CN105516056B - Encrypt file protecting system and its guard method - Google Patents
Encrypt file protecting system and its guard method Download PDFInfo
- Publication number
- CN105516056B CN105516056B CN201410493178.4A CN201410493178A CN105516056B CN 105516056 B CN105516056 B CN 105516056B CN 201410493178 A CN201410493178 A CN 201410493178A CN 105516056 B CN105516056 B CN 105516056B
- Authority
- CN
- China
- Prior art keywords
- client
- document
- encryption
- server
- client device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Computer And Data Communications (AREA)
Abstract
A kind of encryption file protecting system of present invention offer and its guard method, apply between client device and server.When client device requires to download file, server is encrypted, and client device is enabled to download after verification client device has download permission according to key-pair file corresponding with client device.When client device is intended to open encryption file, the information of client device is transmitted to server, to confirm that client device is the authorized client that can open encryption file.If client device is authorized client really, then is decrypted using the key pair encryption file that client device itself is held, and opens the file after decryption using rule according to server record.Thus, can avoid file by illegal download, and it is illegally copied on unauthorized client end and uses after downloading.
Description
Technical field
The present invention relates to a kind of protection system and guard method, a kind of protection system more particularly, to encryption file and
Guard method.
Background technology
Since numerical data, such as file, archives, video-audio data etc. are easy to via media such as network, CD or Portable disks
It is transmitted and is downloaded by illegal, therefore all the time, how important numerical data is effectively protected, actually this technology is led
Considerable research and development project in domain.
In general, important numerical data itself can be encrypted via key, to ensure the holder of only key
Encrypted numerical data can be opened.However, with the rapid development of science and technology, real existing many technologies can be on the market
The third party is assisted illegally to crack encryption data, in other words, the protection being encrypted with key pair numerical data merely
Mode cannot be satisfied the demand of user.
Furthermore general company and enterprise are in order to ensure the safety of classified papers, therefore for storing the clothes of classified papers
Being engaged in device usually all can be by encryption.However, when those classified papers are supplied to client, the supplier of internal employee or outside
After being downloaded, which is that can not carry out management and control and tracking to the classified papers that those are downloaded.Thus, under those
Classified papers after load are easy illegally to be obtained and used by the third party, cause enterprise by serious damage.
Invention content
The main object of the present invention is to provide protection system and the guard method of a kind of encryption file, can be according to asking
It asks the key corresponding to the client device for downloading file real-time encrypted for file progress, is encrypted under file and request so as to enabling
The client device of load is bound together.
Another main purpose of the present invention is to provide protection system and the guard method of a kind of encryption file, can be in
When client device wants file opening, whether verification client device is authorized client, and whether judges client device
It can be that encryption file be decrypted to hold correct key, set so as to avoiding being illegally copied to other clients after file download
Standby upper use.
In order to achieve the above purpose, present invention is disclosed a kind of encryption document protection methods, apply to a client and set
It is standby with a server, wherein there is the client device Client Agent software, the servomechanism to have a server end management
Software, including:
A) the Client Agent software obtains an encryption file and carries out local side unlatching;
B) information of the client device is transmitted to the server;
C) server end management software judges whether the client device is that can open this to add according to the information received
One authorized client of ciphertext part;
If d) client device is the authorized client, the client that the Client Agent software judgement itself is held
Whether key can be that the encryption file is decrypted;
If e) client key that the Client Agent software is held can be the encryption file decryption, further to the clothes
Device end management software of being engaged in proposes inquiry, is set with confirming whether the current breakdown action of the client device meets the encryption file
Fixed one uses rule;And
If f) breakdown action meets use rule, it is a file to decrypt the encryption file, and uses rule according to this
Open this document.
As described above, wherein further including a step g:If the client device is not the authorized client or the client
The client key that agent software is held can not be that the encryption file decryption or the breakdown action do not meet use rule,
Then respond the forbidden message of the breakdown action.
As described above, wherein the information of the client device is the MAC addresses of the client device
The authorization code of (Media Access Control Address, MAC Address) and the Client Agent software.
As described above, in wherein step f, the application program in the client device is allowed by the Client Agent software
Open this document.
As described above, in wherein step c, which compares the information received, and should add
The preset authorization privilege data of ciphertext part, to judge whether the client device is the authorized client, wherein this is awarded
Power permissions data has recorded the shared object that the encryption file can be shared and use rule.
As described above, further including the following steps before wherein step a:
A01 a file application requests) are proposed to the server end management software;
A02) selection will carry out shared this document;
A03 the shared object of this document) is set;
A04) use rule of setting this document;And
A05) by the shared object and this use rule to be stored as the authorization privilege data of this document.
As described above, further including the following steps before wherein step a:
A11) the Client Agent software proposes the download request of this document to the server end management software;
A12) server end management software is taken out corresponding one according to the log-on message of the Client Agent software and is used
Person's data, wherein user's data storage is in the server;
A13) server end management software obtains the authorization privilege data of this document;
A14 user's data and the authorization privilege data) are compared, are somebody's turn to do with judging whether the Client Agent software has
The download permission of file;
A15) if there is the Client Agent software download permission of this document, the server end management software to make according to this
User's data obtain the corresponding client key, and the wherein client key is stored in the server;
A16) this document is encrypted using the client key, to generate the encryption file;And
A17 the encryption file) is provided to be downloaded for the Client Agent software.
As described above, when wherein the server end management software generates the encryption file, by the information of the client device
The time downloaded with request is put into the encryption file, and the encryption document protection method further includes a step h:By the client
The time that the information of end equipment is downloaded with request in a manner of watermark Dynamic Announce on by unlatching this document.
As described above, further including the following steps before wherein step a:
A21) the Client Agent software is installed in the client device;
A22) the Client Agent software is connected to the server after starting and is first logged into;
A23) log-on message of the Client Agent software is stored as user's data by the server end management software,
And generate the exclusive client key of the Client Agent software according to user's data;
A24) server end management software records the client key, and enables the client key and user's data
Generate association;And
A25) Client Agent software records client key.
As described above, wherein further including a step i:After step f, which returns an opening imformation and extremely should
Server end management software.
In order to achieve the above object, present invention further teaches a kind of encryption file protecting systems, including:
One Client Agent software is installed on a client device, including:
One permission filtering module is intended to the information that the when of opening an encryption file transmits the client device in the client device
To a server, to confirm that the client device is to be allowed to open an authorized client of the encryption file;And
One file decryption execution module, after confirming that the client device is the authorized client, using the client generation
It is a file that the client key that reason software is held, which decrypts the encryption file, and meets this document quilt in current breakdown action
This document is opened when the one of setting is using rule, wherein this is stored in the server using rule;
One server end management software is installed on server by network connection with the client device, including:
One permission filters management module, is linked up with the permission filtering module, to pass through the validation of information of reception client
Whether end equipment is the authorized client;
One key management module, when the Client Agent software is logged in the server for the first time, according to the client
The log-on message of end agent software makes the exclusive client key, and the wherein client key is recorded in the client simultaneously
Agent software and the server end management software;
One encryption and decryption control module, have one download encrypting module, in receive the Client Agent software to this document
It when downloading request, obtains the Client Agent software corresponding client key and this document is encrypted, should be added with generating
Ciphertext part;And
One data control hinge, to handle, integrate with convert the permission filtering management module, the key management module and
The data of the encryption and decryption control module and instruction.
As described above, wherein server key encryption of this document through the server, the encryption and decryption control module also have
There is a download deciphering module, when receiving download request of the Client Agent software to this document, obtains the server key
This document is decrypted to generate an original document, and enables the download encrypting module with the client key to the original document
It is encrypted, to generate the encryption file.
As described above, wherein the Client Agent software further includes a client encrypting module, compiled in the client device
It collects after completing an archive files, the client key held using the Client Agent software adds this document archives
It is close, and encrypted this document archives are uploaded to the server and stored by the client device.
As described above, wherein the encryption and decryption control module also has:
One upload deciphering module obtains the corresponding client key of the client device after receiving this document archives
This document archives are decrypted, to generate an original document archives;And
One uploads encrypting module, obtains the preset server key of the server and adds to the original document archives
It is close, to generate this document.
As described above, wherein the server stores a usage record data, the usage record data record client
Opening imformation of the equipment to the encryption file.
As described above, wherein the server stores an authorization privilege data of this document, the authorization privilege data record
This document this using rule and a shared object, wherein the permission filtering management module by the information of the client device with
The shared object of this document is compared, to confirm whether the client device is the authorized client.
The attainable technique effect of institute is that the server downloads the request of file receiving to the present invention against existing technologies
When, it can first confirm whether the client device for sending out request has the download permission of this document, avoid this document by non-whereby
The download of method.In addition, the server can use key corresponding with the client device downloaded is asked to carry out for this document
It encrypts and generates the encryption file.Whereby, the client device which downloads with request can be bound together, is shut out
Others device replication absolutely uses the encryption file.
Further, when client device will open the encryption file, it need to judge that the client device is by the server
It is no to be allowed to open the authorized client of the encryption file, and the client device also need the key by holding in advance come
The encryption file is decrypted.Thus, which the possibility that the encryption file is illegally used can be excluded further.
In addition, when this document is required shared on that server, it can also be in the use for setting this document on the server
Rule.Thus, when the client device opens the encryption file, also need to abide by preset use rule, such as
This can avoid this document by unconfined abuse.
