
wu2013

This paper presents a design for a file transparent encryption system using the Minifilter framework and AES encryption, focusing on secure document handling within a specified security directory. It discusses the principles of file system filter drivers, the encryption and decryption processes, and the importance of path filtering to protect confidential documents without affecting unclassified files. The study aims to improve document security in enterprises by enabling transparent encryption and decryption while addressing challenges related to file operations, particularly with Word documents.


Applied Mechanics and Materials Vols. 433-435 (2013) pp 1742-1746
Online: 2013-10-15


© (2013) Trans Tech Publications, Switzerland
doi:10.4028/www.scientific.net/AMM.433-435.1742

File Transparent Encryption System Design Based on Security Directory

Yuan Wu 1,a, Xiaochun Chen 2,b

1 South Area of Hi-Tech park, Nanshan, Shenzhen, China
2 South Area of Hi-Tech park, Nanshan, Shenzhen, China
3 Key Laboratory of EDA in Shenzhen
a [email protected], b [email protected]

Keywords: Minifilter; transparent filter; path filtering

Abstract. Using the Minifilter framework and the AES block encryption algorithm, the paper develops a
filter driver that encrypts files of particular types under the security directory. The principle of the
file system filter driver is discussed, and the file operation process is studied in particular for the
Word format. The paper also analyzes in depth the transformation mechanism between plaintext and
ciphertext and the implementation algorithms of encryption and decryption. Finally, the paper
describes the method of path filtering in detail.

Introduction
The popularity of the Internet has brought enormous convenience, but also some potential problems.
More and more people are concerned about information security; for enterprises in particular, the
security of confidential documents is especially important. Active leaks by insiders and illegal theft
by external competitors can cause irreparable damage to an enterprise.
Traditional encryption software at the application layer requires the user to encrypt manually and
set a password. It is cumbersome to operate and it is easy to miss information; once the password is
stolen, confidential information is leaked, so the security of this kind of encryption is not high.
For document security, Microsoft introduced EFS (Encrypting File System). EFS belongs to
device-driver-layer encryption; its principle is complex and it is difficult to develop for, and
moreover EFS is only applicable to the NTFS file system format.
Filter driver encryption technology combines the advantages of the traditional encryption
technologies and can realize transparent encryption and decryption using different encryption
algorithms; it is flexible, offers high security and has a wide range of application. Traditional
file-system-based filter driver encryption and decryption uses the Sfilter framework. Developing the
filter driver with the newer Minifilter framework decreases complexity, improves stability and widens
the range of supported platforms. What is more, it reduces the workload of developers, so they can
spend more time on realizing the driver's functions.

Principle of File System Filter Driver


As shown in Fig. 1, file operation requests (such as new, open, read, write and save) travel via the
I/O Manager to the file system driver in the form of IRPs (I/O Request Packets). Along the way, the
I/O request packet is intercepted by the filter driver, which processes it according to the type of IRP
(for example, encrypting on write and decrypting on read), and the processed data is stored on the
disk. So the file on disk that the user opens is processed data. A file moved to another computer is
ciphertext, which protects confidential files from being leaked. On the local computer, the file
system filter driver decrypts the file when the user reads it, so the opened file is plaintext. In
general, the whole encryption and decryption process is completed by the filter driver without the
user's participation, which realizes transparent encryption and decryption in the true sense.


[Figure: layered diagram. User mode: user request. Kernel mode: I/O manager, cache manager, filter driver, file system driver, disk driver. Bottom: logical volume.]
Fig. 1. Principle of file system filter driver

File Operation Process


As shown in Fig. 2, there are three kinds of file data: plaintext data used in the application,
plaintext/ciphertext data stored in the cache, and ciphertext data stored on disk. File operation
involves three kinds of read and write operations: buffered read and write, page read and write, and
non-buffered read and write. As the saying goes, "write encryption, read decryption". This raises a
question: since there are several kinds of read and write operations, which one should be encrypted
and decrypted?
[Figure: data in the application (plaintext), data in cache (plaintext / ciphertext) and data in the disk (ciphertext), connected by buffer write/read, un-buffer write/read and page write/read.]
Fig. 2. The relationship between the three different forms of file data
Not all applications read and write files through buffered reads and writes. Notepad, for example,
reads and writes files by memory mapping (the file is mapped into the memory space, so accessing the
file content only requires accessing that memory). Memory mapping cannot be captured by the filter
driver, and so cannot be encrypted or decrypted there. Page reads and writes always exist regardless
of whether a memory-mapped file is used; therefore the page read and write requests can be encrypted
and decrypted without taking other conditions into account. We now use a Word file as an example to
introduce the file data operation process.

We must pay attention to the cache in actual development, because handling it badly brings many
loopholes. When a new Word document is created, Office automatically adds 10KB of data at the front of
the document to define its format, so a write operation is bound to happen. The result is a phenomenon
we do not want to see: create a new Word document, open it, and find that it has been encrypted and
cannot be opened. Similarly, if the cache is not cleared, then after data is written and saved in Word
and the file is opened again, the file is encrypted and cannot be opened; it is not decrypted
transparently. Why?
The cause is that writing data involves write operations, which are captured by the filter driver, and
the data is naturally encrypted. After the write operation the data is held in the cache; when the new
Word document is opened, the application reads the data directly from the cache and does not need to
read from the disk. Only a buffered read takes place, not a page read, and consequently the filter
driver does not decrypt the data. This involves a variety of read and write operations and conversions
between plaintext and ciphertext; the data changes are shown in Fig. 3 (a).
Hence, we need to clear the cache after applications finish reading and writing data. Word completes
writing data and the cache is then cleared; when the application opens the Word file again, the data is
read from disk because there is no file data in the cache, so a page read operation happens, which is
captured by the filter driver, and the data is decrypted. The data the user reads is therefore
plaintext (see Fig. 3 (b)).
[Figure: two flowcharts between "Write data to word file", the cache, the disk and "Read data from word file". (a) Read and write data process of word file (uncleared buffer): cache data is ciphertext and ciphertext data is read. (b) Read and write data process of word file (cleared buffer): the cache has no data, the data is read from the disk and decrypted, and plaintext data is read.]
Fig. 3. Read and write data process of word file

Due to the particularity of Word files, there is a lot to deal with; otherwise all sorts of problems
occur. Tracing with file spy shows that in the process of writing data, Word produces a temporary file
(tmp file): it writes the data to the temporary file first, then deletes the original doc file, and
finally renames the tmp file to the original file name. This involves the handling of temporary files.
From this special file-writing mechanism in Word, we know that the tmp files must be decrypted if we
wish to encrypt and decrypt the file content in Word, because the Word file is obtained by renaming
the tmp file.
A new problem arises when dealing with the temporary file, one often encountered in practical driver
development: when you create a new Word document, finish writing the data and click Save, the message
"memory or disk space is insufficient, save failed" appears and the file cannot be saved. The reason
is that the length of the file has changed after the above processing, so the memory space previously
allocated for data storage is not enough; the memory needs to be reallocated to solve this problem.

File Path Filtering


We encrypt only the confidential documents under the specified directory (the security directory) and
skip files in other directories, without affecting normal use of unclassified documents. Fig. 4 shows
the path filtering process; the specific method of filtering the file path is presented below.

[Figure: flowchart. Get file path; decisions "Security directory?", "Subdirectory?" and "Secret document?"; outcomes "Not to deal with" and "Encryption and decryption".]
Fig. 4. Path filtering process

FltGetFileNameInformation and FltParseFileNameInformation can be called in PostCreate. These two
functions have the same parameter, whose data structure type is PFLT_FILE_NAME_INFORMATION. Two fields
of PFLT_FILE_NAME_INFORMATION relate to the file path: Volume and ParentDir. Volume represents the
drive on which the file resides, given as a device name (for example, "Device\HardDiskVolume2"
represents the D disk), which is different from the symbolic link name (such as "D:"). ParentDir
represents the detailed file path with the drive letter removed. We compare Volume and ParentDir with
those of the specified security directory; if the two are completely consistent, we encrypt the file.
During the comparison, we should check whether the string formats are consistent; if they are not,
string conversion is required.

The files in the security directory can now be transparently encrypted and decrypted, but only in the
first-level directory (where the file path and the security directory are exactly the same). In
practical applications, users need to classify multiple types of documents, and the security directory
has multiple or multi-level subdirectories, so files in subdirectories of the security directory still
need to be handled. The function strstr can be called to find whether ParentDir contains the security
directory (string); if it does, the file path is a subdirectory of the security directory and the
encryption and decryption process must also be carried out.
After the treatments above, transparent encryption and decryption of the confidential documents under
the security directory (including its subdirectories) is complete. What is more, other security
directories and unclassified documents are not affected.
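The following is an added example, not code from the paper: a user-mode C sketch of the directory test that compares the volume as well and matches the security directory only as a case-insensitive prefix ending on a path-component boundary, with the substring test from the text kept beside it for comparison. The `cstr` type, the function names and the sample paths are assumptions, and `char` stands in for the driver's wide characters.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-counted string modelled on the kernel's UNICODE_STRING, whose buffer
 * is not guaranteed to be NUL-terminated (cstr is a hypothetical type). */
typedef struct { const char *buf; size_t len; } cstr;

static cstr cs(const char *s) { cstr c = { s, strlen(s) }; return c; }

/* Case-insensitive comparison of the first n characters of a and b. */
static int same_ci(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if (volume, parent_dir) is the security directory or lies below it.
 * sec_dir must end in '\\', as ParentDir does, so that the prefix match
 * can only end on a path-component boundary. */
int in_security_dir(cstr volume, cstr parent_dir, cstr sec_volume, cstr sec_dir) {
    if (sec_dir.len == 0 || sec_dir.buf[sec_dir.len - 1] != '\\')
        return 0;                               /* misconfigured directory */
    if (volume.len != sec_volume.len ||
        !same_ci(volume.buf, sec_volume.buf, volume.len))
        return 0;                               /* same path, other volume */
    if (parent_dir.len < sec_dir.len)
        return 0;
    return same_ci(parent_dir.buf, sec_dir.buf, sec_dir.len);
}

/* The substring test from the text, kept for comparison. */
int in_security_dir_strstr(const char *parent_dir, const char *sec_dir) {
    return strstr(parent_dir, sec_dir) != NULL;
}

int main(void) {
    /* Constructed sample paths, not taken from the paper. */
    const char *vol = "\\Device\\HarddiskVolume2", *sec = "\\Secret\\";
    const char *dirs[] = { "\\Secret\\", "\\secret\\HR\\2013\\",
                           "\\Public\\Secret\\", "\\SecretOld\\" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        printf("%-20s prefix=%d strstr=%d\n", dirs[i],
               in_security_dir(cs(vol), cs(dirs[i]), cs(vol), cs(sec)),
               in_security_dir_strstr(dirs[i], sec));
    return 0;
}
```

The two tests disagree on a differently cased subdirectory and on a directory of the same name elsewhere in the tree. In a driver the same comparison can be made on the counted strings directly with `RtlPrefixUnicodeString`.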

Conclusions
This paper takes Minifilter as the model to design a filter driver system that performs transparent
encryption and decryption on documents of specified types in a security directory, and analyzes with
emphasis the operation process of file data. In the future, we will carry out multi-platform tests and
compatibility tests with anti-virus software to make the system safer and more stable.
