1. Windows File System Overview
The drive principle of the hard disk file encryption system is generally two types: the access permission to the file directory is controlled by hook some underlying system kernel calls, create a driver on the upper layer of the input/output driver of the file system to encrypt the data in the file directory. Because the Windows file system is not a physical device, its stack structure is special, therefore, the file system filter driver is also different from the general filter driver (for this background, refer to the document of Chu madman [1] and several documents provided by IFS, in addition to the normal file interface, there is also a type of "fastio". The file system constructs a device stack for each disk volume rather than the entire disk. Because the Windows File System driver generates two Device objects, namely the device object CDO and the volume device object VDO, the file system filter driver has two types of corresponding filter device objects (Fido ). In addition, the file system filter driver also has its own control device object CDO, which is not attached to any device object. It only provides some control functions, the IRP (I/O Request package) to be processed is also different. Therefore, a file system filter driver includes three Device objects. For different versions of Windows operating systems, the device stack of the same device has many different details on the processing of the same IRP, which must be handled by different systems. Next we will take Windows XP as an example to discuss the hard disk document encryption system.
2. How to implement data encryption and decryption
Data encryption and decryption are implemented in filtering device objects for volume device objects. There are some practical issues to consider, as listed below:
(1) What files are encrypted?
Not all data in read/write requests is encrypted. For example, system files cannot be encrypted or the root directory cannot be encrypted. Otherwise, a series of problems may occur. Therefore, you need to determine the object to be operated before encryption and selectively encrypt the object. This can be distinguished by the full file path. The full path of files to be decrypted is stored in a special file, the File Access Control Implemented in the file system filter driver is used to prevent the file from being used by any other file system filter driver. Program Access. The content of this special file will be loaded to the permission table buffer when the filter driver is loaded.
(2) how to obtain data content?
To encrypt the data, you must first obtain the data location and content. We cannot directly operate on the disk sector. Therefore, you must use the custom file system driver under the window to obtain the data. In XP, the Cache Management part leads to the following types of read and write operations in the file system or file system filter driver: cached I/O, non-cached user I/O, and paging I/O. Can we encrypt the data in the cache directly? For example, when data is updated and files are read and written, data changes are directly generated. Therefore, data encryption in the cache may cause many character problems. Therefore, we need to use the non-cached user I/O and paging I/O methods, because no matter how the final data is written to the hard disk through these two methods. The result is that the file data on the hard disk is always ciphertext, And the cached data is always plaintext. After an application reads the plaintext, the plaintext remains in the buffer. Other programs can read the plaintext and copy the plaintext. This becomes a security issue. One way to solve this problem is to clear the cache when closing the file. The data content in these two methods can be obtained in the mdladdress or userbuffer structure in the IRP. In addition, some settings of the spin lock can be used to solve this problem.
(3) Encryption Algorithm And Key Processing
The file system generates many irp_mj_read requests or irp_mj_write requests for reading and writing each file, and the data is divided into many blocks. At the same time, because Windows reading files are not necessarily sequential, the plaintext length is obtained through write. length in the IRP during encryption. If it is not enough to group integer times, fill them with all 0. However, it is worth noting that if the last part of the file is processed in an IRP, the write success length is iostatus. information is usually less than the write length of the IRP request. length. At this time, write again. length is used as a reference for grouping and encryption, and special processing is required. This problem does not exist during decryption in irp_mj_read requests. You can decrypt the data according to the returned length (iostatus. Information. Based on the above rules, the irp_mj_write dispatch function driven by the file system filtering is encrypted as follows:
1) determine the read/write mode of IRP. Only irp_nocache, irp_paging_io, and irp_synchronous_paging_io are processed;
2) whether or not to encrypt the file to be read depends on the file path and type. If you do not need to encrypt the file, directly upload the IRP to the next layer; otherwise, the file will be encrypted;
3) Get the data buffer address passed in windows, and allocate consecutive pages in the kernel as a new buffer to save data;
4) use aes to encrypt data in the new buffer;
5) set the completion routine and use the original IRP parameter as the environment variable below the completion function;
6) Call iocalldriver to transmit the ciphertext to the underlying driver and write it to the hard disk;
7) set the mdladdress and userbuffer of the IRP in the completion routine.
The decryption process is the same. Now there is another question: how to save the key of the AES algorithm? At the underlying layer, Microsoft does not provide a key container for encryption algorithms. There is a way to use a dynamic key and place it on the hard disk. Use an RSA public key to encrypt the dynamic AES key, and then use the private key for decryption to obtain the symmetric key. However, Microsoft's CryptoAPI and a USB key can be used, and the private key is on the USB key. We only need a USB key, that is, the method used in the bank, of course, we can also use the digital signature method. Some may ask, why not use RSA or ECC to encrypt data directly? This will lead to the consequences of driving a tractor on the runway, and the speed is very slow.