Description of the drawings
Fig. 1 is the system architecture diagram of the first specific embodiment of the present invention;
Fig. 2 is the system block diagrams of the first specific embodiment of the present invention;
Fig. 3 is the Client Agent software schematic diagram of the first specific embodiment of the present invention;
Fig. 4 is the server end management software schematic diagram of the first specific embodiment of the present invention;
Fig. 5 is the register flow path figure of the first specific embodiment of the present invention;
Fig. 6 is the file-sharing application flow chart of the first specific embodiment of the present invention;
Fig. 7 is the encryption file download flow chart of the first specific embodiment of the present invention;
Fig. 8 is the encryption file download flow chart of the second specific embodiment of the present invention;
Fig. 9 is the encryption file opening flow chart of the first specific embodiment of the present invention;
Reference numeral
1:Server 10:Server end management software
101:Data control hinge 102:Permission filters management module
103:Key management module 104:Encryption and decryption control module
1041:Download encrypting module 1042:Download decryption module
1043:Upload deciphering module 1044:Upload encrypting module
11:File 12:User's data
13:Client key 14:Authorization privilege data
15:Usage record data 16:Encryption
2:Client device 20:Client Agent software
201:Permission filtering module 202:File decryption execution module
203:Client encrypting module 21:Internal customer's end equipment
22:External client's end equipment 3:Network system
31:Coded communication pipeline S10~S18:Registration step
S20~S28:Apply for step S30~S42, S50~S56:Download step
S60~S76:Open step
Specific implementation mode
The now just preferred embodiment of the present invention, is described in detail with the accompanying drawings as follows.
Referring to Fig.1 with Fig. 2, the system architecture diagram and system block diagrams of the first specific embodiment respectively of the invention.This
Invention discloses a kind of protection system of encryption file and guard method, the system and this method mainly apply to a server 1
Between a client device 2.And as shown in Figure 1, the client device 2 signified in this case, including connected by internal network
One or more internal customer's end equipment 21 of the server 1 is connect, and one or more of the server 1 is connected by internet
Platform external client end equipment 22.If, can will be inside this specifically, the server 1 is the management server of an enterprises
Client device 2 is considered as the equipment that enterprises employee uses, and external client's end equipment 2 is considered as the enterprise external
The equipment that client or supplier use.As seen from Figure 1, it may include the plurality of client device 2 in the system in fact, be
Facilitate explanation, behind will be illustrated with the client device 2 of separate unit in specification.
Above-mentioned internal network and internet are referred to as a network system 3 by Fig. 2, the client device 2 and the server 1
It is mainly carried out by the coded communication pipeline 31 in the network system 3 online.However, how to be built in the network system 3
The coded communication pipeline 31 is found, belongs to the usual knowledge of the art, therefore does not repeat herein.
In the present embodiment, a Client Agent software 20 can be installed, and in the server 1 in the client device 2
There can be one server end management software 10 of installation.It is online to the server 1 when a user operates the client device 2, and is intended to
When the actions such as being uploaded, download, share, open, edit, delete to the file 11 stored in the server 1, mainly borrow
By the communication of the Client Agent software 20 and the server end management software 10, above-mentioned action is completed with assisting user.
The server 1 can mainly have a database (not shown), and this document of one or more parts is stored in the database
11, those files 11 can be to be uploaded in the server 1 after user edits on the client device 2, also can be user
The online editing program (not shown) direct editing provided via the server 1 forms, but is not limited.
In the present embodiment, after the client device 2 is mounted with the Client Agent software 20 and starts for the first time, you can
It is logged in the server 1 by the Client Agent software 20.And after the Client Agent software 20 is completed to log in, it should
In server 1 will the Client Agent software 20 log-on message, such as an authorization code is stored as user's data 12,
Wherein user's data 12 are corresponded to the Client Agent software 20.
It is noted that after the Client Agent software 20 first logs into, the server end management software 10 i.e. according to
According to the corresponding user's data 12 (that is, above-mentioned log-on message) of the Client Agent software 20, it is soft to generate the Client Agent
The exclusive client key 13 of part 20.The client key 13 is stored in the server 1, and at the same time by the client
Agent software 20 is recorded.Pass through the Client Agent software 20 request after the client device 2 days and downloads those files 11
When, which can use the corresponding client key 13 of the Client Agent software 20 to those files
11 are encrypted, and generate an encryption file 16 available for download.And when the client device 2 has successfully downloaded the encryption file
After 16, it can be decrypted by the client key 13 that the Client Agent software 20 records.
In the present embodiment, a Document Editing person or a system operator can propose a file application requests to the server 1,
Specifically, asking the server 1 that those files 11 is allowed to be shared, and set the mode being shared.For example, it sets
Those files 11, which can be shared, to be downloaded to which platform client device, can be downloaded/open, can be opened in which time
Several times, whether can be edited, whether can be printed.Also, those above-mentioned settings can be remembered by the server end management software 10
Record is an authorization privilege data 14 of those files 11.When the client device 2 has downloaded one of those files 11
When, only when the operation of the client device 2 meets the corresponding authorization privilege data 14 of this document 11, this document 11 just may be used
Opened, and this document 11 opened after be only capable of executing and meet the operations of the authorization privilege data 14.
With reference to Fig. 3, for the Client Agent software schematic diagram of the first specific embodiment of the present invention.As shown in figure 3, the visitor
Family end agent software 20 can mainly divide into a permission filtering module 201, a file decryption execution module 202 and a client and add
Close module 203.When the client device 2 has downloaded the encryption file 16, and opened by the Client Agent software 20
When, it need to be linked up by the permission filtering module 201 and the server end management software 10, to confirm the client device 2
Whether be can it is legal open the encryption file 16 authorized client.For example, the permission filtering module 201 is transmittable should
The information of client device 2 is to the server 1, to be confirmed and (be will be described in detail in a later process).If the client device 2
Really it is authorized client, then the client recorded with the Client Agent software 20 by this document decryption execution module 202
Key 13 is that the encryption file 16 is decrypted, to be reduced to this document 11.Also, this document decrypts execution module 202 in solution
This document 11 is opened after close success.
