Summary of the invention
The object of the invention is to propose a shared-file encryption system that is adapted to file cloud storage systems and achieves file security, so as to overcome the deficiencies of existing schemes.
To achieve this object, the technical solution adopted by the present invention is as follows:
A file encryption system oriented to shared secure file directories, the file encryption system comprising a secure file directory, a file encryption filter and a file encryption filter auxiliary process, wherein:
Secure file directory: a directory of the computer file system that the user has selected for security protection. Files saved in the secure file directory, and files saved in its subordinate directories, are encrypted files that the file encryption filter generates by encrypting them automatically. An encrypted file has the same file suffix as the file before encryption, so the file type stays unchanged across encryption. The secure file directory and its subordinate directories set, or inherit, a file decryption control policy; the file decryption control policy of a directory (set or inherited) specifies the default decryption control policy and the authorized users of the encrypted files under that directory. If a directory in the secure file directory (including any direct or indirect subordinate directory of the secure file directory) has no file decryption control policy set, it inherits the file decryption control policy of its parent directory; if the parent directory also has no file decryption control policy set, the parent in turn inherits the policy of the next directory up, and so on upward until a directory that has a file decryption control policy set is reached and its policy is inherited. The file decryption control policy of a directory comprises individual decryption control policies for individual users and group decryption control policies for group users. An individual decryption control policy of a directory specifies that a particular individual user has the authority to decrypt the encrypted files under the directories that the policy applies to or acts on; a group decryption control policy of a directory specifies that users having a given feature (such as users belonging to a certain group or having a certain role), or users meeting a specified condition, have the authority to decrypt the encrypted files under the directories that the policy applies to or acts on. An individual user permitted by an individual decryption control policy of a directory to decrypt encrypted files is called an individual authorized user of the directories and encrypted files that the policy applies to or acts on. Individual authorized users are further divided into management users and ordinary users: a management user is a user who can manage the file decryption control policies of the directories in the secure file directory (including the secure file directory itself) and of the encrypted files, and who can update the encryption public keys of encrypted files (different directories may have different management users). A user permitted by a group decryption control policy of a directory to decrypt encrypted files is called a group authorized user of the directories and encrypted files that the policy applies to or acts on. The directories that a file decryption control policy of a directory (including its individual decryption control policies and group decryption control policies) applies to or acts on are the directories that have set or inherited that policy; the encrypted files that such a policy applies to or acts on are the encrypted files stored directly under the directories that the policy applies to or acts on. When the secure file directory is created, it is generated with a default individual decryption control policy for the creating user, which specifies that the creating user of the secure file directory is a management user of the secure file directory and therefore has the authority to manage the file decryption control policies of the directories and encrypted files in the secure file directory. When an encrypted file is generated, it automatically inherits the file decryption control policy of the directory in which it is located. The individual decryption control policy of an encrypted file specifies the individual authorized users who can decrypt the encrypted file, comprising management users and ordinary users; the group decryption control policy of an encrypted file specifies the group authorized users who can decrypt it. The data of each encrypted file in the secure file directory (including encrypted files in subordinate directories of the secure file directory) consist of two parts: file data and file decryption control data. The file data of an encrypted file are the data formed by encrypting the unencrypted data of the original file, to which the encrypted file corresponds, with a symmetric cipher algorithm under a randomly generated symmetric key; this randomly generated symmetric key is called the file encryption key. The file decryption control data of an encrypted file are produced according to the file decryption control policy of the encrypted file and correspond to its individual decryption control policy and group decryption control policy: they comprise individual decryption control data and group decryption control data. The individual decryption control data comprise the file encryption key of the encrypted file encrypted separately with the public key of each individual authorized user (as defined by each individual decryption control policy of the encrypted file); there are as many copies of the file encryption key, each encrypted with the public key of one individual authorized user, as there are individual authorized users. The group decryption control data comprise the file encryption key encrypted with the shared encryption public key, together with the group decryption control policy of the encrypted file encrypted with the file encryption key. The shared encryption public key is a public key used to encrypt the file encryption keys of encrypted files; its corresponding private key is used for the file decryption processing of group authorized users. The file decryption control data of an encrypted file are produced when the encrypted file is generated, and change after generation when a management user modifies the file decryption control policy.
File encryption filter: a filter-type driver inserted into the driver stack of the computer file system, which automatically encrypts and decrypts the files saved in the secure file directory, including files in subordinate directories of the secure file directory. When a process (trusted or non-trusted) saves an unencrypted file into the secure file directory or one of its subordinate directories, the file encryption filter automatically encrypts the file being saved. When a process opens an unencrypted file in the secure file directory or one of its subordinate directories, the file encryption filter first encrypts the unencrypted file into an encrypted file and then carries out the subsequent operation. While encrypting an unencrypted file into an encrypted file, the file encryption filter generates the file decryption control data of the encrypted file according to the file decryption control policy (set or inherited) of the directory in which the file is located. When a trusted process reads from or writes to an encrypted file in the secure file directory or one of its subordinate directories, the file encryption filter automatically decrypts the file data being read or encrypts the file data being written. When a non-trusted process reads an encrypted file in the secure file directory or one of its subordinate directories, the file encryption filter does not decrypt the file data that the non-trusted process reads. A trusted process is a program process that is allowed to read the file data of encrypted files in plaintext form; a non-trusted process is a program process that is not allowed to read the file data of encrypted files in plaintext form. Trusted and non-trusted processes are determined by the developer of the file encryption system at system development time and updated dynamically by online update, or are set by manual configuration by the user of the file encryption system. When encrypted files in the secure file directory (including those in its subordinate directories) are uploaded or synchronized to a file cloud storage system (or a general file storage system) for sharing, the client of the file cloud storage system is set as a non-trusted process. The file encryption filter provides a right-mouse-button menu for managing the file decryption control policies (including individual decryption control policies and group decryption control policies) of the directories in the secure file directory (including the secure file directory itself) and of the encrypted files, comprising setting, modifying and removing decryption control policies, and for updating the encryption public keys in the file decryption control data of encrypted files (including the public keys of individual authorized users and the shared encryption public key).
File encryption filter auxiliary process: a program process running in user mode (User Mode, also called the user layer or application layer) of the user's computer operating system, which is responsible for the operations that the file encryption filter cannot complete in system kernel mode (Kernel Mode, also called the kernel layer).
When a user manages, via the right-mouse-button menu, the decryption control policy of a directory or encrypted file in the secure file directory, or performs an encryption public key update operation on an encrypted file, the file encryption filter or the file encryption filter auxiliary process first determines whether the user is a management user of the directory or encrypted file; if so, the operation proceeds, otherwise the operation is suspended.
When a user manages the file decryption control policy of a directory or encrypted file in the secure file directory via the right-mouse-button menu, or performs an encryption public key update operation on an encrypted file, the file encryption filter or the file encryption filter auxiliary process determines whether the user is a management user of the directory or encrypted file as follows:
If the object the user operates on via the right-mouse-button menu is a directory, the file encryption filter or the file encryption filter auxiliary process first obtains the file decryption control policy of the operated directory, and then checks whether the user's computer locally (in its cryptographic module) holds the private key of a management user named in an individual decryption control policy of that file decryption control policy; if so, the user is determined to be a management user of the directory, otherwise the user is not determined to be a management user of the directory;
If the object the user operates on via the right-mouse-button menu is an encrypted file, the file encryption filter or the file encryption filter auxiliary process first obtains the individual decryption control data from the file decryption control data of the file, and then checks whether the user's computer locally (in its cryptographic module) holds the private key corresponding to the public key of a management user with which the file encryption key is encrypted in the individual decryption control data; if so, the user is determined to be a management user of the encrypted file, otherwise the user is not determined to be a management user of the encrypted file.
When a directory or encrypted file is created or generated, the file encryption filter performs name conversion on the names of the directories and encrypted files in the secure file directory, comprising name conversion of the names of the secure file directory itself, of its subordinate directories, and of the encrypted files in the secure file directory and its subordinate directories (the name saved on the storage medium is the converted name); the inverse conversion is performed when file operations (such as file enumeration) or file I/O operations are carried out. As a result, when the file encryption filter is not started normally, the directory names and encrypted file names seen by users or program processes differ from the (original) names used when the directories and encrypted files were created (for example, they appear as garbled characters).
The file encryption filter generates the file decryption control data of an encrypted file as follows when it encrypts an unencrypted file in the secure file directory or one of its subordinate directories:
Obtain the file decryption control policy of the directory in which the unencrypted file is located (the file decryption control policy the directory sets directly, or the one it inherits), and use it as the file decryption control policy of the encrypted file. For each individual authorized user named in each individual decryption control policy of the obtained file decryption control policy, encrypt the randomly generated file encryption key with that user's public key, forming the individual decryption control data of the encrypted file; encrypt the randomly generated file encryption key with the shared encryption public key, and encrypt the group decryption control policy of the obtained file decryption control policy with the file encryption key, forming the group decryption control data of the encrypted file. Merge the individual decryption control data and group decryption control data so formed into the file decryption control data of the encrypted file, and then place the file decryption control data into the encrypted file.
When a user sets or modifies the file decryption control policy of an encrypted file in the secure file directory or one of its subordinate directories via the right-mouse-button menu, the file encryption filter or the file encryption filter auxiliary process, after determining that the user is a management user of the encrypted file, processes the management user's setting or modification of the file decryption control policy as follows:
Use the private key of the current management user who is performing the setting or modification to decrypt, from the individual decryption control data of the encrypted file, the file encryption key encrypted with the current management user's public key. Then encrypt the file encryption key separately with the public key of each individual authorized user (including the current management user) named in each individual decryption control policy of the file decryption control policy set or modified by the current management user, forming the individual decryption control data of the encrypted file; encrypt the file encryption key with the shared encryption public key, and encrypt the group decryption control policy of the file decryption control policy set or modified by the current management user with the file encryption key, forming the group decryption control data of the encrypted file. Merge the individual decryption control data and group decryption control data so formed into the file decryption control data of the encrypted file, and finally replace the original file decryption control data in the encrypted file with the newly formed file decryption control data.
The file decryption control policy set or modified by the current management user always contains an individual decryption control policy for the current management user who performs the setting or modification.
When a user removes the file decryption control policy of an encrypted file in the secure file directory or one of its subordinate directories via the right-mouse-button menu, the file encryption filter or the file encryption filter auxiliary process, after determining that the user is a management user of the encrypted file, processes the removal operation as follows:
Remove the group decryption control data of the encrypted file and, from the individual decryption control data, all copies of the file encryption key encrypted with public keys other than the public key of the management user performing the removal, together with the group decryption control policy encrypted with the file encryption key.
When a user sets or modifies the file decryption control policy of a directory in the secure file directory via the right-mouse-button menu, the file encryption filter or the file encryption filter auxiliary process, after determining that the user is a management user of the directory, processes the management user's setting or modification of the file decryption control policy as follows:
Replace the file decryption control policy of the directory on which the management user is operating with the file decryption control policy set or modified by the management user, wherein the file decryption control policy set or modified by the management user always contains an individual decryption control policy for the management user who performs the setting or modification. For each encrypted file that the file decryption control policy being set or modified by the management user applies to or acts on, process the set or modified file decryption control policy in the same way as when a management user sets or modifies the file decryption control policy of an encrypted file via the right-mouse-button menu.
When a user removes the file decryption control policy of a directory in the secure file directory via the right-mouse-button menu, the file encryption filter or the file encryption filter auxiliary process, after determining that the user is a management user of the directory, processes the management user's removal of the file decryption control policy as follows:
Remove, from the file decryption control policy of the directory on which the management user is operating via the right-mouse-button menu, every file decryption control policy other than the individual decryption control policy for the management user performing the operation, including individual decryption control policies and group decryption control policies. For each encrypted file that the file decryption control policy being removed by the management user applies to or acts on, process the removal in the same way as when a management user removes the file decryption control policy of an encrypted file via the right-mouse-button menu.
When a user performs an encryption public key update operation on an encrypted file in the secure file directory or one of its subordinate directories via the right-mouse-button menu, the file encryption filter or the file encryption filter auxiliary process, after determining that the user is a management user of the encrypted file, checks each public key with which the file encryption key is encrypted in the file decryption control data of the encrypted file on which the management user is performing the update, including the public keys of the authorized users and the shared encryption public key, and determines whether each checked public key has an updated public key. If so, it first decrypts, with the private key of the current management user performing the update, the file encryption key encrypted with the current management user's public key in the individual decryption control data of the encrypted file; then encrypts the decrypted file encryption key again with the updated public key; and then replaces the file encryption key encrypted with the original public key in the file decryption control data of the encrypted file with the re-encrypted file encryption key.
When a user performs an encryption public key update operation on a directory in the secure file directory (including the secure file directory itself) via the right-mouse-button menu, the file encryption filter or the file encryption filter auxiliary process, after determining that the user is a management user of the directory, performs the encryption public key update on each encrypted file in the directory on which the management user is operating, including the encrypted files in subordinate directories of that directory, in the same way as when a management user performs an encryption public key update operation on an encrypted file via the right-mouse-button menu.
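The generation procedure for the file decryption control data and the public key update procedure, worked as an added Go example that is not code from the patent or from any implementation of it. It assumes AES-256-GCM as the symmetric cipher and RSA-OAEP as the public key cipher (the patent also permits IBE); the type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile: the two-part layout of an encrypted file (field names are this example's own).
type EncryptedFile struct {
	FileData    []byte            // original file data sealed with the random FEK
	Individual  map[string][]byte // user -> FEK wrapped with that user's public key
	GroupFEK    []byte            // FEK wrapped with the shared encryption public key
	GroupPolicy []byte            // group decryption control policy sealed with the FEK
}

// seal/open: AES-256-GCM with a random nonce prepended to the ciphertext.
func seal(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plain, nil), nil
}

func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// wrap/unwrap: RSA-OAEP encryption of the FEK under one key pair.
func wrap(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}
func unwrap(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, c, nil)
}

// Generate: one wrapped FEK per individual authorized user, one under the shared key, policy under FEK.
func Generate(plain []byte, users map[string]*rsa.PublicKey, shared *rsa.PublicKey, policy []byte) (*EncryptedFile, error) {
	fek := make([]byte, 32) // random file encryption key (AES-256)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Individual: map[string][]byte{}}
	var err error
	if ef.FileData, err = seal(fek, plain); err != nil {
		return nil, err
	}
	for name, pub := range users {
		if ef.Individual[name], err = wrap(pub, fek); err != nil {
			return nil, err
		}
	}
	if ef.GroupFEK, err = wrap(shared, fek); err != nil {
		return nil, err
	}
	ef.GroupPolicy, err = seal(fek, policy)
	return ef, err
}

// DecryptAsIndividual: an individual authorized user unwraps the FEK with their
// own private key and decrypts the file data; a user with no wrapped copy fails.
func DecryptAsIndividual(ef *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := unwrap(priv, ef.Individual[name])
	if err != nil {
		return nil, err
	}
	return open(fek, ef.FileData)
}

// UpdatePublicKey follows the public key update procedure: the management user
// unwraps the FEK with their private key and re-wraps it under the updated key.
func UpdatePublicKey(ef *EncryptedFile, mgr string, mgrPriv *rsa.PrivateKey, user string, newPub *rsa.PublicKey) error {
	fek, err := unwrap(mgrPriv, ef.Individual[mgr])
	if err != nil {
		return err
	}
	ef.Individual[user], err = wrap(newPub, fek)
	return err
}
```

The group path is exercised by unwrapping GroupFEK with the shared private key and opening GroupPolicy; evaluating that policy against the requesting user, which the patent delegates to a file decryption server, is not modelled here.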
As can be seen from the above description, the present invention, by transparent file encryption based on a file encryption filter and by setting file decryption control policies for the secure file directory and its subordinate directories, achieves automatic encryption of the shared files in the directory and automatic generation of the decryption control data of the encrypted files, so that the user does not have to encrypt shared files and set policies manually over and over. Further, by converting the directory names and file names in the secure file directory, the present invention makes the directory names and file names seen by users or program processes when the file encryption filter is not started normally differ from those used when the directories and encrypted files were created, for example by appearing as garbled characters; this reminds the user that the file encryption filter has not started, prevents files in the secure file directory from remaining unencrypted because the file encryption filter did not start normally, and prevents unencrypted files from being uploaded to the file cloud storage system. For file cloud storage, setting the client of the file cloud storage system as a non-trusted process ensures that the files uploaded to the file cloud storage system for sharing are encrypted and can be shared securely among authorized users.
Embodiment
The invention is further described below with reference to the drawings and embodiments.
The system of the present invention can be implemented on the basis of the shared-file encryption scheme of the applicant's other patent application, "A file encryption system oriented to shared files" (application number 201410151619.2); many aspects of its implementation are the same as, similar to, or extensions of the implementation in patent application 201410151619.2, specifically as follows.
Public key cryptography: the public key cryptography used for encrypted files is the same as in patent application 201410151619.2; identity-based encryption (IBE) can be used, including the extended use of identity identifiers and the implementation of the IBE key service system.
Individual authorized users and group authorized users: the individual authorized users of the present invention correspond to the individual sharing users in patent application 201410151619.2, but the individual authorized users of the present invention are further divided into management users and ordinary users; the group authorized users of the present invention correspond to the group sharing users in patent application 201410151619.2.
Secure file directory: the secure file directory can be any directory of the user's computer file system; the user can designate a directory of the computer file system as the secure file directory via the right-mouse-button menu, or cancel a secure file directory that has been set; the relevant configuration information can be stored in the directory in which the file encryption system program is stored.
File decryption control policy: the group decryption control policy of the present invention corresponds to the group sharing policy in patent application 201410151619.2; the individual decryption control policy of the present invention has no counterpart in patent application 201410151619.2. The format of the individual decryption control policy and group decryption control policy of the present invention can be custom (text or XML) or can follow a standard specification (such as XACML, eXtensible Access Control Markup Language). The file decryption control policies (including individual and group decryption control policies) of the directories and encrypted files in the secure file directory can be stored centrally or in a distributed manner, for example: centrally in a small database on the user's computer; or in a file containing the file decryption control policies of all directories and encrypted files (a policy file) stored in the directory in which the file encryption system program is stored; or in a policy file containing the file decryption control policies of all directories and encrypted files stored in the (root of the) secure file directory; or, for each directory, in a policy file containing the file decryption control policy of that directory and of the encrypted files stored directly under it, kept under that directory (the distributed storage scheme).
If the policy file holding the file decryption control policies is stored centrally in the secure file directory, or distributed among the directories of the secure file directory, the file name of the policy file also undergoes name conversion and the file is saved as a hidden file, and the file encryption filter does not return enumeration information for the policy file when it processes file enumeration operations. To protect the file decryption control policies and prevent unauthorized modification, the policy file can be digitally signed with the private key of the management user who (last) set or modified the file decryption control policy.
Encrypted file: the specific embodiment of the encrypted file data (the formation of the file data) is essentially the same as the embodiment of the encrypted file in patent application 201410151619.2; the individual decryption control data in the file decryption control data of the encrypted file of the present invention correspond to the data formed in the key data of the encrypted file of patent application 201410151619.2 by encrypting the file encryption key with the public keys of the individual sharing users, and the group decryption control data in the file decryption control data of the encrypted file of the present invention correspond to the file encryption key encrypted with the shared encryption public key and the group sharing policy encrypted with the file encryption key in the key data of the encrypted file of patent application 201410151619.2. It should be noted that, although the encrypted file contains, directly or indirectly, its individual decryption control policy and group decryption control policy, the file decryption control policy of the encrypted file is still kept in the file decryption control policy database or policy file in the secure file directory.
File encryption filter: the file encryption filter can be an extension of the file encryption filter in patent application 201410151619.2, adding the file encryption functions of the present invention.
File encryption filter auxiliary process: can be developed with any application development technology suitable for the user's computer. Data exchange between the file encryption filter auxiliary process and the file encryption filter can use the data exchange mechanism between the kernel layer and the user layer provided by the operating system (such as the kernel-to-user data exchange mechanism provided by Windows).
File name and directory name conversion: one embodiment of file name and directory name conversion is to rotate the low 7 bits of each byte of the name's byte string left or right by 1; or to concatenate the low 7 bits of all bytes of the name's byte string, rotate the concatenated bits left or right by 1, and then assign the rotated data back, 7 bits at a time, to the corresponding bytes of the name's byte string; or to Base64-encode the file name and directory name directly (this scheme changes the length of the name). Name conversion is performed when the directory or encrypted file is created; the inverse conversion (such as the reverse rotation or Base64 decoding) is performed when file I/O operations are carried out. File name and directory name conversion and inverse conversion are performed by the file encryption filter.
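The three name conversion variants just described, as an added Go example that is not the patent's or any product's code. ConvertPerByte, ConvertMerged and ConvertBase64 are names chosen here, the sample name is constructed, and the use of the URL-safe Base64 alphabet is this example's assumption.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// rot7 rotates the low 7 bits of b one position left or right; the high bit is
// carried through unchanged, so the byte length of the name never changes.
func rot7(b byte, left bool) byte {
	lo := b & 0x7f
	if left {
		lo = (lo<<1 | lo>>6) & 0x7f
	} else {
		lo = (lo>>1 | lo<<6) & 0x7f
	}
	return b&0x80 | lo
}

// ConvertPerByte is the first variant: rotate the low 7 bits of every byte of
// the name. left=true converts at creation time, left=false is the inverse
// applied on file I/O.
func ConvertPerByte(name []byte, left bool) []byte {
	out := make([]byte, len(name))
	for i, b := range name {
		out[i] = rot7(b, left)
	}
	return out
}

// ConvertMerged is the second variant: concatenate the low 7 bits of all bytes
// into one bit string, rotate that whole string by one position, then hand the
// bits back 7 at a time to the corresponding bytes.
func ConvertMerged(name []byte, left bool) []byte {
	n := len(name)
	bits := make([]byte, 0, 7*n)
	for _, b := range name {
		for i := 6; i >= 0; i-- {
			bits = append(bits, (b>>uint(i))&1)
		}
	}
	if len(bits) > 1 {
		if left {
			first := bits[0]
			copy(bits, bits[1:])
			bits[len(bits)-1] = first
		} else {
			last := bits[len(bits)-1]
			copy(bits[1:], bits[:len(bits)-1])
			bits[0] = last
		}
	}
	out := make([]byte, n)
	for j := range out {
		var lo byte
		for i := 0; i < 7; i++ {
			lo = lo<<1 | bits[7*j+i]
		}
		out[j] = name[j]&0x80 | lo
	}
	return out
}

// ConvertBase64 is the third variant; it changes the length of the name. The
// URL-safe alphabet is used here (an assumption of this example) because the
// standard alphabet contains '/', which is not a legal file name character.
func ConvertBase64(name []byte) string {
	return base64.RawURLEncoding.EncodeToString(name)
}

func RestoreBase64(stored string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(stored)
}

func main() {
	name := []byte("report.docx") // constructed sample name
	stored := ConvertPerByte(name, true)
	fmt.Printf("per-byte: %q -> %q -> %q\n", name, stored, ConvertPerByte(stored, false))
	merged := ConvertMerged(name, true)
	fmt.Printf("merged:   %q -> %q -> %q\n", name, merged, ConvertMerged(merged, false))
	b64 := ConvertBase64(name)
	back, _ := RestoreBase64(b64)
	fmt.Printf("base64:   %q -> %q -> %q\n", name, b64, back)
}
```

Note that the rotation maps some printable bytes onto bytes that are illegal in file names (0x2E '.' becomes 0x5C, the Windows path separator, and 'W' becomes '/'), so a deployment has to check converted names against the file system's naming rules. The conversion is keyless and reversible by anyone who knows it, so it serves only as the reminder the text describes, not as protection of the names.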
Public key update: the meaning of public key update in the present invention is the same as in patent application 201410151619.2.
Decryption of encrypted files: the embodiment of decryption of a shared encrypted file by an individual authorized user of the present invention is the same as the embodiment of decryption of a shared encrypted file by an individual sharing user in patent application 201410151619.2; the embodiment of decryption of a shared encrypted file by a group authorized user of the present invention is the same as the scheme of decryption of a shared encrypted file by a group sharing user in patent application 201410151619.2, including the file decryption server and identity management system of patent application 201410151619.2 implemented for group users.
Other aspects of the technical implementation are self-evident to technical developers in the relevant field.