CN101938497B - Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof - Google Patents


Publication number
CN101938497B
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CN2010102921101A
Other languages
Chinese (zh)
Other versions
CN101938497A (en
Inventor
陈剑勇
陈宝楷
纪震
储颖
Current Assignee
Shenzhen University
Original Assignee
Shenzhen University
Application filed by Shenzhen University
Priority to CN2010102921101A
Publication of CN101938497A
Publication of CN101938497B


Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a multistage security file structure, and to a user terminal, service terminal, system and method for file access control and secret key management based on it. The multistage security file structure comprises a plurality of security levels for distinguishing files of different security levels, and each security level comprises a plurality of file sets that do not overlap each other. Each file set comprises a root node and a left child node and a right child node based on the root node: the left child node is the member set that can access the file set, the right child node is the files in the file set, and the root node stores the working secret key with which the member set accesses the files. Apart from its own files, the right child node of a file set in a higher security level also contains the file sets of the security level one level lower. The multistage security file structure is used to manage user access authorities separately and, together with control of user access authorities, realizes multistage protection management of computer files; meanwhile, soft and hard life cycles are added to the secret keys so that new and old secret keys are substituted effectively, thereby realizing safe use of the secret keys.

Description

Multi-level security document group setting method, file access control and key management user terminal, service terminal, system and method
Technical Field
The present invention relates to a computer file system, and more particularly, to a multi-level security document group setting method of a computer file system, and a file access control and key management user terminal, a service terminal, a system and a method thereof.
Background
The traditional computer file system does not support user access right control, does not encrypt and store files, and does not distinguish and treat important files and common files, so that the files can be copied and spread at will, which is not beneficial to the safety of file contents.
Some computer file systems support encryption of files, but they do not guarantee the security of the encryption key. The security of the file encryption key is crucial to file security: once the encryption key is illegally acquired, the protection of the file is endangered.
For example, the invention patent with publication number CN 1567255A discloses a storage and access control method for a secure file system, which applies digital signature technology and encryption technology to the file system and prevents files from being tampered with by digitally signing them and performing originality authentication; according to the different security requirements of file storage, different encryption algorithms and encryption strengths are adopted to encrypt the stored files, preventing information leakage and the like caused by file theft.
However, the above prior art has the following disadvantages: 1. the access authority of the user is not distinguished and controlled, and flexible file classification management cannot be realized; 2. the problem of updating the file encryption key cannot be solved, and the security requirement of file encryption protection cannot be well met.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a multi-level security document group setting method, a file access control and key management user terminal, a service terminal, a system and a method thereof.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a multi-level security document group setting method is constructed, wherein the method comprises the following steps:
setting a plurality of security levels for distinguishing documents with different security levels, wherein each security level is provided with a plurality of document groups which are not overlapped with each other;
each document group is set to comprise a root node, a left child node and a right child node based on the root node;
the left child node is set as a member group which can access the document group, the right child node is set as a document in the document group, and the root node stores a work key for the member group to access the document;
the right child node of a document group with a higher security level is set to also contain the document groups of the lower security level, and the members of the document group with the higher security level hold the working key of the document group with the lower security level by default.
In the multi-level security document group setting method of the invention, the document group is identified by a number K_im, wherein i represents the security level of the documents in the document group, and m represents the sequence number of the document group within that security level; each document group is set to adopt its own number as its root node; wherein i and m are natural numbers.
In the multi-level security document group setting method of the invention, a document contained in a right child node is set to comprise file content and a file tail; wherein,
the file tail comprises: file encryption identification, file access authority identification and key version number;
the file access authority identification is composed of the file security level and the information of the document group to which the file belongs.
In the multi-level security document group setting method of the invention, a working key is set to comprise: file access control authority identification, a key version number, a key control symbol, key material, a random number, a key soft life cycle and a key hard life cycle;
wherein, the hard life cycle of the secret key is the life cycle of the secret key set by the computer system; the key soft life cycle is the key expiration time caused by other reasons before the key hard life cycle is finished.
The invention also provides a file access control and key management user terminal based on the multi-level security document group setting method, which comprises:
the user login server authentication module is used for acquiring a user ID, a user key and user login time and sending the user ID, the user key and the user login time to the service terminal;
the key generation and use module is used for generating a working key and realizing alternation between a new key and an old key through a key soft and hard life cycle and a key control symbol;
and the file management module is used for storing files and sending the file protection range information corresponding to the logged user ID to the service terminal.
The invention also provides a file access control and key management service terminal based on the multi-level security document group setting method, which comprises:
the user authentication module is used for authenticating the legitimacy of the user according to the user key stored by the server and, after a legitimate user passes authentication, generating from the user key and the login time a key shared with the user terminal for communication, which is used for transmitting feedback information;
the authority configuration module is used for finishing the change of the user authority and determining the user authority;
the key management module is used for completing the distribution, updating and maintenance of keys;
the file management module is used for grading and grouping files and sending the grade and group information of the files to the key management module;
and the key control module is used for determining the key material distributed to the user through comprehensive consideration of user authority configuration, user limited authority and file information protected by the user side.
The invention also provides a file access control and key management system based on the multistage security file set setting method, which comprises the user terminal and a service terminal in communication connection with the user terminal.
The invention also provides a file access control and key management method based on the multi-level security file set setting method, which comprises the following steps:
acquiring a user ID, a user key and user login time;
authenticating the legitimacy of the user according to the user key stored by the server and, after a legitimate user passes authentication, generating from the user key and the login time a key shared with the user terminal for communication, so as to transmit feedback information of the server terminal;
according to the file protection range information corresponding to the logged-in user ID, classifying and grouping files to complete the distribution, updating and maintenance of the key;
determining a key material distributed to a user by comprehensively considering user right configuration, user limited right and file information protected by a user side;
a working key is generated based on the assigned keying material.
The file access control and key management method of the present invention, wherein the step of determining the key material allocated to the user by comprehensively considering the user right configuration, the user restricted right and the file information protected by the user side, specifically comprises the following steps:
acquiring a user default authority;
filtering the limited authority of the user;
filtering keys that the user does not need to use;
the keying material ultimately assigned to the user is determined.
The file access control and key management method of the invention, wherein the updating process of the key comprises the following steps:
checking whether a key hard life cycle of the key expires;
if the hard life cycle of the key has expired, setting the key control symbol of the newer-version key, replacing the old key with it and clearing the old key;
if the hard life cycle of the secret key is not expired, judging whether the soft life cycle of the secret key is expired;
if the soft life cycle of the key has expired, acquiring the key identifier of the new version of the key, setting the new key, setting the key control symbol of the old version of the key, and updating the key information of the tree structure;
if the key soft lifecycle has not expired, the check is completed.
By storing files with hierarchical encryption using the multi-level security document group setting method, the invention lets a user read and write files normally as long as the user has sufficient authority; file sharing among legitimate users is not affected, and the security requirements of the files are met at the same time.
Based on the multi-level security document group setting method, user access authorities are managed separately, and together with control of user access authority, the access authority of each user can be set flexibly, achieving fine-grained management of document classification. The identity of a user entering the file protection area is verified, and a legitimate user can enter the file protection area, which prevents unauthorized access and forbids any operation by illegitimate users on the protected files. Multi-level protection management of computer files is thus realized.
Meanwhile, the invention also addresses the security risk of key leakage: keys are updated regularly or when necessary, so that keys are used safely and the security of file encryption protection is ensured.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a block diagram of a multi-level protected file set according to a preferred embodiment of the present invention;
FIG. 2 is a key management diagram of the preferred embodiment of the present invention;
FIG. 3 is a flowchart of the document group key update of the preferred embodiment of the present invention;
FIG. 4 is a key control flow of the preferred embodiment of the present invention;
FIG. 5 is a diagram illustrating key distribution and user rights modification according to a preferred embodiment of the present invention;
FIG. 6 is a block diagram of the functional modules of the file access control and key management system in accordance with the preferred embodiment of the present invention;
FIG. 7 is a diagram illustrating the status of information interaction between functional modules of the file access control and key management system according to the preferred embodiment of the present invention.
Detailed Description
The multi-level security document group structure produced by the multi-level security document group setting method of the embodiment of the invention is shown in fig. 1, and the embodiment comprises the following steps: setting a plurality of security levels for distinguishing documents with different security levels, wherein each security level is provided with a plurality of document groups which do not overlap each other; each document group is set to include a root node, and a left child node and a right child node based on the root node. The left child node is set as the member group which can access the document group, the right child node is set as the documents in the document group, and the root node stores a working key with which the member group accesses the documents. The right child node of a document group with a higher security level is set to also contain the document groups of the lower security level, and the members of the document group with the higher security level hold the working key of the document group with the lower security level by default.
In this embodiment, the document group is preferably identified by a number K_im, where i represents the security level of the documents in the document group, and m represents the sequence number of the document group within that security level; each document group is set to adopt its own number as its root node. Here i and m are natural numbers.
In this embodiment, preferably, a document included in the right child node is set to include the file content and the file tail. As shown in table 1 below, the file tail includes: file encryption identification, file access authority identification and key version number. The file access authority identification is composed of the file security level and the information of the document group to which the file belongs.
TABLE 1 File Structure
As shown in table 2 below, the working key in each of the above embodiments is configured to include: file access control authority identification, key version number, key control symbol, key material, random number, key soft life cycle and key hard life cycle. Wherein, the hard life cycle of the secret key is the life cycle of the secret key set by the computer system; the soft life cycle of the key is the key expiration time caused by other reasons before the end of the hard life cycle of the key.
Table 2 key structure
The formation of the multilevel security document set structure in the above embodiment is described in detail with reference to fig. 1:
The documents are first classified into several levels according to security level. Here it is assumed that the documents are classified into three levels Pi (1 ≦ i ≦ 3), corresponding to three security levels, namely, a security level, a secret level and a secret level. Then, within each security level, the documents can be divided according to the actual needs of the enterprise into document groups K_im that do not overlap each other (where i indicates which security level the document group belongs to and m indicates which document group within that security level it is).
Each document group has a different working key that is used to encrypt and decrypt the files in the document group. A document group generates a tree of the following form: the document group ID is the root node, the left child node M is the group of members that can access the document group, and the right child node D is the documents in the document group, as shown in FIG. 1. Thus, the members of the member group are associated with the files of the document group via the root node of the document group, which also means that the members of the member group can operate on the files belonging to the document group by means of the keys of the document group.
Besides its own documents, the right child node of a document group with a higher protection level also contains the document groups of the protection level below it. Proceeding from top to bottom in this way, the document groups represented as trees form a key management graph consisting of members, keys and documents, as shown in fig. 2, which assumes that each document group has two members and two files.
In the key management graph of fig. 2, built from the tree structure of a single document group discussed above, a member at a higher protection level holds by default, through the relationship between layers, the working keys of its own document group and of the document groups at lower protection levels. For example, a member under K_im holds the working key that protects the m-th document group of level i, and also all working keys of levels lower than level i. Because the document groups do not overlap each other, and the members who can access each document group do not overlap either, the distribution of member working keys, the update of document group keys, and the key updates caused by members joining or leaving a member group can all be managed according to the key management graph shown in fig. 2.
The invention also provides a file access control and key management method based on the above multistage security document group setting method, wherein the method comprises the following steps:
acquiring a user ID, a user key and user login time;
authenticating the legitimacy of the user according to the user key stored by the server and, after a legitimate user passes authentication, generating from the user key and the login time a key shared with the user terminal for communication, so as to transmit feedback information of the server terminal;
according to the file protection range information corresponding to the logged-in user ID, classifying and grouping files to complete the distribution, updating and maintenance of the key;
determining a key material distributed to a user by comprehensively considering user right configuration, user limited right and file information protected by a user side;
a working key is generated based on the assigned keying material.
In the above embodiment, the step of determining the key material allocated to the user, that is, the key control, is performed by comprehensively considering the user right configuration, the user restricted right, and the file information protected by the user side, and the flowchart is shown in fig. 4, and specifically includes the following steps: acquiring a user default authority; filtering the limited authority of the user; filtering keys that the user does not need to use; the keying material ultimately assigned to the user is determined.
In the above embodiment, the flowchart of the process for completing the update of the document group key is shown in fig. 3, and includes the following steps: checking whether a key hard life cycle of the key expires; if the hard life cycle of the secret key expires, setting a secret key control symbol of a newer version of the secret key, replacing the old secret key, clearing the old secret key, updating the secret key information of the tree structure, and finishing updating; if the hard life cycle of the secret key is not expired, judging whether the soft life cycle of the secret key is expired; if the soft life cycle of the key expires, acquiring the key identification of the new version of the key, setting a new key, setting the key control symbol of the old version of the key, updating the key information of the tree structure, and finishing updating; if the key soft lifecycle has not expired, the check is completed.
When the document group key is updated, a new key version number is derived from the key version number of the old key: the last bit of the old key's version number is inverted to give the new key's version number, so that the new key can be distinguished from the old key and can easily be found from the file access control authority identifier and the old key's version number. Then the material and life cycles of the new key are set, and the new/old key control symbol of the new key is set to 11 to distinguish it from the old key, while the new/old key control symbol of the old key is set to 10, indicating that the old and new keys exist at the same time. The node information of the document group is stored in the key management graph structure. When the server distributes keys to a user, it only needs to read the key information on the relevant document group nodes, and when new and old keys exist at the same time, both versions are sent to the user. When the server finds that the hard life cycle of the old key is over, it replaces the old key with the new key: the old key's information is cleared from the document group node, and the new/old key control symbol of the new key is set to 00.
When a file needs to be read by using a key, firstly, the access authority of a user is matched, if the access authority is legal, then, an identifier which is consistent with a file header (file access authority identifier + key version number) is searched in a working key list of the user, and then, the content of the working key is taken out to decrypt the file content. After the file writing operation is completed, when the file is stored in the disk, the content of the file needs to be encrypted. Firstly, whether the encryption key of the file should be updated is judged through the new and old key control symbols of the file, and if the control symbols are 10, the encryption key of the file is in the new and old alternation stage. The last bit of the key version number in the file header is inverted, then the identifier which is consistent with the (file access authority identifier + key version number) is searched in the working key list of the user, and the key is taken out to encrypt and store the file.
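The update check and the key selection for reading and saving a file, as described above, in an added Python example that is not part of the patent text. The control symbols 00, 10 and 11 and the inversion of the last version bit come from the description; the class and function names, integer timestamps, random key material and the immediate switch when a lone key passes its hard life cycle are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional

# New/old key control symbols, values as given in the description.
CTRL_SINGLE, CTRL_OLD, CTRL_NEW = "00", "10", "11"


@dataclass
class WorkingKey:
    access_id: str    # file access authority identifier (level + group), e.g. "K21"
    version: int      # key version number; its last bit is inverted on update
    control: str      # new/old key control symbol
    material: bytes   # key material (random bytes here, an assumption)
    soft_expiry: int  # end of the soft life cycle (integer time, an assumption)
    hard_expiry: int  # end of the hard life cycle


@dataclass
class Trailer:
    """The per-file fields used for key lookup."""
    encrypted: bool
    access_id: str
    version: int


class GroupNode:
    """Key information held on one document group node."""

    def __init__(self, access_id: str, now: int, soft: int, hard: int):
        self.soft, self.hard = soft, hard
        self.old: Optional[WorkingKey] = None
        self.current = self._make(access_id, 0, CTRL_SINGLE, now)

    def _make(self, access_id: str, version: int, control: str, now: int) -> WorkingKey:
        return WorkingKey(access_id, version, control, secrets.token_bytes(32),
                          now + self.soft, now + self.hard)

    def check(self, now: int) -> str:
        """One pass of the update check: hard life cycle first, then soft."""
        if self.old is not None:
            if now >= self.old.hard_expiry:
                # Old key is cleared and the new key becomes the only key.
                self.current.control = CTRL_SINGLE
                self.old = None
                return "old key cleared"
            return "overlap"
        k = self.current
        if now >= k.hard_expiry:
            # Assumption: a lone key past its hard life cycle is switched at once.
            self.current = self._make(k.access_id, k.version ^ 1, CTRL_SINGLE, now)
            return "replaced"
        if now >= k.soft_expiry:
            # Start the overlap: old key marked 10, new key created as 11.
            k.control = CTRL_OLD
            self.old = k
            self.current = self._make(k.access_id, k.version ^ 1, CTRL_NEW, now)
            return "new key issued"
        return "ok"

    def distribute(self) -> List[WorkingKey]:
        """Keys sent to a user: both versions while old and new coexist."""
        return [k for k in (self.old, self.current) if k is not None]


def key_for_read(keys: List[WorkingKey], trailer: Trailer) -> Optional[WorkingKey]:
    """Find the key matching (access authority identifier + key version number)."""
    table = {(k.access_id, k.version): k for k in keys}
    return table.get((trailer.access_id, trailer.version))


def key_for_write(keys: List[WorkingKey], trailer: Trailer) -> Optional[WorkingKey]:
    """Pick the key for saving; during the overlap move the file to the new key."""
    k = key_for_read(keys, trailer)
    if k is not None and k.control == CTRL_OLD:
        trailer.version ^= 1  # invert the last bit of the stored version number
        k = key_for_read(keys, trailer)
    return k
```

In this model a file that still carries the old version number after the old key is cleared has no matching key, so files need to be saved again during the overlap between soft and hard expiry.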
It should be understood that the correspondence relationship between the user, the key and the file mentioned in the key management diagram (fig. 2) of the present invention is a logical relationship, and the management of the user right and the key can be understood and realized more intuitively through the form of the diagram, but there are many ways that such a logical relationship can be expressed, and therefore, the present invention is not limited to the content expressed in the diagram.
The invention also provides a file access control and key management user terminal based on the multi-level security document group setting method, which is in communication connection with a service terminal and comprises a user login server authentication module, a key generation and use module and a file management module. The user login server authentication module is used for acquiring a user ID, a user key and user login time and sending them to the service terminal; the key generation and use module is used for generating a working key and realizing alternation between a new key and an old key through the key soft and hard life cycles and the key control symbol; and the file management module is used for storing files and sending the file protection range information corresponding to the logged-in user ID to the service terminal.
The invention also provides a file access control and key management service terminal based on the multi-level security document group setting method, which comprises a user authentication module, an authority configuration module, a key management module, a file management module and a key control module. The user authentication module is used for carrying out legality authentication on a user according to a user key stored by the server, and after the legal user passes through the user authentication module, a key which is communicated and shared with the user terminal is generated according to the user key and login time and is used for transmitting feedback information of the service terminal; the authority configuration module is used for finishing the change of the user authority and determining the user authority; the key management module is used for completing the distribution, updating and maintenance of keys; the file management module is used for grading and grouping files and sending the grade and group information of the files to the key management module; and the key control module is used for determining the key material distributed to the user through comprehensive consideration of user authority configuration, user limited authority and file information protected by the user side.
The present invention also provides a file access control and key management system based on the multi-level security document set setting method in the foregoing embodiment, as shown in fig. 6, including the user terminal and the service terminal in the foregoing embodiment, where information interaction between the user terminal and the service terminal is shown in fig. 7. A user login server authentication module of a user terminal needs to provide information such as a user ID, a user key, login time and the like to a server and wait for feedback of the server; the key generation and use module is mainly responsible for the coordination between the generation of the file working key and the new and old keys: only when entering the file protection area, the file working key is generated, and when the user exits the file protection area, the module destroys all the working keys so as to achieve the safety of key use; seamless alternation of new and old keys is realized through the key soft and hard life cycle, the key control symbol and the like, and users do not need to participate. The file management module is responsible for the file range protected by the user terminal, and the server terminal needs to control the distributed key material according to the file existence information provided by the module.
The user authentication module of the service terminal is responsible for login authentication of the user: it authenticates the legitimacy of the user using the user key stored in the server and, after a legitimate user passes authentication, generates from the user key and the login time a key shared with the user terminal for communication, which is used for transmitting feedback information of the server. The authority configuration module is responsible for changing the authority of the user and determining the authority of the user. The key management module is the most important: it is responsible for the distribution, updating and maintenance of keys, and thereby realizes the safe use of keys. The file management module is mainly responsible for grading and grouping files and then transmitting this information to the key management module. The key control module controls the key material that the server distributes to users, and determines the key material distributed to a user by comprehensively considering user authority configuration, user limited authority and the file information protected by the user side.
In the system of this embodiment, as shown in fig. 5, when the key is assigned and the user right is changed, at the user terminal and the server, the tasks to be completed by the communication between them and the internal processing of each of them respectively include:
At the user terminal: the user logs in for authentication and sends the login time to the server as a random number; the login time T is stored at the user terminal. The user generates a user key using his own login key and the login time, decrypts the key material returned by the server's key management/key control module, and generates the working keys for the files.
At the server side: the server determines the authority of the user according to the user's ID in the key management graph, and then, in cooperation with the key control module, determines which keys should be distributed to the user. The server generates the user key using the user login key, encrypts the key material to be distributed, and transmits the encrypted key material to the user. When an employee leaves the enterprise, the keys used by the employee when working must be updated. Which document group keys need to be updated is determined according to the employee's ID and authority policy management, and the update operation is similar to the update of the document group keys. When a new employee joins the enterprise, the employee need only be added to the document group to which he belongs. When an employee moves between enterprise departments and his authority changes, the document groups whose keys need to be updated can be determined according to the employee's ID and authority policy management in the key management graph.
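The key control steps (default authority, filter limited authority, filter unneeded keys) and the choice of document group keys to update when an employee leaves, both described above, in an added Python example that is not part of the patent text. The names, the convention that a larger i means a higher security level, and the rule that every key the leaving user could have received is updated are assumptions; the sample users and groups in the usage are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Group = Tuple[int, int]  # (i, m): security level i, group number m in that level


@dataclass
class KeyGraph:
    """Members and document groups of the key management graph."""
    groups: Set[Group] = field(default_factory=set)
    member_of: Dict[str, Group] = field(default_factory=dict)        # left child nodes
    restricted: Dict[str, Set[Group]] = field(default_factory=dict)  # limited authority

    def add_group(self, group: Group) -> None:
        self.groups.add(group)

    def add_member(self, group: Group, user: str) -> None:
        # Member groups do not overlap: a user belongs to exactly one group.
        if group not in self.groups:
            raise KeyError(group)
        if self.member_of.get(user, group) != group:
            raise ValueError(f"{user} already belongs to {self.member_of[user]}")
        self.member_of[user] = group

    def default_authority(self, user: str) -> Set[Group]:
        """Own group plus every group of a lower level.

        Assumption: a larger i means a higher security level.
        """
        own = self.member_of[user]
        return {own} | {g for g in self.groups if g[0] < own[0]}

    def key_control(self, user: str, client_groups: Set[Group]) -> Set[Group]:
        """Groups whose key material is sent to the user.

        Steps: default authority, minus limited authority, minus keys for
        groups with no files in the client's reported protection range.
        """
        allowed = self.default_authority(user) - self.restricted.get(user, set())
        return allowed & client_groups

    def rekey_on_leave(self, user: str) -> Set[Group]:
        """Remove a user and return the groups whose keys need updating.

        Assumption: every key the user could have received is updated.
        """
        affected = self.default_authority(user) - self.restricted.get(user, set())
        del self.member_of[user]
        self.restricted.pop(user, None)
        return affected


def build_sample() -> KeyGraph:
    """Constructed sample graph: three levels, five groups, three users."""
    g = KeyGraph()
    for grp in [(1, 1), (1, 2), (2, 1), (2, 2), (3, 1)]:
        g.add_group(grp)
    g.add_member((3, 1), "alice")
    g.add_member((2, 1), "bob")
    g.add_member((1, 2), "carol")
    g.restricted["alice"] = {(2, 2)}
    return g
```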
The invention stores files with hierarchical encryption by using the multi-level security document group setting method. A user with sufficient authority can read and write files normally, so file sharing among legitimate users is not affected, while the security requirements for the files are still met.
Based on the multi-level security document group setting method, user access authority is differentiated and managed; combined with control of user access authority, each user's access authority can be set flexibly, achieving fine-grained management of document classification. The identity of a user entering the file protection area is verified, so that only legitimate users can enter; this prevents unauthorized access and forbids any operation by illegitimate users on protected files. Multi-level protection management of computer files is thereby realized.
The invention also addresses the security risk of key leakage: keys are updated regularly or when necessary, so that keys remain safe to use and the security of file encryption protection is ensured.
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (10)

1. A method for setting a multi-level security document group, comprising the steps of:
setting a plurality of security levels for distinguishing documents with different security levels, wherein each security level is provided with a plurality of document groups which are not overlapped with each other;
each document group is set to comprise a root node, a left child node and a right child node based on the root node;
the left child node is set as a member group which can access the document group, the right child node is set as a document in the document group, and the root node stores a work key for the member group to access the document;
the right child node of a document group with a higher security level is set to contain, in addition to its own documents, a document group one security level lower, and the members of the document group with the higher security level have the working key of the document group with the lower security level by default;
the working key is set to further comprise a file access control authority identifier and a key version number, the document group is also used for updating keys, the key version number of a new working key is set according to the key version number of an old working key, the last bit of the key version number of the old working key is negated to obtain the key version number of the new working key, and the new key is obtained according to the file access control authority identifier of the old working key and the key version number of the new working key.
2. The method of claim 1, wherein the document group is set to be identified by a number K_im, wherein i represents the security level of the document in the document group, and m represents the document group number corresponding to the document group in the security level; each document group is set to adopt its own number as a root node; wherein i and m are natural numbers.
3. The method of claim 1, wherein the document included in the right child node is arranged to include a file content and a file end; wherein,
the file end comprises: file encryption identification, file access authority identification and key version number;
the file access authority identification is composed of a file security level and the belonging document group information.
4. The method of claim 1, wherein the setting of the working key further comprises: a key control symbol, key material, a random number, a key soft life cycle and a key hard life cycle;
wherein, the hard life cycle of the secret key is the life cycle of the secret key set by the computer system; the key soft life cycle is the key expiration time caused by other reasons before the key hard life cycle is finished.
5. A file access control and key management user terminal based on the method for setting a multi-level security document set of claim 1, comprising:
the user login server authentication module is used for acquiring a user ID, a user key and user login time and sending the user ID, the user key and the user login time to the service terminal;
the key generation and use module is used for generating a working key and realizing alternation between a new key and an old key through a key soft and hard life cycle and a key control symbol;
and the file management module is used for storing files and sending the file protection range information corresponding to the logged user ID to the service terminal.
6. A file access control and key management service terminal based on the multi-level security document set setting method of claim 1, comprising:
the user authentication module is used for authenticating the legitimacy of the user according to the user key stored by the server, and, after a legitimate user passes authentication, generating a key shared with the user terminal according to the user key and the login time, the key being used for transmitting feedback information;
the authority configuration module is used for finishing the change of the user authority and determining the user authority;
the key management module is used for completing the distribution, updating and maintenance of keys;
the file management module is used for grading and grouping files and sending the grade and group information of the files to the key management module;
and the key control module is used for determining the key material distributed to the user through comprehensive consideration of user authority configuration, user limited authority and file information protected by the user side.
7. A file access control and key management system based on the multi-level security document set setting method of claim 1, comprising the user terminal of claim 5 and the service terminal of claim 6 communicatively connected to the user terminal.
8. A file access control and key management method based on the multi-level security document set setting method of claim 1, comprising the steps of:
acquiring a user ID, a user key and user login time;
authenticating the legitimacy of a user according to a user key stored by a server, and, after a legitimate user passes authentication, generating a key shared with a user terminal according to the user key and login time so as to transmit feedback information of the service terminal;
according to the file protection range information corresponding to the logged-in user ID, classifying and grouping files to complete the distribution, updating and maintenance of the key;
determining a key material distributed to a user by comprehensively considering user right configuration, user limited right and file information protected by a user side;
a working key is generated based on the assigned keying material.
9. The method for file access control and key management as claimed in claim 8, wherein said step of determining the keying material assigned to the user by comprehensively considering the user right configuration, the user restricted right and the file information protected by the user side comprises the steps of:
acquiring a user default authority;
filtering the limited authority of the user;
filtering keys that the user does not need to use;
the keying material ultimately assigned to the user is determined.
10. The file access control and key management method of claim 8, wherein the completion of the key update process comprises the steps of:
checking whether the key hard life cycle of the key has expired;
if the key hard life cycle has expired, setting the key control symbol of the newer-version key so that it replaces the old key, and clearing the old key;
if the key hard life cycle has not expired, judging whether the key soft life cycle has expired;
if the key soft life cycle has expired, acquiring the key identifier of the new-version key, setting the new key, setting the key control symbol of the old-version key, and updating the key information of the tree structure;
if the key soft life cycle has not expired, the check is completed.
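
The update check of claim 10, together with the version-number rule of claim 1 and the key fields of claim 4, as an added Python example that is not part of the patent text. The class and function names, the control-symbol values `active`/`superseded`, the caller-supplied key material, the plain-number timestamps and the group identifier used with it are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ACTIVE, SUPERSEDED = "active", "superseded"  # assumed key control symbol values


@dataclass
class WorkKey:
    access_id: str      # file access control authority identifier
    version: int        # key version number
    material: bytes     # key material, supplied by the server
    soft_expiry: float  # end of the key soft life cycle
    hard_expiry: float  # end of the key hard life cycle
    control: str = ACTIVE


@dataclass
class DocumentGroup:
    access_id: str
    keys: dict = field(default_factory=dict)  # version -> WorkKey, held at the root node

    def install(self, version, material, now, soft_ttl, hard_ttl):
        self.keys[version] = WorkKey(self.access_id, version, material,
                                     now + soft_ttl, now + hard_ttl)

    def key_for(self, file_end_version):
        """Select the key named by the version number in a file end (claim 3)."""
        return self.keys.get(file_end_version)


def next_version(version):
    """Claim 1: negate the last bit of the old key version number."""
    return version ^ 1


def check_key(group, now, new_material, soft_ttl, hard_ttl):
    """One pass of the claim 10 check on the group's oldest key."""
    old = min(group.keys.values(), key=lambda k: k.hard_expiry)
    new_ver = next_version(old.version)
    if now >= old.hard_expiry:
        # Hard life cycle over: the newer version replaces the old key and
        # the old key is cleared (in this model, a file still at the old
        # version can no longer be decrypted).
        if new_ver not in group.keys:
            group.install(new_ver, new_material, now, soft_ttl, hard_ttl)
        group.keys[new_ver].control = ACTIVE
        del group.keys[old.version]
        return "replaced"
    if now >= old.soft_expiry and old.control == ACTIVE:
        # Soft life cycle over: install the new version for new writes and
        # mark the old key so it only serves files whose file end names it.
        group.install(new_ver, new_material, now, soft_ttl, hard_ttl)
        old.control = SUPERSEDED
        return "rotated"
    return "ok"
```

Because the new version number is the old one with its last bit negated, a group only ever alternates between two version numbers, so the old key has to be cleared at hard expiry before its number is issued again. In this model a rotation of the current key is deferred while a superseded key is still inside its hard life cycle.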
CN2010102921101A 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof Expired - Fee Related CN101938497B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102921101A CN101938497B (en) 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof

Publications (2)

Publication Number Publication Date
CN101938497A CN101938497A (en) 2011-01-05
CN101938497B true CN101938497B (en) 2013-01-30

Family

ID=43391626

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102921101A Expired - Fee Related CN101938497B (en) 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof

Country Status (1)

Country Link
CN (1) CN101938497B (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102271332B (en) * 2011-07-18 2017-09-12 中兴通讯股份有限公司 End message time slot scrambling and device
CN102938762B (en) * 2012-10-26 2015-09-09 深圳出入境检验检疫局信息中心 A kind of file safety management system based on mobile terminal
CN104517062A (en) * 2013-09-26 2015-04-15 中兴通讯股份有限公司 Method and device for sub authority document management based on document object model
CN103746798B (en) * 2013-12-12 2017-12-26 中国科学院深圳先进技术研究院 A kind of data access control method and system
CN104182503A (en) * 2014-08-18 2014-12-03 上海众恒信息产业股份有限公司 Cloud platform data access safety isolation method
CN105389364B (en) * 2015-11-06 2020-02-04 中国科学院自动化研究所 Digital cultural relic safety sharing system
CN105426776A (en) * 2015-11-13 2016-03-23 浪潮软件集团有限公司 Electronic document management device and method
CN105930742A (en) * 2016-04-18 2016-09-07 Ubiix有限公司 Enterprise archive monitoring, transmitting and retransmitting method and device and applied communication equipment
CN106603509B (en) * 2016-11-29 2020-07-07 中科曙光信息技术无锡有限公司 Enterprise document management method
CN107368749B (en) * 2017-05-16 2020-09-15 阿里巴巴集团控股有限公司 File processing method, device, equipment and computer storage medium
CN108427889A (en) * 2018-01-10 2018-08-21 链家网(北京)科技有限公司 Document handling method and device
CN110493168A (en) * 2018-07-19 2019-11-22 江苏恒宝智能***技术有限公司 Medical curative effect based on asymmetric encryption techniques monitors sharing method
CN109284426B (en) * 2018-08-23 2021-02-19 中信天津金融科技服务有限公司 Multi-data document classification system based on permission level
CN109408464A (en) * 2018-10-10 2019-03-01 广州力挚网络科技有限公司 A kind of graded access method and apparatus
CN109614792B (en) * 2018-11-29 2022-02-08 中国电子科技集团公司第三十研究所 Hierarchical file key management method
CN109635905B (en) * 2018-12-06 2022-09-02 南京中孚信息技术有限公司 Two-dimensional code generation method, device and system
CN109743292A (en) * 2018-12-12 2019-05-10 杭州安恒信息技术股份有限公司 A kind of method and system of shared data cascade protection
CN111259435A (en) * 2020-01-09 2020-06-09 平安科技(深圳)有限公司 Contract encryption and decryption method and device and computer readable storage medium
CN111782911A (en) * 2020-07-24 2020-10-16 三一重能有限公司 Document management method and system and electronic equipment
CN111984590A (en) * 2020-09-01 2020-11-24 冠群信息技术(南京)有限公司 System and method for identifying, filing and storing paper documents
CN112214656B (en) * 2020-09-15 2022-08-19 湖南汽车工程职业学院 Scientific research document management system convenient for searching safety
CN116108423B (en) * 2023-04-12 2023-06-20 福昕鲲鹏(北京)信息科技有限公司 Rights management method and device for open format document OFD
CN118133322B (en) * 2024-05-06 2024-07-19 上海合见工业软件集团有限公司 EDA software design data sharing method, electronic device and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859086A (en) * 2005-12-31 2006-11-08 华为技术有限公司 Content grading access control system and method
CN101047978A (en) * 2006-03-27 2007-10-03 华为技术有限公司 Method for updating key in user's set
CN101442404A (en) * 2008-12-30 2009-05-27 北京中企开源信息技术有限公司 Multilevel management system and method for license
CN101605137A (en) * 2009-07-10 2009-12-16 中国科学技术大学 Safe distribution file system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7606801B2 (en) * 2005-06-07 2009-10-20 Varonis Inc. Automatic management of storage access control

Also Published As

Publication number Publication date
CN101938497A (en) 2011-01-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130130

Termination date: 20180926