| In information era, large amount of data are stored electronically in a variety of devices. The block-oriented storage device is the main data storage device of computers, carrying a lot of confidential and important data. Recently, there are many cases of confidential and important data leakage which are caused by disk lost, stolen or unauthorized access, leading to serious economic loss. Encryption techniques are the most effective ways to solve the problem of data leakage from the block storage devices. Nowadays, disks are the mainstream of data storage devices due to the properties of small size, large capacity, high speed and etc.. Therefore, since the 21st century; the disk encryption has become a hot research topic in information security domain. In the past ten years, there have emerged a number of outstanding disk encryption products, but they are all focused on small-capacity, single-disk encryption. There are few disk encryption products proposed for the servers, which actually have more important data stored.In this thesis, we are motivated to prevent data leakage caused by lost / stolen disks. Based on the detailed analysis of disk storage systems, we proposed a novel disk data threat model - CA model, which focuses on the system Confidentiality and user Authentication. In the CA framework, we designed and implemented the DARE_SPS disk encryption software in the Windows operating system, based on the theories of short-plate and robustness, and concepts of internal/external isolation and concise user-friendly design. Our CA model successfully prevents the data leakage of disks. Different from previous models, our model could support disk arrays with high-level system security.As for data confidentiality, we choose different encryption levels for different function disks according to their special properties. To implement the filter driver for encryption and decryption, we choose the upper volume level on the data disk for the reason that the system could satisfy the function of disk arrays without considering the organization of physical disks or upper file information. As such, it is very simple and convenient to complete the full data disk encryption. Different from the data disk, we choose the upper file system for driver implementation for the system disk. Thus, the users'private information could be encrypted in file units while the operating system works in normal status. In this way, we achieve a better balance between safety and performance. In addition, we implement the kernel-mode cryptography programming interface --WKCAPI in Windows operating system, which provides the cryptography functions for the volume/file system filter drivers. As the interface has the properties of security, compatibility, scalability and re-versatility, it makes up for the inadequate cryptography service of the Windows kernel-mode with wide applications to other procedures concerning kernel cryptography.Besides the system confidentiality, disk encryption is also essential for data-at-rest protection due to unauthorized access and stolen disks. However, the security of existing disk encryption systems heavily depends on the authentication of operating systems, and hence they are easily cracked. In this thesis, according to the special authentication requirements for disk encryption, we design a two-factor authentication system based on the MBR and physical token. To the best of our knowledge, we are the first to encrypt MBR through combination of authentication and encryption. Our system ensures the security of MBR, which greatly strengthens the overall disk encryption system.We believe that our research provides high-level security for information encryption, which would help to avoid information leakage in many application domains. |
PDF Full Text Request