4. Hook some IRPs to further control the files.
The key to achieving these goals is to hook some functions driven by the file system, parse various directory operations from the IRP, and intercept the returned values based on different operating systems. Logs can be recorded at the same time. Creating a file and opening a file are both at irp_mj_create, so you need to differentiate between creating a file and opening a file. When creating a file, the system will first send a request named file_open and determine the returned value of the underlying file system. If the returned value is successful, the file exists and has been opened successfully, otherwise, if no such file is returned, an e_open_if request is created to create the file. Therefore, if file_create is found in the options field of mj_create, one of the three flags of e_open_if or file_overwrite_if is created or opened.
(2) If the obtained IRP is irp_mj_set_information, obtain the io_stack_location structure pointer irpsp associated with the IRP (this structure contains the type of the IRP ). Code And parameter information and the address of the completed function), and then take out irpsp-> parameters. setfile. fileinformationclass. If it is equal to filedispositioninformation, It is the delete operation. If it is equal to filerenameinformation, It is the file RENAME operation.
(3) the method to prevent copying to a USB flash disk is to query the device type of the new volume, and file_removable_media is generated by mobile storage. After obtaining the data type, save it to the filtering device object of the volume. When the filter device object receives a Write Request IRP, it can determine whether the file is being copied to the USB flash drive. The next step is to disable or allow the file.
The file system filter-driven encryption product, as its name implies, is transparent encryption and decryption in the file system filter driver, that is, decryption and encryption during the process of opening a file in an application, the file system filter driver is on the disk drive. Its specific product form is mainly popular transparent encryption and decryption document security products.
Advantages of file system filter drive encryption:
1. the encryption and decryption process is transparent compared with traditional encryption tools (such as encryption file cabinets. The benefits include:
1) the document is automatically encrypted from the first time it is generated. This prevents the author from intentionally or unintentionally leaving plain text during the compilation process, or intentionally or unintentionally leaving plain text after decryption by the subsequent processor, encryption is mandatory.
2) the encryption and decryption process is transparent to users, so that users do not need to learn how to perform file encryption and decryption.
2. Compared with full-disk encryption, file system filter-driven encryption products usually allow transparent encryption and decryption only for file operations of specific processes or file types. Undesirable File Operations, for example, if you manually copy a file to a USB disk, send it as an email attachment, or remotely copy the file through file sharing, or copy the file after Hackers break the system, the ciphertext is obtained.
3. Compared with full encryption, the file system filter-driven encryption product can support multiple users in principle.
disadvantage of transparent encryption and decryption:
1. The file content obtained by a valid application is plaintext, in order to prevent these plain text from "Slipping Away" in various ways, We need to block various ways that may output the plain text ". These methods are divided into two categories based on whether or not programming is required:
1) If no programming is required, the existing functions of the application or the functions of the operating system are used, for example, content copying, mouse drag and drop copying, printing, mail sending, third-party software plug-ins, screen recording, and so on.
2) programming is required, such as memory reading, API hook mounting, window messages, and custom plug-ins.
in general, there are many ways to prevent attacks. A variety of products are more or less blocked, and it is difficult to be foolproof.
2. Compared with traditional encryption tools (such as encryption file cabinets), the file system filter drives encryption products to transparently encrypt and decrypt specific types of files, rather than based on whether the files are classified. If the number of confidential files is small and the number of non-confidential files is large, this will cause a large number of non-confidential files to be encrypted, causing a great management burden. If a small number of confidential files and a large number of non-confidential files are required to be approved during decryption, this management burden will easily lead to security vulnerabilities.
3. File System filtering-driven encryption products generally rely on the Identity Authentication Mechanism of the operating system. Users authenticated by the operating system are transparently encrypted and decrypted, therefore, the operating system's Identity Authentication Vulnerability becomes a file system filter-driven encryption product Vulnerability (as we all know, Windows identity authentication is easily broken through ).
for example, the loss of a laptop, file System filtering drive encryption products provide better protection for attempts to steal data on hard disks from other systems (such as attaching protected hard disks to other machines or starting from the optical drive, however, thieves can use n methods to crack or leave a blank user password and directly access the system. Then, all the ciphertext of the user will be transparently decrypted to him.
4. similar to article 3rd, operating system vulnerabilities may cause fatal damage to the file system filter drive encryption product.
for example, in the case of a hacker attacking the system, although the hacker directly copied the ciphertext, the hacker controlled the system permission and then remotely controlled it to open the file locally on the attacked host, ciphertext is transparently decrypted. If the hacker record the screen on the local host, the plaintext can be transferred out.