CN113656817A - Data encryption method - Google Patents

Publication number: CN113656817A
Authority: CN (China)
Application number: CN202110933174.3A
Other languages: Chinese (zh)
Inventor: 李帅明
Current Assignee: Xian Wanxiang Electronics Technology Co Ltd
Original Assignee: Xian Wanxiang Electronics Technology Co Ltd
Application filed by: Xian Wanxiang Electronics Technology Co Ltd
Priority application: CN202110933174.3A
Legal status: Pending

Classifications

    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/606 Protecting data by securing the transmission between two devices or processes (under G06F21/60 Protecting data; G06F21/00)
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation (under G06F9/451 Execution arrangements for user interfaces; G06F9/44 Arrangements for executing specific programs; G06F9/06 Arrangements for program control using stored programs; G06F9/00 Arrangements for program control, e.g. control units)
    • G06F2221/2107 File encryption (indexing scheme under G06F2221/21 and G06F2221/00, relating to G06F21/00 and subgroups)

Abstract

The application discloses a data encryption method. The method comprises the following steps: starting a USB transmission channel; starting a safety mode of the USB transmission channel to monitor a current cache region when the physical environment of the target object is detected not to meet the preset condition; when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, determining the type of the file to be transmitted, where the file types comprise at least a first type of file, which can be copied and pasted in a single operation, and a second type of file, which cannot; determining an encryption strategy according to the file type; and, after the file has been encrypted, transmitting it to the terminal through the USB transmission channel. The method and device solve the technical problem that, in a VDI application scenario, file data transmitted from a host to a zero terminal over a USB channel is easily leaked and poorly protected once the USB channel is opened.

Description

Data encryption method
Technical Field
The application relates to the field of data processing, in particular to a data encryption method.
Background
Desktop Virtualization (VDI) virtualizes the end systems of computers (also called desktops) to make desktop use both secure and flexible. A user's own desktop system can then be accessed from any device, anywhere, at any time, over a network. Virtualizing the various physical devices raises resource utilization, saves cost and improves application quality. With the support of virtualization technology, the connection between network software and hardware equipment becomes more flexible and far more scalable. A cloud desktop essentially uses virtualization to store and manage all user information centrally; through a simple network access device, the user side enters the cloud desktop, achieving centralized management and efficient resource sharing.
As cloud computing has developed and matured, cloud desktops are used in ever more scenarios; industries such as higher education, healthcare and government have begun to adopt them for office work, and this is the overall trend for the future. In the related art, however, in such a VDI application scenario a host usually copies files to a zero terminal over a USB channel, and once the USB channel is opened there is often no security monitoring mechanism, so the copied files are easily leaked and security is poor.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the application provides a data encryption method that at least solves the technical problem that, in a VDI application scenario, file data transmitted from a host to a zero terminal over a USB channel is easily leaked and poorly protected once the USB channel is opened.
According to one aspect of an embodiment of the present application, a data encryption method is provided, including: starting a USB transmission channel, where the USB transmission channel is used to transmit a file to be transmitted from a host to a terminal; when the physical environment of a target object meets a preset condition, starting a safety mode of the USB transmission channel and monitoring a current cache region, where the current cache region is used to cache the file to be transmitted; when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, determining the type of the file to be transmitted, where the file types comprise at least a first type of file, which can be copied and pasted in a single operation, and a second type of file, which cannot; determining an encryption strategy according to the file type, where the encryption strategy is used to encrypt the file; and, after the file has been encrypted, transmitting it to the terminal through the USB transmission channel.
Optionally, the first type of file comprises pictures and text, and determining the encryption strategy according to the file type comprises: when the first type file is detected to be a picture, determining a picture encryption strategy corresponding to the picture; when the first type file is detected to be text, determining a text encryption strategy corresponding to the text; and when the detected file is of the second type, determining an encryption strategy corresponding to the second type of file.
Optionally, when the first type file is detected to be a picture, determining the picture encryption policy corresponding to the picture includes: acquiring the file size of the picture; comparing the file size of the picture with a preset threshold, where the preset threshold comprises a first preset threshold and a second preset threshold, the first preset threshold being smaller than the second; when the file size of the picture is smaller than the first preset threshold, encrypting the whole content of the picture; when the file size of the picture is larger than the first preset threshold and smaller than the second preset threshold, encrypting the leading head data of a first preset size and the trailing tail data of a second preset size of the picture; and when the file size of the picture is larger than the second preset threshold, encrypting the picture at intervals of a third preset size.
Optionally, when the first type file is detected to be a picture, determining the picture encryption policy corresponding to the picture includes: acquiring the content of the picture; determining a security level of the picture based on its content; and encrypting the picture based on the security level, where different security levels correspond to different picture encryption strategies.
Optionally, when the first type file is detected to be text, determining the text encryption policy corresponding to the text includes: encrypting the text based on an irreversible encryption algorithm.
Optionally, when the detected file is of the second type, determining the encryption policy corresponding to the second type of file includes: acquiring the transmission rate of the USB channel; dividing the file size of the second type of file based on the transmission rate and a preset transmission duration; obtaining a plurality of data blocks corresponding to the second type of file from the division result; sorting the data blocks according to a preset rule to obtain a sorting sequence number for each block; and determining, based on the sorting sequence number, whether to encrypt each data block.
Optionally, determining whether to encrypt each data block based on the sorting sequence number includes: judging whether the sorting sequence number is odd or even; when the sorting sequence number is odd, encrypting the data block with that odd sequence number; and when the sorting sequence number is even, leaving the data block with that even sequence number unencrypted.
Optionally, when the detected file is of the second type, determining the encryption policy corresponding to the second type of file includes: acquiring a file handle corresponding to the second type of file; acquiring the file body of the second type of file through the file handle; and reading and writing the file body in segments, and encrypting the second type of file based on the segmented read/write result.
According to another aspect of the embodiments of the present application, a data encryption apparatus is also provided, including: a starting module for starting a USB transmission channel, where the USB transmission channel is used to transmit a file to be transmitted from the host to the terminal; a monitoring module for starting a safety mode of the USB transmission channel and monitoring a current cache region when the physical environment of the target object meets a preset condition, where the current cache region is used to cache the file to be transmitted; a first determining module configured to determine the type of the file to be transmitted when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, where the file types comprise at least a first type of file, which can be copied and pasted in a single operation, and a second type of file, which cannot; a second determining module for determining an encryption strategy according to the file type, where the encryption strategy is used to encrypt the file; and a transmission module for transmitting the file to the terminal through the USB transmission channel after the file has been encrypted.
According to another aspect of the embodiments of the present application, there is also provided a non-volatile storage medium, which includes a stored program, wherein a device in which the non-volatile storage medium is located is controlled to execute any one of the data encryption methods when the program is executed.
According to another aspect of the embodiments of the present application, there is also provided a processor, configured to execute a program, where the program executes any one of the data encryption methods.
In the embodiment of the application, when the current environment is detected to be an unsafe scene, the file is encrypted during USB transmission: the type of the file transmitted to the terminal through the USB channel is determined, different encryption strategies are executed according to that type, and the encrypted file is transmitted to the terminal through the USB channel. The technical effect is that the file to be transmitted is encrypted flexibly, under different encryption strategies chosen by file type, and is prevented from leaking, which solves the technical problem that, in a VDI application scenario, file data transmitted from a host to a zero terminal over a USB channel is easily leaked and poorly protected once the USB channel is opened.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of an alternative VDI system architecture in the related art;
FIG. 2 is a diagram illustrating the operation of a conventional USB peripheral device;
FIG. 3 is a schematic flow chart diagram illustrating an alternative data encryption method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an alternative data encryption device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
To facilitate a better understanding of the embodiments of the present application by those skilled in the art, the technical terms or partial terms that may be referred to in the present application are now explained as follows:
Zero terminal: a zero terminal is a compact network computer without its own CPU, memory or hard disk. It can operate independently as a mini PC and browse web pages, and it can be used to build a shared computing network, giving a business operation network an innovative cost advantage. One computer host is shared by thirty or more users at the same time; each user needs only a keyboard, a mouse, a display and a zero terminal machine, and apart from the host administrator no user needs a host of their own (one machine, multiple users).
MD5 (Message-Digest Algorithm 5) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to check the integrity of a transmitted message.
HMAC (Hash-based Message Authentication Code) is a method of message authentication based on a hash function and a key. It was proposed by H. Krawczyk, M. Bellare and R. Canetti in 1996, published as RFC 2104 in 1997, is widely used in IPsec and other network protocols (such as SSL), and has become a de facto Internet security standard. It can be used with any iterative hash function.
The Secure Hash Algorithms (SHA) are a family of cryptographic hash functions certified under FIPS as secure hash algorithms. Such an algorithm computes a fixed-length string (also called a message digest) for a digital message; with high probability, different input messages correspond to different strings.
An irreversible encryption algorithm needs no secret key in the encryption process: the system processes the input plaintext directly into ciphertext through the algorithm, and the encrypted data cannot be decrypted. The only way to "decrypt" is to re-enter the plaintext and process it again with the same irreversible algorithm, obtaining the same ciphertext, which the system then recognizes.
Virtual Desktop Infrastructure (VDI) is a virtualization solution that provides and manages virtual desktops using virtual machines. VDI hosts the desktop environment on a centralized server and delivers it to end users on request. Access may be made over a network using endpoint devices (notebook, tablet, etc.). After deploying a VDI solution, an enterprise gains many advantages. Desktop computing is performed on the host server rather than on the endpoint device, so the hardware requirements for the endpoint are low; this may reduce investment in endpoint equipment and make it easier to support a variety of remote and mobile devices. As the hardware requirements of desktop software change, it may be easier to reallocate CPU and memory on the server side than on the endpoint device. Security and configuration management are further advantages of VDI solutions: since all data is located in the data center, the loss of any endpoint device limits the exposure of data, which is not stored on the device. In an environment with a standardized desktop configuration that does not require customization for each user, the VDI instance can provide tight control that eliminates deviations from organizational standards. When a virtual desktop is used, the PC operating system runs on a background server and the local terminal is used only for connection and display; the user can use the virtual desktop from any terminal, in any place, in any connectable network environment.
VDI, in brief, virtualizes your desktop by running operating systems such as Windows on the cluster servers of a data center. Users connect to a virtual desktop (generally a virtual machine) through a client computing protocol from a client device (a zero terminal); they access their desktops through the zero terminal just as they would a traditional locally installed desktop, and can connect to the desktop they want at any time and place as long as there is a network. IT personnel can manage desktop users and data more easily, and user data is safer because all of it stays with the service provider. A user accesses the virtual machine allocated on the cluster server through the zero terminal, obtains the desktop image, and controls the obtained virtual desktop by reverse control. FIG. 1 is a schematic architecture diagram of an alternative VDI system in the related art; as shown in FIG. 1, all virtual machines are placed in a cluster server, and each virtual machine corresponds to a zero terminal.
To better understand the related embodiments of the present application, USB redirection is first described briefly. FIG. 2 is a schematic diagram of the conventional mode, i.e. a USB peripheral in PC mode; as shown in FIG. 2, all USB peripherals work normally and depend, at the software level, on the USB bus driver. An application that needs a USB peripheral interacts with the USB device driver; the device driver depends entirely on the USB bus driver to exchange data with the USB device, and the bus driver completes the interaction with the hardware on its behalf.
It should be noted that, in the VDI scenario, USB redirection is divided into two types: USB port redirection and USB device redirection;
In USB port redirection, the data of a USB device plugged into the zero terminal is passed through the zero terminal's USB bus to a virtual USB driver, which is responsible for transmitting data in both directions between the zero terminal bus and a USB client; every detail of the USB hardware is transmitted faithfully, and to the virtual machine this is equivalent to plugging a piece of USB hardware into the virtual USB bus;
USB device redirection is implemented at the application layer: it lets an application obtain data by creating a virtual USB peripheral driver on the virtual machine (to the operating system, one driver means one device). To the system as a whole, the virtual USB peripheral driver and the USB device driver on the zero terminal are essentially two different USB devices, and the device redirection function maintains a data channel between the two drivers (similar to copying data between two USB disks).
In accordance with an embodiment of the present application, there is provided a method embodiment for data encryption, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 3 is a data encryption method according to an embodiment of the present application, as shown in fig. 3, the method includes the following steps:
step S102, starting a USB transmission channel, wherein the USB transmission channel is used for transmitting a file to be transmitted in a host to a terminal;
step S104, under the condition that the physical environment of the target object is detected to meet the preset condition, starting a safety mode of a USB transmission channel, and monitoring a current cache region, wherein the current cache region is used for caching a file to be transmitted;
step S106, when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, determining the type of the file to be transmitted, where the file types comprise at least a first type of file, which can be copied and pasted in a single operation, and a second type of file, which cannot;
step S108, determining an encryption strategy according to the type of the file, wherein the encryption strategy is used for encrypting the file;
and step S110, after the file is encrypted, transmitting the file to the terminal through the USB transmission channel.
In the data encryption method, a USB transmission channel is started, where the USB transmission channel is used to transmit a file to be transmitted from a host to a terminal; when the physical environment of a target object meets a preset condition, a safety mode of the USB transmission channel is started and a current cache region is monitored, where the current cache region is used to cache the file to be transmitted; when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, the type of the file is determined, where the file types comprise at least a first type of file, which can be copied and pasted in a single operation, and a second type of file, which cannot; an encryption strategy is determined according to the file type, where the encryption strategy is used to encrypt the file; and after the file has been encrypted it is transmitted to the terminal through the USB transmission channel. This achieves the purpose of transmitting encrypted files to the terminal through the USB channel, so that different encryption strategies are flexibly executed for different types of file to be transmitted and the files are prevented from leaking, which solves the technical problem that, in a VDI application scenario, file data transmitted from a host to a zero terminal over a USB channel is easily leaked and poorly protected once the USB channel is opened.
It should be noted that the host may be a virtual machine in a cluster server, and the terminal includes but is not limited to a zero terminal. The preset condition includes: the instruction input to the zero terminal by the current user is wrong, that is, the desktop unlocking instruction input to the zero terminal by the current user is detected, and if the unlocking instruction is inconsistent with the preset unlocking instruction, the preset condition is determined to be met. The preset condition may also concern an image of the current user: if the image of the current user is inconsistent with the image of the administrator corresponding to the zero terminal, the preset condition is determined to be met. The preset condition further includes collecting the sound level of the current environment: if the sound level is larger than a preset level, the preset condition is determined to be met.
In some embodiments of the present application, the first type of file includes pictures and text; accordingly, determining the encryption strategy according to the file type includes: when the first type file is detected to be a picture, determining the picture encryption strategy corresponding to the picture; when the first type file is detected to be text, determining the text encryption strategy corresponding to the text; and when the detected file is of the second type, determining the encryption policy corresponding to the second type of file. Here the pictures and text refer to text or images that can be copied and pasted directly while a file or piece of software is open, for example text or images copied from a Word document, or copied from a software display page such as a chat record in chat software.
Specifically, when the first type file is detected to be a picture, determining the picture encryption policy corresponding to the picture includes: acquiring the file size of the picture; comparing the file size of the picture with a preset threshold, where the preset threshold comprises a first preset threshold and a second preset threshold, the first preset threshold being smaller than the second; when the file size of the picture is smaller than the first preset threshold, encrypting the whole content of the picture; when the file size of the picture is larger than the first preset threshold and smaller than the second preset threshold, encrypting the leading head data of a first preset size and the trailing tail data of a second preset size of the picture; and when the file size of the picture is larger than the second preset threshold, encrypting the picture at intervals of a third preset size. For example, a picture smaller than 1kb is fully encrypted, a picture of 1kb-1Mb is encrypted head and tail, and a picture of 1Mb or more is encrypted every 500kb; that is, encryption follows the picture size.
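The size-tiered picture policy above, written out as an added example (not code from the patent or its assignee). It reads the page's 1kb/1Mb/500kb figures as kilobytes and megabytes, and it assumes values the page leaves open: the head and tail sizes (the "first" and "second preset size") and how much data is encrypted at each 500 KB interval. The cipher itself is out of scope; `apply_plan` takes a caller-supplied length-preserving `encrypt_fn` so the effect of the plan on the byte stream, including the bytes it leaves in clear, can be inspected.

```python
from __future__ import annotations

# Thresholds taken from the page's example; tier boundaries (exactly 1 KB or
# exactly 1 MB) are not specified there, so they are treated as the lower
# bound of the next tier.  Sizes are in bytes.
FIRST_THRESHOLD = 1 * 1024       # below this: encrypt everything
SECOND_THRESHOLD = 1024 * 1024   # between the two: encrypt head and tail only
INTERVAL = 500 * 1024            # at or above 1 MB: encrypt a chunk every 500 KB
HEAD_SIZE = 256                  # assumed "first preset size"
TAIL_SIZE = 256                  # assumed "second preset size"
CHUNK_SIZE = 4096                # assumed bytes encrypted at each interval


def picture_plan(file_size: int) -> tuple[str, list[tuple[int, int]]]:
    """Return (tier, regions); regions are (offset, length) ranges to encrypt."""
    if file_size <= 0:
        return "empty", []
    if file_size < FIRST_THRESHOLD:
        return "full", [(0, file_size)]
    if file_size < SECOND_THRESHOLD:
        head = min(HEAD_SIZE, file_size)
        tail = min(TAIL_SIZE, file_size - head)   # never overlap the head
        regions = [(0, head)]
        if tail:
            regions.append((file_size - tail, tail))
        return "head_tail", regions
    regions = []
    offset = 0
    while offset < file_size:                     # one chunk per interval
        regions.append((offset, min(CHUNK_SIZE, file_size - offset)))
        offset += INTERVAL
    return "interval", regions


def encrypted_bytes(file_size: int) -> int:
    """Bytes the plan encrypts; everything else crosses the channel in clear."""
    return sum(length for _, length in picture_plan(file_size)[1])


def apply_plan(data: bytes, encrypt_fn) -> bytes:
    """Encrypt only the planned regions of `data`, copying the rest verbatim.

    `encrypt_fn(chunk)` must return exactly len(chunk) bytes (assumption: a
    length-preserving cipher mode), because the plan is expressed as fixed
    offsets into the original file.
    """
    _, regions = picture_plan(len(data))
    out = bytearray(data)
    for offset, length in regions:
        chunk = encrypt_fn(bytes(out[offset:offset + length]))
        if len(chunk) != length:
            raise ValueError("encrypt_fn must be length-preserving")
        out[offset:offset + length] = chunk
    return bytes(out)
```

Running `encrypted_bytes` on a 2 MiB file shows only 20 KiB of it being encrypted under the assumed chunk size, which is the coverage question a reviewer would ask of any partial-encryption tier.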
Optionally, when it is detected that the first type file is a picture, a picture encryption policy corresponding to the picture may be determined in the following manner, and specifically, content of the picture is obtained; determining a security level of the picture based on the content of the picture; the picture is encrypted based on the security level, wherein the security level corresponds to different picture encryption strategies, for example, when the obtained picture content is the content disclosed by the network, for example, the picture content is the address of a company, a legal person, and the like, the picture may not be encrypted, and when the obtained content is the core technology of the company, the picture is completely encrypted, for example, the picture is encrypted in a full-screen mosaic manner.
In some optional embodiments of the present application, when the first type file is detected to be text, determining the text encryption policy corresponding to the text includes: encrypting the text with an irreversible encryption algorithm. Irreversible encryption algorithms include, but are not limited to, MD5, the SHA family and HMAC. Note that these are one-way hash and MAC functions rather than ciphers: the terminal receives a digest from which the text cannot be recovered, an unkeyed digest of short text can be inverted by dictionary search, and only the keyed construction (HMAC with a secret key) resists that; MD5 and SHA-1 are in any case no longer considered collision-resistant.
In some optional embodiments of the present application, when the detected file type is the second type of file, determining the encryption policy corresponding to the second type of file includes: acquiring the transmission rate of the USB channel; dividing the file size of the second type of file based on the transmission rate and a preset transmission duration, so that each block holds the bytes the channel moves in that duration; obtaining a plurality of data blocks corresponding to the second type of file from the division result; sorting the data blocks according to a preset rule to obtain a sort sequence number for each; and determining from the sort sequence number whether each data block is encrypted. That is, the second type of file is divided according to the attributes of the USB channel and encrypted based on the division result. The second type of file is a whole file that cannot be copied and pasted in one step, such as pictures, documents, videos, software installation packages and folders in various formats.
Specifically, determining whether to encrypt each data block based on the sort sequence number includes: judging whether the sort sequence number is odd or even; when the sort sequence number is odd, encrypting that data block; and when it is even, leaving that data block unencrypted. For example, of data blocks 1 to 9, blocks 1/3/5/7/9 are encrypted. With this rule roughly half of the file's bytes leave the host in plaintext, which is worth keeping in mind when the whole file is sensitive.
Alternatively, the parity may be reversed: data blocks with an even sort sequence number are encrypted and those with an odd sort sequence number are left unencrypted.
In another optional embodiment of the present application, when the detected file type is the second type of file, the encryption policy corresponding to the second type of file may also be determined as follows: a file handle corresponding to the second type of file is obtained; the file body of the second type of file is accessed through the file handle; the file body is read and written in segments; and the second type of file is encrypted based on the result of the segmented read/write.
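The two second-type policies above (rate-based partition with odd/even parity, and segmented read/write through a file handle), as one added Python illustration that is not the patent's code. The block size is the number of bytes the USB channel moves in a preset duration (rate times duration, floored to a minimum so a tiny window never yields empty blocks), blocks are numbered from 1, and only the selected parity is encrypted in place through the handle. The cipher is an HMAC-SHA256 keystream in counter mode built from the standard library so the example runs offline; it stands in for whatever cipher a real deployment uses and is not a recommendation. The key and data are constructed, and an `io.BytesIO` stands in for an `open(path, "r+b")` handle.

```python
"""Rate-based block partition, parity selection and in-place segmented encryption
through a file handle (added illustration, not the patent's code).
"""
from __future__ import annotations

import hashlib
import hmac
import io
import os
from typing import BinaryIO

Block = tuple[int, int, int, bool]   # (sequence number, start, end, encrypt?)


def block_size_for_channel(rate_bytes_per_s: float, duration_s: float, min_block: int = 1024) -> int:
    """Bytes the channel transfers in `duration_s`, floored so tiny windows never give 0-byte blocks."""
    return max(int(rate_bytes_per_s * duration_s), min_block)


def block_table(file_size: int, block_size: int, encrypt_odd: bool = True) -> list[Block]:
    """Partition [0, file_size) into blocks numbered 1..n; parity decides which are encrypted."""
    table: list[Block] = []
    for seq, start in enumerate(range(0, file_size, block_size), start=1):
        end = min(start + block_size, file_size)
        is_odd = seq % 2 == 1
        table.append((seq, start, end, is_odd if encrypt_odd else not is_odd))
    return table


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Per-block keystream: HMAC-SHA256(key, seq || counter) for counter = 0, 1, ... (illustrative)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def transform_blocks(fh: BinaryIO, key: bytes, block_size: int, encrypt_odd: bool = True) -> list[Block]:
    """Segmented read/write through the handle: XOR each selected block with its keystream in place.

    XOR with the same keystream both encrypts and decrypts, so a second call restores the file.
    """
    fh.seek(0, os.SEEK_END)
    table = block_table(fh.tell(), block_size, encrypt_odd)
    for seq, start, end, selected in table:
        if not selected:
            continue                      # unselected parity travels in plaintext
        fh.seek(start)
        segment = fh.read(end - start)
        fh.seek(start)
        fh.write(xor_bytes(segment, keystream(key, seq, len(segment))))
    fh.flush()
    return table


def plaintext_fraction(table: list[Block]) -> float:
    """Share of the file's bytes left unencrypted by the parity policy."""
    total = sum(end - start for _, start, end, _ in table)
    clear = sum(end - start for _, start, end, sel in table if not sel)
    return clear / total if total else 0.0


def demo() -> dict:
    """Constructed sample: a 10 240-byte file on a 2 048 000 B/s channel with a 1 ms window."""
    key = b"\x42" * 32                      # constructed demo key, not a real secret
    original = bytes(range(256)) * 40       # 10 240 bytes of constructed content
    block_size = block_size_for_channel(2_048_000, 0.001)   # 2048 bytes per block
    fh = io.BytesIO(original)               # stands in for open(path, "r+b")
    table = transform_blocks(fh, key, block_size)
    encrypted = fh.getvalue()
    transform_blocks(fh, key, block_size)   # second pass decrypts
    return {"table": table, "block_size": block_size, "original": original,
            "encrypted": encrypted, "restored": fh.getvalue()}


if __name__ == "__main__":
    d = demo()
    print([seq for seq, _, _, sel in d["table"] if sel],
          f"{plaintext_fraction(d['table']):.0%} of the file in plaintext")
```

Because the block size follows the channel rate, the same file is partitioned differently on a fast and a slow channel; the receiver therefore needs the block size (or the rate and duration) alongside the key to know which blocks to decrypt.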
Optionally, the data encryption method may include the following steps:
1. Establish the connection and set up the USB channel.
2. When the current client environment is detected to be unsafe, the system enters the USB transmission channel security mode and begins monitoring all buffer operations.
3. If an operation in the current buffer transmits a file or content to the mobile device through the USB channel, intercept it immediately.
Here "content" means text or images pasted directly while a file or program is open, for example text or images copied from a Word document or from a program's display area, such as a WeChat chat log.
A "file" means a whole file, including pictures, documents, videos, software installation packages, folders and the like in various formats.
Specifically, the file or content to be transmitted is intercepted before it reaches the USB device.
4. After interception, encrypt the file or content.
Content includes text, images and the like copied directly by a copy operation; files include, but are not limited to, pictures, documents, videos, software installation packages, folders and other files in various formats.
Copied picture content, text content and files are processed differently: when picture content is detected, it is encrypted according to the picture encryption policy described above; when text content is detected, the whole text is encrypted; when a file is detected, part of the file is encrypted according to the file encryption policy described above, the current file is recorded, and the encryption policy is consulted again if the same file is encrypted multiple times.
5. Replace the encrypted segments of data with their ciphertext.
6. Copy the whole file to the mobile device through the USB transmission channel.
7. When the current client environment is detected to be safe again, exit the USB transmission channel security mode.
Fig. 4 is an alternative data encryption apparatus according to an embodiment of the present application, as shown in fig. 4, the apparatus including:
the starting module 40 is configured to start a USB transmission channel, where the USB transmission channel is used to transmit a file to be transmitted in a host to a terminal;
the monitoring module 42 is configured to start a security mode of the USB transmission channel and monitor a current cache region when detecting that a physical environment of the target object meets a preset condition, where the current cache region is used to cache a file to be transmitted;
a first determining module 44, configured to determine the type of the file to be transmitted when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, where the file types include at least: a first type of file that can be copied and pasted at one time and a second type of file that cannot be copied and pasted at one time;
a second determining module 46, configured to determine an encryption policy according to the type of the file, where the encryption policy is used for encrypting the file;
and the transmission module 48 is used for transmitting the file to the terminal through the USB transmission channel after the encryption of the file is completed.
In the data encryption apparatus, the starting module 40 starts a USB transmission channel used to transmit a file to be transmitted from the host to the terminal; the monitoring module 42 starts the security mode of the USB transmission channel and monitors the current cache region, which caches the file to be transmitted, when it detects that the physical environment of the target object meets a preset condition; the first determining module 44 determines the type of the file to be transmitted when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, the file types including at least a first type of file that can be copied and pasted at one time and a second type of file that cannot be copied and pasted at one time; the second determining module 46 determines an encryption policy according to the type of the file, the encryption policy being used to encrypt the file; and the transmission module 48 transmits the file to the terminal through the USB transmission channel after encryption is complete. This achieves the purpose of transmitting an encrypted file to the terminal through the USB channel, so that different encryption policies are flexibly applied to the file to be transmitted according to its type and leakage of the file is prevented. It thereby addresses the technical problem that, in a VDI application scenario, file data is easily leaked and security is poor when a file is transmitted from the host to a zero terminal over a USB channel once that channel has been opened.
According to another aspect of the embodiments of the present application, there is also provided a non-volatile storage medium, which includes a stored program, wherein a device in which the non-volatile storage medium is located is controlled to execute any one of the data encryption methods when the program is executed.
Specifically, the storage medium is used for storing program instructions for executing the following functions, and the following functions are realized:
starting a USB transmission channel, where the USB transmission channel is used to transmit a file to be transmitted from the host to the terminal; when it is detected that the physical environment of the target object does not meet the preset condition, starting the security mode of the USB transmission channel and monitoring the current cache region, where the current cache region is used to cache the file to be transmitted; when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, determining the type of the file to be transmitted, where the file types include at least a first type of file that can be copied and pasted at one time and a second type of file that cannot be copied and pasted at one time; determining an encryption policy according to the type of the file, where the encryption policy is used to encrypt the file; and after encryption of the file is complete, transmitting the file to the terminal through the USB transmission channel.
According to another aspect of the embodiments of the present application, there is also provided a processor, configured to execute a program, where the program executes any one of the data encryption methods.
Specifically, the processor is configured to call a program instruction in the memory, and implement the following functions:
starting a USB transmission channel, where the USB transmission channel is used to transmit a file to be transmitted from the host to the terminal; when it is detected that the physical environment of the target object does not meet the preset condition, starting the security mode of the USB transmission channel and monitoring the current cache region, where the current cache region is used to cache the file to be transmitted; when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, determining the type of the file to be transmitted, where the file types include at least a first type of file that can be copied and pasted at one time and a second type of file that cannot be copied and pasted at one time; determining an encryption policy according to the type of the file, where the encryption policy is used to encrypt the file; and after encryption of the file is complete, transmitting the file to the terminal through the USB transmission channel.
In the embodiments of the present application, a file is encrypted during USB file transmission when the current environment is detected to be unsafe. By determining the type of the file transmitted to the terminal through the USB channel and applying different encryption policies based on that type, the encrypted file is transmitted to the terminal through the USB channel. This flexibly applies different encryption policies to files of different types, prevents the file from being leaked, and addresses the technical problem that, in a VDI application scenario, file data is easily leaked and security is poor when a file is transmitted from the host to a zero terminal over a USB channel once that channel has been opened.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the part of it that contributes over the prior art, may be embodied in whole or in part as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program code.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for data encryption, comprising:
starting a USB transmission channel, wherein the USB transmission channel is used for transmitting a file to be transmitted in a host to a terminal;
starting a safety mode of the USB transmission channel and monitoring a current cache region under the condition that the physical environment of a target object meets a preset condition, wherein the current cache region is used for caching the file to be transmitted;
and determining the type of the file to be transmitted when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, wherein the type of the file at least comprises: a first type of file that can be copied and pasted at one time and a second type of file that cannot be copied and pasted at one time;
determining an encryption policy according to the type of the file, wherein the encryption policy is used for encrypting the file;
and after the encryption of the file is finished, transmitting the file to the terminal through the USB transmission channel.
2. The method of claim 1, wherein the first type file comprises pictures and text, and determining an encryption strategy according to the type of the file comprises:
determining a picture encryption strategy corresponding to the picture under the condition that the first type file is detected to be the picture;
determining a character encryption strategy corresponding to the characters under the condition that the first type file is detected to be the characters;
and determining an encryption strategy corresponding to the second type of file under the condition that the type of the file is detected to be the second type of file.
3. The method according to claim 2, wherein in the case that it is detected that the first type file is a picture, determining a picture encryption policy corresponding to the picture comprises:
acquiring the file size of the picture;
comparing the file size of the picture with preset thresholds, wherein the preset thresholds comprise: a first preset threshold and a second preset threshold, wherein the first preset threshold is smaller than the second preset threshold;
under the condition that the file size of the picture is smaller than a first preset threshold value, encrypting all contents corresponding to the picture;
encrypting the head data of the first preset size and the tail data of the second preset size of the picture when the file size of the picture is larger than a first preset threshold and smaller than a second preset threshold;
and under the condition that the file size of the picture is larger than a second preset threshold value, encrypting the picture at an interval of a third preset size.
4. The method according to claim 2, wherein in the case that it is detected that the first type file is a picture, determining a picture encryption policy corresponding to the picture comprises:
acquiring the content of the picture;
determining a security level of the picture based on content of the picture;
and encrypting the picture based on the security level, wherein different security levels correspond to different picture encryption strategies.
5. The method of claim 2, wherein determining a text encryption policy corresponding to the text in the case that the first type file is detected to be the text comprises:
encrypting the text based on an irreversible encryption algorithm.
6. The method according to claim 2, wherein in the case that the type of the file is detected as a second type of file, determining the encryption policy corresponding to the second type of file comprises:
acquiring the transmission rate of the USB channel;
dividing the file size of the second type of file based on the transmission rate and a preset transmission time length;
obtaining a plurality of data blocks corresponding to the second class of files based on the division result;
sorting the data blocks according to a preset rule to obtain a sort sequence number;
and determining whether to encrypt each data block based on the sort sequence number.
7. The method of claim 6, wherein determining whether to encrypt each data block based on the sort sequence number comprises:
judging whether the sort sequence number is odd or even;
when the sort sequence number is odd, encrypting the data block with that odd sort sequence number;
and when the sort sequence number is even, leaving the data block with that even sort sequence number unencrypted.
8. The method according to claim 2, wherein in the case that the type of the file is detected as a second type of file, determining the encryption policy corresponding to the second type of file comprises:
acquiring a file handle corresponding to the second type of file;
acquiring a file body of the second class of files based on the file handle;
and performing segmented reading and writing on the file body, and encrypting the second type of file based on the segmented reading and writing result.
9. A data encryption apparatus, comprising:
the system comprises a starting module, a USB transmission channel and a terminal, wherein the starting module is used for starting the USB transmission channel, and the USB transmission channel is used for transmitting a file to be transmitted in a host to the terminal;
the monitoring module is used for starting a safety mode of the USB transmission channel and monitoring a current cache region under the condition that the physical environment of a target object meets a preset condition, wherein the current cache region is used for caching the file to be transmitted;
a first determining module, configured to determine the type of the file to be transmitted when the monitoring result indicates that a file to be transmitted to the terminal through the USB transmission channel exists in the current cache region, wherein the type of the file at least comprises: a first type of file that can be copied and pasted at one time and a second type of file that cannot be copied and pasted at one time;
a second determining module, configured to determine an encryption policy according to the type of the file, where the encryption policy is used to encrypt the file;
and the transmission module is used for transmitting the file to the terminal through the USB transmission channel after the file is encrypted.
10. A non-volatile storage medium, comprising a stored program, wherein when the program is executed, a device in which the non-volatile storage medium is located is controlled to execute the data encryption method according to any one of claims 1 to 8.
CN202110933174.3A 2021-07-23 2021-07-23 Data encryption method Pending CN113656817A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110933174.3A CN113656817A (en) 2021-07-23 2021-07-23 Data encryption method

Publications (1)

Publication Number Publication Date
CN113656817A true CN113656817A (en) 2021-11-16

Family

ID=78491621

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110933174.3A Pending CN113656817A (en) 2021-07-23 2021-07-23 Data encryption method

Country Status (1)

Country Link
CN (1) CN113656817A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116150786A (en) * 2023-01-10 2023-05-23 深圳技术大学 USB flash disk file encryption system based on instruction key self-setting
CN116150786B (en) * 2023-01-10 2023-11-28 深圳技术大学 USB flash disk file encryption system based on instruction key self-setting

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080016106A1 (en) * 2006-06-30 2008-01-17 Data Equation Limited Data processing
CN101561851A (en) * 2008-04-16 2009-10-21 杭州正隆数码科技有限公司 Open file encrypting method without distinguishing file types
CN101853363A (en) * 2010-05-07 2010-10-06 北京飞天诚信科技有限公司 File protection method and system
CN104091129A (en) * 2014-06-26 2014-10-08 腾讯科技(深圳)有限公司 Data processing method and device
CN104318169A (en) * 2014-09-26 2015-01-28 北京网秦天下科技有限公司 Mobile terminal and method for preventing local file from leakage based on security policy
CN104318179A (en) * 2014-10-30 2015-01-28 成都卫士通信息产业股份有限公司 File redirection technology based virtualized security desktop
CN111158857A (en) * 2019-12-24 2020-05-15 深信服科技股份有限公司 Data encryption method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US9536102B2 (en) Privacy-protective data transfer
US7877602B2 (en) Transparent aware data transformation at file system level for efficient encryption and integrity validation of network files
US9202076B1 (en) Systems and methods for sharing data stored on secure third-party storage platforms
US20060117178A1 (en) Information leakage prevention method and apparatus and program for the same
US10157290B1 (en) Systems and methods for encrypting files
US11755499B2 (en) Locally-stored remote block data integrity
US10623186B1 (en) Authenticated encryption with multiple contexts
CN113383330A (en) Creation and execution of secure containers
WO2020220536A1 (en) Data backup method and device, and computer readable storage medium
US20190238560A1 (en) Systems and methods to provide secure storage
CN109635581A (en) A kind of data processing method, equipment, system and storage medium
CN106682521B (en) File transparent encryption and decryption system and method based on driver layer
US8639941B2 (en) Data security in mobile devices
CN106203141A (en) The data processing method of a kind of application and device
CN113656817A (en) Data encryption method
CN111858094B (en) Data copying and pasting method and system and electronic equipment
EP3893465A1 (en) Method, device, and system for disk redirection
US10496848B1 (en) System and method for accessing secure files
US11283768B1 (en) Systems and methods for managing connections
CN113486380B (en) Encryption method of text file
CN110895456A (en) Data processing method, terminal, and computer-readable storage medium
US20160063264A1 (en) Method for securing a plurality of contents in mobile environment, and a security file using the same
EP3754531B1 (en) Virtualization for privacy control
KR20160146623A (en) A Method for securing contents in mobile environment, Recording medium for storing the method, and Security sytem for mobile terminal
CN113656820A (en) Data encryption method and device and remote desktop system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination