KR100346411B1 - Automatic Encryption and Decrytion Method of File and Moving Method of File Pointer Using Thereof, and Computer Readable Recording Medium Having Thereon Programmed Automatic Encryption and Decrytion Method of File and Moving Method of File Pointer Using Thereof - Google Patents

Abstract

The present invention relates to a method of automatically encrypting and decrypting a file in kernel mode, a method of moving a file pointer using the same, and a computer-readable recording medium having recorded thereon a program. According to the present invention, when a user process of a Unix-based operating system (OS) attempts to write a file to a storage device (disk, diskette, CD-ROM, etc.) regardless of the user's intention in the kernel mode of the OS Automatically block-encrypts and stores files, and also automatically decodes all data or only partial data as needed in kernel mode when reading these files. In addition, when the file pointer is moved in the file encrypted according to the present invention, the file pointer movement amount is calculated based on the calculated amount of file pointer movement while automatically performing block decryption according to the present invention. The recording medium according to the present invention includes a method of automatically encrypting and decrypting a file in the kernel mode, and a method of moving a file pointer using the same, and recording the same on a predetermined recording medium so as to be read by a computer.

Description

Automatic Encryption and Decryption Method of File and Moving Method of File Pointer Using Thereof , and Computer Readable Recording Medium Having Thereon Programmed Automatic Encryption and Decrytion Method of File and Moving Method of File Pointer Using Thereof}

The present invention relates to a file security method in a Unix-like operating system (OS), and more particularly, when a user process writes data to a storage device, the data is automatically transferred in a kernel mode of the OS. To store and encrypt encrypted data, and to automatically decrypt all or as much data as necessary in kernel mode, to move file pointers based on them, and to program them. The present invention relates to a recording medium which can be read by.

Recently, security problems such as secret level information stored in computer storage devices, such as auxiliary storage devices, are illegally hijacked through a communication network or a storage medium, or lost or leaked by an owner's mistake.

The encryption and decryption of data in the conventional OS is a method of selectively encrypting and decrypting data in units of files by inputting an encryption and decryption key after a user selectively specifies a file using an encryption application program in a user mode. Used.

However, the problem in this manner is as follows.

First, when a secret file is created, a user's mistake or intentional encryption may occur.

Second, in case of reading or modifying a file in a document writing program, accounting processing program or other application program, it is inevitable to decrypt the whole file and store and process it. This form of plain text was often stored and maintained in an auxiliary memory device.

Third, in terms of processing speed, it is slower than encryption and decryption in kernel mode.

Fourth, a separate key management method for key management for encryption and decryption should be provided.

In conclusion, encryption and decryption in the user mode are cumbersome for the user, and inherent in security inefficiencies of the OS inefficiency and the secret level file processing.

Therefore, the technical problem to be achieved by the present invention is to automatically encrypt and store a file in the kernel mode of the OS when a user process tries to write a file in a Unix-like OS, and in kernel mode to read the encrypted file. It is to provide a method to automatically decrypt the entire file or the required size of data.

Another technical problem to be solved by the present invention is that a file having a security level is automatically and compulsorily existing in the kernel automatically and compulsorily regardless of the user's encryption specification without missing the encryption process due to a user's mistake. The present invention provides a method for performing encryption and decryption by a key.

Another technical problem to be solved by the present invention is to provide an improved encryption and decryption method capable of partial encryption and decryption of file contents required by a document creation program, an accounting program, and the like, which does not require decryption of the entire file unit.

Another technical problem to be solved by the present invention is to achieve a high-speed processing of file encryption and decryption by using a key implanted in a system, rather than by a user granting an encryption and decryption key when encrypting and decrypting a file. will be.

Another technical problem to be achieved by the present invention is to provide a modified file pointer movement system calling method using the file decryption method provided in the present invention.

Another object of the present invention is to provide a computer-readable recording medium in which the methods provided by the present invention are programmed and recorded.

1 is a block diagram schematically illustrating a file system for a kernel of a UNIX-based OS to which the present invention is applied.

2A is a flowchart schematically illustrating a kernel system write system call (sys_write) process according to the present invention.

2B shows an example of decrypting a file of 48 bytes encrypted according to the present invention.

Fig. 2C shows an example of a connection list in which 40 bytes are encrypted and constructed in a memory according to the present invention.

FIG. 2D illustrates a case of performing a 40-byte write operation according to the present invention when the current file pointer is in the 13th byte position of the first block.

3A is a flowchart schematically illustrating a kernel system read system call (sys_read) process according to the present invention.

Figure 3B shows a decrypted 48-byte file encrypted in accordance with the present invention.

3c shows valid data when there is a 20 byte read request according to the present invention when the current file pointer is in the 13 th byte position of the first block.

Figure 3d shows a concatenated list constructed in memory by decoding 20 bytes according to the present invention.

Figure 3e shows the contents of the buffer to be returned to the user process.

Figure 3f shows an example of file pointer movement made in accordance with the present invention after a read system call has taken place.

4A is a flowchart schematically illustrating a process of calling a file pointer movement system in a kernel mode (sys_lseek) according to the present invention.

4B illustrates an example of moving the file pointer according to the present invention in the case of + offset.

Figure 4c shows an example of moving the file pointer according to the present invention in the case of -offset.

4D illustrates an example of a connection list configured in a memory after reading and decoding in units of blocks while moving a file pointer in the case of ± offset.

A method for automatically encrypting a file in kernel mode according to the present invention for achieving the above technical problem includes a first area in which data is actually stored and a second area in which the number of data contained in the first area is stored. A method of automatically encrypting data newly requested from a user process in a kernel unit of a 1 byte size in kernel mode of a Unix-like OS, and includes the following steps.

First, (a) the process of the user logging into the system makes a write system call to the kernel to write the second byte of data stored in the buffer to storage. Subsequently, (b) the number of blocks necessary for encrypting the data of the second byte is calculated in consideration of the second byte and the number of bytes constituting the first region. Then, (c) for each of the blocks calculated in step (b), copy the data requested for writing in the first area into the buffer as needed, and the number of data contained in the first area in the second area. Next, the data stored in the first area and the second area is encrypted by the first byte unit using a predetermined encryption algorithm, and a connection list of the corresponding block is constructed in the memory. Then, (d) write a connection list for each block configured in the memory to the storage device.

