CN106650492A - Multi-device file protection method and device based on security catalog - Google Patents

Info

Publication number: CN106650492A
Authority: CN (China)
Legal status: Granted (Active)
Application number: CN201611152430.0A
Other languages: Chinese (zh)
Other versions: CN106650492B (en)
Inventors: 沈熳婷, 俞银燕, 汤帜, 崔晓瑜
Current Assignee: Peking University
Original Assignee: Peking University
Application filed by: Peking University
Priority to: CN201611152430.0A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/16 Program or content traceability, e.g. by watermarking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention discloses an efficient multi-device file protection method and device based on a security catalog. The device comprises a device management module, a folder monitor and a file protection module. The method comprises the following steps: verifying the user through a custom user ticket, so that the user's identity can be verified accurately while the security of the user's password is preserved; defining a new file format and packaging the original sensitive file in a unified-format file, so that files of any format can be encrypted and protected by the device; providing the user with efficient and portable cross-device file protection by using device information as part of the device key; and continuously monitoring user behavior in real time through a file monitor in order to protect files. The device provides the user with secure and transparent protection of sensitive files, automatically detects user behavior, protects files automatically in real time, and further provides efficient and portable cross-device file protection.

Description

A multi-device file protection method and device based on a security catalog
Technical field
The invention belongs to the field of information technology and relates to digital document content protection technology, and in particular to a security-catalog-based file protection method and device that can be used across devices to protect file information.
Background art
With the rapid development of information technology, the digitization of files has become increasingly common, and with it has come the problem of securing the information stored in files. Large companies and institutions often buy dedicated file protection systems to manage and protect confidential company files; however, because of their high price, deployment requirements and similar factors, such systems are not well suited to protecting personal information. Besides dedicated file protection systems, a growing number of file protection tools have been developed and are in use; however, these widely used tools assume by default that the device on which the tool is currently installed is the only carrier of the protected information. This approach, which manages and protects files per device rather than per user, does not support a user sharing and protecting files across multiple devices. In fact, as technology develops and user demands rise, mobile devices such as tablets and mobile phones have also become platforms on which users work with their sensitive information. As the number of devices a user owns grows, the existing single-device file protection tools can no longer meet users' needs. Users who own multiple devices need a file protection device that is organized per user and works across all of the same user's devices. Existing file protection techniques can protect files on only one of the user's devices, so they struggle to meet the file protection needs of users with multiple devices and cannot provide efficient, portable cross-device file protection.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides an efficient multi-device file protection method and device based on a security catalog, which gives the user secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and provides efficient, portable cross-device file protection.
The principle of the present invention is as follows. A security catalog is a directory that stores sensitive files and provides automatic protection. The invention designs an efficient multi-device shared file protection method and device based on a security catalog. It overcomes the limitation that existing file protection techniques can protect files on only one of the user's devices, provides secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and provides efficient, portable cross-device file protection. In addition, to overcome the defect that existing file protection software can protect only files of specific formats, the invention defines a new unified secure file structure that widens the scope of protection, so that a file of any format can be packaged according to this structure and protected, and it gives users who hold multiple devices a cross-device way of protecting files, so that they can operate on protected files transparently and conveniently. To ensure file security, every file in the security catalog is protected dynamically in real time, which prevents the information leaks that occur when a user forgets to encrypt a file.
The technical solution provided by the present invention is:
A multi-device file protection method based on a security catalog creates a device management module, a file monitor and a file protection module, defines a new unified secure file structure and creates a security catalog, so that a file of any format can be packaged according to the secure file structure, and then, based on the security catalog, implements multi-device shared file protection. The method comprises the following steps:
A) The device management module manages the information of multiple devices, including managing the device information table, generating device keys, generating device verification codes, returning device keys, and so on;
B) The file protection module defines a unified secure file structure and re-encapsulates the original file according to the secure file structure; the resulting new file is the secure-structure file. This specifically includes:
B1) Generating the file encryption key
The file encryption key is generated as follows: the file protection module uses each device key in turn to encrypt the file encryption key CEK (Content Encryption Key), generating the file encryption key ciphertext bound to each authorized device, and uses the system key to produce the key authentication code; then, from information such as the number of device keys, the file key ciphertext bound to each device and the corresponding device verification code, it generates the file key ciphertext item of the protected file;
B2) Generating the secure-structure file
After receiving the file encryption key, the file protection module encrypts the content of the sensitive file (using a symmetric encryption algorithm) and encapsulates information such as the file encryption key and the original file name as the file header, producing the secure file structure;
In the present invention, the unified secure file structure comprises a file header and file content. The file content is the ciphertext of the original file after encryption. The file header comprises the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length and the message digest of the file header. The file key ciphertext comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code. The total ciphertext length records the total length of the file key ciphertext. The total number of ciphertext information items records the number of ciphertext information entries bound to authorized devices (equal to the current total number of authorized devices). The key authentication code is produced by a formula and is used to verify the correctness of the file key that a device recovers during file decryption;
C) Sensitive files are stored in the security catalog, and an authorized user can enter the security catalog to perform file operations;
D) When the user enters the security catalog and performs file operations, the file monitor calls internal functions to monitor user behavior in the security catalog in real time; multi-device shared file protection is then carried out based on the security catalog;
D1) When the user performs a file editing operation (for example, opening a protected file), the file monitor detects the user's open operation and sends the file protection module a request to decrypt the file for the user's use;
D2) After receiving the file view request sent by the file monitor, the file protection module first verifies the integrity of the file to be opened. Specifically, it obtains the content of the file header, generates the message digest of the current file header content and compares it with the file header digest stored in the file header; this verifies the integrity of the information stored in the file header and ensures that the relevant information stored there has not been tampered with. It then regenerates the device decryption key. Specifically, it reads the salt R recorded in the header of the protected file and sends it to the device management module;
D3) The device management module obtains the hardware information $Dev_{info}$ of this device and, using the encryption function $G_a$ with the system key $K_s$ and the salt R as parameters, produces the device key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$; at the same time it generates the one-way hash value of the hardware information $Dev_{info}$, and sends both to the file protection module;
D4) The file protection module generates the file decryption key and checks its integrity. Specifically, it reads the file key ciphertext in the file header, traverses all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reads the device verification code $HD_i$ in each item, and compares each one with the one-way hash value of the local device hardware information generated by the device management module. If the device verification code of the file key ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information corresponds to this device; if no item matches, the device is illegitimate or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the module uses the device key to decrypt the file key ciphertext in that item, obtaining the file content key CEK, and checks whether the corresponding check value is equal to the key authentication code stored in the file key ciphertext; if they are not equal, decryption fails and the file view process is terminated;
D5) The file protection module recovers the protected file. Specifically, it uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
When the file operation performed by the user is a modification, the digest information of the file changes after the user modifies a sensitive file. The file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure and stores it in the security catalog.
The present invention also provides a multi-device file protection device based on a security catalog that implements the above multi-device file protection method, comprising a device management module, a file monitor and a file protection module;
Device management module: the device management module comprises a user registration and verification unit, a device management unit and a device key generation unit. User registration and verification implements access control for users requesting access to the security catalog and initializes the security catalog information. Device management manages all registered devices of a legitimate user, including adding and deleting devices. Because the set of devices a user owns can change, the device on which the user creates a protected sensitive file is defined as the source device of that file; the source device can share the protected sensitive file with other devices, and a user device (such as a notebook or tablet) with which a protected file is shared is a shared device. The invention uses a custom user ticket to verify the user's identity, and the user ticket is transparent to the user. The device key generation unit uses the system key $K_s$ and the salt R to produce the device key of a device;
File monitor: the file monitor is a process that runs continuously in the background, persistently detecting user operations in the security catalog and responding in real time, and it acts as the bridge between the user and the protected files. As soon as the user performs an operation in the security catalog that affects file security, the file monitor detects the operation in real time and notifies the file protection module to protect the file. The user does not need to encrypt files manually; all encryption and encapsulation is completed automatically after the user creates or modifies a file;
File protection module: the file protection module is the core module of the device and is responsible for providing security protection for files. In providing the protection service, the invention does not consider the original format of the file; it extracts the file content, encrypts it and re-packages it into the secure file structure. The secure file structure comprises two main parts, a file header and file content. The file content is the ciphertext of the original file after encryption. The file header comprises the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length and the message digest of the file header. The file key ciphertext (see Fig. 4) comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code. The total ciphertext length records the total length of the file key ciphertext. The total number of ciphertext information items records the number of ciphertext information entries bound to authorized devices (equal to the current total number of authorized devices). The key authentication code is produced by a formula and is used to verify the correctness of the file key that a device recovers during file decryption. The module also provides a cross-device way of protecting files, so that files can be shared between the security catalogs of legitimate devices. A file protection device that is independent of file format in this way can meet user needs to the greatest extent, rather than being able to encrypt only specific files, which increases the practicality of the invention.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides an efficient multi-device file protection method and device based on a security catalog, which gives the user secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and provides efficient, portable cross-device file protection. Specifically, the invention has the following advantages:
First, the user can operate on files as needed within the scope of their permissions. Any user entering the security catalog is verified with the device's custom user ticket rather than directly with the password the user enters, so the user's identity can be verified correctly while the security of the user's password is preserved;
Second, with the user's ease of use in mind, and to achieve comprehensive real-time protection of sensitive files, the invention designs a file monitor. The monitor runs as a background daemon that continuously monitors file operations in the security catalog. When the user creates a new file in the security catalog, or copies a directory into the security catalog from another folder, the file monitor detects this immediately and notifies the file management component to encrypt and protect the files. After the user modifies a sensitive file, the file monitor also detects the behavior and notifies the file management component to re-encrypt the modified file. The file monitor allows user behavior to be detected continuously and in real time, and the user does not need to select particular files to encrypt, which effectively prevents the situation in which a user forgets, through carelessness, to encrypt a newly created sensitive file;
Third, the invention defines a new custom file format and encapsulates the original sensitive file in a unified-format file, so that a file of any format can be encrypted and protected by the device. Finally, to address the limitation that existing file protection tools can protect files on only one of the user's devices, the invention also provides efficient, portable cross-device file protection by using device information as part of the device key.
Description of the drawings
Fig. 1 is the system architecture diagram of the multi-device file protection device provided by the present invention.
Fig. 2 is the flow diagram of the multi-device file protection method provided by the present invention.
Fig. 3 is the flow diagram of user access control in an embodiment of the present invention.
Fig. 4 is the structure diagram of the file key ciphertext contained in the secure file structure of the present invention.
Specific embodiment
The present invention is further described below through embodiments with reference to the accompanying drawings, without limiting the scope of the invention in any way.
The present invention provides an efficient multi-device file protection method and device based on a security catalog, which gives the user secure and transparent protection of sensitive files, automatically detects user behavior so that files are protected automatically in real time, and provides efficient, portable cross-device file protection.
Fig. 1 is the system architecture diagram of the multi-device file protection device provided by the present invention, which comprises a device management module, a folder monitor and a file protection module and implements multi-device file protection based on a security catalog.
Fig. 2 is the flow diagram of the multi-device file protection method provided by the present invention. In the following embodiment, the user creates a shared security catalog on a device where the file protection device is installed, and multi-device file protection based on the security catalog is implemented on that basis. The method specifically includes the following steps:
1) The user creates a security catalog
The user logs in to a device on which the file protection device is installed, selects an installation path on the device, and asks the file protection device to create a security catalog.
The security catalog path selected by the user is processed and stored in the device. After receiving the user information, the user management module generates the user's ID and ticket; the user ticket is generated by formula (1):
Here, $password_u$ is the user's password and ID is the user's user name, which is also the user's unique identifier on the device. H() denotes a one-way hash function, which ensures that even if the ticket is leaked, an attacker cannot work backwards from the ticket to information such as the user's password.
2) User registration and verification
Before operating on files in the security catalog on any device where the file protection device is installed, the user must first enter an account password for identity verification. The device does not verify the user's account password directly; the aim is to verify the legitimacy of the user's identity without disclosing the user's password. The detailed user authentication process is shown in Fig. 2: when a user enters a user name and password to log in, the device management module automatically generates a temporary ticket for the user, decrypts the correct ticket of that user for the security catalog, and compares the two; only when the two are exactly identical is the user authenticated as legitimate and allowed to enter the security catalog to perform file operations.
3) A legitimate user creates a new file
A legitimate user uses the invention to create a new file in the security catalog. The file monitor designed in the invention calls internal functions to monitor user behavior in the security catalog in real time. When it detects the user's "new file" operation, the file monitor immediately notifies the file protection module to protect the file. The file protection module receives the file protection request from the file monitor.
4) The file protection module requests the device keys
The device management module obtains the hardware information of this device, decrypts the device information table and, after checking the integrity of the table, obtains the set of triples of device unique identifier, device information digest and device information for all associated authorized devices. It then produces the device key of each authorized device according to the device key generation method $K_D = G_a(\{Dev_{info}, R, K_s\})$.
5) Returning the device keys
The device management module returns the generated device keys and the corresponding device verification codes to the file protection module.
6) Generating the file encryption key
The file protection module uses each device key in turn to encrypt the CEK, generating the file key (file encryption key) bound to that authorized device, and uses the system key to produce the key authentication code; then, from information such as the number of device keys, the file key ciphertext bound to each device and the corresponding device verification code, it generates the file key ciphertext item of the protected file.
7) Generating the secure-structure file
After receiving the file encryption key, the file protection module encrypts the content of the sensitive file with a symmetric encryption algorithm and encapsulates information such as the file encryption key and the original file name as the file header, producing a secure file structure.
8) The user opens a protected file
The user opens and reads a protected file. The file monitor detects the user's open operation and notifies the file protection module to decrypt the file for the user's use.
9) Verifying the integrity of the opened file
After receiving the file view request sent by the file monitor, the file protection module obtains the content of the file header, generates the message digest of the current file header content and compares it with the file header digest stored in the file header, in order to verify the integrity of the information stored in the file header and ensure that the relevant information stored there has not been tampered with.
10) Generating the device decryption key
The file protection module reads the salt R recorded in the header of the protected file and sends it to the device management module. The device management module obtains the hardware information $Dev_{info}$ of this device and uses the system key $K_s$ and the salt R to produce the device decryption key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$; at the same time it generates the one-way hash value of $Dev_{info}$, and sends both to the file protection module.
Because symmetric encryption is used, the encryption key and the decryption key are the same key.
11) Generating the file decryption key and checking its integrity
The file protection module reads the file key ciphertext in the file header, traverses all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reads the device verification code $HD_i$ in each item, and compares each one with the one-way hash value of the local device hardware information generated by the device management module. If the device verification code of the ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information corresponds to this device; if no item matches, the device is illegitimate or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the module uses the device key to decrypt the file key ciphertext in that item, obtaining the file content key CEK, and checks whether the corresponding check value is equal to the key authentication code stored in the file key ciphertext; if they are not equal, decryption fails and the file view process is terminated.
12) The file protection module recovers the protected file
The file protection module uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
13) The user modifies a file
After the user modifies a sensitive file, the digest information of the file changes. The file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure and stores it in the security catalog.
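The per-device key wrapping of steps 6) and 7) and the open-time checks of steps 9) to 11), as an added Python sketch that is not code from the patent. Assumptions: $G_a$ and the key authentication code are both modelled as HMAC-SHA256 keyed by $K_s$ (this text gives neither formula), the CEK wrap is an XOR pad standing in for the symmetric cipher, and every function name and sample value is constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the patent).
K_S = bytes(range(32))                       # system key K_s
LAPTOP = b"cpu=A1;disk=SN-0001;mac=02:00:00:00:00:01"
TABLET = b"cpu=B2;disk=SN-0002;mac=02:00:00:00:00:02"
PHONE = b"cpu=C3;disk=SN-0003;mac=02:00:00:00:00:03"   # never authorised


def device_key(dev_info: bytes, salt_r: bytes, k_s: bytes) -> bytes:
    """K_D = G_a({Dev_info, R, K_s}); G_a is ASSUMED to be HMAC-SHA256."""
    # Length-prefix dev_info so (dev_info, R) pairs cannot collide.
    msg = len(dev_info).to_bytes(4, "big") + dev_info + salt_r
    return hmac.new(k_s, msg, hashlib.sha256).digest()


def device_code(dev_info: bytes) -> bytes:
    """HD_i: one-way hash of the device hardware information."""
    return hashlib.sha256(dev_info).digest()


def xor_wrap(k_d: bytes, key32: bytes) -> bytes:
    """Stand-in for the symmetric cipher: XOR a 32-byte key with a pad
    derived from K_D. K_D differs per file because R is random per file.
    A real system would use an authenticated key-wrap mode instead."""
    pad = hmac.new(k_d, b"cek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key32, pad))


def key_auth_code(k_s: bytes, cek: bytes) -> bytes:
    """Key authentication code; ASSUMED form HMAC(K_s, CEK)."""
    return hmac.new(k_s, b"cek-auth" + cek, hashlib.sha256).digest()


def header_digest(salt_r: bytes, items, kac: bytes) -> bytes:
    """Message digest over the header fields modelled in this sketch."""
    h = hashlib.sha256(salt_r + len(items).to_bytes(4, "big"))
    for eck, hd in items:
        h.update(eck + hd)
    h.update(kac)
    return h.digest()


def build_header(cek: bytes, k_s: bytes, authorised_devices) -> dict:
    """Steps 6-7: wrap the CEK once per authorised device -> <ECK_i, HD_i>."""
    salt_r = os.urandom(16)
    items = [
        (xor_wrap(device_key(dev, salt_r, k_s), cek), device_code(dev))
        for dev in authorised_devices
    ]
    kac = key_auth_code(k_s, cek)
    return {"salt": salt_r, "items": items, "kac": kac,
            "digest": header_digest(salt_r, items, kac)}


def recover_cek(header: dict, k_s: bytes, local_dev_info: bytes) -> bytes:
    """Steps 9-11: verify the header, find this device's item, unwrap, check."""
    expected = header_digest(header["salt"], header["items"], header["kac"])
    if not hmac.compare_digest(expected, header["digest"]):
        raise ValueError("file header digest mismatch")
    k_d = device_key(local_dev_info, header["salt"], k_s)
    local_hd = device_code(local_dev_info)
    for eck, hd in header["items"]:
        if hmac.compare_digest(hd, local_hd):
            cek = xor_wrap(k_d, eck)
            if not hmac.compare_digest(key_auth_code(k_s, cek), header["kac"]):
                raise ValueError("key authentication code mismatch")
            return cek
    raise PermissionError("device is not authorised for this file")


if __name__ == "__main__":
    cek = os.urandom(32)
    hdr = build_header(cek, K_S, [LAPTOP, TABLET])
    print("tablet recovers CEK:", recover_cek(hdr, K_S, TABLET) == cek)
    try:
        recover_cek(hdr, K_S, PHONE)
    except PermissionError as exc:
        print("phone rejected:", exc)
```

The unkeyed header digest in this sketch catches a header that was altered without recomputing the digest; a header whose device verification code and digest were both rewritten is still rejected, because the unwrapped value fails the key authentication code keyed by $K_s$.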
As can be seen that the present invention has the effect that from above-described embodiment:
Popular file protection software is all based on specific form for the protection of file.For some non-software refer to Fixed form, it is impossible to protected using software.And the small business of reality manage sensitive document when, the species of file is past Toward very many and be difficult to predict, in this case, file protection software cannot provide complete to enterprise's sensitive document The reliable safeguard measure in face.The file protection device that the invention is proposed is a kind of unrelated device of file format, no matter original text What the form of part is, all encrypted can be encapsulated as a kind of unified form, and overcoming existing file encryption software can only add The defect of the file of close specific format;
For big companies, generally use some expensive dedicated system to protect the safety of fileinfo Property.But for the personal user of file protection demand is equally possessed, some local file systems based on equipment are more It is suitable to select.In recent years, the various protecting data encryption technologies for computer file system constantly develop it is perfect, wherein, Encrypted file system (EFS) is with its higher ease for use and security by extensive concern.User accounts of the EFS based on operating system And rights management, integrate with file system, it is fully transparent to user.EFS thinks that equipment room is separate, even if to not Same equipment uses identical administrator's password, and the safety that can not carry out classified papers in equipment room is shared.Particularly, only The windows subregions of NTFS format can just use EFS encryption technologies.Also, by sensitive document from the text with cryptographic attributes During non-encrypted file folder is copied in part folder, file can be decrypted automatically, it is meant that transmitting sensitive document in distinct device will File can be caused to be decrypted automatically and exposed, therefore EFS can not meet the management of user's striding equipment, the demand of protection sensitive document, And the present invention exactly compensate for this defect, can only be in the enterprising style of writing part of user equipment for existing file protection instrument The deficiency of protection, the present invention can also provide the user efficiently portable striding equipment file protection and support.
It should be noted that the purpose of publishing the embodiments is to help further understand the present invention, but those skilled in the art will appreciate that various substitutions and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. Therefore, the present invention should not be limited to what the embodiments disclose; the scope of protection claimed by the present invention is the scope defined by the claims.

Claims (10)

1. A multi-device file protection method based on a security catalog, in which a device management module, a file monitor and a file protection module are created, and a unified secure file structure and a security catalog are defined, so that a file of any format can be encapsulated according to the secure file structure, and multi-device shared file protection is then realized based on the security catalog; the method includes the following steps:
A) managing multi-device information through the device management module, including managing the device information table, generating device keys, generating device verification codes, and returning device keys;
B) through the file protection module, defining a unified secure file structure and re-encapsulating the original file according to the secure file structure, the newly generated file being a secure-structure file; specifically including B1) to B2):
B1) generating the file encryption key: the file protection module traverses the device keys and encrypts the file content key CEK with each of them, generating a file key ciphertext item bound to the corresponding authorized device, and produces a key authentication code using the system key, thereby generating the file key ciphertext of the protected file, whose content includes the number of device keys and, for each device, the bound file key ciphertext and the corresponding device verification code;
B2) generating the secure-structure file: after receiving the file key, the file protection module encrypts the content of the sensitive file and encapsulates the file key and the original file name information, as a file header, into the secure file structure; the secure file structure includes a file header and file content; the file content is the ciphertext of the encrypted original file; the file header includes the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header; the file key ciphertext includes the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code; the total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is produced by a formula, and is used to verify the correctness of the file key that the device recovers during file decryption;
C) storing sensitive files in the security catalog, where an authorized user can enter the security catalog to perform file operations;
D) when the user enters the security catalog to perform a file operation, monitoring user behavior in the security catalog in real time by calling internal functions of the file monitor, and then performing multi-device shared file protection based on the security catalog; including D1) to D5):
D1) when the user performs a file editing operation, the file monitor detects the user operation and sends the file protection module a request to decrypt the file for the user's use;
D2) after receiving the file operation request sent by the file monitor, the file protection module first verifies the integrity of the file requested to be opened; generation of the device decryption key follows, with the request sent to the device management module;
D3) the device management module obtains the hardware information $Dev_{info}$ of the device and uses the system key $K_s$ and the random salt R to produce the device key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$, where $G_a$ is an encryption function; at the same time it generates the one-way hash value of the device hardware information $Dev_{info}$, and both are sent together to the file protection module;
D4) the file protection module generates the file decryption key and checks its integrity: it first identifies whether the information in a file key ciphertext item matches the current device; for a matching file key ciphertext information item, it obtains the file content key CEK and verifies it;
D5) the file protection module recovers the protected file: the file protection module uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
2. The multi-device file protection method as claimed in claim 1, characterized in that a self-defined user ticket that is transparent to the user is used for authentication and authorization of the user identity; the user ticket is generated by formula (1):
$$Ticket_u = H(password_u \oplus ID) \qquad (1)$$
where $password_u$ is the user password; ID is the user name of the user and also the unique identifier of the user; and H() is a one-way hash function.
3. The multi-device file protection method as claimed in claim 1, characterized in that generating the device keys in step A) is specifically: the device management module obtains the device hardware information of the device, decrypts the device information table and, after checking the integrity of the device information table, obtains the set of triplets (device unique identifier, device information digest, device information) of all associated authorized devices, and produces the device key of each authorized device, where $K_s$ is the system key, R is the random salt, and $G_a$ is an encryption function.
4. The multi-device file protection method as claimed in claim 1, characterized in that step B2) uses a symmetric encryption algorithm to encrypt the content of the sensitive file.
5. The multi-device file protection method as claimed in claim 1, characterized in that in step D), when the file operation performed by the user is modifying a file: after the user modifies a sensitive file, the digest information of the file changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file; the file protection module generates a new file encryption key, re-encrypts the content of the original file, and encapsulates it into a new secure file structure that is stored in the security catalog.
6. The multi-device file protection method as claimed in claim 1, characterized in that in step D2), after the file protection module receives the file operation request sent by the file monitor, it verifies the integrity of the file requested to be opened, specifically by obtaining the file header content, generating the message digest of the current file header content and comparing it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header.
7. The multi-device file protection method as claimed in claim 1, characterized in that generating the device decryption key in step D2) is specifically: the file protection module reads the random salt R recorded in the header of the protected file and sends it to the device management module; the device management module obtains the hardware information $Dev_{info}$ of the device and uses the system key $K_s$ and the random salt R to produce the device decryption key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$, while generating the one-way hash value of $Dev_{info}$, which is sent to the file protection module.
8. The multi-device file protection method as claimed in claim 1, characterized in that in step D4) the file protection module generates the file decryption key and checks its integrity, specifically including: reading the file key ciphertext in the file header, traversing all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reading out the device verification code $HD_i$ in each item, and comparing it one by one with the one-way hash value of the local device's hardware information generated by the device management module; when the device verification code of the ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information item corresponds to this device; when no item matches, the file operation process is terminated; for the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item to obtain the file content key CEK, and a check for equality is made against the key authentication code stored in the file key ciphertext; if they are not equal, decryption fails and the file operation process is terminated.
9. A multi-device file protection device based on a security catalog, including a device management module, a file monitor and a file protection module, for providing cross-device file protection so that files can be shared between the security catalogs of legitimate devices; characterized in that:
the device management module includes a user registration and authentication unit, a device management unit and a device key generation unit; the user registration and authentication unit is used to implement access control for users requesting access to the security catalog and the initialization of security catalog information; the device management unit is used to manage all registered devices of legitimate users; the device key generation unit is used to generate device keys;
the file monitor is a process running in the background, used to continuously detect user operations in the security catalog in real time and respond to them; once the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protection module to protect the file;
the file protection module is used to provide security protection for files; it first extracts the file content to be protected and encrypts it, and then re-encapsulates it into the secure file structure; after receiving a file request sent by the file monitor, the file protection module first verifies the integrity of the requested file; it then generates the device decryption key and, according to the device key of the device, generates the file decryption key and checks its integrity; finally it decrypts the protected file and restores it to the original file for the user's use.
10. The multi-device file protection device as claimed in claim 9, characterized in that the secure file structure includes two main parts, a file header and file content; the file content is the ciphertext of the encrypted original file, and the file header includes the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length and the message digest of the file header; the file key ciphertext includes the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code; the total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is produced by a formula, and is used to verify the correctness of the file key that the device recovers during file decryption.
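The per-device key wrapping of step B1 and the recovery check of steps D3 to D4 and claim 8, as an added Python sketch that is not code from the patent. Assumptions: HMAC-SHA256 stands in for $G_a$ and for the key authentication code (whose formula is not reproduced on this page), SHA-256 is the one-way hash, an XOR pad stands in for the key-wrap cipher, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os


def device_key(dev_info: bytes, salt: bytes, k_s: bytes) -> bytes:
    """K_D from Dev_info, R and K_s. Assumption: HMAC-SHA256 stands in for G_a."""
    return hmac.new(k_s, dev_info + salt, hashlib.sha256).digest()


def device_code(dev_info: bytes) -> bytes:
    """HD_i: one-way hash of the device hardware information (SHA-256 assumed)."""
    return hashlib.sha256(dev_info).digest()


def key_auth_code(cek: bytes, k_s: bytes) -> bytes:
    """Key authentication code under the system key (assumed HMAC construction)."""
    return hmac.new(k_s, b"key-auth" + cek, hashlib.sha256).digest()


def _wrap(k_d: bytes, key32: bytes) -> bytes:
    """Stand-in key wrap: XOR with a pad derived from K_D. Self-inverse.
    A real implementation would use an authenticated key-wrap algorithm."""
    pad = hmac.new(k_d, b"cek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key32, pad))


def build_key_ciphertext(cek: bytes, devices: list, salt: bytes, k_s: bytes) -> dict:
    """Step B1: one <ECK_i, HD_i> item per authorized device plus the auth code."""
    if len(cek) != 32:
        raise ValueError("this sketch wraps 32-byte content keys only")
    items = [(_wrap(device_key(d, salt, k_s), cek), device_code(d)) for d in devices]
    return {"count": len(items), "items": items, "kac": key_auth_code(cek, k_s)}


def recover_cek(key_ct: dict, local_dev_info: bytes, salt: bytes, k_s: bytes) -> bytes:
    """Steps D3-D4 / claim 8: match HD_i, unwrap with K_D, verify the auth code."""
    local_hd = device_code(local_dev_info)
    k_d = device_key(local_dev_info, salt, k_s)
    for eck, hd in key_ct["items"]:
        if hmac.compare_digest(hd, local_hd):
            cek = _wrap(k_d, eck)
            if not hmac.compare_digest(key_auth_code(cek, k_s), key_ct["kac"]):
                raise ValueError("key authentication code mismatch")
            return cek
    raise PermissionError("no key item is bound to this device")


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    k_s, salt, cek = os.urandom(32), os.urandom(16), os.urandom(32)
    devices = [b"laptop|board-serial-0001", b"phone|hw-id-0002"]
    header = build_key_ciphertext(cek, devices, salt, k_s)
    print(recover_cek(header, devices[1], salt, k_s) == cek)
```

An unregistered device stops at the $HD_i$ comparison, while a tampered or wrongly unwrapped item stops at the key authentication code, which are the two termination points claim 8 describes.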
CN201611152430.0A 2016-12-14 2016-12-14 Multi-device file protection method and device based on security catalog Active CN106650492B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611152430.0A CN106650492B (en) 2016-12-14 2016-12-14 A kind of multiple device file guard method and device based on security catalog

Publications (2)

Publication Number Publication Date
CN106650492A true CN106650492A (en) 2017-05-10
CN106650492B CN106650492B (en) 2019-06-07

Family

ID=58822519

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611152430.0A Active CN106650492B (en) 2016-12-14 2016-12-14 Multi-device file protection method and device based on security catalog

Country Status (1)

Country Link
CN (1) CN106650492B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110296199A1 (en) * 2001-12-12 2011-12-01 Pervasive Security Systems, Inc. Method and system for protecting electronic data in enterprise environment
CN104125069A (en) * 2014-07-07 2014-10-29 武汉理工大学 Secure file catalogue file encryption system towards sharing
CN105740725A (en) * 2016-01-29 2016-07-06 北京大学 File protection method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JAEHONG PARK, RAVI SANDHU: "The UCONABC Usage Control Model", 《ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY》 *
MANTING SHEN, YINYAN YU, et al.: "An Efficient Safe Directory Based File Protection Mechanism", 《2016 IEEE 40TH ANNUAL COMPUTER SOFTWARE AND APPLICATIONS CONFERENCE》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110362984A (en) * 2019-06-28 2019-10-22 北京思源互联科技有限公司 Method and device for operating service system by multiple devices
CN110362984B (en) * 2019-06-28 2021-04-30 北京思源理想控股集团有限公司 Method and device for operating service system by multiple devices
CN111967059A (en) * 2020-08-11 2020-11-20 广东堡塔安全技术有限公司 Website tamper-proofing method and system and computer readable storage medium

Also Published As

Publication number Publication date
CN106650492B (en) 2019-06-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant