US007596695B2
`
`(12) United States Patent
`Liao et al.
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 7,596,695 B2
`Sep. 29, 2009
`
`(54) APPLICATION-BASED DATA ENCRYPTION
`SYSTEMAND METHOD THEREOF
`
`2004/0091114 A1* 5/2004 Carter et al. ................ 380,259
`2004/0172538 A1* 9, 2004 Satoh et al. ...
`... 713/175
`
`(75) Inventors: Wen-Chiuan Liao, Hsinchu (TW);
`Jun-Bin Shi, Dounan Township (TW)
`s
`(73) Assignee: Industrial Technology Research
`Institute, Hsinchu (TW)
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 682 days.
`(21) Appl. No.: 10/981,127
`
`(*) Notice:
`
`(22) Filed:
`(65)
`
`2005, 0125684 A1* 6/2005 Schmidt ..................... T13/200
`2005/0235145 A1 * 10/2005 Slicket al. .................. T13,165
`2005/0278527 A1* 12/2005 Liao et al. ................... T13,165
`
`OTHER PUBLICATIONS
`
`“Linux Encryption HOWTO” by Marc Mutz, v0.2.2; Oct. 4, 2000.*
`Title:A parallel algorithm for determining the inverse of a matrix for
`use in blockcipher encryption/decryption. Source :Journal of
`Supercomputing, {J-Supercomput-Netherlands, Feb. 2007, vol.39,
`No. 2, p. 113-30, 20 refs, CODEN: JOSUED, ISSN: 0920-8542.
`Nov. 4, 2004
`Publisher Kluwer Academic Publishers, Netherlands."
`Prior Publication Data
`Title:ID-based threshold decryption secure against adaptive chosen
`ciphertext attack. Source :Computers and Electrical Engineering,
`US 2005/0278.527 A1
`Dec. 15, 2005
`{Comput-Electr-Eng-UK, May 2007, vol. 33, No. 3, p. 166-76, 20
`O
`O
`refs, CODEN: CPEEBO, ISSN: 0045-7906. Publisher: Elsevier,
`Foreign Application Priority Data
`(30)
`Jun. 10, 2004
`(TW) .............................. 93.116656. A UK."
`(51) Int. Cl.
`(Continued)
`(2006.01)
`H04L 29/06
`Primary Examiner Kambiz Zand
`E. c - - - - - ificati- - - - - -s - - - - -
`13/165; 380,
`Assistant Examiner—Monjour Rahim
`OSSO Sea
`.................
`74) Attorney, Agent,
`Firm—Thomas, Kayden,
`s
`380/28, 37,277, 44, 259, 713/175, 200, Rtagg, or firm
`nomas, sayden
`y
`y
`713/165, 194; 726/7
`See application file for complete search history.
`(57)
`ABSTRACT
`References Cited
`
`..
`
`(56)
`
`An application-based data encryption method implemented
`U.S. PATENT DOCUMENTS
`in an operating system. When receiving system calls for writ
`4,780,905 A * 10/1988 Cruts et al. ................... 380/44
`ing data opened by an application, the operating system
`5,584,023 A 12, 1996 Hsu ........................... 707,204
`-
`5,757,908 A * 5/1998 Cooper et al. ............... T13,165
`6,185,681 B1
`2/2001 Zizzi .......................... ... encrypts the data utilizing an encryption key. When receiving
`6,249,866 B1
`6/2001 Brundrett et al. ............ T13,165
`system calls for reading data requested by the application, the
`6,259,789 B1* 7/2001 Paone.............
`... 380/28
`operating system decrypts the data utilizing a decryption key.
`6,363.486 B1* 3/2002 Knapton, III .................. 726/7
`The encryption key and the decryption key may be the same
`7,200,760 B2 * 4/2007 Riebe et al. .....
`713,194
`key Or tWO different keys.
`7,221,757 B2* 5/2007 Alao ...........