In the present invention, before proceeding with the step (c), the method may further include checking whether the position of the current file pointer is the beginning of the block and moving the position of the file pointer to the beginning of the block according to the result.

In the present invention, the second area is an area used for recording the number of valid data recorded in the first area, and may be a predetermined area in the block. For example, the second region may be the first byte position or the last byte position of the block.

In the present invention, the number of blocks to be encrypted in the step (b) may be calculated by dividing the second byte by the number of bytes constituting the first area and adding 1 to the integer quotient.

In the present invention, after the step (d), the method may further include performing an encryption marking on the security level field assigned to the reserved field of the i-node of the encrypted file.

In the present invention, the encryption algorithm used in step (c) may be a block encryption algorithm. The encryption key used in the block encryption algorithm may be a key transplanted into a kernel image when the kernel is compiled and generated. The encryption key may be a seed encryption key that allows a user to define a unique string for key generation, and encrypts the unique string with a predetermined bit using a predetermined encryption algorithm. The seed encryption key may be used as an encryption key in the block encryption algorithm of step (c) whenever the write system call is re-encrypted using the file-specific information included in the i-node as an encryption key for each file.

In the present invention, before proceeding to the step (a), allowing a user to input user information including security level information when the user logs in to the Unix system and authenticating the user in the system; And when the authentication is completed, recording security level information of the user in a security level field of a predetermined number of bits allocated to the task structure of the user process.

In the present invention, before proceeding to the step (b), further comprising the step of determining whether the security level information is included in the security level field of the task structure to determine whether the write request data to be encrypted; Can be. After the step (d), the step of copying and storing the security level of the user included in the task structure of the process into the security level field allocated to the reserved field of the i-node of the file in which the data is encrypted and stored. It may further include.

In the kernel mode decryption method according to the present invention for achieving the above another technical problem, by using a block encryption algorithm, as much as the second byte of data in the file is encrypted data for each block having a size of the first byte When there is a system call to read, the method is to automatically decode the data block by block in the kernel mode of the Unix-like OS, and may include the following steps. Here, the block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted.

First, a process of a user logged in to the system makes a read system call to read a second byte of the block encrypted file based on the current file pointer and store it in a buffer. The file pointer is then repositioned to the beginning of the block relative to the read system call. Subsequently copying the block to memory from the block in which the file pointer is located; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in the memory with reference to the number of valid data contained in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte read requested. . Then, copy the connection list configured in the memory into the buffer.

In accordance with another aspect of the present invention, there is provided a method of moving a file pointer, wherein a file pointer is moved from a predetermined byte position in a file in which data is encrypted for each block having a size of a first byte by a block encryption algorithm. When the user process the system call command to move the second byte in the direction of, the file pointer is moved while automatically decoding the data block by block in the kernel mode of the Unix-like OS. It may include. Here, the block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted.

First, a process of a user logged into the system makes a file pointer move system call to move the file pointer in a positive direction by a second byte from a predetermined byte position in the block encrypted file. Then, the position of the current file pointer is adjusted to the predetermined byte position. Then, it is checked whether the position of the adjusted file pointer is the first position of the block, and accordingly, the position of the file pointer is moved to the beginning of the block. Then copy the block into memory from the block in which the file pointer is located; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in the memory with reference to the number of valid data contained in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte. After that, the number of bytes that the file pointer should actually move is calculated by using the connection list configured in the memory, and the file pointer is actually moved based on the calculated result.

According to another aspect of the present invention, there is provided a method of moving a file pointer, in which a file pointer is negative from a predetermined byte position in a file in which data is encrypted for each block having a size of a first byte by a block encryption algorithm. When the user process the system call command to move the second byte in the direction, the file pointer is moved while automatically decoding the data block by block in the kernel mode of the Unix-like OS. It may include. Here, the block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted.

First, a process of a user logged into the system makes a file pointer move system call to move the file pointer in the negative direction by a second byte from a predetermined byte position in the block encrypted file. Then, the position of the current file pointer is adjusted to the predetermined byte position. Then, it checks whether the adjusted position of the file pointer is the first position of the block, and moves the position of the file pointer to the beginning of the block according to the result. Then copy the block to memory in order from the block in which the file pointer is located; Block decryption using an encryption key used to encrypt the file; And a concatenation list structure in a memory with reference to the number of valid data contained in the second region of the decoded block; And moving the position of the file pointer by -2 times the block size until the number of valid data accumulated in the linked list coincides with the second byte. After that, the number of bytes that the file pointer should actually move is calculated by using the connection list configured in the memory, and the file pointer is actually moved based on the calculated result.

According to another aspect of the present invention, there is provided a computer-readable recording medium including a first area in which data is actually stored and a second area in which the number of valid data contained in the first area is stored. A recording medium containing a program for automatically encrypting, in a kernel mode of a Unix-like OS, data of a second byte newly requested to be written from a user process in a block unit of a first byte size. A program module configured to calculate a number of blocks necessary for encrypting data equal to the second byte in consideration of bytes and number of bytes constituting the first region; (b) For each of the blocks calculated by the program module, copy the data requested for writing in the first area as necessary in the buffer transferred from the user process, and store the data in the first area in the second area. A program module for storing the number of data, and then encrypting the data contained in the first area and the second area by the first byte unit using a block encryption algorithm and configuring a connection list of the corresponding block in a memory; (c) a program module for writing a connection list for each block configured in the memory to a storage device.

According to another aspect of the present invention, a computer-readable recording medium according to the present invention uses a block encryption algorithm for data of a second byte in a file in which data is encrypted for each block having a size of a first byte. This is a recording medium that contains a program that can automatically decode data block by block in the kernel mode of Unix-like operating systems when there is a system call to read. Here, the block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted. The recording medium may include: (a) a program module for adjusting the position of the file pointer with respect to the beginning of the block based on when the read system call is made; (b) copying the block to memory from the block in which the file pointer is located; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in the memory with reference to the number of valid data stored in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte read requested. Program modules; (c) a program module for copying the connection list obtained through the program module (b) to the buffer.

According to another aspect of the present invention, a computer-readable recording medium includes a file from a predetermined byte position in a file in which data is encrypted for each block having a size of a first byte by a block encryption algorithm. When a user process executes a system call command to move the pointer by the second byte in the positive direction, the program contains a program that allows the file pointer to be moved while automatically decoding the data block by block in the kernel mode of the Unix-like OS. Readable recording medium. Here, the block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted. The recording medium may include: (a) a program module for adjusting a position of a current file pointer to the predetermined byte position; (b) a program module for checking whether the position of the file pointer adjusted through the program module is the first position of the block, and moving the position of the file pointer to the beginning of the block according to the result; (c) copying the block into memory from the block in which the file pointer is located after the execution of the program module; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in a memory with reference to the number of valid data stored in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte. module; (d) a program module for calculating the number of bytes that the file pointer should actually move using the connection list obtained through the program module (c), and allowing the file pointer to actually move based on the calculated result. Can be.

A computer-readable recording medium for achieving the another technical problem is to record a file pointer from a predetermined byte area in a file in which data is encrypted for each block having a size of a first byte by a block encryption algorithm. When a user process executes a system call command for shifting a second byte in the direction, the program includes a program that enables a file pointer to be moved while automatically decoding data block by block in the kernel mode of a Unix-like OS. Here, the block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted. The recording medium may include: (a) a program module for adjusting a position of a current file pointer to the predetermined byte position; (b) a program module for checking whether the position of the file pointer adjusted through the program module is the initial position of the block, and moving the position of the file pointer to the beginning of the block according to the result; (c) copying the block into memory from the block in which the file pointer is located after the execution of the program module; Block decryption using an encryption key used to encrypt the file; And a concatenation list structure in a memory with reference to the number of valid data contained in the second region of the decoded block; And a program module for moving the position of the file pointer by -2 times the block size until the number of valid data accumulated in the linked list matches the second byte. (d) a program module for calculating the number of bytes that the file pointer should actually move using the connection list obtained through the program module (c), and allowing the file pointer to actually move based on the calculated result. Can be.

Hereinafter, a method for automatically encrypting and decrypting a file in kernel mode and a method of moving a file pointer using the same will be described in detail with reference to the accompanying drawings. However, the preferred embodiments of the present invention described below are not intended to limit the technical scope of the present invention, but are intended to more clearly and easily describe the present invention to those skilled in the art. In particular, the present invention is applicable to general files as well as files to which a security level has been granted. In this case, the user inputs his security level when logging in to the system, and authenticating the security level entered by the user; Checking the security level of the user process; Derived steps can be omitted because the system user has the security level, such as checking whether the file contains i-nodes. Like reference numerals in the drawings refer to like elements.

FIG. 1 schematically illustrates the components of a Unix OS centered on a file system in order to explain a process of writing and reading data to and from a memory device and moving a pointer in a Unix-like OS.

Referring to FIG. 1, when a process 10 of a general user application wants to create a new file or modify data in an existing file in a user mode, a write call (for example, a system call of a UNIX-based OS) is performed. , sys_read: 20, read calls (e.g., sys_write: 30), pointer move calls (e.g., sys_lseek: 40) are supported by the ext2 (virtual file system (VFS): 50) via the system library. 60), through the file system (I) such as msdos (70), minix (80), proc (100). Here, the process 10 refers to all document creation programs, file processing programs, accounting processing programs, and the like that read and write files in the storage device 100. The system calls 20, 30, and 40 are executed by the buffer cache 110 in the file system I constituting the kernel mode, and the storage device 100, such as a hard disk, diskette or This will write data to the CD-ROM, read it, or move the pointer.

In the present invention, when writing or reading data requiring security to a storage device, the above three system call execution processes are changed in kernel mode using a block encryption algorithm (to be described later), thereby encrypting or decrypting data. Automatically and forcibly encrypts and decrypts data so that users do not actually feel it.

As the block encryption algorithm, a symmetric key block encryption algorithm such as SEED, DES, or 3-DES may be used, or an asymmetric key block encryption algorithm such as RSA may be used. In an embodiment of the present invention, the SEED symmetric key block encryption algorithm is employed, and the number of bits of the encryption key is 128.

Meanwhile, in order to encrypt and decrypt data according to the present invention using a block encryption algorithm, a predetermined key is required. In a preferred embodiment of the present invention, a key is inserted into a kernel image when the kernel is compiled and generated. Adopt a method of using this. Specifically, the system security manager allows a user to define a unique key generation string in order to generate a unique key that is different for each user of the Unix-like OS. The key generation string is then encrypted using a cryptographic algorithm such as a hash algorithm capable of generating a predetermined number of bits, for example, a 128-bit key, for example, 128 bit seed encryption using MD5 (Message Digest 5). Create a key. The seed encryption key is then ported into a kernel image when compiling the kernel of a Unix system. In this way, if the seed encryption key is ported to the kernel image, the seed encryption key is loaded and resides in the kernel whenever the kernel image is loaded at system boot. In this case, the seed encryption key may be stored in the smart card, and then a method of inputting the seed encryption key into the system using the smart card when compiling and generating the kernel may be adopted.

In the present invention, a seed encryption key implanted in a kernel image of a Unix OS is used to automatically encrypt and decrypt a security level file at the kernel level. This will be described in detail later with reference to a preferred embodiment of the present invention. Shall be.

Hereinafter, a method of automatically encrypting and decrypting data requiring security in kernel mode regardless of a user's intention, and a method of moving pointers by a specified number in an encrypted file will be described sequentially. However, in the embodiments described below, the block size is limited to 16 bytes when processing data using the block encryption algorithm. However, it is natural to those skilled in the art that the block size is not limited to 16 bytes. For example, the size of a block to be encrypted or decrypted may be set to 8 bytes as necessary.

<How to automatically encrypt data in the kernel mode and save it to the storage device>

FIG. 2A is a flowchart illustrating a series of processes occurring in kernel mode when there is a write system call (eg, sys_write: S1) in a UNIX-based OS to which the inventive concept is applied. Here, sys_write (step S1) is a kernel function used when a user mode process requests a write function service from the kernel.

Referring to FIG. 2A, when a write system call is made through a library function such as write, fwrite, fprintf, and putw in a user process, the kernel performs a task requested by the user process. For example, write (fd, buf, 40) is an example of writing to a file which specifies as many as 40 bytes of data stored in the buffer as the file descriptor fd. If there is a write system call as described above, first obtain an i-node of the file using a file descriptor to obtain file information, and calculate the i-node to determine whether the system call is in write mode or what storage device to write to. The file system of the storage device determines what to use.

Then, it is determined whether or not the data to be written to the storage device is the encryption target (step S2). In the execution of the modified write system call according to the present invention, whether or not the user process has a security level rather than relying on the user's selective will when determining whether the data to be written is an encryption target (step S2). This is enforced in kernel mode. To this end, the present invention further allocates a security level field having a predetermined number of bits to the task structure of the user process. Then, the security level of the user is recorded in the security level field in a predetermined manner, and when determining whether to encrypt the data, the security level is forcibly controlled in kernel mode depending on whether the security level is included in the security level field. To be able. For example, if you assign an additional 32-bit security level field to the task structure of a user process, and set some of them, for example, 8 bits, as the security level payer, a total of 256 security levels can be included. . As a method for recording the security level of the user process in the security level field, a method of receiving user information including the security level at the system login may be input from the user through a direct input method or an indirect input method such as a smart card. . The security level information received from the user is authenticated in the authentication step based on the security level database prepared in the system, and then is stored in the security level field assigned to the task structure of the user process.

As described above, two or more security levels can be recorded by setting one or more bits. However, whether or not data should be encrypted in kernel mode is determined according to the security level regardless of the security level.

In detail, the security level of the process is obtained by bitwise computing the security level field allocated to the task structure of the process that has made the write request. If there is no security level of the process that made the write request, the write request data is classified as general data and the part to be written based on the current file pointer is locked. Then, the contents of the buffer passed from the user process are written to the file designated by the file descriptor fd as many times as required (step S3). Then, returning from the system call returns to the user process (step S4). If, as a result of bitwise operation of the security level field, if there is a security level of the process that made the write request, the process branches to the block encryption routine according to the present invention.

In the data encryption method according to the present invention, since the data is automatically encrypted in units of blocks in the kernel mode using a block encryption algorithm, it is necessary to check whether the current file pointer is located at the start of the block (step S5). In block encryption, when the basic unit of the block is 16 bytes, the checking method divides the number of bytes corresponding to the current position of the file pointer by 16, and determines that the remainder is not the starting point of the block. If it is determined that the current position of the file pointer is not the start point of the block, the file pointer is moved to the start point of the block (step S6). Then, we store the file pointer's movement distance in a stack variable.

Meanwhile, in automatically encrypting data in units of blocks in kernel mode, it is preferable to record the number of valid data contained in a block in a specific byte area of the block and use the same when decrypting the data. Therefore, in the preferred embodiment according to the present invention, the basic unit of the block is 16 bytes, and the last byte is set as the information recording area for the number of valid data. Of course, in this case, the first byte of the block, or any byte between the first byte and the sixteenth byte, can be set as the effective data number recording area.

FIG. 2B shows a file in which data is to be written by a write system call from a user process for decryption (by automatic data decoding method in kernel mode according to the present invention. This will be described later). . Looking at the 16th byte positions of the first block (A), the second block (B), and the third block (C), 15, 7, and 11, which are valid data numbers of each block, are stored. The 8-15th byte position of the second block B; The 12th through 15th byte positions of the third block C are null, which is an area where no data is stored even if there is a write system call from the user process. In other words, since the valid data numbers of the second block (B) and the third block (C) are 7 and 11, respectively, the recording of data exceeding these numbers is allowed in the second block (B) and the third block (C). It doesn't work.

2A and 2B, a method of automatically encrypting data in kernel mode according to an embodiment of the present invention will be described in detail. At the time when a write system call from a user process is made, the current file pointer is assigned to the first block A. FIG. If the position is at the 13th byte position (12 is stored) of the), the file pointer is adjusted to the 1st byte position (0 is stored), and the moving distance 12 is stored in the stack variable (step S6). . In the present invention, since write-requested data is encrypted in blocks of 16 bytes, valid data of 15 or less based on a count transferred from a user process in consideration of the 16th byte position to record the number of valid data for each block. Obtain the number of blocks having a number (step S7). For example, if there is a 40 byte write system call from a user process and the file pointer is in the 13th byte position of the first block (A), a linked list formed in memory, for example, a doubly linked list. List) is a first block of valid data number 15 (A; data is added only to the 13-15th byte position); A second block B of seven valid data numbers; A third block C of which the valid data number is 11; A fourth block (not shown) having a valid data number of 15; Since the block structure is formed of a fifth block having an effective number of four (4), the number of blocks to be encrypted becomes five, and when the file is written to the storage device, the block is encrypted by 16, 16, 16, 16, 16 bytes. Stored. In the case of a newly created file, the linked list is 15, 15, or 10 bytes in the memory, and the block structure is formed. Therefore, the number of blocks to be encrypted becomes 3, and 16, 16, 16 when the file is written to the disk. Block encrypted in bytes.

The encryption key used for block encryption of data may be the seed encryption key described above. However, in the present invention, in order to further strengthen the security of the file, a different unique encryption key is generated for each file to be encrypted based on the seed encryption key. To do this, when encrypting and writing data to a file with a security level, the data having a unique value for each file is extracted by referring to the i-node of each file, for example, the time at which the file is first created or the unique number of the file given to each file do. Then, using the data extracted from the i-node, the seed encryption key is once again encrypted using a predetermined encryption algorithm, for example, a SEED encryption algorithm, thereby regenerating the encryption key for each file to a predetermined number of bits, for example, 128 bits. do. For example, a predetermined byte, for example, 16 bytes of data including user information such as a user password, a user password, and file unique information such as a file number, may be formed and used to re-encrypt the seed encryption key for each file. . Then, the encryption key for each file is used as a key when encrypting data for each block according to the present invention. If you use different encryption key for each file with security level, you can enhance security.

After calculating the number of blocks to be encrypted as described above (step S7), copying and encrypting the contents of the buffer received from the user process by the number of valid data of each block, and configuring a connection list for each block in the memory (step S8). )do. At this time, the encryption for each block is made through an encryption algorithm loaded into the kernel at system boot, and for this purpose, the encryption algorithm can be loaded into the kernel when the kernel is compiled and generated. Kernel loading of cryptographic algorithms can be easily taken by those skilled in the art. The final appearance of the connection list configured through the step S8 is shown in Figure 2c, the configuration process is as follows.

Specifically, referring to FIGS. 2A and 2C, first, the number of bytes is accumulated while accumulating the linked list one block in memory (ⓐ-> ⓑ-> ⓒ-> ...-> ⓝ) and accumulating the number of bytes (step S8). Check that the number of bytes is less than the count requested from the user process, and repeat step S8 if small. For example, if the accumulated number of blocks is smaller than the number of blocks obtained in step S7 (see step S9), step S8 is repeated until a linked list ⓐⓑⓒ ... ⓝ as shown in FIG. 2C is obtained. In the data structure of a file such as FIG. 2B, when a 40-byte write system request is received from a user process, the data portion is represented in plain text as in FIG. 2D, and the shaded portion in FIG. 2D is actually overwritten or newly written. Corresponds to the added area. The 16th byte position of each block is an area in which the effective data number of each block is recorded.

After the connection list as shown in FIG. 2C is configured in the memory through steps S8 and S9, a step of checking whether a connection list exists in the memory (step S10) is performed. That is, it is compared whether the pointer value indicated by the first linked list is null in operation results of steps S8 and S9 (step S10). If the comparison value in step S10 is not null, the connection list ⓐⓑⓒ ... ⓝ configured in memory is sequentially written to the storage device by 16 bytes (step S12), and the accumulated write bytes are smaller than the count requested from the user process. (Step S13). Step S12 is continued until the comparison value at step S13 is not null. If the comparison value in step S13 is null, the security level of the user process is copied to an unused reserved field of the i-node of the file. For this purpose, a security level field having a size of a predetermined bit, for example 32 bits, is additionally allocated to the reservation field of the i-node, and the security level of the user process is duplicated in the security level field. In the security level field, a MSB (Most Significant Bit), which is a predetermined number of bits, for example, an encryption flag of 1 bit, is assigned, and when the operation of writing the connection list to the storage device is terminated (steps S12 and S13), 1 is assigned to the MSB. A bit OR operation may indicate that the file is encrypted (step S14). After the step S14 proceeds, all allocated resources are released and return to the calling user process (step S15).

<Method of Automatic Block Decryption in Kernel Mode for Files Stored in Storage Device by Automatic Encryption Method According to the Present Invention>

FIG. 3A is a flowchart illustrating a series of processes occurring in kernel mode when there is a read system call (for example, sys_read: S16) in a UNIX-based OS to which the inventive concept is applied. In this case, sys_read (step S16) is a kernel function used when a user mode process requests a read function service from the kernel, which is collectively referred to as a read system call. Meanwhile, the automatic decryption method in the kernel mode described below is applied to a file encrypted by the automatic encryption method in the kernel mode according to the present invention described with reference to FIGS. 2A to 2D and stored in a storage device.

Referring to FIG. 3A, when a read system call is made through a system library function such as read, fread, fscanf, getw, or getc in a user process, the kernel performs a task requested by the user process. For example, read (fd, buf, 20) is a read execution example that reads 20 bytes from the file specified by the file descriptor fd and stores them in the buffer. In the automatic decryption method in the kernel mode according to the present invention, in order to determine whether a file to be read is an encrypted file (step S17), an i-node of a file is obtained using the delivered file descriptor fd, and the i Bitwise AND the MSB of the security level field owned by -node.

If it is determined in step S17 that the file designated by the file descriptor fd is not an encrypted file, the file is classified as a general document. Then, the part to be read based on the current file pointer is locked and read as much as the requested count from the storage device, and the contents are stored in the buffer transmitted from the user process (step S18). When returning from the system call, the process returns to the user process (step S19).

If it is determined in step S17 that the file designated by the file descriptor fd is an encrypted file, the process branches to the decryption routine according to the present invention. In the automatic decryption method in the kernel mode according to the present invention, since the decryption target data is encrypted by the block encryption method described with reference to FIGS. 2A to 2D, decryption is performed on a block basis even when decryption. In addition, when 16-byte blocks are used as the basic unit of encryption, the automatic decryption method in the kernel mode according to the present invention uses 16-byte blocks as the basic unit of decryption.

Therefore, in order to selectively decrypt the entire encrypted file or only some data in the file, it is necessary to check whether the current file pointer is located at the start of the block (step S20). The checking method divides the number of bytes corresponding to the current position of the file pointer by 16, which is the basic number of bytes forming a block, and determines that the rest is not the starting point of the block. If, in step S20, the number of bytes corresponding to the current position is divided by 16 and the remainder exists, the file pointer is moved to the start of the block (step S21). It then stores the distance the file pointer travels to the start of the block in a stack variable.

3B shows a file to be decrypted in advance for convenience of explanation. In the embodiment of the automatic decryption method according to the present invention, 20 bytes of a read system call is received from a user process and the current file pointer is deleted. The 13-15th byte area of the first block A, assuming that it is in the 13th byte position of one block A; 1-7th byte area of 2nd block B; A series of processes of decoding data stored in the 1-10th byte region of the third block C is illustrated.

Specifically, referring to FIGS. 3A and 3B, since the position of the current file pointer is not the start position of the first block A, the position of the file pointer is set to the start position of the block (1 byte position, 0 being 0). Stored in the stack variable). After reading and decoding each block sequentially (step S22), the 16th byte is referenced (step S22), and the valid data of each block is organized into a linked list in memory (step S22) and stored, and the number of valid data at the same time. Accumulate (step S22). At this time, the decryption key used to decrypt each block is a key used when encryption of the decryption target data is attempted using a symmetric key encryption algorithm such as SEED.

FIG. 3C shows a file having a data structure as shown in FIG. 3B, reads and decodes sequentially in block-by-block when there is a 20-byte read system call from a user mode process, and shades the valid data. Referring to Figure 3c, the 13-15th byte area of the first block (A); A 1-7 byte area of the second block B; It can be seen that only the 1-10 byte region of the third block C is selectively decoded.

3D illustrates a connection list configured in a memory while sequential decoding is performed for each block, and the configuration process is as follows. First, after decoding the first block A, the linked list ⓐ is formed in the memory while accumulating the number of bytes by referring to the 16th byte area. If the accumulated number of bytes is smaller than the count requested from the user process, the above connection list construction operation is continued for the second and third blocks, and the connection list ⓐⓑⓒ as shown in FIG. 3D is stored in the memory. Can be configured.

Subsequently, it is compared whether the pointer value indicated by the first linked list is null in the linked list for each block obtained by the steps S22 and S23 (step S24). If the comparison value in step S24 is not null, valid data of the connection list ⓐⓑⓒ configured in the memory is sequentially copied to the buffer received from the user's process (S26 and S27). Copying the valid data of each connection list to the buffer delivered from the user process continues until the number of data copied into the buffer is equal to the number of counts requested by the user process (step S27). After completing the operation of copying the valid data of the connection list to the buffer through the steps S26 and S27, the position of the file pointer is adjusted (step S28) and the contents of the buffer are returned to the user process. Becomes the same. On the other hand, if the comparison value in step S24 is null, the process returns to the user process (step S25).

FIG. 3f sequentially shows the order in which the file pointer moves in the operation made in step S20 using original characters. Specifically, when there is a system call to read 20 bytes from the file designated by the file descriptor fd from the user process and store it in the buffer, the file pointer is located in the 13th byte area (see?) Of the first block (A). However, since the file pointer is not at the beginning of the block, the file pointer is moved to the beginning of the block (see 2). After reading the first block A (the file pointer automatically moves to the first position (③) of the second block) and decoding it, the first block A corresponds to the first block A by referring to the number of valid data of the 16th byte. A linked list (see ⓐ in FIG. 3D) is constructed in memory. Subsequently, after reading the second block B (the file pointer automatically moves to the first position (④) of the third block), the second block B is decoded, and then decoded into the second block B with reference to the number of valid data of the 16th byte. A corresponding connection list (see ⓑ in FIG. 3D) is constructed in the memory. Since the cumulative number 10 of valid data of the connection list is smaller than the count 20 requested from the user process, the decoding process for the third block C is continued. As described above, after reading the third block C (the file pointer automatically moves to the first position (⑤) of the fourth block), after decoding it, the third block ( A connection list corresponding to C) (see ⓒ in FIG. 3D) is constructed. After the connection lists ⓐ and ⓑ are configured, since the accumulated valid data number is 10, only 10 data among the 13 data of the third block C are used to form the connection list ⓒ. After constructing the connection list ©, the file pointer is moved to the 11th byte area (⑥) of the third block again. Finally, the kernel releases all allocated resources and returns to the user processor (step S29).

Hereinafter, the method of calling the file pointer moving system for moving the file pointer by a predetermined byte as the data is automatically encrypted and decrypted in the kernel mode according to the present invention will be described. It demonstrates with reference to.

4A is a flowchart illustrating a process of calling a file pointer moving system in a kernel mode (sys_lseek; step S30) modified according to the present invention. Here, sys_lseek (step S30) collectively refers to a system call function used when a user mode process requests a file pointer movement service from the kernel.

Referring to FIG. 4A, when a system call is made through a system library function such as fseek or lseek in a user process, the kernel performs a task requested by the user process. For example, lseek (fd, offset, origin) is a kernel function that moves the file pointer by the number of bytes corresponding to the offset from the original file pointer location of the file specified by the file descriptor fd.

In the modified file pointer movement system call according to the present invention, whether or not the file to be read is an encrypted file (step S31) is obtained by using the passed file descriptor to obtain an i-node of the file, and the security that the i-node has. It can be determined by bitwise ANDing the MSB of the rank field to one.

As a result of the determination in step S31, if the file specified by the file descriptor fd is not an encrypted file, the file is classified as a general document. Then, the file pointer is moved by offset based on the origin received from the user process (step S32). Then, when the system call returns, the process returns to the user process (step S33).

As a result of the determination in step S31, if the file designated by the file descriptor fd is a file automatically encrypted according to the present invention, the file pointer adjustment step of origin is performed (step S34). For example, if the origin passed from the user process is 2, then the end of the file is adjusted; if 0, the file pointer is repositioned to the beginning of the file; if origin is 1, the file pointer is maintained. On the other hand, according to an embodiment of the present invention, the file automatically encrypted has a characteristic of knowing the number of valid data for each block only by reading the 16th byte position of each block by reading in units of blocks. Therefore, when it is determined that the file pointer adjusted in step S34 is the end of the file in preparation for reading the encrypted file according to the present invention, the position of the file pointer is moved in the negative direction by the size of the block. For example, if the block size is 16 bytes, the file pointer is moved by 16 bytes in the negative direction.

Subsequently, by checking the existence of the remainder by dividing the file size by 16, it is checked whether the file is normally encrypted (step S35). If the remainder is not calculated in step S35, in consideration of the fact that the number of valid data of the block is recorded in the last byte position of each block, each block is read sequentially and decoded, and then the valid data is stored in reference to the 16th byte area. Configure and store as a linked list in the accumulative number of valid data (step S37). In this case, the decryption may refer to a preferred embodiment of the automatic file decryption method in the kernel mode according to the present invention described with reference to FIGS. 3A to 3D. Of course, if the rest is calculated in step S35, since the file is not normally encrypted according to the present invention, the process returns to the user process (step S36).

On the other hand, in the step S37, the method of reading each block is different depending on the offset received from the user process. If the offset is a positive number, each block may be read and decoded by 16 bytes. However, if the offset is a negative number, 16 bytes are read and a 32-byte negative pointer adjustment is required. This will be clearer with reference to FIG. 4B showing an example of moving the file pointer in the case of + offset, and FIG. 4C illustrating an example of moving the file pointer in the case of -offset.

Referring to FIG. 4B, when the user process requests to move the file pointer by +20 bytes when the file pointer is at the position ① of the first block A, the file pointer is first moved to the first block A. ② Move to the position. Then, reading the first block A (the file pointer automatically moves to the position of ③), decrypting it, and then building a linked list in memory while accumulating the number of valid data; Reading the second block (the file pointer automatically moves to the position of ④), decoding the same, and constructing a linked list in memory while accumulating the number of valid data; After reading the third block (the file pointer automatically moves to the position ⑤), the decoding process is repeated, and the process of constructing a linked list in memory while accumulating the number of valid data is repeated. This process is repeated if the number of counts for the accumulated valid data is smaller than the offset (20). Therefore, when the connection list for the third block is configured in the memory, the connection list for data up to the 11th byte (the number of data of the first block A + the number of data of the second block 7 = 10 = 10) is configured in the memory. It ends.

Referring to FIG. 4C, if there is a request to move 20 bytes to the front of the file when the file pointer is at the position ① of the third block C, the position of the file pointer is first moved to the position ② of the third block C. Let's do it. Thereafter, reading the third block C (the file pointer automatically moves to the position ③ of the fourth block D), decoding the same, and constructing a connection list in memory while accumulating the number of valid data 10; Move the position of the file pointer to the position ④ of the second block B (adjust the position of the -32 byte file pointer), then read the second block B (the file pointer automatically moves to the position ⑤ of the third block C). Moving) configuring a connection list in a memory while accumulating the number of valid data (7) after decrypting it; Move the position of the file pointer to the position ⑥ of the first block A (-32 byte file pointer position adjustment), and then read the first block A (the file pointer moves to the position ⑦ of the second block B). Automatic movement) After decoding the data, the process of constructing the connection list in the memory is repeated while accumulating the number of valid data (3).

4D illustrates an example of a connection list to be configured in a memory after reading and decoding in units of blocks in the above-described manner.

4A and 4D, if the number of valid bytes is accumulated while configuring the connection list one block in the memory, and if the number is smaller than the offset requested from the user process, the above process (step S37) is repeatedly performed. Ⓑ Configure the ⓝ (step S37). In operation S37 and operation S38, the value of the pointer indicated by the first connection list is compared with NULL (operation S39). At this time, if the comparison value of S39 is NULL, the process returns to the user process (step S40). If the comparison value in step S39 is not null, the cumulative count is calculated by combining the nodes of the connection list configured in the memory (step S41), and it is determined whether the accumulated count is smaller than the offset (step S42), and the value becomes null. Repeat step S41. Then, the actual offset to which the file pointer is to be moved is calculated by considering the remaining portions of the blocks encrypted with 16 bytes except for the region containing valid data. In the case of the file pointer movement example shown in Fig. 4B, if a request for moving the file pointer by +20 bytes is requested by the file pointer movement system call, the file pointer is referred to as the 13th byte position (① of the first block A). ) Moves to the eleventh byte position (see ⑥) of the third block (C). However, since the actual offset to which the actual file pointer moves must also be at the 8-15th byte position, which is the null region of the second block B, the actual offset to which the file pointer moves is +28 bytes. If the actual offset obtained in step S43 is null, the process returns to the user process (step S44). If the actual offset obtained in step S43 is not null, the file pointer is moved by the actual offset (step S45). After proceeding to step S45, the allocated resources are released and the process returns to the user process (step S46).

A method of automatically encrypting and decrypting a file in the kernel mode and a method of moving a file pointer using the same in the kernel mode according to the present invention described above may be programmed and stored in a computer-readable recording medium. At this time, the flowcharts shown in Figs. 2A, 3A and 4A can be used as an algorithm when programming the methods according to the present invention. Those skilled in the art can easily program the methods according to the present invention if they recognize the flow diagrams and related descriptions posted in the above figures.

In the above described with reference to the accompanying drawings, preferred embodiments of the present invention in detail. However, the technical idea according to the present invention can be variously modified or improved by those of ordinary skill in the art.

According to an aspect of the present invention, since only the partial data required by the user process is encrypted or decrypted using the connection list in kernel mode, the processing speed is improved compared to the conventional method of encrypting and decrypting the file in the user mode.

According to another aspect of the present invention, the encryption and decryption of the data is performed in kernel mode in a strictly separated state from the address space of the user application, and the kernel having a security level selects the encryption of the data. Since data is stored in the storage device by forced encryption in the mode, security is ensured even if the storage device is illegally taken over by a third party.

According to another aspect of the present invention, the management of the encryption key is managed by the system security manager, thereby simplifying the key management of the general user.

Claims (18)

In the unit of a 1-byte size block including a first area where data is actually recorded and a second area where the number of data contained in the first area is stored, the second byte of newly requested data from the user process is stored. The automatic encryption method in the kernel mode of the Unix-like operating system (OS), (a) calculating the number of blocks necessary for encrypting the data of the second byte in consideration of the second byte and the number of bytes constituting the first region; (b) For each block calculated in step (a), copy write-required data in the first area as necessary in the buffer transferred from the user process, and store data in the first area in the second area. Encrypting the data contained in the first area and the second area by the first byte unit using a predetermined encryption algorithm and constructing a connection list of the corresponding block in a memory; And and (c) writing a connection list for each block configured in the memory to a storage device. According to claim 1, Before proceeding to step (b), Checking whether the current file pointer is at the beginning of the block and moving the location of the file pointer to the beginning of the block according to the result. The method of claim 1, And the second area is an area used for displaying the number of valid data contained in the first area, and is allocated to a predetermined position in the block. According to claim 1, wherein the number of blocks to be encrypted in step (a), And dividing the second byte by the number of bytes constituting the first region and adding 1 to the quotient of the integer. According to claim 1, After the step (c), And performing an encryption marking in a pre-allocated security level field of the reserved fields of the i-node of the encrypted file. The method of claim 1, wherein the encryption algorithm used in step (b) is a block encryption algorithm. 7. The method of claim 6, wherein the encryption key used in the block encryption algorithm is a key that is ported to a kernel image when the kernel is compiled and generated. The method of claim 7, wherein The encryption key is a seed encryption key of a predetermined bit generated by the user by specifying a unique string for generating a key and using the predetermined encryption algorithm. Way. The method of claim 8, The seed encryption key is re-encrypted by using the file-specific information of the i-node for each file as an encryption key whenever there is a write system call, and then used as an encryption key in the block encryption algorithm of step (b). How to automatically encrypt files in mode. According to claim 1, Before proceeding to step (a), (a1) allowing a user to input user information, including security level information, when the user logs in to a Unix system and authenticating the user in the system; (b1) recording the security level information of the user in the security level field of a predetermined number of bits allocated to the task structure of the user process when the authentication in step (a) is completed; And (c1) checking whether the security level information is included in the security level field of the task structure, and determining that the write requested data is a target to be encrypted, automatically encrypting the file in the kernel mode. How to. The method of claim 10, wherein after the step (c1), Copying the security level of the user included in the task structure of the process to the security level field assigned to the reserved field of the i-node of the file in which the data is encrypted and storing the file in kernel mode. How to encrypt automatically. Blocks data in the kernel mode of Unix-like operating systems when there is a system call to read a second byte of data from a file encrypted with a block of 1 byte size and store it in a buffer using a block encryption algorithm. About automatic decoding The block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted; (a) adjusting the position of the file pointer relative to the time of the read system call to the beginning of the block; (b) copying the block to memory from the block in which the file pointer is located; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in the memory with reference to the number of valid data stored in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte read requested. step; And and (c) copying the connection list obtained through the step (b) to the buffer. When a user process executes a system call command to move the file pointer by a second byte in a positive direction from a predetermined byte position in a file in which data is encrypted for each block having a size of 1 byte by a block encryption algorithm. , A method of moving a file pointer while automatically decrypting data block by block in the kernel mode of a Unix-like OS. The block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted; (a) adjusting a position of a current file pointer to the predetermined byte position; (b) checking whether the position of the file pointer adjusted through step (a) is the initial position of the block, and moving the position of the file pointer to the beginning of the block according to the result; (c) copying the block to the memory in order from the block in which the file pointer is located after the step (b); Block decryption using an encryption key used to encrypt the file; And continuing the link list construction process in the memory with reference to the number of valid data contained in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte. And (d) calculating a number of bytes that the file pointer should actually move using the connection list obtained through step (c), and actually moving the file pointer based on the calculated result. A method of moving a file pointer while automatically decrypting an encrypted file in mode. When the user process executes a system call command to move the file pointer by a second byte in the negative direction from a predetermined byte position in a file in which data is encrypted for each block having a size of 1 byte by the block encryption algorithm. , A method of moving a file pointer while automatically decrypting data block by block in the kernel mode of a Unix-like OS. The block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted; (a) adjusting a position of a current file pointer to the predetermined byte position; (b) checking whether the position of the file pointer adjusted through step (a) is the initial position of the block, and moving the position of the file pointer to the beginning of the block according to the result; (c) copying the block to the memory in order from the block in which the file pointer is located after the step (b); Block decryption using an encryption key used to encrypt the file; And a concatenation list structure in a memory with reference to the number of valid data contained in the second region of the decoded block; And moving the position of the file pointer by -2 times the block size until the number of valid data accumulated in the linked list coincides with the second byte. And (d) calculating a number of bytes that the file pointer should actually move using the connection list obtained through step (c), and actually moving the file pointer based on the calculated result. A method of moving a file pointer while automatically decrypting an encrypted file in mode. A second byte of a block size of a first byte including a first area in which data is actually recorded and a second area in which the number of data contained in the first area is stored. A recording medium that contains a program that can automatically encrypt in kernel mode of Unix-like OS. (a) a program module configured to calculate a number of blocks necessary for encrypting data of the second byte in consideration of the second byte and the number of bytes constituting the first region; (b) For each block calculated through the program module (a), write-write data is copied into the first area as necessary in the buffer transferred from the user process, and the second area is copied to the first area. A program module for storing the number of recorded data, and encrypting the data recorded in the first and second regions in units of the first byte using a block encryption algorithm and configuring a connection list of the corresponding block in a memory; And and (c) a program including a program module for writing a connection list for each block configured in the memory to a storage device. When there is a system call to read the second byte of data from the file whose data is encrypted for each block having the size of 1 byte by using the block encryption algorithm, the data is automatically decrypted block by block in the kernel mode of the Unix-like OS. A recording medium that contains a program that can be The block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted; (a) a program module for adjusting the position of the file pointer relative to the time when the read system call is made to the beginning of the block; (b) copying the block to memory from the block in which the file pointer is located; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in the memory with reference to the number of valid data stored in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte read requested. Program modules; And and (c) a program comprising a program module for copying the connection list obtained through the program module into the buffer. When a user process executes a system call command to move the file pointer by a second byte in a positive direction from a predetermined byte position in a file in which data is encrypted for each block having a size of 1 byte by a block encryption algorithm. Is a computer-readable recording medium containing a program that can move a file pointer while automatically decoding data block by block in the kernel mode of a Unix-like OS. The block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted; (a) a program module for adjusting a position of a current file pointer to the predetermined byte position; (b) a program module for checking whether the position of the file pointer adjusted through the program module is the first position of the block, and moving the position of the file pointer to the beginning of the block according to the result; (c) copying the block to the memory in order from the block in which the file pointer is located after the (b) program module is executed; Block decryption using an encryption key used to encrypt the file; And a process of constructing a linked list in a memory with reference to the number of valid data stored in the second area of the decoded block until the number of valid data accumulated in the linked list matches the second byte. module; And (c) a program module for calculating the number of bytes that the file pointer should actually move using the connection list obtained through the program module (c), and allowing the file pointer to actually move based on the calculated result. A computer-readable recording medium comprising a program. When a user process executes a system call command to move a file pointer by a second byte in a negative direction from a predetermined byte area in a file in which data is encrypted for each block having a size of 1 byte by a block encryption algorithm. Is a recording medium that contains a program that can move a file pointer while automatically decoding data block by block in the kernel mode of a Unix-like OS. The block includes a first area in which encrypted data is stored and a second area in which the number of valid data contained in the block is encrypted; (a) a program module for adjusting a position of a current file pointer to the predetermined byte position; (b) a program module for checking whether the position of the file pointer adjusted through the program module is the first position of the block, and moving the position of the file pointer to the beginning of the block according to the result; (c) copying the block into the memory, in sequence from the block in which the file pointer is located after the (b) program module is executed; Block decryption using an encryption key used to encrypt the file; And a concatenation list structure in a memory with reference to the number of valid data contained in the second region of the decoded block; And a program module for moving the position of the file pointer by -2 times the block size until the number of valid data accumulated in the linked list matches the second byte. And (c) a program module for calculating the number of bytes that the file pointer should actually move using the connection list obtained through the program module (c), and allowing the file pointer to actually move based on the calculated result. A computer-readable recording medium comprising a program.