Implementation of the document security encryption system (Figure)

CommentsEncryption technology uses mathematical or physical means to protect the data of electronic information during transmission or storage devices to prevent leakage. In information security technology, encryption technology plays an important role, and uses encryption technology in secure communication, data security, and software encryption. Common encryption algorithms include DES series (including DES and 3DES) and RC series (commonly used include RC4 ).
Encryption technology is a technology that uses mathematical or physical means to protect electronic information during transmission or data stored in the device to prevent leakage. In information security technology, encryption technology plays an important role, and uses encryption technology in secure communication, data security, and software encryption. Common encryption algorithms include the DES series (including DES and 3DES), RC series (commonly used RC4 and RC6), and AES symmetric encryption algorithms (the encryption key and decryption key are the same or similar) and asymmetric encryption algorithms such as RSA. In addition, MD5 is used to obtain information summaries. For these common encryption algorithms, as long as you set a suitable password, the existing computer technology can generally meet the security requirements, but different encryption algorithms, the amount of computing required varies greatly. For the document security encryption system, the encryption algorithm is the core of the system. The selection is generally determined based on the security requirements of the system, use a fast encryption algorithm as much as possible. If conditions permit, you can use hardware to encrypt the data (such as directly using the encryption algorithm provided by the security chip ).
1. encryption technology in document security
Although the encryption algorithm is the core of the document security system, the implementation of the encryption algorithm is the key to determining the document security system. In the document security system, common implementation methods include static encryption and dynamic encryption. Static encryption means that the data to be encrypted is in the unused state (static) during encryption ), once the data is encrypted, the plaintext must be obtained through static decryption before use. At present, many encryption software products on the market belong to this encryption method.
Different from static encryption, dynamic encryption (also known as real-time encryption and transparent encryption) is an exponential data usage process (dynamic). Its English name is encrypt on-the-fly) data is automatically encrypted or decrypted without user intervention. Valid users can use the encrypted file without performing decryption. On the surface, access to encrypted files is basically the same as access to unencrypted files. For legal users, these encrypted files are "Transparent", that is, they do not seem to have been encrypted, however, users who do not have access permissions cannot use these files even if they are obtained through other unconventional means because they are encrypted. Dynamic encryption technology not only does not change users' usage habits, but also does not require too many interventions to ensure document security. Therefore, it has been widely used in recent years.
Because dynamic encryption needs to encrypt data in real time, it is necessary to dynamically track the data stream to be encrypted, and its implementation level is generally located in the system kernel. Therefore, from the technical perspective of implementation, dynamic encryption is much more difficult than static encryption, and the technical difficulties to be solved far exceed static encryption.
2. implementation level of the document security encryption system
In modern operating systems, file operations are performed through file systems. Although different operating systems support different file systems, file access methods are basically the same. In Windows systems, the file system exists as a device driver. In Windows, device drivers are layered to allow multiple driver layers between applications and hardware. The filter driver is a special type of intermediate driver, they are located at the upper or lower layers of other drivers and intercept requests sent to the device objects of the lower-layer drivers. Before the requests reach the lower-layer drivers, the filter driver can change the request, the lower-layer drivers do not know all the operations that occur in their upper-layer drivers. Figure 1 shows the file operation procedures in Windows, where layers I and II belong to the application layer, and levels III and IV belong to the operating system kernel layer. It can be seen that when an application (layer I) sends a file operation request, it must go through the API layer (layer II) and file filter driver layer (Layer III) provided by the operating system) and the file system layer (layer IV) can access files. Therefore, we can see that the document security encryption system can only be implemented at these four levels.
This organizational structure of the file system determines the implementation method of the document security encryption system. In each layer of data accessed from the application, encryption/Decryption can be performed on the accessed data. Because level I can only obtain data read and written by the application itself, data of other applications does not pass through this layer, in Level I, only static encryption can be implemented and dynamic encryption cannot be implemented. Even Level II does not allow all file data to pass through this layer, however, at this layer, you can block operations such as opening and closing various files. Therefore, the dynamic encryption and decryption products implemented at the application layer cannot truly implement "real-time" encryption/decryption operations. Generally, they can only be implemented in other disguised forms (generally in Level II ). For example, when an application opens a file, it directly decrypts the entire file or decrypts the entire file to another path, and then allows the application to directly (redirect) access the fully decrypted file, when the application closes the file, it encrypts the decrypted file. The essence is the automation of the static encryption and decryption process, which is not strictly dynamic encryption.
Various file operations can be intercepted only in levels III and IV. Therefore, the real dynamic encryption and decryption product can only be implemented at the kernel layer.
　　
500) this. width = 500 "title =" Click here to browse images in a new window "/>
Figure 1 file operation procedure in Windows