`... 380,37
`2003/O123667 A1* 7, 2003 Weber et al. .
`... 380.277
`2004/0057579 A1* 3/2004 Fahrny ........................ 380/44
`
`24 Claims, 9 Drawing Sheets
`
`File header
`value of
`encryption
`bit = 0
`
`420
`
`421
`
`430
`
`
`
`
`
`
`
`480
`
`
`
`Designation model
`
`201
`
`File header
`
`Key encryption model
`
`Application key
`
`Key generation model
`
`value of encryption
`
`470
`Eaced Encrypted application
`key
`
`410a
`
`Executable file
`
`Program security
`utility
`
`200
`
`Executable file
`
`APPLE 1022
`
`1
`
`

`

`US 7,596,695 B2
`Page 2
`
`OTHER PUBLICATIONS
`Gerald J. Popek: Encryption and Secure Computer Networks; Com
`puting Surveys, vol. 11, No. 4. Dec. 1979: pp. 1-16.*
`
`“Linux Encryption How To' Mutz; 2000; http://encryptionhowto.
`sourceorge.net/Encryption-HOWTO-1.html.
`* cited by examiner
`
`2
`
`

`

`U.S. Patent
`U.S. Patent
`
`Sep. 29, 2009
`Sep. 29, 2009
`
`Sheet 1 of 9
`Sheet 1 of 9
`
`US 7,596,695 B2
`US 7,596,695 B2
`
`:
`:
`
`
`
`DOTE-—
`
`noneonddy
`
`AIOUIITA,
`
`raatesoudAry
`
`(uy10d)b‘SIs
`
`
`
`wiasAsJACTA
`
`3
`
`
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 2 of 9
`
`US 7,596,695 B2
`
`Application-based data
`encryption system
`
`designation
`model
`
`key generation
`model
`
`kev encryption
`program
`Security utility Nias ryp
`
`2O2
`
`2O3
`
`crypto operating System
`
`process management
`System
`
`file management System
`
`
`
`300
`
`201
`
`200
`
`100
`
`40
`
`20
`
`30
`
`50
`
`FIG. 2
`
`4
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 3 of 9
`
`US 7,596,695 B2
`
`An administrative authority is required for assigning
`an application a Secure State
`
`Utilizing the administrative authority
`
`Assigning an application the Secure State
`
`Acquiring an executable file of the application
`
`Recording designation in the executable file
`
`Providing a system key
`
`Providing an application key
`
`Encrypting the application key utilizing the system
`key to generate an encrypted application key
`
`S3
`
`S4
`
`S5
`
`S6
`
`S8
`
`SO
`
`S12
`
`S14
`
`FIG 3
`
`5
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 4 of 9
`
`US 7,596,695 B2
`
`
`
`ºpoo uupuñou?