If it is noted that the client device 2 is the equipment of enterprises, which can be into
One step is limited by file protective policy (Policy) as defined in enterprise.For example, enterprise could dictate that internal all devices institute
The archive files (such as Word file, Excel file, PowerPoint files, pdf document etc.) of editor must all encrypt after again
It is uploaded to the server 1, to ensure the confidentiality of file.In this embodiment, if user operates in the client device 2
Document Editing software carries out the editor of archive files, then after the completion of this document archives editor, which can
It is that this document archives are encrypted (specifically, using the Client Agent software automatically by the client encrypting module 203
The client key 13 of 20 records is encrypted).Also, encrypted this document archives are uploaded to the server 1 again, with
It is stored as one of those files 11.
In the present embodiment, which is mainly the application software of similar driver, resident to be implemented in
The bottom of the client device 2, and can be linked up with the every application program installed in the client device 2.In above-mentioned reality
It applies in example, which can be dynamic by linking up, allowing or those application programs being forbidden to carry out this document
Work (such as opening, editor, automatically encryption, upload, printing, forwarding etc.).However, above are only the preferable specific reality of the present invention
Example, should not be as limit.
With reference to Fig. 4, for the server end management software schematic diagram of the first specific embodiment of the present invention.As shown in figure 4, should
Server end management software 10 can mainly divide into data control hinge 101, permission filtering management module 102, a key
Management module 103 and an encryption and decryption control module 104.It is the soft of the server end management software 10 that the data, which control hinge 101,
Part core, to handle, integrate and convert permission filtering management module 102, the key management module 103 and the encryption and decryption control
The data of molding block 104 and instruction.
Permission filtering management module 102 is linked up when proving program with the permission filtering module 201, is wanted with confirming
Whether the client device 2 for opening the encryption file 16 is authorized client.The key management module 103 is in the client generation
When reason software 20 first logs into, the client key 13 exclusive according to corresponding 12 dynamic making of user's data, and
Made all client keys 13 are managed.
The encryption and decryption control module 104 includes mainly that a download encrypting module 1041 and one downloads deciphering module 1042.When
When 2 this document 11 to be downloaded of client device, is taken out and corresponded to according to user's data 12 by the download encrypting module 1041
The client key 13, and this document 11 is encrypted using the client key 13, after generating the encryption file 16,
It is downloaded for the client device 2.
It is noted that in the present embodiment, the server 1 is first to this document 11 of the client device 2 request download
Replication actions are carried out, then multiple this documents 11 is encrypted.In other words, it is acted even across encryption and download, the clothes
Still possess original this document 11 in business device 1.
Depending on the file protective policy difference of enterprise, those files 11 for being stored in the server 1 may be without
Encrypted original document, it is also possible to by the encrypted file of a server key.If those files 11 have been subjected to the service
Device key is encrypted, then the server end management software 10 will generate the above-mentioned encryption file 16 under the client device 2
Before load, the download decryption module 1042 need to be first passed through and obtain the server key, and using the server key to this document
11 are decrypted, and after obtaining the original document of this document 11, then carry out above-mentioned duplication, encryption acts to original document, such as
This just will produce the encryption file 16 downloaded for the client device 2.
In addition, also may include that a upload deciphering module 1043 and one uploads encrypting module in the encryption and decryption control module 104
1044.As described in the text, it when which has edited an archive files and uploaded, may be protected because of the file of enterprise
The relationship of policy uploads again after first being encrypted with the client key 13.In this embodiment, when the server 1 receives the visitor
After this document archives that family end equipment 2 uploads, first taken according to corresponding user's data 12 by the upload deciphering module 1043
Go out the corresponding client key 13, and this document archives of upload are decrypted using the client key 13, to generate
One original document archives.Then the server key, then by the upload encrypting module 1044 is taken out, and with the server key pair
After the original document archives are encrypted, it is stored as one of those above-mentioned files 11.By above-mentioned module, can reach
Enable this document 11 either on the client device 2, on the server 1 or in transmission process, can all be encrypted
Protection.
With reference to Fig. 5, for the register flow path figure of the first specific embodiment of the present invention.To effectively use the protection of the present invention
Method, and the protection system is added, first, user need to install (the step of Client Agent software 20 in the client device 2
Rapid S10).Then, after the Client Agent software 20 starts for the first time, the server 1 can be online to be logged in (step
S12).In the present embodiment, which can be when the Client Agent software 20 logs in, by the Client Agent software 20
Log-on message is recorded as the Client Agent software 20 user's data 12.
