1. Technical Field
The present invention relates generally to encryption technology in a virtualized environment using an auxiliary medium and, more particularly, to an apparatus and method for encryption in a virtualized environment using an auxiliary medium, which encrypt protection target data using data for encryption stored in the auxiliary medium in response to an encryption request from an application program and provide the encrypted protection target data.
2. Description of the Related Art
Recently, as programs have grown in size and complexity, security vulnerabilities in operating systems or application programs have increased. Malicious code that exploits such vulnerabilities may leak a session key or the like used in the encryption of files, resulting in serious damage such as the leakage of protection target data.
Generally, in order to solve the problem of the leakage of protection target data attributable to malicious code, it is necessary to enable pieces of protection target data to be implemented in an environment completely isolated from malicious code.
Korean Patent Application Publication No. 2011-0089942 presents technology for virtualizing a program and efficiently installing and executing the program in an auxiliary medium.
However, the above conventional technology neither discloses nor suggests a configuration for preventing protection target data from leaking due to malicious code by allowing a hypervisor to acquire data for encryption from an auxiliary medium in response to an encryption request from an application program through a hypervisor call for providing a virtualization interface, to encrypt the protection target data using the data for encryption and to provide the encrypted data to the application program.
Further, the conventional technology does not describe a detailed configuration in which the data for encryption is received in a form encrypted using an internal key, the encrypted data for encryption is decrypted using the internal key to acquire the data for encryption, the acquired data is stored in a separate memory page, and external access to the memory page is denied when such access is attempted. Furthermore, the conventional technology does not describe a detailed configuration in which an auxiliary medium including the data for encryption, stored in an environment in which a connection to a network is not made, is used, and thus the protection target data is prevented from leaking due to malicious code from the time when the protection target data was initially recorded on the auxiliary medium. In addition, the conventional technology does not describe a detailed configuration in which an auxiliary medium including a tamper-resistant sensor is used, and thus the auxiliary medium is prevented from being physically manipulated.
Therefore, new technology for virtualization in a virtualized environment using an auxiliary medium is urgently required, which includes: a configuration in which a hypervisor acquires data for encryption from an auxiliary medium in response to an encryption request from an application program through a hypervisor call for providing a virtualization interface, encrypts the protection target data using the data for encryption, and provides the encrypted data to the application program, thus preventing the protection target data from leaking due to malicious code; a configuration which receives the data for encryption in a form encrypted using the internal key, decrypts the encrypted data for encryption using the internal key, and then acquires the data for encryption; a configuration which stores the data for encryption in a separate memory page, and denies external access to the memory page when such access is attempted; a configuration which uses an auxiliary medium including the data for encryption stored in an environment in which a connection to a network is not made, thus preventing the protection target data from leaking due to malicious code from the time when the protection target data was initially recorded on the auxiliary medium; and a configuration which uses an auxiliary medium including a tamper-resistant sensor, thus preventing the physical manipulation of the auxiliary medium and more securely executing an application program in the virtualized environment.