CN100525176C - Preventing system for information leakage under cooperative work environment and its realizing method - Google Patents

Publication number
CN100525176C
Authority
CN
China
Prior art keywords
client
user
service end
file
information
Legal status
Expired - Fee Related
Application number
CNB2003101149373A
Other languages
Chinese (zh)
Other versions
CN1617487A (en)
Inventor
梁中骐
李路
宋劲松
Current Assignee
CHENG'ANDING INFORMATION TECHNOLOGY Co Ltd BEIJING
Original Assignee
CHENG'ANDING INFORMATION TECHNOLOGY Co Ltd BEIJING

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to an information leakage prevention system for cooperative working environments, in the field of network security technology. The system comprises a client and a service end: the client is installed on every computer that operates protected files and carries out the protection operations; the service end is installed on an independent computer in the network and monitors and controls the client computers and manages certificates and keys. The method comprises verifying the user's identity and authority, continuously monitoring opened files, and encrypting saved content. In this way the content stored on disk is always encrypted, which ensures that a file stays encrypted wherever it is copied.

Description

An information leakage prevention system for cooperative working environments and its implementation method
Technical field
The present invention relates to the field of network security technology, and in particular to an information leakage prevention system for cooperative working environments and its implementation method.
Background technology
The rapid development of network technology has led more and more companies and institutions to improve their operating efficiency through internal networks, VPNs and the like. While networks improve operating efficiency, they also introduce many information security risks.
Current information security research focuses mostly on threats from the Internet, on defending against attacks from the internal network, and on restricting internal network members from obtaining information beyond their authority. How to prevent information leakage in a relatively large networked working environment, for example how a manufacturing company can prevent a competitor from using electronic drawings and files obtained illegally and easily through unknown channels, still lacks an effective solution.
The characteristic information security risk in a networked cooperative working environment is that many employees inside the organization, as part of their normal work, handle electronic files that must be kept confidential from outsiders. The electronic files to be protected are often widely distributed: because of work needs they are stored not only on servers in the network but may also be scattered across employees' personal computers (for example, during the design of a large product, its thousands of electronic drawings and files are designed collaboratively by many engineers on different computers). Nor can these files be fully encrypted in advance, because new files are produced continuously and dynamically on different computers in the course of the collaborative work. There are therefore many potential outlets through which files that need protection can leak, whether over the network or via removable storage media.
Preventing the illegal leakage of these electronic files is not something general information security methods can solve. Most existing approaches emphasize enforcing policy, such as monitoring access to servers and restricting the behaviour of internal staff, which gives only limited security assurance, for example forbidding encrypted outgoing mail, inspecting mail, and so on.
Summary of the invention
In view of this, the main purpose of the present invention is to provide an information protection solution for enterprise networks that solves the problem of information leakage in a cooperative working environment. To this end, an information leakage prevention system for cooperative working environments and its implementation method are provided.
Another object of the present invention is to provide an information protection approach that improves the reliability and flexibility of information leakage protection.
Technical scheme of the present invention
The information leakage prevention system for cooperative working environments consists of two parts, a client and a service end. The client is installed on every computer that needs to operate protected files and carries out the protection operations. The service end is installed on an independent computer in the network; it monitors and controls the client computers, manages certificates and keys, and authenticates users' operations on protected files at the client. The system is characterized in that the client and the service end are connected by a network.
The working method of the information leakage prevention system comprises the following steps:
Step 201: when a protected file is to be operated on the client, the user's identity and authority are verified first.
Step 202: after authentication succeeds, the file is decrypted before the protected file is opened, and the operation information is sent to the server end to be recorded.
Step 203: the opened file is monitored continuously, and it is determined whether the file was opened after being decrypted.
Step 204: if the opened file is edited and then saved, the saved content is encrypted. The content stored on disk is therefore always encrypted, which ensures that the file remains encrypted however it is copied elsewhere.
As the above method shows, the present invention provides an information leakage prevention system for cooperative working environments and its working method. For protected files dynamically scattered across the computers in the network, it prevents information leakage at the root: whatever channel a leak occurs through, the file obtained is encrypted. It also prevents files from being decrypted by client software installed elsewhere, outside the cooperative working environment, and by unauthorized computers connected to the collaborative network. As for usability, different operating authorities can be set for different users; when a file must be exchanged with the outside, authorized persons are provided with options such as manual encryption and decryption. The overall scheme is complete, fundamentally solves the problem of information leakage in a cooperative working environment, takes the various application environments into account, and is highly usable.
Description of drawings
Fig. 1 is a schematic diagram of the information leakage prevention system of the present invention.
Fig. 2 is a flow chart of the technical implementation of information leakage prevention according to the present invention.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the invention is described in more detail below by means of a specific embodiment.
Fig. 1 is a schematic diagram of the information leakage prevention system. As shown, the system consists mainly of two parts: a client and a service end. The client is installed on every computer that needs to operate protected files and carries out the protection operations. The service end is installed on an independent computer in the network; it monitors and controls the client computers, manages certificates and keys, and performs operations such as authenticating users' operations on protected files at the client. The client and the service end are connected by a network. The combination of the functional devices in Fig. 1 constitutes the system of the present invention.
The service end has the following devices: monitoring device 1, identity authentication device 2, database 3, certificate and key management device 4, remote control device 5 and data transmission device 6. Data transmission device 6 is connected by a data bus to monitoring device 1, identity authentication device 2, database 3, certificate and key management device 4 and remote control device 5, respectively.
The client has the following devices: data transmission device 7, key management device 8, dynamic encryption and decryption device 10, key generation device 11, protection authority setting device 12, certificate verification device 13 and certificate generation device 14. Key management device 8 is connected to data transmission device 7, dynamic encryption and decryption device 10 and key generation device 11; certificate generation device 14 is connected to data transmission device 7 through certificate verification device 13; and protection authority setting device 12 is connected to key generation device 11.
If a protected file is to be given to personnel outside the internal network, it must also pass through manual encryption and decryption device 9.
Keys are used to encrypt and decrypt files; files are encrypted with the RSA (Rivest, Shamir, Adleman) algorithm. Certificates are used to verify the legitimacy of users: a CA (Certificate Authority) is set up at the service end, and certificate-based authentication is used to determine a user's identity and authority.
Protection authority setting device 12 is used when a user first encrypts a file and applies the authority settings the user selects. The authorities cover what users of different identities may do with the file, such as reading, writing, executing, printing and screen copying.
After the protection authority has been set, key generation device 11 performs the initial encryption of the file, and key management device 8 records and manages the encrypted file and its corresponding key. Key management device 8 also sends the relevant information to the service end for storage through data transmission devices 6 and 7. When the service end remotely controls the client, the related operations are carried out through key management device 8.
Key management device 8 records and manages protected files and their corresponding keys; when the client needs to open a protected file, the key management device supplies the correct key.
When a protected file is opened, dynamic encryption and decryption device 10 decrypts it on the fly with the key, so that the user can read and write the file according to their authority. When the protected file is saved, dynamic encryption and decryption device 10 encrypts it on the fly, ensuring that files stored on disk always exist in encrypted form and thereby preventing information leakage.
Data transmission devices 6 and 7 transmit data between the client and the service end over the network in encrypted form.
The client also has certificate generation device 14, which generates a certificate from hardware features of the computer, such as the serial number of the hard disk or the MAC (Media Access Control) address of the network card. This certificate is used to ensure the legitimacy of the computer operating protected files and prevents a client installed on a counterfeit computer from obtaining information illegally. The device also generates a corresponding certificate for verifying user identity from some of the user's personal information; a user who carries their own certificate on media such as a removable disk can use protected files with their own identity and authority on other computers in the internal network or in a self-defined security group.
Certificate verification device 13 verifies whether a user or computer is legitimate; if not, it stops the operation promptly and notifies the service end. Certificate verification device 13 is also responsible for sending the relevant certificates to the service end during verification and for obtaining the verification result from identity authentication device 2 of the service end.
Data transmission devices 6 and 7 transmit the various kinds of information between the client and the service end in encrypted form. Once the information reaches the service end, the service end performs its various management functions on the client. If a computer leaves the internal network and cannot connect to the service end, the client cannot work; because protected files are stored on the computer in encrypted form, without decryption by the client the file contents cannot leak.
Database 3 of the service end stores information such as the clients' user information, keys, certificates and user operations. User information, keys and certificates are kept in the database of the service end; when a client needs a key or certificate, it downloads it from the service end. User authority information is included in the user information.
Monitoring device 1 displays the operating state of all managed clients. Only after a client has been added in monitoring device 1 can the computer on which that client is installed work normally.
Remote control device 5 is used to manage and control all clients. It lets the service end configure clients remotely and so strengthens the protection against information leakage. Remote control device 5 issues various commands to clients, which are delivered through data transmission devices 6 and 7. Typical commands include making a computer with the client installed stop working, or setting special authority for a user working on that computer.
Certificate and key management device 4 manages the certificates and keys in the database and allows specific certificates and keys to be queried at the service end. After a client request is received, management device 4 finds the certificate or key the client needs and passes it to the client through data transmission devices 6 and 7.
Identity authentication device 2 determines whether a user may perform an operation and with what authority the user may operate a protected file. When a protected file is about to be operated on at the client, the client sends a request to the service end, and the identity authentication device decides whether the operation is allowed. If the identity authentication device determines that the request is illegitimate, the result is returned to the client and the client stops the operation.
Fig. 2 is a flow chart of the technical implementation of the present invention. The implementation of the information leakage prevention method of the present invention is described further with reference to Fig. 2.
When a protected file is to be operated on the client, the user's identity and authority and the legitimacy of the computer are verified first. The user's identity can be established in several ways, such as a user account, a certificate unique to the user, or the user's fingerprint. Different users of the same computer are also distinguished by their identity, so that different users have different operating authorities on one computer. The legitimacy of the computer is verified as well, by reading hardware identifiers from the computer, for example the serial number of its hard disk or the hardware address of its network card.
Step 201: the user's identity and the legitimacy of the computer are verified by sending a request to the service end, where identity authentication device 2 performs the verification and the user's authority is sent back to the client. According to the authority granted after server authentication, the client operates on the protected file through dynamic encryption and decryption device 10; if verification fails, operations on the protected file are not allowed. Verifying the user's identity and the computer's legitimacy over the network guarantees that files cannot be operated on once they leave the internal network, which solves the problem of internal files leaking after being taken out of the internal network by any route. It also guarantees that an external computer connected to the internal network cannot operate protected files, preventing information leakage. If a protected file must be operated on externally, it can be sent out of the network after an administrator has decrypted it, which ensures that every file leaving the network has been checked.
Step 202: after authentication succeeds, dynamic encryption and decryption device 10 decrypts the file before the protected file is opened, and the operation information is sent to the server end to be recorded. The decryption is transparent to the user, who does not notice it; from the user's point of view the protected file has simply been opened normally by the application software. If the verification in step 201 fails, the user sees the application software report that the file could not be opened. The novelty of this step is that the user still operates protected files with ordinary application software and the decryption is transparent, which removes the need for a third-party encryption and decryption tool to convert files, as ordinary encryption and decryption requires.
Step 203: the opened file is monitored continuously, and it is determined whether the file was opened after being decrypted. If so, the file is controlled according to the current user's authority to prevent information leakage. Even new files produced dynamically on the computer are encrypted automatically by dynamic encryption and decryption device 10 when they are saved.
Step 204: if the opened file is edited and then saved, the saved content is encrypted. The content stored on disk is therefore always encrypted, which ensures that a file is encrypted however it is copied elsewhere. The novelty of this step is that the protected file is encrypted before it is written to disk, blocking information leakage at the source. This avoids the problem that, when leakage is prevented by blocking individual leakage routes, a separate protective technique has to be developed for each route and not all routes can be blocked. For example, earlier leakage prevention methods might develop one measure against leakage by e-mail and another against leakage by portable hard disk, and still could not guard against everything.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
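The flow of steps 201 to 204, together with the hardware-derived machine identity of device 14, as an added sketch that is not part of the patent text. All class and function names are hypothetical, the sample users, serial numbers and file are constructed, and an HMAC-SHA256 stream cipher from the standard library stands in for the encryption the patent describes.

```python
# Added illustration: every name here is hypothetical, not taken from the patent.
import hashlib
import hmac
import os

def machine_fingerprint(disk_serial, mac):
    # Stand-in for the hardware-derived machine certificate (device 14).
    return hashlib.sha256(f"{disk_serial}|{mac.lower()}".encode()).hexdigest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: a stdlib-only stand-in cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)

class Server:
    """Identity authentication (2), key store (3, 4) and operation log in one object."""

    def __init__(self):
        self.rights = {}       # user -> set of permitted operations
        self.machines = set()  # fingerprints of clients added to monitoring (1)
        self.keys = {}         # file id -> file key
        self.audit = []        # (user, file id, operation, verdict)
        self.online = True

    def authorize(self, user, fingerprint, file_id, op):
        if not self.online:
            raise ConnectionError("service end unreachable")
        ok = fingerprint in self.machines and op in self.rights.get(user, set())
        self.audit.append((user, file_id, op, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{user} may not {op} {file_id} from this machine")
        # Simplification: the key is created here; in the patent the client
        # generates it (device 11) and uploads it for storage.
        return self.keys.setdefault(file_id, os.urandom(32))

class Client:
    def __init__(self, server, disk, user, disk_serial, mac):
        self.server, self.disk, self.user = server, disk, user
        self.fingerprint = machine_fingerprint(disk_serial, mac)

    def open(self, path):
        # Steps 201-202: verify with the service end first, then decrypt in memory.
        key = self.server.authorize(self.user, self.fingerprint, path, "read")
        return unseal(key, self.disk[path])

    def save(self, path, data):
        # Steps 203-204: only ciphertext is ever written to disk.
        key = self.server.authorize(self.user, self.fingerprint, path, "write")
        self.disk[path] = seal(key, data)

def attempt(action, *args):
    try:
        return action(*args)
    except (PermissionError, ConnectionError) as exc:
        return type(exc).__name__

def demo():
    server, share = Server(), {}  # `share` models a disk holding copies of the file
    server.rights = {"alice": {"read", "write"}, "bob": {"read"}}
    alice = Client(server, share, "alice", "WD-0001", "00:11:22:33:44:55")
    bob = Client(server, share, "bob", "WD-0002", "00:11:22:33:44:66")
    outsider = Client(server, share, "alice", "XX-9999", "de:ad:be:ef:00:01")
    server.machines = {alice.fingerprint, bob.fingerprint}
    secret = b"gearbox drawing rev C"  # constructed sample content
    alice.save("gearbox.dwg", secret)
    results = {
        "plaintext_on_disk": secret in share["gearbox.dwg"],
        "bob_reads": attempt(bob.open, "gearbox.dwg"),
        "bob_writes": attempt(bob.save, "gearbox.dwg", b"tampered"),
        "copied_to_unknown_machine": attempt(outsider.open, "gearbox.dwg"),
    }
    server.online = False  # the computer has left the internal network
    results["offline"] = attempt(alice.open, "gearbox.dwg")
    results["audit"] = list(server.audit)
    return results

if __name__ == "__main__":
    print(demo())
```

A fingerprint built from a disk serial and a MAC address identifies a machine but is not a hardware-protected credential; the sketch uses it only as a lookup key at the service end.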

Claims (5)

1. An information leakage prevention system for cooperative working environments, consisting of two parts, a client and a service end: the client is each computer that needs to operate protected files and performs the file protection operations; the service end is a computer installed in the network, which monitors and controls the authority of the clients, manages certificates and keys, authenticates users' operations on protected files, verifies the legal identity of the user side, records users' operation information, and handles the rights of use of opened files and the encryption of saved content; characterized in that the client and the service end are connected by a network, and the service end has the following devices:
Monitoring device (1), used to display the operating state of all managed clients;
Identity authentication device (2), which determines whether a user may perform an operation: when a protected file is about to be operated on at the client, the client sends a request to the service end; the identity authentication device verifies the user's identity to decide whether the operation is allowed, and sends the user's authority to the client only after the user's identity has been verified; after the service end has authenticated the client and before the protected file is opened, the client performs decryption through the dynamic encryption and decryption device and sends the operation information to the server end to be recorded, so that the opened file is monitored and controlled according to the current user's authority to prevent information leakage, while the information generated is encrypted;
According to the authority granted after server authentication, the client performs decryption through the dynamic encryption and decryption device, operates on the protected file, and sends the operation information to the server end to be recorded; if verification by the identity authentication device fails, the request is determined to be an illegitimate operation request, the result is returned to the client, the client stops the operation, and operations on the protected file are not allowed;
Database unit (3), used to store the clients' user information, keys, certificates and user operation information; user information, keys and certificates are kept in the database of the service end, and when a client needs a key or certificate, user authority information is downloaded from the service end;
Certificate and key management device (4), used to manage the certificates and keys in the database of the service end; specific certificates and keys are queried at the service end, and after a client request is received, the certificate or key the client needs is found and passed to the client through data transmission device (6);
Remote control device (5), used to manage and control all clients and to issue various commands to clients, which are sent to the clients through data transmission device (6), and to set authority for users;
Data transmission device (6), used for data transfer between the client and the service end; the service end manages the client, and if the client leaves the internal network and is not connected to the service end, the certificate verification device of the client cannot receive the legitimacy information and authority information returned by the service end and the client cannot operate protected files; protected files are stored on the client's computer in encrypted form, and without decryption by the client the file contents do not leak;
Data transmission device (6) is connected by a data bus to monitoring device (1), identity authentication device (2), database unit (3), certificate and key management device (4) and remote control device (5), respectively.
2. The information leakage prevention system for cooperative working environments according to claim 1, characterized in that the client has the following devices:
Second data transmission device (7), used for data transfer between the client and the service end;
Key management device (8), which records and manages protected files and their corresponding keys;
Dynamic encryption and decryption device (10), which decrypts a protected file on the fly with the key when it is opened, so that the user can read and write the file according to their authority, and encrypts the protected file on the fly when it is saved;
Key generation device (11), used to perform the initial encryption of a file;
Protection authority setting device (12), used when a user first encrypts a file, which applies the authority settings the user selects;
Certificate verification device (13), used to verify whether a user or computer is legitimate;
Certificate generation device (14), used to generate a certificate from hardware features of the computer;
Key management device (8) is connected to second data transmission device (7), dynamic encryption and decryption device (10) and key generation device (11); certificate generation device (14) is connected to second data transmission device (7) through certificate verification device (13); and protection authority setting device (12) is connected to key generation device (11).
3. A method of information leakage prevention for cooperative working environments, comprising the following steps:
Step 201: the legitimacy of the user's identity is verified by the client sending a request to the service end; when verification at the service end succeeds, the user's authority is sent to the client, and the client operates on the protected file according to the authority granted after server authentication; if verification fails, operations on the protected file are not allowed and the user sees the application software report that the file could not be opened;
Step 202: after verification succeeds, the dynamic encryption and decryption device decrypts the file before the protected file is opened, and the operation information is sent to the server end to be recorded;
Step 203: the dynamic encryption and decryption device monitors the opened file continuously and determines whether the file was opened after being decrypted; if so, the file is controlled according to the current user's authority to prevent information leakage; if it was not opened after being decrypted, the service end monitors modification operations on the opened file; the data transmission device transmits the various kinds of information between the client and the service end in encrypted form, and once the information reaches the service end, the service end performs its various management functions on the client; if the client leaves the internal network and is not connected to the service end, the certificate verification device of the client cannot receive the legitimacy information and authority information returned by the service end and the client cannot operate protected files; protected files are stored on the client's computer in encrypted form, and without decryption by the client the file contents cannot leak;
Step 204: if the decrypted file is edited and then saved, the saved content is encrypted, so that the content stored on disk is always encrypted, which ensures that a file is encrypted however it is copied elsewhere.
4. The method of information leakage prevention for cooperative working environments according to claim 3, characterized in that the user identity uses a user account, a certificate unique to the user, or the user's fingerprint as the identifier.
5. The method of information leakage prevention for cooperative working environments according to claim 3, characterized in that the legitimacy of the computer is verified by reading the serial number of the hard disk or the hardware address of the network card on the computer as the computer hardware identifier to determine the legitimacy of the computer.
Priority Applications (1)

Application Number: CNB2003101149373A
Priority Date: 2003-11-14
Filing Date: 2003-11-14
Title: Preventing system for information leakage under cooperative work environment and its realizing method
Status: Expired - Fee Related, CN100525176C (en)

Publications (2)

Publication Number, Publication Date
CN1617487A, 2005-05-18
CN100525176C, 2009-08-05

Family ID: 34760246

Country Status (1)

CN (1): CN100525176C (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090805

Termination date: 20101114