`
`[07
`
`ZOZ
`
`00Z
`
`
`
`
`
`
`
`Topolu u?o?eJou.33 KOSI
`
`6
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 5 of 9
`
`US 7,596,695 B2
`
`
`
`
`
`0ZHovejustUeseueyed
`Lowneeeee
`
`
`
`
`
`ayoJayinwaysAs
`
`401'woI—~{uoneoyddy|-++|uonesyddy||voneoyddy|—eo1opoulJasq)
`
`Co
`
`i|
`
`apourw9skS
`
`ssa001g
`
`Lobo
`
`7
`
`
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 6 of 9
`
`US 7,596,695 B2
`
`Start
`
`Preprocessing
`
`S510
`
`Reading file header 420b
`
`S520
`
`S530
`
`
`
`
`
`Yes
`
`Determining the value
`of encryption bit 421b
`
`S540
`
`Setting the value of corresponding
`encryption bit 421c to "1"
`
`S550
`
`Reading encrypted application key
`440 from Excutable file 410b
`
`S560
`
`
`
`Decrypting encrypted application
`key 440 to acquire and store
`application key 470 in process
`data structure 610
`
`FIG. 6
`
`8
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`
`
`0¢9O19
`
`AveOIL
`
`
`
`ByepSSdd01g
`
`
`
`WOTJEULLOFULOIE
`
`
`
`aimjonnseyep
`
`Sheet 7 of 9
`
`0c9
`
`US 7,596,695 B2
`
`LOld
`
`
`
`sInjonyyjsbyep
`
`
`
`0¢9Joyutod9[L.J
`
`
`
`UONCUWIOJULSITY
`
`
`
`ginjonyjseyep
`
`Joyutod31
`
`TONVULIOFULOIE
`
`AayuoneorddyOLY
`
`yoyutodAveoly119
`
`osoJoyutodICVyquondAroUg ainjonys9]1J
`
`9
`
`
`
`
`
`
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 8 of 9
`
`US 7,596,695 B2
`
`Start
`
`Issuing a write system call
`
`S300
`
`Passing the write system
`call to the file system
`
`Passing the write system
`call to crypto driver 30
`
`S310
`
`S320
`
`S330
`
`
`
`
`
`Determining
`whether application
`10a is assigned the
`SeCure State
`
`
`
`No
`
`
`
`
`
`
`
`
`
`
`
`
`
`Acquiring application key
`470 from process data
`Structure 610
`
`Encrypting data utilizing
`application key 470 to
`generate encrypted data
`
`S340
`
`S350
`
`Passing the write System
`call to hardware driver 50
`
`S360
`
`Storing the encrypted data
`into storage device 140
`
`S370
`
`End
`
`FIG. 8
`
`10
`
`

`

`U.S. Patent
`
`Sep. 29, 2009
`
`Sheet 9 of 9
`
`US 7,596,695 B2
`
`Start
`
`S200
`
`Issuing read System call
`
`S210
`
`Passing the read system
`call to a file system
`
`S240
`
`S220
`
`Passing the read system
`call to crypto driver 30
`
`Reading data from
`storage device 140
`
`Passing the read system
`call to hardware driver 50
`
`S250
`
`
`
`
`
`Determining
`whether application
`10a is assigned the
`Secure State
`
`
`
`No
`
`
`
`
`
`
`
`S230
`
`Acquiring application
`key 470 from process
`data structure 610
`
`Decrypting the data using
`application key 470 to
`generate plain text data
`
`Passing the plain text
`data to application 10a
`
`S280
`
`End
`
`FIG. 9
`
`11
`
`

`

`1.
`APPLICATION-BASED DATA ENCRYPTION
`SYSTEMAND METHOD THEREOF
`
`US 7,596,695 B2
`
`BACKGROUND
`
`5
`
`10
`
`15
`
`25
`
`30
`
`The invention relates to data encryption, and in particular
`to a method of encrypting data utilizing an operating system
`according to the state of the application and Supervisory defi
`nition.
`With popularity of Internet and intranet, and usage of por
`table memory devices, document security has become a sig
`nificant issue.
`U.S. Pat. No. 6.249,866 discloses a data encryption method
`employing designation of a directory or a file to be encrypted.
`Any user, however, can demand the designation. In addition,
`encryption and decryption keys can be provided by any user.
`Thus, general users can easily obtain or copy plain text data
`without requiring authorization.
`A document “Linux Encryption HOWTO” by Marc Mutz
`discloses a data encryption method wherein a security disk
`Volume is presented.
`In the method, encryption and decryption keys are obtained
`by general users. When sharing encrypted files, it is necessary
`to disclose and share decryption keys to other users for access
`to the encrypted files. With the decryption keys, other users
`can easily decrypt the encrypted files stored in the security
`disk volume. Thus, the method cannot prevent risks to critical
`data.
`In addition, if encrypted data in the security disk Volume is
`copied to another Volume, the data is first decrypted to plain
`text data.
`U.S. Pat. No. 6,185,681 discloses another data encryption
`method providing encryption to electronic document man
`agement (EDM) systems without updating original EDM
`systems. A crypto server disclosed in the patent is responsible
`35
`for the encryption functions.
`FIG. 1 is a schematic diagram of the method. Memory a100
`comprises application all, EDM system a12, and crypto
`server a13. When application all issues commands compris
`ing “close”, “save' or “save as for a file, crypto server a13
`saves corresponding events and determines whether to
`encrypt the file. If the file is to be encrypted, crypto servera13
`encrypts the file and provides encrypted file to EDM a12.
`EDM a12 then performs corresponding “close”, “save' or
`“save as operations for the encrypted file. When application
`all issues an “open command for a file, crypto server a13
`saves corresponding events and determines whether to
`decrypt the file. If the file is to be decrypted, crypto servera13
`decrypts the file and provides the decrypted file to EDMa12.
`EDMa12 then performs the corresponding “open’ command
`50
`for the decrypted file.
`Application all and EDMa12 must conform to open docu
`ment management API (ODMA) standard. If application all
`or EDMa12 does not conform to the ODMA standard, crypto
`server a13 cannot save above-described events. In addition,
`crypto server a13 may be removed without affecting the entire
`EDM system a12 and operation thereof. If crypto server a13
`is removed, files managed by EDM system a12 cannot be
`automatically encrypted.
`Hence, there is a need for a new data encryption method to
`ameliorate the problems described above.
`
`40
`
`45
`
`55
`
`60
`
`SUMMARY
`
`Accordingly, an embodiment of the invention provides an
`application-based data encryption method, implemented in
`an operating system. Data opened by an application is
`
`65
`
`2
`encrypted utilizing an encryption key in response to each
`system call received by the operating system for storing data.
`Data requested by the application is decrypted utilizing a
`decryption key in response to each system call received by the
`operating system for reading data. The encryption key and the
`decryption key may comprise the same or two different keys.
`Additionally, applications may be designated to a secure
`state. When receiving a data write or read system call, encryp
`tion and decryption are automatically performed in respective
`response to the write and read system call only if an applica
`tion issuing the system call is in the secure state.
`An embodiment of the invention also provides an applica
`tion-based data encryption system comprising an operating
`system. The operating system comprises a crypto driver. The
`crypto driver encrypts data opened by an application utilizing
`an encryption key when the operating system receives any
`system call for storing data. The crypto driver decrypts data
`requested by the application utilizing a decryption key when
`the operating system receives any system call to read the data.
`The encryption key and the decryption key may comprise the
`same or two different keys.
`An embodiment of the invention may further comprise a
`program security utility. The program security utility desig
`nates applications assuming a secure state. When receiving a
`data write or read system call, an operating system automati
`cally performs encryption and decryption in respective
`response to the write and read system call only if the appli
`cation issuing the system call is in the secure state.
`
`DESCRIPTION OF THE DRAWINGS
`
`The invention can be more fully understood by reading the
`Subsequent detailed description and examples with refer
`ences made to the accompanying drawings, wherein:
`FIG. 1 is a schematic diagram of a conventional data
`encryption method;
`FIG. 2 is a schematic diagram of an application-based data
`encryption system of an embodiment of the invention;
`FIG.3 is a flowchart of secure state designation performed
`by a program security utility according to an embodiment of
`the invention;
`FIG. 4 is a schematic diagram of secure state designation in
`an embodiment of the invention;
`FIG. 5 is a schematic diagram of a computer system in an
`embodiment of the invention;
`FIG. 6 is a flowchart of executable file loading according to
`an embodiment of the invention;
`FIG. 7 is a schematic diagram of runtime data structure of
`an application in an embodiment of the invention;
`FIG. 8 is a flowchart of data writing of the application
`based data encryption method according to an embodiment of
`the invention; and
`FIG. 9 is a flowchart of data reading of the application
`based data encryption method according to an embodiment of
`the invention.
`
`DETAILED DESCRIPTION
`
`The invention provides an application-based data encryp
`tion method and system capable of encrypting data using an
`operating system according to the state of the application and
`Supervisory definition.
`In FIG. 2, application-based data encryption system 300
`comprises a program security utility 200 and a crypto oper
`ating system 100.
`Program security utility 200 comprises a designation
`model 201, key generation model 202 and key encryption
`
`12
`
`

`

`US 7,596,695 B2
`
`10
`
`15
`
`3
`model 203. Designation model 201 assigns an application a
`secure State. Key generation model 202 generates application
`keys for applications. Key encryption model 203 encrypts
`application keys.
`Crypto operating system 100 comprises a file management
`system 20, a crypto driver 30, a process management system
`40 and hardware driver 50. File management system 20 man
`ages file systems. Crypto driver 30 encrypts data output to an
`input/output device and decrypts data input from the input/
`output device. Process management system 40 manages pro
`cesses in crypto operating system 100. Hardware driver 50
`drives the input/output device. The input/output device may
`comprise a hard disk drive, a disc drive, a floppy disk drive, a
`network attached disk drive, or other storage device. Crypto
`driver 30 may be included in file management system 20 or
`integrated into crypto hardware.
`Program security utility 200 assigns an application a secure
`state. Crypto operating system 100 is capable of managing
`cipher text or plain text files. Specifically, crypto operating
`system 100 is capable of encrypting data opened by an appli
`cation before storage to a device or decrypting encrypted data
`requested by the application after the encrypted data is read
`from the storage device according to the state of the applica
`tion. File management system 20 instructs crypto driver 30 to
`perform encryption or decryption.
`FIG. 3 is a flowchart of operation of program security
`utility 200, which may comprise a portion of crypto operating
`system 100, an application or a portion thereof. Program
`security utility 200 requires that all procedures related to
`assigning an application the secure state must be performed
`utilizing a Supervisory authority (step S3) from an adminis
`trator. Users other than the administrator are referred to as
`general users. Program security utility 200 allows the admin
`istrator to instruct all procedures related to designating an
`application to the secure state (step S4). User authentication
`and limitation may be implemented automatically by crypto
`operating system 100 or manually by administrative person
`nel.
`An administrator uses program security utility 200 to
`assign an application the secure state (step S5). Program
`security utility 200 acquires an executable file of the applica
`tion (step S6) and records designation in the executable file
`(step S8), assigning a secure status. The designation informa
`45
`tion can comprise an encryption bit in the header of the
`executable file in which value, for example, “0” assigns non
`secure state and value “1” secure state.
`Additionally, a cipher text record (not shown) may store
`identification of applications in the secure State and encryp
`tion and decryption keys corresponding thereto. In this case,
`crypto operating system 100 loads the cipher text record.
`When I/O operations for write or read occur, crypto driver 30
`retrieves information stored in the cipher text record to deter
`mine whether the applications are in the secure state and
`acquire corresponding encryption and decryption keys.
`Crypto driver 30 may determine whether to perform encryp
`tion or decryption in response to the I/O operations issued by
`the application utilizing the cipher text record. Encryption
`and decryption are performed utilizing encryption and
`decryption key stored in the cipher text record if necessary.
`The encryption key and the decryption key may comprise the
`same or two different keys according to employed cryptog
`raphy architecture.
`In FIG. 4, executable file 410a is a disk image file of an
`application not designated, and comprises file header 420 and
`program code 430. File header 420 comprises an encryption
`
`55
`
`4
`bit 421, the value of which is “0”. Program security utility 200
`processes executable file 410a to generate executable file
`410b.
`Executable file 410b comprises file header 420b, program
`code 430b and encrypted application key 440. Content of
`program code 430b is the same as that of program code 430.
`Value of encryption bit 421b included in file header 420b has
`been designated as “1” by designation model 201.
`System key 480 is provided to crypto operating system 100
`for decrypting encrypted application key 440 (step S10) can
`be saved as a file or in a memory device. System key 480 may
`be provided by program security utility 200 or others. For
`example, system key 480 and application key 470 may be
`embedded keys of crypto operating system 100.
`Key generation model 202 provides application key 470
`(step S12). Key encryption model 203 encrypts application
`key 470 utilizing system key 480 to generate encrypted appli
`cation key 440 (step S14). Data access by the application of
`executable file 410a is encrypted or decrypted utilizing appli
`cation key 470 decrypted from encrypted application key
`440. System key 480 and application key 470 conform to
`symmetric cryptography and can be used as encryption and
`decryption keys, but are not limit thereto. For example, when
`conforming to asymmetric cryptography, at least system key
`480 or application key 470 may comprise an encryption key
`and a decryption key.
`Thus, only an administrator can assign an application the
`secure State and maintain application key 470 and system key
`480. General users cannot easily obtain or change application
`key 470 and system key 480 and cannot cancel the security
`designation.
`Program security utility 200 can designate crypto operat
`ing system 100 to the secure state. If in the secure state, crypto
`operating system 100 performs corresponding encryption or
`decryption operations for all output or input data of all appli
`cations.
`In FIG. 5, memory 120 comprises a plurality of applica
`tions 10a-10n in a user mode and crypto operating system
`100 in a system mode. Applications 10a-10n comprise appli
`cations loaded in main memory 120 and executed by the
`computer system while crypto operating system 100 is shown
`in a Linux-based or UNIX-based framework, the application
`based data encryption method of the invention may be imple
`mented in other operating systems.
`Application 10a comprises application of executable file
`410a. Description of loading application 10a is shown in
`given by referring to FIG. 4 to 7.
`In FIG. 6, first, process management system 40 performs
`loading preprocessing (step S510) allocating run time data
`structure of application 10a, as shown in FIG. 7.
`FIG. 7 is a schematic diagram of runtime data structure of
`application 10a, in which process data structure 610 com
`prises encryption bit 421c, application key 470, and file array
`pointer 611. Application key 470 is used by crypto driver 30
`for decrypting data after reading from storage device 140 or
`for encrypting data before storage in storage device 140. File
`array pointer 611 records address of file array 620. File array
`620 records address of file information data structure 630
`comprising all files opened, read, or written by the run time
`process of process data structure 610. File information data
`structure 630 enables file management system 20 to calculate
`addresses offiles in storage device 140 required for reading or
`writing the files.
`After load preprocessing, process management system 40
`reads file header 420b (step S520) and determines the value of
`encryption bit 421b to record corresponding designation
`information in process data structure 610 (step S530). If
`
`25
`
`30
`
`35
`
`40
`
`50
`
`60
`
`65
`
`13
`
`

`

`US 7,596,695 B2
`
`5
`
`10
`
`15
`
`25
`
`30
`
`40
`
`5
`encryption bit 421b is “1”, executable file 410b is in the
`secure state. Thus, process management system 40 sets the
`value of corresponding encryption bit 421C in process data
`structure 610 to “1” (step S540), reads encrypted application
`key 440 from executable file 410b (step S550) and decrypts
`encrypted application key 440 using system key 480 to
`acquire and store application key 470 in process data structure
`610 (step S560). Application key 470, however, may be stored
`in other data structure. Encrypted application key 440 may
`not be decrypted until encryption or decryption.
`If encryption bit is “0”, process management system 40
`directly performs loading postprocessing to allocate memory
`capacity for application 10a (step S570).
`When applications 10b-10n are not assigned the secure
`state, input and output operations thereofare performed as if
`crypto driver 30 is not present. If application 10a has been
`assigned the secure state, input and output operations of
`applications 10a activate decryption or encryption accord
`ingly.
`Virtual file system 22 in FIG. 5 provides a standardized file
`operation interface through which file operations, such as
`open, read, write, or lseek operations, are conveyed to dedi
`cated file systems. File systems 24a-24n is responsible for
`managing allocation, storage or access of files in specific
`volumes of storage device 140. Different file systems may
`provide different file management mechanisms. File systems
`24a-24n must calculate the address of a data set in Storage
`device 140 before writing or reading thereof. Hardware driver
`50 controls hardware for actual data input or output. Crypto
`driver 30 decrypts data for read requests before providing the
`data to an application requesting the data and encrypts data
`for write requests before passing the data to hardware driver
`50. Buffer cache 26 is responsible for temporarily storing data
`to increase efficiency of file systems 24a-24n. Process man
`agement system 40 provides encryption and decryption keys
`35
`to crypto driver 30.
`FIG. 8 is a flowchart of data writing steps, including auto
`encryption. First, application 10a passes a write request to file
`management system 20 via a write system call (step S300).
`The write system call is issued to write a data set to storage
`device 140. Virtual file system 22 of file management system
`20 determines the file system to which the data set belongs
`and then passes the write request to the file system (step
`S310). The file system 24 calculates the address of the data set
`in storage device 140 based on file information data structure
`630 and passes the write request to crypto driver 30 (step
`S320). Crypto driver 30 identifies encryption bit 421c to
`determine whether application 10a is assigned the secure
`state (step S330). If application 10a is assigned the secure
`state, the data set is determined to be encrypted before written
`into storage device 140, and step S340 is performed. If not,
`step S360 is performed directly. Crypto driver 30 acquires
`application key 470 from process data structure 610 (step
`S340) and encrypts the data set utilizing application key 470
`to generate a encrypted data set (step S350). Crypto driver 30
`passes the write request to hardware driver 50 (step S360).
`Hardware driver 50 stores the encrypted data set into storage
`device 140 (step S370), completing auto encryption process
`in response to the write system call.
`FIG. 9 is a flowchart of data reading steps including auto
`decryption. First, application 10a passes a read request to file
`management system 20 via a read system call (step S200).
`The read system call is issued to read a data set from Storage
`device 140. Virtual file system 22 of file management system
`20 determines the file system to which the data set belongs
`and passes the read request to the file system (step S210). The
`file system calculates the address of the data set in Storage
`
`55
`
`45
`
`50
`
`60
`
`65
`
`6
`device 140 based on file information data structure 630 and
`passes the read request to crypto driver 30 (step S220). Crypto
`driver 30 passes the read request to hardware driver 50 (step
`S230). Hardware driver 50 reads the data set from storage
`device 140 into buffer cache 26 (step S240). Crypto driver 30
`identifies encryption bit 421C to determine whether applica
`tion 10a is assigned the secure state (step S250). If application
`10a is assigned the secure state, the set of data is determined
`to be cipher text and determined to be decrypted, and step
`S260 is performed. If not, step S280 is performed directly.
`Crypto driver 30 acquires application key 470 from process
`data structure 610 (step S260) and decrypts the data set using
`application key 470 to generate a plain text data set (step
`S270). Crypto driver 30 passes the plain text data set to file
`management system 20. File management system 20 pro
`vides the plain text data set to application 10a (step S280),
`completing auto decryption in response to the read system
`call.
`The invention can be implemented in devices, such as
`computers, Network Attached Storage (NAS), Storage Area
`Network (SAN), or others, such as digital cameras or video
`game devices.
`While the invention has been described by way of example
`and in terms of the preferred embodiment, it is to be under
`stood that the invention is not limited thereto. To the contrary,
`it is intended to cover various modifications and similar
`arrangements (as would be apparent to those skilled in the
`art). Therefore, the scope of the appended claims should be
`accorded the broadest interpretation so as to encompass all
`Such modifications and similar arrangements.
`What is claimed is:
`1. An application-based data encryption system, compris
`1ng:
`a first executable file, further comprising a first file header
`and a first program code, wherein the first file header
`comprises a first encryption bit;
`a second executable file, further comprising a second file
`header, a second program code, and an encrypted appli
`cation key, wherein the second file header comprises a
`second encryption bit;
`a system key:
`a program security utility, further comprising:
`a key generation model, providing an application key:
`and
`a key encryption model, encrypting the application key
`utilizing the system key to generate the encrypted
`application key:
`wherein the program security utility processes the first
`executable file to generate the second executable file;
`and
`a crypto operating system, decrypting the encrypted appli
`cation key using the system key, further comprising:
`a file management system, further comprising:
`a virtual file system, when the file management sys
`tem receives a write system call corresponding to
`an application, determining a file system to which a
`file to be written for the application belongs and
`then passing a write request to the determined file
`system; and
`a file system, when the write request is received, cal
`culating a specified address of the file to be written
`in a storage device based on a file information data
`structure corresponding to the application and
`passing the write request;
`a crypto driver, receiving the write request from the
`file system, identifying an encryption bit of a pro
`cess data structure corresponding to the application
`
`14
`
`

`

`US 7,596,695 B2
`
`5
`
`10
`
`15
`
`30
`
`35
`
`45
`
`25
`
`7
`to determine whether the application is assigned a
`secure state, acquiring the application key from the
`process data structure if the application is assigned
`the secure state, and encrypting the file to be written
`utilizing the application key to generate an
`encrypted file; and
`hardware driver, retrieving the write request from the
`crypto driver and writing the encrypted file into the
`specified address of the storage device.
`2. The system as claimed in claim 1, wherein the first
`encryption bit is “0”.
`3. The system as claimed in claim 1, wherein the first
`executable file is a disk image file of an application not
`designated.
`4. The system as claimed in claim 1, wherein the second
`encryption bit is “1”.
`5. The system as claimed in claim 1, wherein the system
`key is saved as a file or in a memory device.
`6. The system as claimed in claim 1, wherein the system
`key is provided by the program security utility.
`7. The system as claimed in claim 6, wherein the system
`key and the application key are embedded keys of the crypto
`operating system.
`8. The system as claimed inclaim 1, wherein data access by
`an application of the second executable file is encrypted or
`decrypted utilizing the application key decrypted from the
`encrypted application key.
`9. The system as claimed in claim 1, wherein the system
`key or the application key comprises an encryption key and a
`decryption key.
`10. The system as claimed in claim 1, further comprising a
`process management system, wherein the program security
`utility and the process management system further designates
`the crypto operating system to the secure state.
`11. The system as claimed in claim 10, wherein the crypto
`operating system in the secure state performs corresponding
`encryption or decryption operations for all output or input
`data of all applications.
`12. An application-based data encryption method, com
`40
`prising:
`providing a system key, a first executable file, and a second
`executable file, wherein the first executable file com
`prises a first file header and a first program code and the
`first file header comprises a first encryption bit, and the
`Second executable file comprises a second file header, a
`Second program code, and an encrypted application key
`and the second file header comprises a second encryp
`tion bit;
`providing a program security utility, further comprising:
`a key generation model, providing an application key; and
`a key encryption model, encrypting the application key
`utilizing the system key to generate the encrypted appli
`cation key:
`processing the first executable file to generate the second
`executable file using the program security utility; and
`decrypting the encrypted application key according to the
`System key using a crypto operating system, wherein the
`crypto operating system comprises a file management
`System, a crypto driver, and hardware driver and, when
`the file management system receives a write system call
`corresponding to an application, the method further
`comprises:
`determining a file system to which a file to be written for
`the application belongs and then passing a write
`request to the determined file system using a virtual
`file system;
`
`50
`
`55
`
`60
`
`65
`
`8
`when the write request is received, calculating a speci
`fied address of the file to be written in a storage device
`based on a file information data structure correspond
`ing to the application and passing the write request to
`the crypto driver using