control: users can specify the file types or directories to encrypt and can also hide certain directories.