After the Client Agent software 20 completion first logs into, the server end management software 10 is according to the client generation
User's data 12 of software 20 are managed, dynamic making is specific to the (step of client key 13 of the Client Agent software 20
Rapid S14), and enable the client key 13 be generated with user's data 12 and be associated with.After step S14, the server end pipe
Reason software 10 can store the client key 13 (step S16), and the client key 13 is enabled to be generated with user's data 12
Association.Meanwhile the server end management software 10 provides the client key 13 and gives the Client Agent software 20, to enable the visitor
Family end agent software 20 records the client key 13 (step S18).
By upper step S10 to step S18, which can be after installation is complete and starts for the first time, i.e.,
It is logged in the server 1.And after the completion of login, all stored in the server 1 and the Client Agent software 20
The exclusive client key 13 of the Client Agent software 20.
With reference to Fig. 6, for the file-sharing application flow chart of the first specific embodiment of the present invention.As described in the text, if
Any this document 11 in the server 1 is shared to miscellaneous equipment to download, then user's (such as Document Editing person or system pipes
Reason person) above-mentioned this document sharing request (step S20) can be proposed to the server end management software 10.In this document sharing request
In, which mainly needs the client device that selection will carry out shared this document 11 (step S22), set shared object
2 (step S24) and the use rule (step S26) for setting this document 11.Also, the user completes above-mentioned steps S20 extremely
After the setting of step S26, which is stored as above-mentioned setup parameter the authorization privilege of this document 11
Data 14 (step S28).Above-mentioned step S20 to step S26 does not simultaneously have the ordinal relation on executing, therefore is not with above-mentioned
Limit.
More specifically, selection will carry out shared this document 11 in step S22, and the as user wishes to allow
The file that the client device 2 of shared object is downloaded.The shared object set in step S24, the as user are uncommon
The authorized client for hoping this document 11 that can be downloaded and open.In step S24, which can set this shared pair
The MAC addresses (Media Access Control Address, MAC Address) of elephant or the shared object
User's data 12 of the Client Agent software 20 of interior installation, but be not limited.This set in step S26 makes
With rule, as the user wishes the action that can be operated after this document 11 is downloaded, such as the time, secondary that can be opened
It counts, whether can be edited, whether can be printed.It, should not be with however, described above is all only the preferred embodiments of the present invention
This is limited.
With reference to Fig. 7, for the encryption file download flow chart of the first specific embodiment of the present invention.When the client device 2
When asking to download this document 11, is mainly connected by the browser (Browser) on the client device 2 and log in this
Server 1, and ask download this document 11 (step S30) to the server end management software 10.Then, the server end management
Log-on message (information that herein means the Client Agent software 20) of the software 10 according to the client device 2, in the server 1
It is middle to take out corresponding user's data 12, and at the same time taking out the authorization privilege data 14 (step S32) of this document 11.It should
After step S32, which user's data 12 are compared with the authorization privilege data 14, to sentence
Whether the disconnected client device 2 (that is, the Client Agent software 20) has the download permission (step S34) of this document 11.If
The client device 2 does not have the download permission of this document 11, then the server end management software 20 refuses the client device 2
(step S36) is asked for the download of this document 11.
If the client device 2 has the download permission of this document 11,20 foundation of server end management software really
User's data 12 by taking out the corresponding client key 13 (step S38) in the server 1, and use the client
This document 11 is encrypted in end key 13, to generate the encryption file 16 (step S40).After step S40, the server end
Management software 20 allows the client device 2 to download the encryption file 16 (step S42).Signified download is dynamic in step S42
Make, can be that the client device 2 is downloaded automatically, or shows the download link of the encryption file 16, to enable user click download,
It is not limited.
It is noted that as described in the text, if this document 11 itself had carried out encryption by the server key,
Then before step S40, which can first obtain the server key, and with server key elder generation
After being decrypted this document 11 to obtain original document, then execute step S40.
In embodiment above-mentioned, the verification journey of the download request of this document 11 and the download permission of the client device 2
Sequence is executed by the Client Agent software 20.However, the file of enterprises may be provided to external visitor
Family or supplier are downloaded, and the equipment of client or supplier are installed without the Client Agent software 20.The present invention
The protection system and the guard method can be suitable for said circumstances simultaneously, detailed description are as follows.
With reference to Fig. 8, for the encryption file download flow chart of the second specific embodiment of the present invention.If this shared pair above-mentioned
As for external client's end equipment 22 (that is, being fitted without the Client Agent software 20), then the user equally needs first to this
Server end management software 10 proposes above-mentioned this document sharing request, and selects this document 11 to be sharing, concurrently sets this
The shared object of file 11 and the use are regular (step S50).In the present embodiment, which need to provide this shared pair simultaneously
An e-mail box for elephant, with profit, the shared object obtains the encryption file 16 (will be described in detail in a later process).
After step S50, which makes one group of specific key (step according to those setup parameters
S52 it is), and using the specific key that this document 11 is encrypted, to generate the encryption file 16 (step S54).Finally, should
The encryption file 16 and the specific key are supplied to the shared object (step S56) by server end management software 10 simultaneously.It should
In step S56, which can mainly generate the download link of the encryption file 16, and specific close together with this
Key is sent together to the e-mail box of the shared object, but is not limited.
With reference to Fig. 9, for the encryption file opening flow chart of the first specific embodiment of the present invention.The client device 2 is logical
It crosses after foregoing manner obtains the encryption file 16, local side unlatching (step S60) can be carried out.In the present invention, the client device 2
The encryption file 16 is directly mainly opened by the Client Agent software 20, or by pacifying in the client device 2
The application program (not shown) of dress opens the encryption file 16, and the application program is by the pipe of the Client Agent software 20
Reason, is not limited.
When the client device 2 will open the encryption file 16, which obtains the client and sets
Standby 2 information, and it is sent to the server 1 (step S62).In the present embodiment, the information of the client device 2 mainly can be such as
For the MAC Address of the client device 2 and the authorization code of the Client Agent software 20, but it is not limited.
After the server 1 receives the information of the client device 2, which is judged by the server end management software 10
Whether equipment 2 is to be allowed to open the authorized client (step S64) of the encryption file 16, that is, judges that the client device 2 is
No shared object being set for the encryption file 16.
Specifically, the server end management software 10 can be right by the information of the client device 2 and the encryption file 16
The authorization privilege data 14 answered are compared, to judge whether the client device 2 is the authorized client.If the server
End management software 10 thinks the authorized client that the client device 2 is not legal after judging, then the server end management software
10 respond the forbidden message of the breakdown action to the Client Agent software 20 (step S66).After step S66, the client
The end response user of agent software 20 encryption file 16 can not be opened, or forbid the application in the client device 2
The breakdown action that program executes the encryption file 16.
If the client device 2 is authorized client really, the client is then verified by the Client Agent software 20
Whether end key 13 can be that the encryption file 16 is decrypted (step S68).Specifically, the Client Agent software 20 passes through
Hold the client key 13 after above-mentioned logging program, and the encryption file 16 is to use to be specific to the Client Agent software
20 client key 13 is encrypted, if therefore downloading the client device 2 of the encryption file 16 and opening the encryption
The client device 2 of file 16 is identical, then the encryption file 16 can be properly decrypt, and vice versa.
If however, the Client Agent software 20 does not have the client key 13, or having held client key
The encryption file 16 can not be decrypted, then execute step S66, response user should add by the Client Agent software 20
Ciphertext part 16 can not be opened, or the application program in the client device 2 is forbidden to open 16 execution of encryption file
Start and makees.
If the encryption file 16 by 20 successful decryption of Client Agent software and can be reduced to this document 11, the client
Agent software 20 is held further to propose to inquire to the server 1, to confirm whether current breakdown action meets this document 11
This uses regular (step S70).In step S70, which receives the client by the server end management software 10
The inquiry of agent software 20, and the corresponding authorization privilege data 14 of this document 11 are inquired, current breakdown action is judged whereby
Whether use rule that this document 11 be set is met.For example, the opening time, whether correct, opening times reached the upper limit
Deng, but be not limited.When the Client Agent software 20 receives the response of the server 1, and confirm current breakdown action
Really meet when using rule of this document 11, this document 11 can be by unlatching (step S72).In the present embodiment, step S72
It is this document 11 directly to be opened by the Client Agent software 20, or allow the client to set by the Client Agent software 20
The application program in standby 2 opens this document 11.
If however, the server end management software 10 thinks that the breakdown action of the client device 2 does not meet this after judging
File 11 uses rule, after executing step S66, by the Client Agent software 20 response user 16 nothing of encryption file
Method is opened, or the breakdown action for forbidding the application program in the client device 2 to execute the encryption file 16.
In the present embodiment, it is necessary to confirm that the client device 2 is authorized client, the Client Agent software 20 record
The client key 13 can successful decryption and current breakdown action meet three conditions such as use rule of file simultaneously
When establishment, which could be opened.However, above-mentioned step S64, step S68 and step S70 are not held
Ordinal relation on row, and can be executed synchronously.
It is noted that when the server end management software 10 generates the encryption file 16, it can be simultaneously by the client
The information such as the time that the partial information (such as device name) of end equipment 2 and the client device 2 request are downloaded are added simultaneously
In the encryption file 16.After the client device 2 successfully opens the encryption file 16, those above-mentioned information will be with dynamic watermark
Mode be shown in open after this document 11 on (step S74).Finally, this document 11 is successfully opened in the client device 2
Afterwards, which is back to the server 1 (step S76) by opening imformation, to enable server 1 store and update
One usage record data 15.By the usage record data 15, administrative staff can be with those texts in the apparent server 1
Part 11 is opened in which by which platform client device time respectively.It whereby, can be according to when enterprise finds that file is illegally used
Judge it is which link is out of joint according to the usage record data 15.
The foregoing is merely the preferred embodiments of the present invention, and therefore, it does not limit scope of the presently claimed invention, therefore
Such as the equivalence changes carried out by the content of present invention are used, are similarly all included within the scope of the present invention.
