中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 中科院软件所  > 中科院软件所
题名:
基于linux系统的加密文件系统的设计与实现
作者: 魏丕会
答辩日期: 2003
专业: 计算机应用技术
授予单位: 中国科学院软件研究所
授予地点: 中国科学院软件研究所
学位: 博士
关键词: 加密文件系统 ; 操作系统 ; 信息安全 ; 密钥托管
其他题名: Design and Implementation of Secure Filesystem for Linux Operaring System
摘要: 随着计算机和通信技术的发展,信息安全技术越来越重要。信息保密是信息安全的一种重要手段,目的是防止非法用户得到机密的信息。加密技术是实现信息保密的重要保证,可以使一些重要数据存储在一台不安全的计算机上,或者在不安全的网络环境中传递。但是,引入加密技术不可避免地会带来系统运行效率上的影响。怎样尽量降低加密技术对系统负荷的增加是一个很重要的问题。安全性非常高,但是效率低下的系统不会得到广泛应用。本文介绍了基于linux系统设计的加密文件系统(Encr即ted Filesystem-EncFS)。EncFS系统体系结构包含四个重要的实体:文件存储服务器、客户端、认证服务器和密钥托管服务器。它的基本思想是在文件存储服务器上保存文件的密文信息,认证服务器负责对用户身份的认证,密钥托管服务器负责保存用户的所有历史密钥,只有在密钥确实不再需要时才从密钥托管服务器上彻底删除,用户在客户端通过网络访问文件,在客户端和文件存储服务器之间传输的只是文件的密文数据,只有拥有文件加密密钥的用户才能解密文件,得到明文信息。为了提高系统的效率,文件存储服务器只是作为文件的存储设备存在,所有的加密和解密操作都在客户端进行,这样就减轻了服务器的负担,使得系统的效率得到提高。系统的四个实体相互合作,完成对用户文件操作的所有功能。EncFS的设计重点关注于4个方面:首先,除客户端用户以外,系统中任何其他实体都不能看到文件的明文信息;第二,文件存储服务器面向网络,用户从客户端直接通过网络从存储服务器访问文件,网络上传输的只是密文数据;第三,每个文件都有自己的密钥,这个密钥使用用户的密钥保护,和文件一起保存,用户通过提供自己的合法密钥得到文件密钥;最后,客户端和文件存储服务器端之间的信息传输要进行完整性验证,对传输数据的任何篡改立刻能够被察觉。文章最后对EncFS系统进行了安全性和效率分析,证明加密文件系统的体系结构在提高安全性的同时也有较高的效率。
英文摘要: With the development of computer science and the development of communication technology, Information Security was becoming more and more important. Keeping information in secret is an important means to guarantee information security by prohibiting invalid person from achieving secrete data. Cryptography is an important method to achieve information secrecy. By using encryption, peoples can store their important data in insecure computers, or can transfer these data in insecure network environment. But, introducing cryptography can inevitably impair the system's efficiency. It is an important issue to study how to reduce the negative influence on the system made by cryptography. A very secure system cannot be widely used if it's efficiency is too low. In this paper, I introduced an encrypted file system(EncFS) which be developmented on Iinux operating system. In EncFS, there are four most important entities: file storage server, client, authentication server and key escrow server. The file storage server only saves the file's encrypted data; the authentication server takes charge in the authenticating of user's identity; the key ecsrow server retain user's key which is dropped by user but perhaps should be used to access file, only when the keys are never used to access files, they can be removed by the key escrow server fomi the system; users use clients to access their files. All the data transferred between the client and the file storage server are encrypted data, and one cannot get the clear data if he donot have a key. In order to guarantee the system's efficiency, the file storage server only behave as a storage device, all the encryption and decryption operations are performed in the client. By this means, the storage server can work more efficiently and the system performed very well. The four entities of EncFS cooperate to help users to access their files. During the designing of EncFS, I paid more attention to four aspects. Firstly, none of the entities except the client can see file's clear data; Secondly, the file storage server was attached to the network. The client access files directly by network, not by any mid-entity. All the data transferred by net are encrypted dada, eavesdrop can not harm the system's security; Thirdly, each file has its own key. This key is protected by users secret key and stored with the file. One user can get the file's key using his own secret key. Finally, the client and the file storage server should verify the integrity of the data gotten from the opposing entity. Any tamper or resending of the data will be detected and rejected. At the end of this paper, I fully analyzed the security and the efficiency of the system. Proved that EncFS's architecture can greatly improve the system's security and also has a good performance.
语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/6620
Appears in Collections:中科院软件所

Files in This Item:
File Name/ File Size Content Type Version Access License
LW011226.pdf(3146KB)----限制开放-- 联系获取全文

Recommended Citation:
魏丕会. 基于linux系统的加密文件系统的设计与实现[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2003-01-01.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[魏丕会]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[魏丕会]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace