Design and Implementation of Windows Kernel-mode Cryptographic Service Interface
|School||Harbin Institute of Technology|
|Course||Instrument Science and Technology|
|Keywords||Windows kernel-mode security; kernel-mode cryptographic service; cryptographic service interface; disk encryption|
A cryptographic service interface is an architecture that contains a collection of functions and security mechanisms. Its main objectives are to protect encryption keys and similar sensitive data, hide the implementation details of cryptographic algorithms, provide transparent cryptographic services to developers, and define consolidated APIs for upper applications and lower cryptographic modules, thus allowing them to be developed independently. In this decade, with the development of computer networks and information security, more and more applications require that cryptographic services run at the level of the operating system kernel. Designing a kernel-mode cryptographic service interface is therefore of great significance, because it provides a direct, efficient, and universal solution for them.

To provide efficient cryptographic services and uniform cryptographic APIs for kernel-mode security products, thereby making it convenient to select and reuse cryptographic modules and algorithms and improving the development efficiency and reliability of the products, this thesis designs an open, high-security, and practical cryptographic service architecture in Windows kernel mode. First, the cryptographic service requirements in Windows kernel mode are analyzed against concrete applications. Then the related cryptographic services, existing interface standards, and interface implementation technologies are researched. After that, the design and implementation of a highly compatible and expandable cryptographic service architecture, based on a traditional computer security model and running at the level of the Windows kernel, are described in detail.

The architecture invokes a security kernel that is responsible for message dispatch, object management, and mandatory object access control. It is the security foundation of the entire architecture: by creating a security perimeter, it isolates outside applications from internal objects and protects sensitive data. On top of the kernel are various objects that abstract cryptographic services, such as encryption, hashing, and key management, in layers. The layered, object-based model gives the architecture a clear structure and flexible expansibility, and makes it compatible with new algorithms and hardware cryptographic products.

Finally, a disk encryption system based on the architecture is presented. The support that the architecture provides for the system's design and its security functions is analyzed, and the applications of the architecture in the encryption filter driver and in the user identity authentication module based on the C/R mechanism are described in detail.

Testing results and the disk encryption application example show that the architecture needs only a little overhead to achieve its security goals and guarantee compatibility and expansibility. Moreover, the architecture is a universal cryptographic framework that can fulfill almost all security requirements in Windows kernel mode and effectively improve the development efficiency and reliability of security products.