Claims (16)
1. a kind of encryption document protection method, applies to a client device and a server, wherein the client device has
One Client Agent software, the server have a server end management software, which is characterized in that including:
A) the Client Agent software obtains an encryption file and carries out local side unlatching;
B) information of the client device is transmitted to the server;
C) server end management software judges whether the client device is that can open encryption text according to the information received
One authorized client of part;
If d) client device is the authorized client, the client key that the Client Agent software judgement itself is held
Whether can be that the encryption file is decrypted;
If e) client key that the Client Agent software is held can be the encryption file decryption, further to the server
Management software is held to propose inquiry, to confirm whether the current breakdown action of the client device meets what the encryption file was set
One uses rule;And
If f) breakdown action meets use rule, it is a file to decrypt the encryption file, and is opened using rule according to this
This document.
2. encryption document protection method according to claim 1, which is characterized in that further include a step g:If the client
The client key that equipment is not the authorized client or the Client Agent software is held can not be the encryption file solution
The close or breakdown action does not meet use rule, then responds the forbidden message of the breakdown action.
3. encryption document protection method according to claim 1, which is characterized in that the information of the client device is should
The authorization code of the MAC addresses of client device and the Client Agent software.
4. encryption document protection method according to claim 1, which is characterized in that in step f, by the Client Agent
Software allows the application program in the client device to open this document.
5. encryption document protection method according to claim 1, which is characterized in that in step c, the server end management
Software compares the information received and the preset authorization privilege data of the encryption file, to judge the client
Whether equipment be the authorized client, the shared object that wherein the authorization privilege data record encryption file can be shared
And this uses rule.
6. encryption document protection method according to claim 5, which is characterized in that further include following step before step a
Suddenly:
A01 a file application requests) are proposed to the server end management software;
A02) selection will carry out shared this document;
A03 the shared object of this document) is set;
A04) use rule of setting this document;And
A05) by the shared object and this use rule to be stored as the authorization privilege data of this document.
7. encryption document protection method according to claim 6, which is characterized in that further include following step before step a
Suddenly:
A11) the Client Agent software proposes the download request of this document to the server end management software;
A12) server end management software takes out corresponding user number according to the log-on message of the Client Agent software
According to wherein user's data storage is in the server;
A13) server end management software obtains the authorization privilege data of this document;
A14 user's data and the authorization privilege data) are compared, to judge whether the Client Agent software has this document
Download permission;
A15) if the Client Agent software has the download permission of this document, the server end management software is according to the user
Data obtain the corresponding client key, and the wherein client key is stored in the server;
A16) this document is encrypted using the client key, to generate the encryption file;And
A17 the encryption file) is provided to be downloaded for the Client Agent software.
8. encryption document protection method according to claim 7, which is characterized in that the server end management software generates should
When encrypting file, the time that the information of the client device is downloaded with request is put into the encryption file, and encryption text
Part guard method further includes a step h:The time that the information of the client device is downloaded with request dynamic in a manner of watermark is aobvious
It is shown in by unlatching this document.
9. encryption document protection method according to claim 7, which is characterized in that further include following step before step a
Suddenly:
A21) the Client Agent software is installed in the client device;
A22) the Client Agent software is connected to the server after starting and is first logged into;
A23) log-on message of the Client Agent software is stored as user's data by the server end management software, and according to
The exclusive client key of the Client Agent software is generated according to user's data;
A24) server end management software records the client key, and the client key is enabled to be generated with user's data
Association;And
A25) Client Agent software records client key.
10. encryption document protection method according to claim 1, which is characterized in that further include a step i:After step f,
The Client Agent software returns an opening imformation to the server end management software.
11. a kind of encryption file protecting system, which is characterized in that including:
One Client Agent software is installed on a client device, including:
One permission filtering module is intended to the when of opening an encryption file in the client device and transmits the information of the client device to one
Server, to confirm that the client device is to be allowed to open an authorized client of the encryption file;And
One file decryption execution module, it is soft using the Client Agent after confirming that the client device is the authorized client
It is a file that the client key that part is held, which decrypts the encryption file, and meets this document in current breakdown action and be set
One using rule when open this document, wherein this is stored in the server using rule;
One server end management software is installed on server by network connection with the client device, including:
One permission filters management module, links up with the permission filtering module, is set with the client by the validation of information of reception
Whether standby be the authorized client;
One key management module, when the Client Agent software is logged in the server for the first time, according to the client generation
The log-on message of reason software makes the exclusive client key, and the wherein client key is recorded in the Client Agent simultaneously
Software and the server end management software;
One encryption and decryption control module has one to download encrypting module, in the reception download of the Client Agent software to this document
It when request, obtains the Client Agent software corresponding client key and this document is encrypted, to generate encryption text
Part;And
One data control hinge, to handle, integrate and convert permission filtering management module, the key management module and should add
Decrypt data and the instruction of control module.
12. encryption file protecting system according to claim 11, which is characterized in that a clothes of this document through the server
Be engaged in device key encryption, the encryption and decryption control module also have one download deciphering module, in receive the Client Agent software to this
When the download request of file, obtains the server key and this document is decrypted to generate an original document, and enable the download
Encrypting module is encrypted the original document with the client key, to generate the encryption file.
13. encryption file protecting system according to claim 11, which is characterized in that the Client Agent software further includes
One client encrypting module is held after client device editor completes an archive files using the Client Agent software
The client key this document archives are encrypted, and encrypted this document archives are uploaded to by the client device
The server stores.
