
Research And Implementation For Linux Cryptographic File System Based On Trusted Computing Platform

Posted on: 2009-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: F Luo
Full Text: PDF
GTID: 2178360278980764
Subject: Military Equipment
Abstract/Summary:
As military information systems become more widespread and capable, the secure storage of confidential military data and its protection against theft and tampering are receiving more and more attention. Although cryptographic file systems are effective against these problems, traditional ones cannot fully protect data from tampering, so they are not suitable for the secure storage of confidential military data. At the same time, existing cryptographic file systems based on the Trusted Computing Platform (TCP) encrypt the whole disk or file system, and such coarse-grained encryption restricts the sharing of internal military files.

To make up for the disadvantages of existing cryptographic file systems, their key technologies and mechanisms are studied, and a new one based on TCP, called TEFS, is put forward. With the underlying security support of TCP and the principle of the stackable file system, it provides confidentiality and integrity mainly at file granularity in the Linux kernel.

The main contributions of this paper are listed below. First, Trusted Computing theory is studied, and the cryptographic technologies of Trusted Computing are applied to ensure the security of key management for TEFS. Second, to prevent substitution attacks on the TCG object access and authorization protocol, the original protocol is improved and applied to the interaction between TEFS and the TPM. Third, based on the key retention services in the Linux 2.6 kernel, keys are organized and managed to increase the efficiency and security of key searching for TEFS. Fourth, the sharing of encrypted files among TCPs is realized. Fifth, to reduce the performance overhead of file integrity verification, an integrity verification mechanism based on secondary HMAC is introduced. Sixth, more secure and flexible entity authentication is realized on the basis of the TPM and Linux's PAM mechanism. Seventh, based on Linux's netlink communication mechanism, non-blocking bidirectional communication between TEFS's kernel and userspace modules is achieved.

Finally, the security and main characteristics of TEFS are compared and analyzed, and the system's performance is tested comprehensively. The results indicate that the overall performance of TEFS meets its anticipated design requirements.
Keywords/Search Tags: Trusted Computing Platform, Cryptographic File System, Stackable, Linux, Keyring