CN106650492A - Multi-device file protection method and device based on security catalog - Google Patents
Publication number: CN106650492A
Application number: CN201611152430.0A
Authority: CN (China)
Legal status: Granted
Classifications
- G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/16: Program or content traceability, e.g. by watermarking
- G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
- G06F21/602: Providing cryptographic facilities or services
Abstract
The invention discloses an efficient multi-device file protection method and device based on a security catalog. The device comprises a device management module, a folder monitor and a file protection module. The method comprises the following steps: verifying the user through a self-defined user ticket, so that the user's identity can be accurately verified while the security of the user's password is preserved; defining a new file format and packaging the original sensitive file into a file of that unified format, so that files of any format can be encrypted and protected by the device; providing efficient and portable cross-device file protection support by using device information as part of the device key; and continuously monitoring user behavior in real time through a file monitor in order to protect files. The device provides the user with secure and transparent protection of sensitive files, automatically detects user behavior and protects files automatically in real time, and also provides efficient and portable cross-device file protection support.
Description
Technical field
The invention belongs to the field of information technology and relates to digital file content protection technology, and more particularly to a file protection method and device based on a security catalog that can be used across devices and protects file information.
Background
With the rapid development of information technology, the digitization of files has become increasingly common, and with it come security problems for the information stored in files. Large companies and institutions often purchase dedicated file protection systems to manage and protect company confidential files; however, because of their high price, deployment requirements and similar factors, such systems are not well suited to protecting personal information. Besides dedicated file protection systems, various file protection tools have also been developed and are increasingly used. However, these widely used tools assume by default that the device on which the tool is currently installed is the only carrier of the protected information. Managing and protecting files per device rather than per user in this way does not support a user sharing and protecting files across multiple devices. In fact, as technology develops and user requirements rise, mobile devices such as tablets and mobile phones have also become platforms on which users work with their sensitive information. As the number of devices a user owns grows, the existing single-device file protection tools can no longer meet users' needs. A user who owns multiple devices needs a file protection device that is organized per user and works across all of that user's devices. Existing file protection technology can only protect files on a single user device, which makes it difficult to meet the file protection needs of users with multiple devices and cannot provide efficient and portable cross-device file protection support.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides an efficient multi-device file protection method and device based on a security catalog. It provides the user with secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and also provides efficient and portable cross-device file protection support.
The principle of the present invention is as follows. A security catalog is a directory that stores sensitive files and provides automatic protection functions. The invention designs an efficient multi-device shared file protection method and device based on a security catalog. It overcomes the deficiency that existing file protection technology can only protect files on a single user device, provides secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and also provides efficient and portable cross-device file protection support. In addition, to overcome the defect that existing file protection software can only protect files of specific formats, the invention defines a new unified secure file structure that extends the range of files that can be protected: a file of any format can be packaged according to this structure and protected. For users who hold multiple devices it provides a cross-device file protection mode, so that the user can operate on protected files transparently and conveniently. To ensure file security, any file in the security catalog is protected dynamically in real time, which prevents the leakage of file information that would result if the user forgot to encrypt a file.
The technical scheme provided by the present invention is:
A multi-device file protection method based on a security catalog, in which a device management module, a file monitor and a file protection module are created. By defining a new unified secure file structure and creating a security catalog, a file of any format can be packaged according to the secure file structure, and multi-device shared file protection is then realized on the basis of the security catalog. The method comprises the following steps:
A) The device management module manages the information of multiple devices, including managing the device information table, generating device keys, generating device authentication codes, returning device keys, and so on;
B) The file protection module defines a unified secure file structure and re-encapsulates the original file according to that structure, generating a new file, the secure structure file. This specifically includes:
B1) Generating the file encryption key
Specifically: the file protection module uses each device key in turn to encrypt the content encryption key CEK (Content Encryption Key), generating a file encryption key ciphertext bound to each authorized device, and uses the system key to produce a key authentication code. Then, from the number of device keys, the file key ciphertext bound to each device, the corresponding device authentication codes and related information, it generates the file key ciphertext item of the protected file;
B2) Generating the secure structure file
After the file encryption key is received, the content of the sensitive file is encrypted (using a symmetric encryption algorithm), and information such as the file encryption key and the original file name is placed in the file header and encapsulated into the secure file structure;
In the present invention, the unified secure file structure comprises a file header and file content. The file content is the ciphertext of the original file after encryption. The file header comprises the total file length, the file name length, a random salt R used to prevent text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header. The file key ciphertext comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information, and the key authentication code. The total ciphertext length records the total length of the file key ciphertext. The total number of ciphertext information items records the number of ciphertext information items bound to authorized devices (equal to the current total number of authorized devices). The key authentication code is produced by a formula and is used to verify the correctness of the file key recovered by a device during file decryption;
C) Sensitive files are stored in the security catalog; an authorized user can enter the security catalog to perform file operations;
D) When a user enters the security catalog and performs file operations, the file monitor calls internal functions to monitor user behavior in the security catalog in real time, and multi-device shared file protection is carried out on the basis of the security catalog;
D1) When the user performs a file editing operation (for example, opening a protected file), the file monitor detects the user's open operation and sends the file protection module a request to decrypt the file for the user's use;
D2) After receiving the file view request sent by the file monitor, the file protection module first verifies the integrity of the file to be opened. Specifically, it obtains the content of the file header, generates the message digest of the current file header content, and compares it with the file header digest stored in the file header; this verifies the integrity of the information stored in the file header and ensures that it has not been tampered with. It then regenerates the device decryption key: it reads the salt R recorded in the header of the protected file and sends it to the device management module;
D3) The device management module obtains the hardware information $Dev_{info}$ of this device and, using the encryption function $G_a$ with the system key $K_s$ and the salt R as parameters, produces the device key of this device, $K_D = G_a(\{Dev_{info}, R, K_s\})$. At the same time it generates the one-way hash value of the hardware information $Dev_{info}$ and sends both to the file protection module;
D4) The file protection module generates the file decryption key and checks its integrity. Specifically, it reads the file key ciphertext in the file header, traverses all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reads the device authentication code $HD_i$ in each item, and compares it one by one with the one-way hash value of the local device's hardware information generated by the device management module. If the device authentication code of the file key ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information corresponds to this device. If no item matches, the device is illegitimate or has been deleted, and the file view process is terminated. For the matching item, the device key is used to decrypt the file key ciphertext in that item to obtain the file content key CEK, and a check is made against the key authentication code stored in the file key ciphertext; if the two are not equal, decryption fails and the file view process is terminated;
D5) The file protection module recovers the protected file. Specifically, it uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
When the file operation is a modification: after the user modifies a sensitive file, the file's digest information changes; the file monitor detects the modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure, and stores it in the security catalog.
The present invention also provides a multi-device file protection device based on a security catalog that implements the above multi-device file protection method, comprising a device management module, a file monitor and a file protection module;
Device management module: the device management module comprises a user registration and verification unit, a device management unit and a device key generation unit. User registration and verification implements access control for users who request access to the security catalog, and the initialization of security catalog information. Device management manages all registered devices of a legitimate user, including adding and deleting devices. Because the set of devices a user owns can change, the device on which the user creates a protected sensitive file is defined as the source device of that file; the source device can share the protected sensitive file with other devices, and the user devices with which the protected file is shared (such as a notebook or tablet) are shared devices. The invention uses a self-defined user ticket to verify user identity; the user ticket is transparent to the user. The device key generation unit uses the system key $K_s$ and the salt R to produce the device key of a device;
File monitor: the file monitor runs continuously as a background process, persistently detects user operations in the security catalog and responds in real time, acting as the bridge between the user and the protected files. As soon as the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protection module to protect the file. The user does not need to encrypt files manually; all encryption and encapsulation is completed automatically after the user creates or modifies a file;
File protection module: the file protection module is the core module of the device and is responsible for the security protection of files. In providing the protection service the invention does not consider the original format of the file; it extracts the file content, encrypts it, and repackages it into the secure file structure. The secure file structure comprises two parts, the file header and the file content. The file content is the ciphertext of the original file after encryption. The file header comprises the total file length, the file name length, a random salt R used to prevent text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header. The file key ciphertext (see Fig. 4) comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information, and the key authentication code. The total ciphertext length records the total length of the file key ciphertext. The total number of ciphertext information items records the number of ciphertext information items bound to authorized devices (equal to the current total number of authorized devices). The key authentication code is produced by a formula and is used to verify the correctness of the file key recovered by a device during file decryption. The module also provides a cross-device file protection mode, so that files can be shared between the security catalogs of legitimate devices. A file protection device that is independent of file format in this way can meet user needs to the greatest extent, rather than only being able to encrypt specific files, which increases the practicality of the invention.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides an efficient multi-device file protection method and device based on a security catalog. It provides the user with secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and also provides efficient and portable cross-device file protection support. Specifically, the present invention has the following advantages:
First, the user can operate on files as needed within the scope of their permissions. Any user entering the security catalog is verified using the device's self-defined user ticket rather than directly using the password the user enters, so the user's identity can be verified correctly while the security of the user's password is preserved;
Second, for ease of use and to achieve comprehensive real-time protection of sensitive files, the invention designs a file monitor. The monitor runs as a background daemon and continuously monitors file operations in the security catalog. When the user creates a new file in the security catalog, or copies a file into the security catalog from another folder, the file monitor detects this immediately and notifies the file management component to encrypt and protect the file. After the user modifies a sensitive file, the file monitor likewise detects this and notifies the file management component to re-encrypt the modified file. The file monitor allows user behavior to be detected continuously and in real time; the user does not need to specifically select files to encrypt, which effectively prevents the user from carelessly forgetting to encrypt a newly created sensitive file;
Third, the invention defines a new file format and encapsulates the original sensitive file in a file of that unified format, so that a file of any format can be encrypted and protected by the device. Finally, to address the deficiency that existing file protection tools can only protect files on one device of the user, the invention uses device information as part of the device key, thereby providing efficient and portable cross-device file protection support.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the multi-device file protection device provided by the present invention.
Fig. 2 is the flow block diagram of the multi-device file protection method provided by the present invention.
Fig. 3 is a schematic flow diagram of user access control in an embodiment of the present invention.
Fig. 4 is the structure diagram of the file key ciphertext contained in the secure file structure of the present invention.
Detailed description of the embodiments
The present invention is further described below through embodiments with reference to the accompanying drawings, without limiting the scope of the invention in any way.
The present invention provides an efficient multi-device file protection method and device based on a security catalog. It provides the user with secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and also provides efficient and portable cross-device file protection support.
Fig. 1 is the system architecture diagram of the multi-device file protection device provided by the present invention, which comprises a device management module, a folder monitor and a file protection module and realizes multi-device file protection based on a security catalog.
Fig. 2 is the flow block diagram of the multi-device file protection method provided by the present invention. In the following embodiment, the user creates a shared security catalog on a device on which the file protection device is installed, and multi-device file protection based on the security catalog is realized on that basis, specifically comprising the following steps:
1) The user creates a security catalog
The user logs in to a device on which the file protection device is installed, selects an installation path on the device, and applies to the file protection device to create a security catalog.
The security catalog path selected by the user is processed and stored in the device. After receiving the user information, the user management module generates the user's ID and ticket; the user ticket is generated by formula (1):
where $password_u$ is the user's password and ID is the user's user name, which is also the user's unique identifier on the device. H() denotes a one-way hash function, which ensures that even if the ticket is compromised, an attacker cannot work backwards from the ticket to compute information such as the user's password.
2) User registration and verification
Before operating on files in the security catalog on any device on which the file protection device is installed, the user must first enter an account and password for identity verification. The device does not verify the user's account password directly; the purpose is to verify the legitimacy of the user's identity without disclosing the user's password. The detailed user authentication process is shown in Fig. 2. When a user enters a user name and password to log in, the device management module automatically generates a temporary ticket for the user, decrypts and obtains the user's correct ticket for this security catalog, and compares the two. The user is authenticated as legitimate and allowed to enter the security catalog to perform file operations if and only if the two are completely identical.
3) A legitimate user creates a new file
A legitimate user creates a new file in the security catalog using the invention. The file monitor designed in the invention calls internal functions to monitor user behavior in the security catalog in real time; when it detects the user's "new file" operation, the file monitor immediately notifies the file protection module to protect the file. The file protection module receives the file monitor's file protection request.
4) The file protection module requests device keys
The device management module obtains the hardware information of this device, decrypts the device information table and checks its integrity, and then obtains the set of triplets (device unique identifier, device information digest, device information) of all associated authorized devices. Using the device key generation method $K_D = G_a(\{Dev_{info}, R, K_s\})$ it produces the device key of each authorized device.
5) Returning the device keys
The device management module returns the generated device keys and the corresponding device authentication codes to the file protection module.
6) Generating the file encryption key
The file protection module uses each device key in turn to encrypt the CEK, generating a file key (file encryption key) bound to that authorized device, and uses the system key to produce the key authentication code. Then, from the number of device keys, the file key ciphertext bound to each device, the corresponding device authentication codes and related information, it generates the file key ciphertext item of the protected file.
7) Generating the secure structure file
After receiving the file encryption key, the file protection module encrypts the content of the sensitive file with a symmetric encryption algorithm, places information such as the file encryption key and the original file name in the file header, and encapsulates the result into the secure file structure.
8) The user opens a protected file
The user opens and reads a protected file. The file monitor detects the user's open operation and notifies the file protection module to decrypt the file for the user's use.
9) Verifying the integrity of the file to be opened
After receiving the file view request sent by the file monitor, the file protection module obtains the content of the file header, generates the message digest of the current file header content, and compares it with the file header digest stored in the file header. This verifies the integrity of the information stored in the file header and ensures that it has not been tampered with.
10) Generating the device decryption key
The file protection module reads the salt R recorded in the header of the protected file and sends it to the device management module. The device management module obtains the hardware information $Dev_{info}$ of this device and uses the system key $K_s$ and the salt R to produce the device decryption key of this device, $K_D = G_a(\{Dev_{info}, R, K_s\})$; at the same time it generates the one-way hash value of $Dev_{info}$ and sends both to the file protection module.
Because symmetric encryption is used, the encryption key and the decryption key are the same key.
11) Generating the file decryption key and checking its integrity
The file protection module reads the file key ciphertext in the file header, traverses all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reads the device authentication code $HD_i$ in each item, and compares it one by one with the one-way hash value of the local device's hardware information generated by the device management module. If the device authentication code of the ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information corresponds to this device. If no item matches, the device is illegitimate or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item to obtain the file content key CEK, and a check is made against the key authentication code stored in the file key ciphertext; if the two are not equal, decryption fails and the file view process is terminated.
12) The file protection module recovers the protected file
The file protection module uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
13) The user modifies a file
After the user modifies a sensitive file, the file's digest information changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure, and stores it in the security catalog.
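An added example, not taken from the patent, of the file key ciphertext and the key recovery check described in steps 4) to 6) and 10) to 11), which are the same flow as steps B1) and D2) to D4) of the summary. The patent names no primitives, so HMAC-SHA256 for $G_a$, SHA-256 for the one-way hash, HMAC($K_s$, CEK) for the key authentication code, an XOR pad standing in for a real key-wrap algorithm, and all function, class and device names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed primitives; the patent text names none of them:
#   G_a                      -> HMAC-SHA256 keyed with the system key K_s
#   one-way hash for HD_i    -> SHA-256
#   key authentication code  -> HMAC-SHA256(K_s, CEK)
#   CEK encryption under K_D -> XOR with an HMAC-derived pad, a stand-in for a
#                               real key-wrap algorithm such as AES Key Wrap
CEK_LEN = 32


class KeyRecoveryError(Exception):
    """Raised when the file view process has to be terminated (step 11)."""


def device_key(dev_info: bytes, salt: bytes, k_s: bytes) -> bytes:
    """K_D = G_a({Dev_info, R, K_s}). Dev_info is length-prefixed so that two
    different (Dev_info, R) pairs cannot produce the same input."""
    msg = len(dev_info).to_bytes(4, "big") + dev_info + salt
    return hmac.new(k_s, msg, hashlib.sha256).digest()


def device_auth_code(dev_info: bytes) -> bytes:
    """HD_i: one-way hash of the device hardware information."""
    return hashlib.sha256(dev_info).digest()


def key_auth_code(cek: bytes, k_s: bytes) -> bytes:
    """Key authentication code, produced with the system key (assumed form)."""
    return hmac.new(k_s, cek, hashlib.sha256).digest()


def wrap_cek(k_d: bytes, cek: bytes) -> bytes:
    """Encrypt (or decrypt) a CEK under a device key with the stand-in pad."""
    if len(cek) != CEK_LEN:
        raise ValueError("CEK must be 32 bytes")
    pad = hmac.new(k_d, b"cek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(cek, pad))


@dataclass
class KeyHeader:
    """The header fields used for key recovery: salt R, the key authentication
    code, and the <ECK_i, HD_i> items of the file key ciphertext."""
    salt: bytes
    kac: bytes
    items: list = field(default_factory=list)


def protect(cek: bytes, authorised_devices: list, k_s: bytes) -> KeyHeader:
    """Steps 4-6: derive K_D per authorised device and bind the CEK to each."""
    salt = secrets.token_bytes(16)  # fresh R for every protected file
    header = KeyHeader(salt, key_auth_code(cek, k_s))
    for dev_info in authorised_devices:
        k_d = device_key(dev_info, salt, k_s)
        header.items.append((wrap_cek(k_d, cek), device_auth_code(dev_info)))
    return header


def recover_cek(header: KeyHeader, local_dev_info: bytes, k_s: bytes) -> bytes:
    """Steps 10-11: find this device's item, unwrap the CEK, verify it."""
    local_hd = device_auth_code(local_dev_info)
    k_d = device_key(local_dev_info, header.salt, k_s)
    for eck, hd in header.items:
        if hmac.compare_digest(hd, local_hd):      # constant-time comparison
            cek = wrap_cek(k_d, eck)               # XOR pad: unwrap == wrap
            if not hmac.compare_digest(key_auth_code(cek, k_s), header.kac):
                raise KeyRecoveryError("key authentication code mismatch")
            return cek
    raise KeyRecoveryError("device not authorised")  # illegitimate or deleted


if __name__ == "__main__":
    # Constructed sample values, not real device data.
    k_s = secrets.token_bytes(32)
    cek = secrets.token_bytes(CEK_LEN)
    hdr = protect(cek, [b"laptop|sn=CONSTRUCTED-001", b"tablet|sn=CONSTRUCTED-002"], k_s)
    print(recover_cek(hdr, b"tablet|sn=CONSTRUCTED-002", k_s) == cek)
    try:
        recover_cek(hdr, b"phone|sn=CONSTRUCTED-003", k_s)
    except KeyRecoveryError as exc:
        print("open refused:", exc)
```

Both failure paths raise before any file content would be decrypted, which corresponds to the "terminate the file view process" rule in step 11).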
As the above embodiment shows, the present invention has the following effects:
Popular file protection software protects files on the basis of specific formats; files in formats not designated by the software cannot be protected by it. When small businesses manage sensitive files in practice, the kinds of files are often very numerous and hard to predict, and in that situation file protection software cannot provide comprehensive and reliable protection for the enterprise's sensitive files. The file protection device proposed by the invention is independent of file format: whatever the format of the original file, it can be encrypted and encapsulated into one unified format, which overcomes the defect that existing file encryption software can only encrypt files of specific formats;
Large companies generally use expensive dedicated systems to protect the security of file information. But for individual users who have the same need for file protection, device-based local file systems are a more suitable choice. In recent years, data encryption protection technologies for computer file systems have continued to develop and mature; among them, the Encrypting File System (EFS) has attracted wide attention for its relatively high ease of use and security. EFS is based on the operating system's user accounts and rights management, is integrated with the file system, and is fully transparent to the user. EFS treats devices as mutually independent: even if the same administrator password is used on different devices, confidential files cannot be securely shared between devices. In particular, only NTFS-formatted Windows partitions can use EFS encryption. Moreover, when a sensitive file is copied from a folder with the encryption attribute into a non-encrypted folder, the file is decrypted automatically, which means that transferring sensitive files between different devices causes them to be decrypted automatically and exposed. EFS therefore cannot meet users' need to manage and protect sensitive files across devices, and the present invention makes up for exactly this defect. Addressing the deficiency that existing file protection tools can only protect files on the user's device, the present invention also provides users with efficient, portable cross-device file protection support.
It should be noted that the purpose of publishing the embodiments is to help further understand the present invention, but those skilled in the art will appreciate that various substitutions and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. Therefore, the present invention should not be limited to what the embodiments disclose; the scope of protection claimed by the present invention is the scope defined by the claims.
Claims (10)
1. A multi-device file protection method based on a security catalog, in which a device management module, a file monitor and a file protection module are created, a unified secure file structure is defined and a security catalog is created, so that a file of any format can be packaged according to the secure file structure, and multi-device shared file protection is then realized on the basis of the security catalog; comprising the following steps:
A) managing multi-device information through the device management module, including managing the device information table, generating device keys, generating device authentication codes, and returning device keys;
B) defining, through the file protection module, a unified secure file structure, re-encapsulating the original file according to the secure file structure, and generating a new file that is the secure structure file; specifically including B1)~B2):
B1) generating the file encryption key: the file protection module traverses the device keys, encrypting the file content key CEK with each one to generate a file key ciphertext item bound to the corresponding authorized device, and uses the system key to produce the key authentication code, thereby generating the file key ciphertext of the protected file, whose content includes the number of device keys and the file key ciphertext bound to each device together with the corresponding device authentication code;
B2) generating the secure structure file: after receiving the file key, the file protection module encrypts the content information of the sensitive file, and encapsulates the file key and the original file name information as the file header into the secure file structure; the secure file structure includes a file header and file content; the file content is the ciphertext of the encrypted original file; the file header includes the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header; the file key ciphertext includes the ciphertext total length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code; the ciphertext total length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is produced by a formula and is used to verify the correctness of the file key recovered by the device during file decryption;
C) storing sensitive files through the security catalog; an authorized user can enter the security catalog to perform file operations;
D) when a user enters the security catalog to perform file operations, monitoring user behavior in the security catalog in real time by calling the internal functions of the file monitor; then carrying out multi-device shared file protection on the basis of the security catalog; including D1)~D5):
D1) when the user performs a file editing operation, the file monitor detects the user operation and sends the file protection module a request to decrypt the file for the user to use;
D2) after receiving the file operation request sent by the file monitor, the file protection module first verifies the integrity of the file requested to be opened; it then generates the device decryption key by way of the device management module;
D3) the device management module obtains the hardware information $Dev_{info}$ of the device, and uses the system key $K_s$ and the random salt $R$ to produce the device key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$, where $G_a$ is an encryption function; it simultaneously generates the one-way hash value of the device hardware information $Dev_{info}$, and sends both to the file protection module;
D4) the file protection module generates the file decryption key and checks its integrity: it first identifies whether the information in the file key ciphertext items matches the current device; for the matching file key ciphertext information item, it obtains the file content key CEK and verifies it;
D5) the file protection module recovers the protected file: the file protection module uses the file content key CEK to decrypt the protected file and restores it to the original file for the user to use.
2. The multi-device file protection method of claim 1, characterized in that a custom user ticket that is transparent to the user is used to authenticate and authorize the user's identity; the user ticket is generated by formula (1):
where $password_u$ is the user password; ID is the user name of the user and also the unique identifier of the user; H() is a one-way hash function.
3. The multi-device file protection method of claim 1, characterized in that generating the device keys in step A) is specifically: the device management module obtains the device hardware information of the device, decrypts the device information table and, after checking the integrity of the device information table, obtains the set of information triples (device unique identifier, device information digest, device information) of all associated authorized devices, and produces the device key of each authorized device,
where $K_s$ is the system key, $R$ is the random salt, and $G_a$ is an encryption function.
4. The multi-device file protection method of claim 1, characterized in that step B2) uses a symmetric encryption algorithm to encrypt the content information of the sensitive file.
5. The multi-device file protection method of claim 1, characterized in that, in step D), when the file operation performed by the user is modifying a file: after the user changes a sensitive file, the file's digest information changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file; the file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure, and stores it in the security catalog.
6. The multi-device file protection method of claim 1, characterized in that, in step D2), after the file protection module receives the file operation request sent by the file monitor, it verifies the integrity of the file requested to be opened, specifically by obtaining the file header content, generating the message digest of the current file header content, and comparing it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header.
7. The multi-device file protection method of claim 1, characterized in that generating the device decryption key in step D2) is specifically: the file protection module reads the random salt $R$ recorded in the protected file's header and sends it to the device management module; the device management module obtains the hardware information $Dev_{info}$ of the device, uses the system key $K_s$ and the random salt $R$ to produce the device decryption key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$, simultaneously generates the one-way hash value of $Dev_{info}$, and sends them to the file protection module.
8. The multi-device file protection method of claim 1, characterized in that, in step D4), the file protection module generating the file decryption key and checking its integrity specifically includes: reading the file key ciphertext in the file header, traversing all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reading out the device authentication code $HD_i$ in each item, and comparing it one by one with the one-way hash value of the local device hardware information generated by the device management module; when the device authentication code of the ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information item corresponds to this device; when no item matches, the file operation process is terminated; for the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item, obtaining the file content key CEK, which is checked against the key authentication code stored in the file key ciphertext; if the two are not equal, decryption fails and the file operation process is terminated.
9. A multi-device file protection device based on a security catalog, comprising a device management module, a file monitor and a file protection module, for providing cross-device file protection so that files can be shared between the security catalogs of legitimate devices; characterized in that:
the device management module includes a user registration and authentication unit, a device management unit and a device key generation unit; the user registration and authentication unit is used to implement access control for users requesting access to the security catalog and the initialization of security catalog information; the device management unit is used to manage all registered devices of a legitimate user; the device key generation unit is used to generate device keys;
the file monitor is a process running in the background, used to continuously detect and respond to user operations in the security catalog in real time; once the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protection module to protect the file;
the file protection module is used to provide security protection for files; it first extracts the file content to be protected and encrypts it, then re-packages it into the secure file structure; after receiving a file request sent by the file monitor, the file protection module first verifies the integrity of the requested file; it then generates the device decryption key and, according to the device key of the device, generates the file decryption key and checks its integrity; finally it decrypts the protected file and restores it to the original file for the user to use.
10. The multi-device file protection device of claim 9, characterized in that the secure file structure includes two parts, a file header and file content; the file content is the ciphertext of the encrypted original file, and the file header includes the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header; the file key ciphertext includes the ciphertext total length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code; the ciphertext total length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is produced by a formula and is used to verify the correctness of the file key recovered by the device during file decryption.
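The per-device key matching and key check of step 11 of the embodiment (claim 1 steps B1 and D3 to D4, claims 7 and 8), as an added example that is not code from the patent. It assumes G_a is HMAC-SHA256 keyed with K_s, the device authentication code is SHA-256 of the hardware information, and the key authentication code is HMAC-SHA256 under K_s over CEK (the patent's own formula is not given on this page); an XOR pad stands in for the unspecified key-wrapping cipher, and all function names and sample values are constructed.

```python
import hashlib
import hmac

def device_key(dev_info: bytes, salt: bytes, k_s: bytes) -> bytes:
    """K_D = G_a({Dev_info, R, K_s}); G_a is assumed here to be HMAC-SHA256 under K_s."""
    return hmac.new(k_s, salt + dev_info, hashlib.sha256).digest()

def device_auth_code(dev_info: bytes) -> bytes:
    """HD: one-way hash of the device hardware information (SHA-256 assumed)."""
    return hashlib.sha256(dev_info).digest()

def wrap(k_d: bytes, cek: bytes) -> bytes:
    """Stand-in key wrap: XOR the 32-byte CEK with a pad derived from K_D.
    The patent does not name the cipher; use a real key-wrap mode in practice."""
    if len(cek) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    pad = hmac.new(k_d, b"cek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(cek, pad))

unwrap = wrap  # XOR is its own inverse

def key_auth_code(k_s: bytes, cek: bytes) -> bytes:
    """Key authentication code made with the system key (exact formula assumed)."""
    return hmac.new(k_s, b"cek-check" + cek, hashlib.sha256).digest()

def build_key_ciphertext(k_s, salt, cek, devices):
    """Step B1: one <ECK_i, HD_i> item per authorized device, plus the key check."""
    items = [(wrap(device_key(d, salt, k_s), cek), device_auth_code(d)) for d in devices]
    return {"count": len(items), "items": items, "kac": key_auth_code(k_s, cek)}

def recover_cek(k_s, salt, key_ct, local_dev_info):
    """Step 11 / D3-D4: match this device's item, unwrap CEK, verify it."""
    k_d = device_key(local_dev_info, salt, k_s)
    hd_local = device_auth_code(local_dev_info)
    for eck, hd in key_ct["items"]:
        if hmac.compare_digest(hd, hd_local):
            cek = unwrap(k_d, eck)
            if not hmac.compare_digest(key_auth_code(k_s, cek), key_ct["kac"]):
                raise ValueError("key authentication code mismatch: decryption fails")
            return cek
    raise PermissionError("no matching item: device is not authorized or was deleted")

# Constructed sample values, fixed so the run is reproducible; real keys and
# salts must come from a CSPRNG such as os.urandom.
K_S = hashlib.sha256(b"constructed system key").digest()
R = bytes(range(16))
CEK = hashlib.sha256(b"constructed file content key").digest()
LAPTOP = b"board=AB12;disk=0001"
PHONE = b"imei=000000000000000"

if __name__ == "__main__":
    ct = build_key_ciphertext(K_S, R, CEK, [LAPTOP, PHONE])
    print("laptop recovers CEK:", recover_cek(K_S, R, ct, LAPTOP) == CEK)
    try:
        recover_cek(K_S, R, ct, b"board=ZZ99;disk=9999")
    except PermissionError as exc:
        print("unregistered device:", exc)
```

Both termination paths of step 11 surface as distinct exceptions, so a caller can log an unauthorized device separately from a failed key check on a tampered or corrupted header.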
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611152430.0A CN106650492B (en) | 2016-12-14 | 2016-12-14 | A kind of multiple device file guard method and device based on security catalog |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106650492A (en) | 2017-05-10 |
CN106650492B (en) | 2019-06-07 |
Family
ID=58822519
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611152430.0A Active CN106650492B (en) | 2016-12-14 | 2016-12-14 | A kind of multiple device file guard method and device based on security catalog |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106650492B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN106650492B (en) | 2019-06-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||