14. encryption file protecting system according to claim 13, which is characterized in that the encryption and decryption control module also has
Have:
One upload deciphering module obtains the corresponding client key of the client device to this after receiving this document archives
Archive files is decrypted, to generate an original document archives;And
One uploads encrypting module, obtains a server preset server key and the original document archives are encrypted, with
Generate this document.
15. encryption file protecting system according to claim 11, which is characterized in that the server stores one using note
Record data, opening imformation of the usage record data record client device to the encryption file.
16. encryption file protecting system according to claim 11, which is characterized in that the server stores this document
One authorization privilege data, this of the authorization privilege data record this document use rule and a shared object, wherein the permission mistake
The information of the client device is compared filter management module with the shared object of this document, to confirm that the client is set
Whether standby be the authorized client.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410493178.4A CN105516056B (en) | 2014-09-24 | 2014-09-24 | Encrypt file protecting system and its guard method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410493178.4A CN105516056B (en) | 2014-09-24 | 2014-09-24 | Encrypt file protecting system and its guard method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105516056A CN105516056A (en) | 2016-04-20 |
| CN105516056B true CN105516056B (en) | 2018-10-26 |
Family
ID=55723704
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410493178.4A Active CN105516056B (en) | 2014-09-24 | 2014-09-24 | Encrypt file protecting system and its guard method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105516056B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111314781B (en) * | 2018-12-11 | 2022-07-01 | 青岛海尔多媒体有限公司 | Local file encryption method, device, equipment and storage medium |
| CN112565447B (en) * | 2020-12-17 | 2022-09-09 | 南京维拓科技股份有限公司 | Encryption and decryption method and system matched with uploading and downloading in cloud environment and WEB file manager |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101174941A (en) * | 2006-11-01 | 2008-05-07 | 北京书生国际信息技术有限公司 | Off-line digital copyright protection method and device for mobile terminal document |
| CN102355463A (en) * | 2011-10-10 | 2012-02-15 | 厦门简帛信息科技有限公司 | Digital document encryption method |
| CN103108245A (en) * | 2011-11-15 | 2013-05-15 | ***股份有限公司 | Smart television payment secret key system and payment method based on smart television |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP4614377B2 (en) * | 2000-03-01 | 2011-01-19 | キヤノン株式会社 | ENCRYPTED DATA MANAGEMENT SYSTEM AND METHOD, STORAGE MEDIUM |
-
2014
- 2014-09-24 CN CN201410493178.4A patent/CN105516056B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101174941A (en) * | 2006-11-01 | 2008-05-07 | 北京书生国际信息技术有限公司 | Off-line digital copyright protection method and device for mobile terminal document |
| CN102355463A (en) * | 2011-10-10 | 2012-02-15 | 厦门简帛信息科技有限公司 | Digital document encryption method |
| CN103108245A (en) * | 2011-11-15 | 2013-05-15 | ***股份有限公司 | Smart television payment secret key system and payment method based on smart television |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105516056A (en) | 2016-04-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11941132B2 (en) | Systems, devices and methods for protecting and exchanging electronic computer files | |
| US7302570B2 (en) | Apparatus, system, and method for authorized remote access to a target system | |
| JP6082166B2 (en) | Multiple permission data security and access | |
| JP5639660B2 (en) | Confirmable trust for data through the wrapper complex | |
| TWI479287B (en) | Control system, program delivery device, authentication server, program protection method, program delivery method and program delivery device | |
| CN100419616C (en) | Content usage device and network system, and license information acquisition method | |
| CN101689989B (en) | Method and device for creating and validating cryptographically secured documents | |
| CN103561034B (en) | A kind of secure file shared system | |
| US20020138442A1 (en) | Content provision device and method and license server capable of facilitating circulation of encrypted content data | |
| CN106027552A (en) | Method and system for accessing cloud storage data by user | |
| JP2003060636A (en) | Digital information security method and its system | |
| KR100697121B1 (en) | Data storage device | |
| CN103679050A (en) | Security management method for enterprise-level electronic documents | |
| CN112769808B (en) | Mobile fort machine for industrial local area network, operation and maintenance method thereof and computer equipment | |
| CN101743714A (en) | updating and validating documents secured cryptographically | |
| KR20050053569A (en) | Document preservation authority endowment method | |
| CN102138145B (en) | Cryptographically controlling access to documents | |
| CN107426223A (en) | Cloud file encryption and decryption method, encryption and decryption device and processing system | |
| CN105516056B (en) | Encrypt file protecting system and its guard method | |
| CN108494724B (en) | Cloud storage encryption system based on multi-authority attribute encryption algorithm | |
| CN112818401A (en) | Block chain health file management system | |
| CN115840683B (en) | Heterogeneous alliance chain monitoring method, system, device, equipment and storage medium | |
| JP4556277B2 (en) | Information processing apparatus and method, information processing system, and program storage medium | |
| CN101826964A (en) | Outgoing document security management system supporting collaboration | |
| TWI509458B (en) | Protection system for encrypted document and protection method for using the same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |