CN114117461A - Data protection method, electronic equipment and storage medium - Google Patents

Publication number
CN114117461A
Authority
CN
China
Prior art keywords
account
encrypted
key
external storage
root
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010912441.4A
Other languages
Chinese (zh)
Inventor
孙珍奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202010912441.4A
Publication of CN114117461A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application provide a data protection method, an electronic device and a storage medium, relate to the technical field of data security, and can improve the security and privacy of data stored in a storage device shared by multiple users. The method comprises the following steps: obtaining a root key through a first account and a first password; creating an encrypted main directory in the storage device for the first account, and setting data in the encrypted main directory to be encrypted and decrypted based on the root key; acquiring a second account and a second password, and using the second account and the second password as authentication information of the encrypted main directory of the first account when the storage device is mounted on the current electronic device; when a user needs to access data in the encrypted main directory of the first account, if the storage device is mounted on the current electronic device, accessing or modifying the data based on the first account, the first password, the second account and the second password; and if the storage device is mounted on another electronic device, accessing or modifying the data based on the first account and the first password.

Description

Data protection method, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the field of data security, and in particular, to a data protection method, an electronic device, and a storage medium.
Background
As electronic devices become more powerful, data generated by the electronic devices, such as photos and videos taken by the electronic devices with cameras, multimedia data downloaded by the electronic devices through installed applications, and the like, become more and more abundant. However, the storage space of these electronic devices is limited, and therefore, data on these electronic devices needs to be backed up to an external storage device.
When a plurality of users share the same external storage device, in order to protect the privacy of the users, the Server Message Block (Samba) protocol may be used to set access rights on the electronic device on which the external storage device is mounted. For example, a home directory is created in the external storage device for each user, and an account and a password are set for each home directory; only after the account and the password are authenticated successfully can the account access or modify (e.g., create, copy, cut, paste, and delete) data under its home directory. However, the account and the password set on the electronic device are valid only while the external storage device is mounted on that electronic device. When the external storage device is mounted on another electronic device, no access rights have been set on that device through the Samba protocol, so one user can access or modify the data stored on the external storage device by another user. Therefore, data stored on a storage device shared by multiple users and protected in this manner has poor security.
Disclosure of Invention
The embodiments of the application provide a data protection method, an electronic device and a storage medium, which solve the problem that data stored on a storage device shared by multiple users has poor security.
To achieve this purpose, the technical solutions are as follows:
In a first aspect, an embodiment of the present application provides a data protection method, which is applied to a first device supporting the Server Message Block service, and the method includes: the first device receives a first account and a root key sent by a second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified; when the encrypted main directory of the first account does not exist in the external storage device of the first device, the first device creates the encrypted main directory for the first account in the external storage device, wherein data in the encrypted main directory of the first account is encrypted and decrypted based on the root key; the first device receives a second account and a second password corresponding to the second account, which are sent by the second device, and sets the second account and the second password as authentication information of the encrypted main directory of the first account when the external storage device is mounted on the first device.
In the embodiments of the application, when a first device is connected to an external storage device and an encrypted main directory of a first account does not exist in the external storage device, the first device creates the encrypted main directory of the first account in the external storage device and sets data in the encrypted main directory to be encrypted and decrypted based on a root key, so that an encryption and decryption policy is set for the data in the encrypted main directory of the first account. In addition, the first device uses the second account and the second password as authentication information of the encrypted main directory, and sets the access right of the encrypted main directory of the first account to be obtained based on the authentication information, so an access control policy is also set for the encrypted main directory of the first account. The embodiments of the application thus protect the data in the encrypted main directory through both the access control policy of the encrypted main directory and the encryption and decryption policy of the data in it. When the external storage device is mounted on an electronic device other than the first device, even if that device does not have the access control policy of the encrypted main directory, the security of the data in the encrypted main directory is still ensured by the preset encryption and decryption policy: the data in the encrypted main directory of the first account can be accessed or modified only by obtaining the root key, and the root key is obtained based on the first account and the first password, so users cannot arbitrarily access the data in each other's encrypted main directories.
In a possible implementation manner of the first aspect, after the first device creates an encrypted main directory for the first account in the external storage device, the method further includes: the first device generates a master key of the encrypted main directory of the first account, and sets the master key of the encrypted main directory of the first account in a system kernel of the first device; the first device encrypts the master key of the encrypted main directory of the first account and stores it in the external storage device, wherein the root key is used to decrypt the master key stored in encrypted form in the external storage device, and data in the encrypted main directory of the first account is encrypted and decrypted based on the master key.
In this embodiment of the application, the first device may set data in the encrypted main directory of the first account to be encrypted and decrypted based on a master key, and a plurality of working keys can be derived from the master key, which ensures that the files in the encrypted main directory are encrypted with different working keys and stored in the external storage device. To make the data protection method provided by the embodiments of the application more convenient to use, the user does not need to remember the master key of the encrypted main directory of the first account; the master key can be stored in the external storage device in encrypted form. When the user needs to access or modify data in the encrypted main directory, the first device obtains the master key from the external storage device based on the root key, and thereby obtains the working key for decrypting each file, which improves both convenience and data security.
In a possible implementation manner of the first aspect, the first device encrypting and storing the master key of the encrypted main directory of the first account in the external storage device includes: the first device creates a key file of the first account in the external storage device; the first device encrypts the master key of the encrypted main directory of the first account and stores it in the key file of the first account.
In this embodiment, the first device may set up a key file (keystore) for the first account, and store in the key file the information of the first account that is used for decrypting data, for example, the master key for deriving working keys, and the second account and the second password for obtaining the access right of the encrypted main directory of the first account. The first device may set the encrypted data in the key file (keystore) to be decrypted based on the root key; that is, the master key, the second account, and the second password in the key file (keystore) can be obtained by decryption with the root key.
In one possible implementation form of the first aspect, the root key is generated from root keying material, the root keying material comprising at least two sub-parts, and one of the sub-parts being a verification sub-part.
Correspondingly, the first device receiving the first account and the root key sent by the second device includes: the first device receives the first account and the verification sub-part of the root keying material sent by the second device, wherein the verification sub-part of the root keying material is obtained after the first account and the first password corresponding to the first account are successfully verified.
In one possible implementation form of the first aspect, the root keying material further comprises a local sub-part.
When the encrypted main directory of the first account does not exist in the external storage device of the first device, the method further comprises the following steps: the first device generates the local sub-part of the root keying material and stores the local sub-part of the root keying material in the external storage device.
In one possible implementation of the first aspect, the root keying material further comprises an application sub-part stored in the first application of the second device.
In the embodiments of the present application, in order to improve the security of data, the root keying material for generating the root key may be divided into at least two sub-parts, one of which is a verification sub-part. The verification sub-part is obtained based on the first account and the first password, so different users are distinguished by the first account. Other sub-parts may also be provided. One is a local sub-part, which may be stored in the external storage device, so that even if the external storage device is mounted on another electronic device, that device can still obtain the local sub-part from the external storage device in order to decrypt the master key of the encrypted main directory. Another is an application sub-part, which can be built into the matching application software during its development; therefore, only the matching application software can obtain the application sub-part and decrypt the master key of the encrypted main directory. After acquiring each preset sub-part of the root keying material, the first device generates the root key from the sub-parts and obtains the master key of the encrypted main directory by decryption with the generated root key. Obtaining the sub-parts of the root keying material from separate places improves the security of data in the storage device and the privacy among users.
In a possible implementation manner of the first aspect, the first device receiving the second account and the second password corresponding to the second account sent by the second device includes: the first device receives, from the second device, a second account and a corresponding second password that were input by a user on the second device; or the first device receives, from the second device, a second account and a corresponding second password that were generated by the second device.
In a possible implementation manner of the first aspect, after the first device receives the second account and the second password corresponding to the second account, the method further includes: the first device encrypts the second account and the second password and stores them in the external storage device, wherein the second account and the second password are obtained by decryption based on the root key.
In the embodiments of the application, if the user is required to input the second account and the second password personally each time the access right of the encrypted main directory of the first account is obtained, the user sets the second account and the second password personally when they are set as the authentication information of the encrypted main directory. If the user is not to be required to remember the second account and the second password, they may be generated automatically by application software associated with the second device (for example, a first application) or by the first device; accordingly, the second password of the second account needs to be stored in the external storage device, for example, the second account and the second password are stored in the key file (keystore). When the authentication information of the encrypted main directory of the first account needs to be acquired, the root key is acquired through the first account and the first password, and the encrypted data in the key file is decrypted based on the root key to obtain the second account and the second password. Therefore, the user only needs to remember the first account and the first password. In addition, when the user is required to input the second account and the second password personally, even if the user forgets them, the root key can be obtained through the first account and the first password, and the encrypted data in the key file (keystore) can be decrypted based on the root key to recover the second account and the second password, which improves the convenience and flexibility of implementing the embodiments of the application.
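The key hierarchy described for the first aspect (root keying material sub-parts, root key, key file, master key, per-file working keys, and locking by clearing the kernel-held master key) can be sketched as follows. This is an added example, not code from the patent: the patent names no algorithms, so HKDF-SHA256 and the HMAC-based encrypt-then-MAC wrapper (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions, as are all function names, class names and sample values.

```python
import hashlib
import hmac
import json
import secrets


def hkdf(ikm, salt, info, length=32):
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def root_key(account, subparts):
    """Derive the root key from all sub-parts of the root keying material.
    Sub-parts are length-prefixed so a different split gives a different key."""
    ikm = b"".join(len(p).to_bytes(2, "big") + p for p in subparts)
    return hkdf(ikm, account.encode(), b"root-key")


def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC (assumed construction; use a real AEAD in practice)."""
    enc_key, mac_key = hkdf(key, b"", b"enc"), hkdf(key, b"", b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(key, blob):
    """Verify the tag first; a wrong root key fails here and decrypts nothing."""
    enc_key, mac_key = hkdf(key, b"", b"enc"), hkdf(key, b"", b"mac")
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong root key or tampered key file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_encrypted_home(rk, second_account, second_password):
    """First mount: generate the master key and seal it, together with the
    second account and second password, into the account's key file."""
    payload = {"master_key": secrets.token_bytes(32).hex(),
               "second_account": second_account,
               "second_password": second_password}
    return seal(rk, json.dumps(payload).encode())


class EncryptedHome:
    """One account's encrypted main directory on the external storage.
    `_kernel_key` models the master key set in the system kernel."""

    def __init__(self, key_file):
        self.key_file = key_file      # travels with the external storage
        self._kernel_key = None

    def unlock(self, rk):
        payload = json.loads(open_sealed(rk, self.key_file))
        self._kernel_key = bytes.fromhex(payload["master_key"])
        return payload["second_account"], payload["second_password"]

    def working_key(self, file_name):
        """Each file gets its own working key derived from the master key."""
        if self._kernel_key is None:
            raise PermissionError("encrypted main directory is locked")
        return hkdf(self._kernel_key, b"", b"file:" + file_name.encode())

    def lock(self):
        self._kernel_key = None       # account exit: clear the master key


def demo():
    # Constructed sample values; the verification sub-parts stand for what the
    # server releases after each account's first password has been verified.
    local, app = secrets.token_bytes(16), b"constructed-application-sub-part"
    rk_owner = root_key("alice", [b"constructed-verification-alice", local, app])
    home = EncryptedHome(create_encrypted_home(rk_owner, "smb-alice", "constructed-pw2"))
    creds = home.unlock(rk_owner)
    home.lock()
    # Storage moved to another device with no Samba access control: another
    # user has the key file, local and application sub-parts, but not the
    # owner's verification sub-part.
    other = EncryptedHome(home.key_file)
    try:
        other.unlock(root_key("bob", [b"constructed-verification-bob", local, app]))
        other_ok = True
    except ValueError:
        other_ok = False
    return {"owner_credentials": creds, "other_user_unlocked": other_ok}


if __name__ == "__main__":
    print(demo())
```

Because the key file and the local sub-part sit on the external storage itself, confidentiality against another user of the same storage rests on the verification sub-part (and the application sub-part, where used), which is why the owner's account and first password remain the only secret the user has to remember.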
In a second aspect, an embodiment of the present application provides a data protection method, which is applied to a first device supporting the Server Message Block service, and the method includes: the first device receives a first account and a root key sent by a second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified; when an encrypted main directory of the first account exists in the external storage device of the first device, if the first device has set authentication information for the encrypted main directory of the first account, the first device acquires a second account and a second password corresponding to the second account, and authenticates the second account and the second password as the authentication information of the encrypted main directory; after the second account and the second password are authenticated successfully, if the first device receives a data access request or a data modification request for the encrypted main directory of the first account sent by the second device, the first device responds to the received data access request or data modification request based on the root key; after the first device receives the exit information of the first account, the first device locks the encrypted main directory of the first account.
In a possible implementation manner of the second aspect, when an encrypted main directory of the first account exists in the external storage device of the first device, the method further includes: the first device decrypts, based on the root key, the master key of the encrypted main directory of the first account from the external storage device; the first device sets the master key of the encrypted main directory of the first account in a system kernel of the first device.
Accordingly, the first device responding to the received data access request or data modification request based on the root key comprises: the first device responds to the received data access request or data modification request based on the master key in the system kernel; the first device locking the encrypted main directory of the first account comprises the following steps: the first device clears the master key in the system kernel.
In a possible implementation manner of the second aspect, the first device decrypting the master key of the encrypted main directory of the first account from the external storage device based on the root key includes: the first device parses the encrypted information in the key file stored in the external storage device using the root key to obtain the master key of the encrypted main directory of the first account.
In one possible implementation of the second aspect, the root key is generated from root keying material, the root keying material comprising at least two sub-parts, and one of the sub-parts being a verification sub-part.
Correspondingly, the first device receiving the first account and the root key sent by the second device includes: the first device receives the first account and the verification sub-part of the root keying material sent by the second device, wherein the verification sub-part of the root keying material is obtained after the first account and the first password corresponding to the first account are successfully verified.
In one possible implementation of the second aspect, the root keying material further comprises a local sub-part.
Before the first device responds to the received data access request or data modification request based on the root key, the method further comprises the following steps: the first device retrieves the local sub-part of the root keying material from the external storage device.
In a possible implementation manner of the second aspect, before the first device responds to the received data access request or data modification request based on the root key, the method further includes: the first device obtains from the second device an application sub-part of the root keying material stored in a first application of the second device.
In a possible implementation manner of the second aspect, the first device obtaining the second account and the second password corresponding to the second account includes: the first device receives, from the second device, a second account and a corresponding second password that were input by a user on the second device; or the first device decrypts the second account and the second password corresponding to the second account from the external storage device based on the root key.
In a possible implementation manner of the second aspect, when an encrypted main directory of the first account exists in the external storage device of the first device, the method further includes: in response to a received request for retrieving the second password corresponding to the second account, the first device decrypts the second account and the second password corresponding to the second account from the external storage device based on the root key, and sends the second account and the second password corresponding to the second account to the second device.
In a third aspect, an embodiment of the present application provides a data protection method, including: in response to a first account and a first password corresponding to the first account received through a second application, a third device sends the first account and the first password corresponding to the first account to a preset server; the third device receives a root key which is sent by the preset server after the first account and the first password are successfully verified; when an encrypted main directory of the first account exists in the external storage device of the third device and the third device has not set authentication information for the encrypted main directory of the first account, if the third device receives a data access request or a data modification request for the encrypted main directory of the first account, the third device responds to the received data access request or data modification request based on the root key; after the third device receives the exit information of the first account, the third device locks the encrypted main directory of the first account; before the third device receives the exit information of the first account, the third device does not allow accounts other than the first account to log in to the second application of the third device.
In a possible implementation manner of the third aspect, when an encrypted main directory of the first account exists in the external storage device of the third device, the method further includes: the third device decrypts the master key of the encrypted main directory of the first account from the external storage device based on the root key; the third device sets the master key of the encrypted main directory of the first account in a system kernel of the third device.
Correspondingly, the third device responding to the received data access request or data modification request based on the root key comprises: the third device responds to the received data access request or data modification request based on the master key in the system kernel.
The third device locking the encrypted main directory of the first account comprises the following steps: the third device clears the master key in the system kernel.
In a possible implementation manner of the third aspect, the third device decrypting the master key of the encrypted main directory of the first account from the external storage device based on the root key includes: the third device parses the encrypted information in the key file stored in the external storage device using the root key to obtain the master key of the encrypted main directory of the first account.
In one possible implementation of the third aspect, the root key is generated from root keying material, the root keying material comprising at least two sub-parts, and one of the sub-parts being a verification sub-part.
Correspondingly, the third device receiving the root key sent by the preset server after the first account and the first password are successfully verified includes: the third device receives the verification sub-part of the root keying material sent by the preset server after the first account and the first password are successfully verified.
In one possible implementation of the third aspect, the root keying material further comprises a local sub-part.
Before the third device responds to the received data access request or data modification request based on the root key, the method further includes: the third device retrieves the local sub-part of the root keying material from the external storage device.
In a possible implementation manner of the third aspect, before the third device responds to the received data access request or data modification request based on the root key, the method further includes: the third device obtains an application sub-part of the root keying material stored in a second application of the third device.
In a fourth aspect, an embodiment of the present application provides an electronic device, which may be denoted as a first device, where the first device includes:
a root key receiving unit, configured to receive a first account and a root key sent by a second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified;
an encrypted main directory creating unit, configured to create an encrypted main directory for the first account in an external storage device of the first device when the encrypted main directory of the first account does not exist in the external storage device, where data in the encrypted main directory of the first account is encrypted and decrypted based on the root key;
and an authentication information setting unit, configured to receive a second account and a second password corresponding to the second account sent by the second device, and to set the second account and the second password as the authentication information of the encrypted main directory of the first account when the external storage device is mounted on the first device.
In a fifth aspect, an embodiment of the present application provides an electronic device, which may be denoted as a first device, where the first device includes:
a root key receiving unit, configured to receive a first account and a root key sent by a second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified;
an authentication information acquisition unit, configured to, when an encrypted main directory of the first account exists in the external storage device of the first device and the first device has set authentication information for the encrypted main directory of the first account, acquire a second account and a second password corresponding to the second account, and authenticate the second account and the second password as the authentication information of the encrypted main directory;
a data access or modification unit, configured to, after the second account and the second password are authenticated successfully, respond based on the root key to a data access request or data modification request for the encrypted main directory of the first account that the first device receives from the second device;
and a data locking unit, configured to lock the encrypted main directory of the first account after the first device receives the exit information of the first account.
In a sixth aspect, an embodiment of the present application provides an electronic device, which may be denoted as a third device, where the third device includes:
the third device sends the first account and a first password corresponding to the first account to the preset server in response to the first account and the first password corresponding to the first account received through the second application;
a root key receiving unit, configured to receive a root key which is sent by the preset server after the first account and the first password are successfully verified;
a data access or modification unit, configured to, when an encrypted main directory of the first account exists in the external storage device of the third device and the third device has not set authentication information for the encrypted main directory of the first account, respond based on the root key to a data access request or data modification request for the encrypted main directory of the first account received by the third device;
a data locking unit, configured to lock the encrypted main directory of the first account after the third device receives the exit information of the first account;
before the third device receives the exit information of the first account, the third device does not allow accounts other than the first account to log in to the second application of the third device.
In a seventh aspect, an embodiment of the present application provides an electronic device, including a processor, configured to execute a computer program stored in a memory, and implement the method of any one of the first aspect and/or the method of any one of the second aspect, or the method of any one of the third aspect.
In an eighth aspect, a chip system is provided, which includes a processor coupled to a memory, the processor executing a computer program stored in the memory to implement the method of any one of the first aspect and/or the method of any one of the second aspect, or the method of any one of the third aspect of the present application.
In a ninth aspect, there is provided a computer readable storage medium, having a computer program stored thereon, the computer program, when executed by one or more processors, implementing the method of any one of the first aspect and/or the method of any one of the second aspect, or the method of any one of the third aspect of the present application.
In a tenth aspect, embodiments of the present application provide a computer program product, which, when run on an apparatus, causes the apparatus to implement the method of any one of the first aspect and/or the method of any one of the second aspect, or the method of any one of the third aspect of the present application.
It is to be understood that beneficial effects of the fourth to tenth aspects can be seen from the description of the first aspect, and are not repeated herein.
Drawings
Fig. 1 is a schematic view of an application scenario of a data protection method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a hardware structure of an electronic device executing a data protection method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a data protection method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an encryption and decryption strategy for data according to an embodiment of the present application;
Fig. 5 is a schematic diagram of data in an encrypted main directory of a first account stored in a storage device according to an embodiment of the present application;
Fig. 6 is a timing diagram of a data protection method according to an embodiment of the present application;
Fig. 7 is a schematic flowchart of a data protection method corresponding to the embodiment shown in Fig. 3 according to an embodiment of the present application;
Fig. 8 is another timing diagram corresponding to the data protection method shown in Fig. 6 according to an embodiment of the present application;
Fig. 9 is a timing diagram of a method for retrieving a second account and a second password in the data protection method according to the embodiment of the present application;
Fig. 10 is a schematic flowchart of a data protection method corresponding to the embodiment shown in Fig. 3 according to an embodiment of the present application;
Fig. 11 is another timing diagram corresponding to the data protection method shown in Fig. 6 according to an embodiment of the present application;
Fig. 12 is a schematic block diagram of functional architecture modules of an electronic device that executes a data protection method according to an embodiment of the present application;
Fig. 13 is a schematic block diagram of functional architecture modules of another electronic device that executes a data protection method according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that in the embodiments of the present application, "one or more" means one, two, or more than two; "and/or" describes the association relationship of the associated objects, indicating that three relationships may exist; for example, A and/or B may represent: A alone, both A and B, and B alone, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
Furthermore, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
The data protection method provided by the embodiment of the application can be applied to an electronic device on which an external storage device is mounted. Referring to Fig. 1, an application scenario of the data protection method provided in the embodiment of the present application is shown. The storage device in this application scenario can be shared by multiple users: it can be mounted on a router as the external storage device of that electronic device and shared by multiple users, mounted on a computer and shared by multiple users, or mounted on other electronic devices and shared by multiple users.
An electronic device (e.g., the router in Fig. 1) on which a Server Message Block (Samba) program is deployed may act as a server of the samba protocol and configure an access control policy. A preset application, which is the matching application software, may be installed on an electronic device such as a mobile phone, a computer, or a tablet computer (for example, the mobile phone in Fig. 1) that acts as a client of the samba protocol. Through the preset application, the router is controlled to create a separate main directory for each user on the external storage device, and to set a samba account and password as the authentication information of each user's main directory. When a user needs to access data stored in their own main directory, the user logs in with the preset samba account and password on the preset application, which acts as the client of the samba protocol, in order to authenticate. After authentication succeeds, the user can access, through the preset application, the main directories in the router's external storage device that the user is authorized to access, but cannot access the main directories in the external storage device that the user is not authorized to access.
However, when the external storage device is disconnected from the router and connected to another electronic device (e.g., the computer in Fig. 1), the samba access control policy of the main directory previously created in the external storage device remains configured on the router and does not exist on the other electronic device. A user of the other electronic device can therefore freely access or even modify the data in the main directory on the external storage device, so the security of this data protection method is poor.
As can be understood from the above description and analysis of the scenario, the access control policy of the main directory in the external storage device takes effect only on one specific electronic device, namely the electronic device on which the access control policy of the main directory is configured (e.g., the router in Fig. 1).
In order to solve the above-described problem of poor security of data in the external storage device, in the embodiment of the present application, on the basis of the samba access control policy, an encryption and decryption policy of data in the main directory is added, so as to achieve the following technical effects:
When the external storage device is mounted on the electronic device configured with the access control policy of the main directory, the access permission for the main directory is obtained through the samba access control policy, and the encryption and decryption permission for the data in the main directory is obtained through the encryption and decryption policy of the data. After obtaining both the access permission for the main directory and the encryption and decryption permission for its data, a user can access or modify the data in the main directory for which this double permission has been obtained. This preset double-layer permission barrier ensures that the data a user stores in the main directory of the external storage device cannot be accessed by other users.
When the external storage device is mounted on other electronic devices, those devices do not have the samba access control policy of the main directory, but the encryption and decryption policy of the data in the main directory still exists. Therefore, the user obtains the encryption and decryption permission for the data in the main directory through the encryption and decryption policy of the data, and only after obtaining it can the user access or modify the data in that main directory. The encryption and decryption policy of the data in the main directory thus ensures that the data a user stores in the main directory of the external storage device cannot be accessed by other users.
The encryption and decryption policy for the data in the main directory is described in the subsequent embodiments.
For convenience of description, an electronic device serving as a server of the samba protocol may be denoted as a first device, an electronic device serving as a client of the samba protocol may be denoted as a second device, and when the external storage device is disconnected from the first device and mounted on another electronic device, the other electronic device may be denoted as a third device.
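The two scenarios above (the drive on the first device, then moved to a third device) can be modelled as follows. This is an added example, not the patent's implementation: the `Device` class, the account names and the HMAC-based stand-in cipher are assumptions, and the patent's own encryption and decryption policy is described in its later embodiments.

```python
import hashlib
import hmac
import os

# Stand-in authenticated cipher built from stdlib HMAC-SHA256 so the example runs
# offline; a real implementation would use a vetted AEAD such as AES-GCM.
def _subkeys(root_key):
    return (hmac.new(root_key, b"enc", hashlib.sha256).digest(),
            hmac.new(root_key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(root_key, plaintext):
    enc_key, mac_key = _subkeys(root_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(root_key, blob):
    enc_key, mac_key = _subkeys(root_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong root key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Device:
    """Hypothetical model of a first or third device with the shared drive mounted."""
    def __init__(self, disk, samba_policy=None):
        self.disk = disk                        # travels with the drive
        self.samba_policy = samba_policy or {}  # stays on the device that configured it
        self.root_keys = {}                     # held in memory only while logged in
        self.samba_ok = set()

    def login(self, account, root_key):
        # Assumption: the root key arrives only after account/password verification.
        self.root_keys[account] = root_key

    def samba_auth(self, account, second_account, second_password):
        want = self.samba_policy.get(account)
        ok = (want is not None
              and hmac.compare_digest(second_account.encode(), want[0].encode())
              and hmac.compare_digest(second_password.encode(), want[1].encode()))
        if ok:
            self.samba_ok.add(account)
        return ok

    def _key(self, account):
        if account not in self.root_keys:
            raise PermissionError("encrypted main directory is locked")
        if account in self.samba_policy and account not in self.samba_ok:
            raise PermissionError("samba authentication required on this device")
        return self.root_keys[account]

    def write(self, account, name, data):
        self.disk.setdefault(account, {})[name] = seal(self._key(account), data)

    def read(self, account, name):
        return unseal(self._key(account), self.disk[account][name])

    def logout(self, account):
        self.root_keys.pop(account, None)       # lock: the key leaves memory
        self.samba_ok.discard(account)

def _try(fn):
    try:
        return fn()
    except PermissionError:
        return "denied"

def demo():
    disk, secret = {}, b"constructed sample: tax-return.pdf"
    root_key = os.urandom(32)                   # constructed stand-in for the issued root key
    router = Device(disk, {"alice": ("smb_alice", "smb-pass")})   # first device
    router.login("alice", root_key)
    out = {"router_before_samba_auth": _try(lambda: router.write("alice", "f", secret))}
    router.samba_auth("alice", "smb_alice", "smb-pass")
    router.write("alice", "f", secret)
    out["router_after_samba_auth"] = router.read("alice", "f")
    router.logout("alice")
    out["router_after_logout"] = _try(lambda: router.read("alice", "f"))

    pc = Device(disk)                           # third device: drive moved, no samba policy
    out["raw_bytes_contain_plaintext"] = secret in disk["alice"]["f"]
    out["pc_without_key"] = _try(lambda: pc.read("alice", "f"))
    pc.login("alice", os.urandom(32))
    out["pc_wrong_key"] = _try(lambda: pc.read("alice", "f"))
    pc.login("alice", root_key)
    out["pc_with_root_key"] = pc.read("alice", "f")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```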
The embodiment of the application provides a data protection method that can be applied to an electronic device capable of mounting an external storage device. The electronic device may be a mobile phone, a tablet computer, a wearable device, a vehicle-mounted device, a smart speaker, a smart screen, an Augmented Reality (AR)/Virtual Reality (VR) device, a notebook computer, a router, an ultra-mobile personal computer (UMPC), a netbook, a Personal Digital Assistant (PDA), or another electronic device. The embodiment of the present application does not limit the specific type of the electronic device.
Fig. 2 shows a schematic structural diagram of an electronic device. The electronic device 200 may include a processor 210, an external storage device interface 220, an internal memory 221, a Universal Serial Bus (USB) interface 230, a charging management module 240, a power management module 241, a battery 242, an antenna 1, an antenna 2, a mobile communication module 250, a wireless communication module 260, an audio module 270, a speaker 270A, a receiver 270B, a microphone 270C, an earphone interface 270D, a sensor module 280, keys 290, a motor 291, an indicator 292, a camera 293, a display screen 294, a Subscriber Identification Module (SIM) card interface 295, and the like. The sensor module 280 may include a pressure sensor 280A, a gyroscope sensor 280B, an air pressure sensor 280C, a magnetic sensor 280D, an acceleration sensor 280E, a distance sensor 280F, a proximity light sensor 280G, a fingerprint sensor 280H, a temperature sensor 280J, a touch sensor 280K, an ambient light sensor 280L, a bone conduction sensor 280M, and the like.
When the electronic device is a mobile phone, all or part of the components described above may be included.
When the electronic device is a router, it may include the processor 210, the external storage device interface 220, the internal memory 221, the Universal Serial Bus (USB) interface 230, the charging management module 240, the power management module 241, the battery 242, the antenna 2, the wireless communication module 260, the keys 290, and the indicator 292, which are described above.
When the electronic device is a computer, the electronic device may include the processor 210, the external storage device interface 220, the internal memory 221, a Universal Serial Bus (USB) interface 230, the charging management module 240, the power management module 241, the battery 242, the antenna 2, the wireless communication module 260, the audio module 270, the speaker 270A, the receiver 270B, the microphone 270C, the earphone interface 270D, the sensor module 280, the keys 290, the motor 291, the indicator 292, the camera 293, and the display 294 described above. The sensor module 280 may include a fingerprint sensor 280H, a touch sensor 280K, an ambient light sensor 280L, and the like.
It is to be understood that the illustrated structure of the embodiment of the present application does not specifically limit the electronic device 200. In other embodiments of the present application, the electronic device 200 may include more or fewer components than shown, or combine certain components, or split certain components, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Processor 210 may include one or more processing units, such as: the processor 210 may include an Application Processor (AP), a modem processor, a Graphics Processing Unit (GPU), an Image Signal Processor (ISP), a controller, a memory, a video codec, a Digital Signal Processor (DSP), a baseband processor, and/or a neural-network processing unit (NPU), etc. The different processing units may be separate devices or may be integrated into one or more processors. The processor 210 is configured to execute a data protection method in the embodiment of the present application, for example, the following steps 301 to 303 and/or steps 701 to 704, or steps 1001 to 1004.
The controller may be the nerve center and command center of the electronic device 200. The controller can generate an operation control signal according to the instruction operation code and the timing signal to complete the control of instruction fetching and instruction execution.
A memory may also be provided in processor 210 for storing instructions and data. In some embodiments, the memory in the processor 210 is a cache memory. The memory may hold instructions or data that the processor 210 has just used or uses cyclically. If the processor 210 needs to use the instruction or data again, it can call it directly from this memory. This avoids repeated accesses and reduces the waiting time of the processor 210, thereby increasing the efficiency of the system.
In some embodiments, processor 210 may include one or more interfaces. The interface may include an inter-integrated circuit (I2C) interface, an inter-integrated circuit sound (I2S) interface, a Pulse Code Modulation (PCM) interface, a universal asynchronous receiver/transmitter (UART) interface, a Mobile Industry Processor Interface (MIPI), a general-purpose input/output (GPIO) interface, a Subscriber Identity Module (SIM) interface, and/or a Universal Serial Bus (USB) interface, etc.
The I2C interface is a bi-directional synchronous serial bus that includes a serial data line (SDA) and a Serial Clock Line (SCL). In some embodiments, processor 210 may include multiple sets of I2C buses. The processor 210 may be coupled to the touch sensor 280K, the charger, the flash, the camera 293, etc. through different I2C bus interfaces. For example: the processor 210 may be coupled to the touch sensor 280K via an I2C interface, such that the processor 210 and the touch sensor 280K communicate via an I2C bus interface to implement the touch function of the electronic device 200.
The I2S interface may be used for audio communication. In some embodiments, processor 210 may include multiple sets of I2S buses. Processor 210 may be coupled to audio module 270 via an I2S bus to enable communication between processor 210 and audio module 270. In some embodiments, the audio module 270 may communicate audio signals to the wireless communication module 260 via the I2S interface, enabling answering of calls via a bluetooth headset.
The PCM interface may also be used for audio communication, sampling, quantizing and encoding analog signals. In some embodiments, audio module 270 and wireless communication module 260 may be coupled by a PCM bus interface.
In some embodiments, the audio module 270 may also transmit audio signals to the wireless communication module 260 through the PCM interface, so as to implement a function of answering a call through a bluetooth headset. Both the I2S interface and the PCM interface may be used for audio communication.
The UART interface is a universal serial data bus used for asynchronous communications. The bus may be a bidirectional communication bus. It converts the data to be transmitted between serial communication and parallel communication.
In some embodiments, a UART interface is generally used to connect the processor 210 with the wireless communication module 260. For example: the processor 210 communicates with the bluetooth module in the wireless communication module 260 through the UART interface to implement the bluetooth function. In some embodiments, the audio module 270 may transmit the audio signal to the wireless communication module 260 through a UART interface, so as to realize the function of playing music through a bluetooth headset.
The MIPI interface may be used to connect the processor 210 with peripheral devices such as the display screen 294, the camera 293, and the like. The MIPI interface includes a Camera Serial Interface (CSI), a Display Serial Interface (DSI), and the like. In some embodiments, processor 210 and camera 293 communicate via a CSI interface to implement the capture functionality of electronic device 200. The processor 210 and the display screen 294 communicate through the DSI interface to implement a display function of the electronic device 200.
The GPIO interface may be configured by software. The GPIO interface may be configured as a control signal and may also be configured as a data signal. In some embodiments, a GPIO interface may be used to connect processor 210 with camera 293, display 294, wireless communication module 260, audio module 270, sensor module 280, and the like. The GPIO interface may also be configured as an I2C interface, an I2S interface, a UART interface, a MIPI interface, and the like.
The USB interface 230 is an interface conforming to the USB standard specification, and may specifically be a Mini USB interface, a Micro USB interface, a USB Type C interface, or the like. The USB interface 230 may be used to connect a charger to charge the electronic device 200, and may also be used to transmit data between the electronic device 200 and a peripheral device. It may also be used to connect an earphone and play audio through the earphone. The interface may also be used to connect other electronic devices, such as AR devices and the like.
It should be understood that the interfacing relationship between the modules illustrated in the embodiments of the present application is only an illustration, and does not limit the structure of the electronic device 200. In other embodiments of the present application, the electronic device 200 may also adopt different interface connection manners or a combination of multiple interface connection manners in the above embodiments.
The charge management module 240 is configured to receive a charging input from a charger. The charger may be a wireless charger or a wired charger. In some wired charging embodiments, the charging management module 240 may receive charging input from a wired charger via the USB interface 230. In some wireless charging embodiments, the charging management module 240 may receive a wireless charging input through a wireless charging coil of the electronic device 200. The charging management module 240 may also supply power to the electronic device through the power management module 241 while charging the battery 242.
The power management module 241 is used to connect the battery 242, the charging management module 240 and the processor 210. The power management module 241 receives input from the battery 242 and/or the charging management module 240, and supplies power to the processor 210, the internal memory 221, the external storage device 220, the display 294, the camera 293, and the wireless communication module 260. The power management module 241 may also be used to monitor parameters such as battery capacity, battery cycle number, battery state of health (leakage, impedance), etc.
In some other embodiments, the power management module 241 may also be disposed in the processor 210. In other embodiments, the power management module 241 and the charging management module 240 may be disposed in the same device.
The wireless communication function of the electronic device 200 may be implemented by the antenna 1, the antenna 2, the mobile communication module 250, the wireless communication module 260, the modem processor, the baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. Each antenna in the electronic device 200 may be used to cover a single or multiple communication bands. Different antennas can also be multiplexed to improve the utilization of the antennas. For example: the antenna 1 may be multiplexed as a diversity antenna of a wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.
The mobile communication module 250 may provide a solution including 2G/3G/4G/5G wireless communication applied on the electronic device 200. The mobile communication module 250 may include at least one filter, a switch, a power amplifier, a Low Noise Amplifier (LNA), and the like. The mobile communication module 250 may receive the electromagnetic wave from the antenna 1, filter, amplify, etc. the received electromagnetic wave, and transmit the electromagnetic wave to the modem processor for demodulation. The mobile communication module 250 may also amplify the signal modulated by the modem processor, and convert the signal into electromagnetic wave through the antenna 1 to radiate the electromagnetic wave.
In some embodiments, at least some of the functional modules of the mobile communication module 250 may be disposed in the processor 210. In some embodiments, at least some of the functional modules of the mobile communication module 250 may be disposed in the same device as at least some of the modules of the processor 210.
The modem processor may include a modulator and a demodulator. The modulator is used for modulating a low-frequency baseband signal to be transmitted into a medium-high frequency signal. The demodulator is used for demodulating the received electromagnetic wave signal into a low-frequency baseband signal. The demodulator then passes the demodulated low frequency baseband signal to a baseband processor for processing. The low frequency baseband signal is processed by the baseband processor and then transferred to the application processor. The application processor outputs sound signals through an audio device (not limited to the speaker 270A, the receiver 270B, etc.) or displays images or video through the display screen 294. In some embodiments, the modem processor may be a stand-alone device. In other embodiments, the modem processor may be separate from the processor 210, and may be disposed in the same device as the mobile communication module 250 or other functional modules.
The wireless communication module 260 may provide a solution for wireless communication applied to the electronic device 200, including Wireless Local Area Networks (WLANs) (e.g., wireless fidelity (Wi-Fi) networks), Bluetooth (BT), Global Navigation Satellite System (GNSS), Frequency Modulation (FM), Near Field Communication (NFC), Infrared (IR), and the like. The wireless communication module 260 may be one or more devices integrating at least one communication processing module. The wireless communication module 260 receives electromagnetic waves via the antenna 2, performs frequency modulation and filtering processing on electromagnetic wave signals, and transmits the processed signals to the processor 210. The wireless communication module 260 may also receive a signal to be transmitted from the processor 210, frequency-modulate and amplify the signal, and convert the signal into electromagnetic waves via the antenna 2 to radiate the electromagnetic waves.
In some embodiments, antenna 1 of electronic device 200 is coupled to mobile communication module 250 and antenna 2 is coupled to wireless communication module 260, such that electronic device 200 may communicate with networks and other devices via wireless communication techniques. The wireless communication technology may include global system for mobile communications (GSM), General Packet Radio Service (GPRS), code division multiple access (CDMA), Wideband Code Division Multiple Access (WCDMA), time-division code division multiple access (TD-SCDMA), Long Term Evolution (LTE), BT, GNSS, WLAN, NFC, FM, and/or IR technologies, among others. GNSS may include Global Positioning System (GPS), global navigation satellite system (GLONASS), Beidou satellite navigation system (BDS), quasi-zenith satellite system (QZSS), and/or Satellite Based Augmentation System (SBAS).
The electronic device 200 implements display functions via the GPU, the display screen 294, and the application processor. The GPU is a microprocessor for image processing, and is connected to the display screen 294 and an application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. Processor 210 may include one or more GPUs that execute program instructions to generate or alter display information.
The display screen 294 is used to display images, video, and the like. The display screen 294 includes a display panel. The display panel may be a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), a Mini-LED, a Micro-OLED, a quantum dot light-emitting diode (QLED), or the like. In some embodiments, the electronic device 200 may include 1 or N display screens 294, N being a positive integer greater than 1.
The electronic device 200 may implement a shooting function through the ISP, the camera 293, the video codec, the GPU, the display screen 294, and the application processor.
The ISP is used to process the data fed back by the camera 293. For example, when a photo is taken, the shutter is opened, light is transmitted to the camera photosensitive element through the lens, the optical signal is converted into an electrical signal, and the camera photosensitive element transmits the electrical signal to the ISP for processing and converting into an image visible to naked eyes. The ISP can also carry out algorithm optimization on the noise, brightness and skin color of the image. The ISP can also optimize parameters such as exposure, color temperature and the like of a shooting scene. In some embodiments, the ISP may be provided in camera 293.
The camera 293 is used to capture still images or video. The object generates an optical image through the lens and projects the optical image to the photosensitive element. The photosensitive element may be a Charge Coupled Device (CCD) or a complementary metal-oxide-semiconductor (CMOS) phototransistor. The light sensing element converts the optical signal into an electrical signal, which is then passed to the ISP where it is converted into a digital image signal. And the ISP outputs the digital image signal to the DSP for processing. The DSP converts the digital image signal into image signal in standard RGB, YUV and other formats. In some embodiments, electronic device 200 may include 1 or N cameras 293, N being a positive integer greater than 1.
The digital signal processor is used for processing digital signals, and can process digital image signals and other digital signals. For example, when the electronic device 200 selects a frequency bin, the digital signal processor is used to perform fourier transform or the like on the frequency bin energy.
Video codecs are used to compress or decompress digital video. The electronic device 200 may support one or more video codecs. In this way, the electronic device 200 may play or record video in a variety of encoding formats, such as: Moving Picture Experts Group (MPEG) 1, MPEG2, MPEG3, MPEG4, and the like.
The NPU is a neural-network (NN) computing processor that processes input information quickly by using a biological neural network structure, for example, by using a transfer mode between neurons of a human brain, and can also learn by itself continuously. The NPU can realize applications such as intelligent cognition of the electronic device 200.
The external storage device interface 220 may be used to connect an external storage device, such as a Micro SD card, a mobile hard disk, or the like, to extend the storage capability of the electronic device 200. The external storage device communicates with the processor 210 through the external storage device interface 220 to implement a data storage function. For example, files such as music, video, etc. are saved in the external storage device.
Internal memory 221 may be used to store computer-executable program code, which includes instructions. The processor 210 executes various functional applications of the electronic device 200 and data processing by executing instructions stored in the internal memory 221. The internal memory 221 may include a program storage area and a data storage area. The program storage area may store an operating system and an application program (such as a sound playing function, an image playing function, etc.) required by at least one function. The data storage area may store data (e.g., audio data, phone book, etc.) created during use of the electronic device 200.
In addition, the internal memory 221 may include a high-speed random access memory, and may further include a nonvolatile memory, such as at least one magnetic disk storage device, a flash memory device, a universal flash memory (UFS), and the like.
Electronic device 200 may implement audio functions, such as music playing and recording, via audio module 270, speaker 270A, receiver 270B, microphone 270C, headset interface 270D, an application processor, and the like.
Audio module 270 is used to convert digital audio signals to analog audio signal outputs and also to convert analog audio inputs to digital audio signals. Audio module 270 may also be used to encode and decode audio signals. In some embodiments, the audio module 270 may be disposed in the processor 210, or some functional modules of the audio module 270 may be disposed in the processor 210.
The speaker 270A, also called a "horn", is used to convert an audio electrical signal into an acoustic signal. The electronic device 200 can play music or a hands-free call through the speaker 270A.
The receiver 270B, also called "earpiece", is used to convert the electrical audio signal into an acoustic signal. When the electronic apparatus 200 receives a call or voice information, it is possible to receive voice by placing the receiver 270B close to the human ear.
The microphone 270C, also referred to as a "mic", is used to convert acoustic signals into electrical signals. When making a call or transmitting voice information, the user can input a voice signal to the microphone 270C by speaking with the mouth close to the microphone 270C. The electronic device 200 may be provided with at least one microphone 270C. In other embodiments, the electronic device 200 may be provided with two microphones 270C to achieve a noise reduction function in addition to collecting sound signals. In other embodiments, the electronic device 200 may further include three, four or more microphones 270C to collect sound signals, reduce noise, identify sound sources, implement directional recording functions, and so on.
The headset interface 270D is used to connect wired headphones. The headset interface 270D may be the USB interface 230, or may be a 3.5mm open mobile terminal platform (OMTP) standard interface, or a Cellular Telecommunications Industry Association (CTIA) standard interface.
The pressure sensor 280A is used to sense a pressure signal, which can be converted into an electrical signal. In some embodiments, the pressure sensor 280A may be disposed on the display screen 294. The pressure sensor 280A can be of a wide variety of types, such as a resistive pressure sensor, an inductive pressure sensor, a capacitive pressure sensor, and the like. The capacitive pressure sensor may be a sensor comprising at least two parallel plates having an electrically conductive material. When a force acts on the pressure sensor 280A, the capacitance between the electrodes changes. The electronic device 200 determines the intensity of the pressure from the change in capacitance. When a touch operation is applied to the display screen 294, the electronic apparatus 200 detects the intensity of the touch operation based on the pressure sensor 280A. The electronic apparatus 200 may also calculate the touched position from the detection signal of the pressure sensor 280A.
The gyro sensor 280B may be used to determine the motion pose of the electronic device 200. In some embodiments, the angular velocity of the electronic device 200 about three axes (i.e., x, y, and z axes) may be determined by the gyro sensor 280B. The gyro sensor 280B may be used for anti-shake during photographing. For example, when the shutter is pressed, the gyro sensor 280B detects a shake angle of the electronic device 200, calculates a distance to be compensated for by the lens module according to the shake angle, and allows the lens to counteract the shake of the electronic device 200 through a reverse movement, thereby achieving anti-shake. The gyro sensor 280B may also be used in navigation and motion-sensing game scenarios.
The air pressure sensor 280C is used to measure air pressure. In some embodiments, electronic device 200 calculates altitude, aiding in positioning and navigation, from barometric pressure values measured by barometric pressure sensor 280C.
The magnetic sensor 280D includes a Hall sensor. The electronic device 200 may detect the opening and closing of a flip holster using the magnetic sensor 280D. In some embodiments, when the electronic device 200 is a flip phone, the electronic device 200 may detect the opening and closing of the flip cover according to the magnetic sensor 280D. Features such as automatic unlocking upon opening the flip cover can then be set according to the detected opening and closing state of the holster or of the flip cover.
The acceleration sensor 280E may detect the magnitude of acceleration of the electronic device 200 in various directions (typically three axes). The magnitude and direction of gravity can be detected when the electronic device 200 is stationary. The acceleration sensor can also be used for recognizing the posture of the electronic device, and is applied to horizontal and vertical screen switching, pedometers and other applications.
The distance sensor 280F is used to measure distance. The electronic device 200 may measure the distance by infrared or laser. In some embodiments, in a shooting scenario, the electronic device 200 may use the distance sensor 280F to measure distance for fast focusing.
The proximity light sensor 280G may include, for example, a Light Emitting Diode (LED) and a light detector, such as a photodiode. The light emitting diode may be an infrared light emitting diode. The electronic device 200 emits infrared light to the outside through the light emitting diode. The electronic device 200 detects infrared reflected light from nearby objects using the photodiode. When sufficient reflected light is detected, it can be determined that there is an object near the electronic device 200. When insufficient reflected light is detected, the electronic device 200 may determine that there are no objects near the electronic device 200. The electronic device 200 can use the proximity light sensor 280G to detect that the user is holding the electronic device 200 close to the ear for talking, so as to automatically turn off the screen to save power. The proximity light sensor 280G may also be used to automatically unlock and lock the screen in holster mode and pocket mode.
The ambient light sensor 280L is used to sense the ambient light level. The electronic device 200 may adaptively adjust the brightness of the display screen 294 based on the perceived ambient light level. The ambient light sensor 280L may also be used to automatically adjust the white balance when taking a picture. The ambient light sensor 280L may also cooperate with the proximity light sensor 280G to detect whether the electronic device 200 is in a pocket to prevent inadvertent contact.
The fingerprint sensor 280H is used to collect a fingerprint. The electronic device 200 can use the collected fingerprint characteristics to implement fingerprint unlocking, access to an application lock, fingerprint-triggered photographing, fingerprint-based answering of incoming calls, and the like.
The temperature sensor 280J is used to detect temperature. In some embodiments, the electronic device 200 implements a temperature processing strategy using the temperature detected by the temperature sensor 280J. For example, when the temperature reported by the temperature sensor 280J exceeds the threshold, the electronic device 200 performs a reduction in performance of a processor located near the temperature sensor 280J, so as to reduce power consumption and implement thermal protection. In other embodiments, the electronic device 200 heats the battery 242 when the temperature is below another threshold to avoid the low temperature causing the electronic device 200 to shut down abnormally. In other embodiments, when the temperature is below a further threshold, the electronic device 200 performs a boost on the output voltage of the battery 242 to avoid an abnormal shutdown due to low temperature.
The touch sensor 280K is also referred to as a "touch panel". The touch sensor 280K may be disposed on the display screen 294, and the touch sensor 280K and the display screen 294 together form a touchscreen. The touch sensor 280K is used to detect a touch operation applied on or near it. The touch sensor can pass the detected touch operation to the application processor to determine the touch event type. Visual output related to touch operations may be provided through the display screen 294. In other embodiments, the touch sensor 280K can be disposed on a surface of the electronic device 200 at a different location than the display screen 294.
The bone conduction sensor 280M may acquire a vibration signal. In some embodiments, the bone conduction sensor 280M may acquire a vibration signal of the bone vibrated by the human vocal part. The bone conduction sensor 280M may also contact the pulse of the human body to receive the blood pressure pulsation signal.
In some embodiments, bone conduction sensor 280M may also be disposed in a headset, integrated into a bone conduction headset. The audio module 270 may parse out a voice signal based on the vibration signal, acquired by the bone conduction sensor 280M, of the bone vibrated by the vocal part, so as to implement a voice function. The application processor can parse out heart rate information based on the blood pressure pulsation signal acquired by the bone conduction sensor 280M, so as to implement the heart rate detection function.
The keys 290 include a power-on key, a volume key, etc. The keys 290 may be mechanical keys or touch keys. The electronic device 200 may receive a key input, and generate a key signal input related to user setting and function control of the electronic device 200.
The motor 291 may generate a vibration cue. The motor 291 can be used for both incoming call vibration prompting and touch vibration feedback. For example, touch operations applied to different applications (e.g., photographing, audio playing, etc.) may correspond to different vibration feedback effects. Touch operations on different areas of the display screen 294 may also correspond to different vibration feedback effects of the motor 291. Different application scenarios (such as time reminders, receiving information, alarm clocks, games and the like) can also correspond to different vibration feedback effects. The touch vibration feedback effect may also support customization.
Indicator 292 may be an indicator light that may be used to indicate a state of charge, a change in charge, or may be used to indicate a message, missed call, notification, etc.
The SIM card interface 295 is used to connect a SIM card. The SIM card can be attached to and detached from the electronic device 200 by being inserted into the SIM card interface 295 or being pulled out from the SIM card interface 295. The electronic device 200 may support 1 or N SIM card interfaces, N being a positive integer greater than 1. The SIM card interface 295 may support a Nano SIM card, a Micro SIM card, a SIM card, etc. Multiple cards can be inserted into the same SIM card interface 295 at the same time. The types of the plurality of cards may be the same or different. The SIM card interface 295 may also be compatible with different types of SIM cards. The SIM card interface 295 may also be compatible with external memory cards. The electronic device 200 interacts with the network through the SIM card to implement functions such as calls and data communication. In some embodiments, the electronic device 200 employs an eSIM, namely an embedded SIM card. The eSIM card can be embedded in the electronic device 200 and cannot be separated from the electronic device 200.
It should be noted that, if the electronic device is a server, the server includes a processor and a communication interface.
The embodiments of the present application do not particularly limit the specific structure of the execution subject of the data protection method, provided that it can run a program recording the code of the data protection method of the embodiments of the present application and thereby communicate according to that method. For example, an execution subject of the data protection method provided by the embodiment of the present application may be a functional module in the electronic device that is capable of calling and executing a program, or a communication apparatus, such as a chip, applied to the electronic device.
For a clear understanding of the data protection method provided by the embodiments of the present application, the method is described below with two execution subjects in turn: the first device, which serves as the server of the samba protocol and has an external storage device, and the third device, which has an external storage device. When the first device is the execution subject, two situations may exist:
In the first case, no encrypted main directory of the user exists in the external storage device of the first device. In this case, an encrypted main directory needs to be created for the user, and a protection policy needs to be set for the data in the encrypted main directory: an access control policy for the main directory and an encryption and decryption policy for the data in the main directory.
In the second case, the encrypted main directory of the user already exists in the external storage device of the first device. In this case, the access right to the encrypted main directory and the encryption/decryption right for the data in it need to be obtained, based on the preset protection policy of that data, in order to access or modify the data in the encrypted main directory.
When the third device is used as an execution subject, the encrypted main directory of the user exists in the external storage device of the third device, and the third device needs to obtain the encryption and decryption authority of the data in the encrypted main directory based on a preset protection policy of the data in the encrypted main directory to access or modify the data in the encrypted main directory.
First, a first case when the first device implements the data protection method provided in the embodiment of the present application as an execution subject is described below.
Referring to fig. 3, fig. 3 is a schematic flow chart of a data protection method provided in this embodiment of the present application. As shown in the figure, the method is applied to a first device that supports an information service block service and that may be connected to an external storage device as a server in the samba protocol. The method implements the data protection method for the first case and includes:
Step 301, the first device receives a first account and a root key sent by the second device, where the root key is obtained after the first account and a first password corresponding to the first account are successfully verified.
In the embodiment of the application, the first device may be connected with an external storage device. A samba service program is installed on the first device, so the first device can act as the server in the samba protocol, and the second device acts as the client in the samba protocol. By way of example, the first device may be a router or the like and the second device may be a cell phone, a computer, a tablet computer or the like.
The second device is provided with a first application, which is companion application software. When a user needs to create a new account in the external storage device to store data, the first account needs to be registered first.
For example, a user may register a first account with a preset server through a first application in the second device, and set a login password for the first account at the same time. After the first account registration is successful, the user can log in a first application in the second device through the first account and the login password, the first application in the second device sends the first account and the login password to the cloud server, and after the cloud server successfully verifies the first account and the login password, the cloud server generates a root key based on a preset root key generation rule and sends the root key to the second device.
Or, the user may register the first account with the preset server through the first application in the second device, and set a login password for the first account at the same time. After the first account registration is successful, the cloud server generates a root key for the first account, and stores the root key in the cloud server. The user logs in a first application in the second device through the first account and the login password later, the first application in the second device sends the first account and the login password to the cloud server, and the cloud server acquires the stored root key after successfully verifying the first account and the login password and sends the root key to the second device.
After receiving the root key sent by the preset server, the second device may establish a connection with the first device in a wired or wireless manner, and after the connection is successful, the second device may send the first account and the root key to the first device.
In the embodiment of the application, the first account can be a mobile phone number, an email account and the like. Registering with a mobile phone number or an email account makes it convenient to retrieve or reset the login password later.
In addition, the first password may be a login password set by the user in the above example, or may be an authentication code acquired through a mobile phone number and an email account.
For example, a user sends a first account to a preset server through a first application in the second device, the preset server sends a verification code to the first account, and the user logs in to the first application with the first account and the verification code. The second device on which the first application runs sends the first account and the verification code to a cloud server, and after the cloud server successfully verifies the first account and the verification code, it sends a root key to the second device. The second device then sends the received root key and the first account to the first device.
Step 302, when the encrypted main directory of the first account does not exist in the external storage device of the first device, the first device creates the encrypted main directory for the first account in the external storage device, wherein data in the encrypted main directory of the first account is encrypted and decrypted based on the root key.
In this embodiment of the application, when the first account logs in the first application for the first time and is connected to the first device, an encrypted main directory of the first account may not exist in the external storage device of the first device, an encrypted main directory may be created for the first account, and after the encrypted main directory of the first account is created in the external storage device for the first account, data in the encrypted main directory of the first account may be set to be encrypted and decrypted based on a root key. That is, the first device sets an encryption and decryption policy for the data in the encrypted main directory, and when the user needs to access or modify the data in the encrypted main directory of the first account, the data stored in the main directory needs to be encrypted or decrypted based on the obtained root key.
It should be noted that, after the first device creates an encrypted main directory for the first account in the external storage device, data created or stored by the user does not exist in the encrypted main directory; setting data in the encrypted main directory of the first account to be encrypted and decrypted based on the root key indicates that when data created or stored by a user exists in the encrypted main directory of the first account, the data of the user in the encrypted main directory is encrypted and decrypted based on the root key.
Step 303, the first device receives the second account and the second password corresponding to the second account, which are sent by the second device, and sets the second account and the second password as the authentication information of the encrypted main directory of the first account when the external storage device is mounted on the first device.
In this embodiment of the application, the second account may be an account based on the samba protocol, that is, the second account and a second password corresponding to the second account are authentication information in an access control policy set for the encrypted master directory by the first device. After the authentication of the second account and the second password is successful, the access right of the encrypted main directory of the first account can be obtained.
The user can input a second account and a second password in a first application of the second device, the second device sends the second account and the second password to the first device, and the first device sets the second account and the second password as authentication information of an access control strategy of an encrypted main directory of the first account.
According to the embodiment of the application, when an encrypted main directory is created for a first account in an external storage device for the first time, an encryption and decryption strategy is set for data in the encrypted main directory of the first account based on a root key, and an access control strategy is set for the encrypted main directory of the first account based on a second account and a second password. When the external storage device is mounted on the first device, the security of the data in the encrypted main directory is improved through a dual protection strategy, namely, the access control strategy of the encrypted main directory is utilized to ensure that only a user obtaining the access authority of the encrypted main directory can access the encrypted main directory, and the encryption and decryption strategy of the data in the encrypted main directory is utilized to ensure that the data in the encrypted main directory is stored in a ciphertext mode. When the external storage device is mounted on other electronic devices, even if the other electronic devices do not have the access control policy for encrypting the main directory, the encryption and decryption policy for encrypting the data in the main directory can be used for ensuring that the data in the encrypted main directory is stored in a ciphertext form, the data in the encrypted main directory can be decrypted only if the root key is obtained through the first account and the first password, and other users can not access or modify the data in the encrypted main directory of the first account.
As another embodiment of the present application, after the first device creates an encrypted main directory for the first account in the external storage device, the method further includes:
the first device generates a master key of the encrypted main directory of the first account and sets the master key of the encrypted main directory of the first account in a system kernel of the first device;
the first device stores the master key of the encrypted main directory of the first account in encrypted form in the external storage device, wherein the root key is used to decrypt and obtain the master key stored in encrypted form in the external storage device, and data in the encrypted main directory of the first account is encrypted and decrypted based on the master key.
In this embodiment of the present application, the first device may further generate a master key of the encrypted main directory of the first account. The master key may derive a working key, based on which data in the encrypted main directory may be encrypted and decrypted. The master key is stored in encrypted form in the external storage device. The encrypted master key may be read from the storage device and decrypted based on the root key of the encrypted main directory.
In order to have a clearer understanding of the root key, the master key, and the working key, refer to fig. 4, which shows the relationship between the root key, the master key, and the working key. As shown in fig. 4, when the first device sets an encryption and decryption policy for data in the encrypted main directory of the first account, the root key of the encrypted main directory of the first account is used to decrypt and obtain the master key stored in encrypted form in the external storage device, and the master key of the encrypted main directory derives the working keys, which are used for encrypting and decrypting the data stored in the encrypted main directory in the external storage device. When encrypted main directories of several first accounts exist in the external storage device, root key 1 of the first account A is used to decrypt and obtain master key 1, and master key 1 derives working key 11, ..., working key 1n. Each working key encrypts and decrypts a file in the encrypted main directory of the first account A. Root key 2 of the first account B is used to decrypt and obtain master key 2, and master key 2 derives working key 21, ..., working key 2n. Each working key encrypts and decrypts a file in the encrypted main directory of the first account B.
As for data stored in an encrypted main directory of a first account A corresponding to a user A and data stored in an encrypted main directory of a first account B corresponding to a user B in an external storage device, reference may be made to fig. 5, which is a schematic diagram of data in an encrypted main directory of a first account in a storage device provided in this embodiment of the present application. The storage device in the figure serves as an external storage device of the electronic device and contains an encrypted main directory of the first account A of user A and an encrypted main directory of the first account B of user B. When the external storage device is mounted on the first device, the first device has an access control policy for the encrypted main directory, and therefore the access right of the encrypted main directory of the first account corresponding to the second account can be obtained only through the second account and the second password. The data stored in the encrypted main directory of the first account A includes file 1, ..., file n, which are encrypted and decrypted by working key 11, ..., working key 1n derived from the master key, respectively. Correspondingly, the data stored in the encrypted main directory of the first account B includes file 1, ..., file n, which are encrypted and decrypted by working key 21, ..., working key 2n, respectively.
As can be understood from fig. 4 and fig. 5, if the user needs to access or modify data in the encrypted main directory of the first account, it is necessary to obtain access rights of the encrypted main directory of the first account based on the second account and the second password; the root key of the encrypted main directory of the first account is obtained based on the first account and the first password, the master key of the encrypted main directory of the first account is obtained based on decryption of the root key of the encrypted main directory of the first account, and the file in the encrypted main directory of the first account is decrypted based on the master key of the encrypted main directory of the first account.
As another embodiment of the present application, the first device storing a master key of an encrypted master directory of a first account in an external storage device in an encrypted manner includes:
the first device creates a key file of the first account in the external storage device;
the first device stores the master key of the encrypted main directory of the first account in encrypted form in the key file of the first account.
In this embodiment of the present application, a key file may be set for the first account, where the key file is stored in the external storage device, and the master key of the encrypted main directory of the first account is stored in the key file in an encrypted manner.
The second account and the second password may also be stored in the key file in an encrypted manner, and when a subsequent user accesses or modifies data in the encrypted main directory of the first account, the first device decrypts the data based on the root key of the encrypted main directory of the first account to obtain the second account and the second password, and obtains the access right of the encrypted main directory of the first account based on the decrypted second account and the decrypted second password.
Certainly, in practical application, the master key of the encrypted main directory of the first account, the second account and the second password may also be stored in the external storage device in an encrypted manner in other forms, which is not limited in this embodiment of the present application.
In order to clearly understand the manner of setting the protection policy of the data in the foregoing embodiment, refer to fig. 6, which is a timing diagram of a data protection method provided in an embodiment of the present application. As shown, a user inputs a first account and a first password through a first application in a second device; the second device sends the first account and the first password to the server; after the server successfully verifies the first account and the first password, it generates a root key and sends it to the second device; after receiving the root key, the second device connects to the first device and sends the first account and the root key to the first device. The first device is connected to an external storage device. After the first device receives the root key, if the storage device serving as its external storage device does not contain an encrypted main directory of the first account, the first device creates an encrypted main directory and a key file for the first account in the external storage device; the first device generates a master key of the encrypted main directory of the first account and sets the master key in the system kernel of the first device; the first device stores the master key in the key file in encrypted form. When the encrypted main directory of the first account exists in the system kernel of the first device, if the first device receives a data access request or a data modification request for the encrypted main directory of the first account, the first device may automatically encrypt or decrypt data in the encrypted main directory based on the master key in the system kernel.
It should be noted that, in the timing diagram shown in fig. 6, the first device first creates a key file, then generates a master key, and encrypts and stores the master key in the key file. In practical applications, the operation of creating the key file in the external storage device by the first device may be performed at any point before the master key is encrypted and stored in the key file; the operation of setting the master key in the system kernel and the operation of encrypting and storing the master key in the key file may also be ordered differently according to actual situations. The timing chart shown in fig. 6 is merely an example, and does not set any limit to the embodiments of the present application.
The user can continue to input the second account and the second password in the first application of the second device, or the first application of the second device generates the second account and the second password, the second device sends the second account and the second password to the first device, and the first device encrypts and stores the second account and the second password in the key file as authentication information of the encrypted main directory.
After the setting is completed, if the user logs out of the first account on the second device or the login of the first account times out, the second device sends the exit information of the first account to the first device, so that the first device clears the master key in its system kernel and locks the encrypted main directory of the first account.
The sequence diagram shown in fig. 6 mainly describes information interaction among the server, the second device, the first device, and the storage device, and the execution order of some steps is determined based on internal logic.
As another embodiment of the present application, the root key may be generated from root keying material, which may include a plurality of sub-portions, at least one sub-portion of the root keying material being a verification sub-portion.
Correspondingly, the receiving, by the first device, the first account and the root key sent by the second device includes:
the first device receives a first account and a verification sub-portion of the root keying material sent by the second device, wherein the verification sub-portion of the root keying material is obtained after the first account and a first password corresponding to the first account are successfully verified. That is, the verification sub-portion may be obtained from a preset server. The preset server sends the verification sub-portion of the root keying material to the second device, and the second device sends the first account and the verification sub-portion of the root keying material to the first device. For the specific process by which the preset server obtains the verification sub-portion of the root keying material, refer to the process of obtaining the root key by the preset server described above, which is not repeated here.
In this embodiment of the application, in order to improve the security of data in the external storage device, the root keying material of the root key, which is used to decrypt the master key of the encrypted main directory of the first account from the external storage device, may further be divided into at least two sub-portions. After the first device or another electronic device acquires the sub-portions of the root keying material, it generates the root key from those sub-portions and, based on the root key, decrypts the master key of the encrypted main directory of the first account from the external storage device.
As another embodiment of the present application, the root keying material may further include: a local sub-portion;
correspondingly, when the encrypted main directory of the first account does not exist in the external storage device of the first device, the method further includes:
the first device generates a local sub-portion of the root keying material and stores the local sub-portion of the root keying material in the external storage device.
As another embodiment of the present application, the root keying material further comprises an application sub-portion stored in the first application of the second device.
In embodiments of the present application, the other sub-portions of the root keying material may comprise at least one of a local sub-portion and an application sub-portion.
When the root keying material includes a local sub-portion, the first device generates the local sub-portion of the root keying material and stores it in the external storage device.
When the root keying material comprises an application sub-portion, the application sub-portion is stored in the first application of the second device or in the first application of the third device, i.e. the application sub-portion may be written into the application software during the development phase of the application software.
The verification sub-portion in the embodiment of the application is obtained based on the first account and the first password, so different users can be distinguished by the first account. The local sub-portion may be stored in the external storage device; therefore, even if the external storage device is mounted on another electronic device, the other electronic device can still obtain the local sub-portion from the external storage device and thereby decrypt the master key of the encrypted main directory. The application sub-portion can be built into the matching application software during its development stage; therefore, only the matching application software can obtain the application sub-portion and decrypt the master key of the encrypted main directory.
As another embodiment of the present application, the receiving, by a first device, a second account and a second password corresponding to the second account, where the second account and the second password are sent by a second device, includes:
the first device receives a second account input by a user on the second device and a second password corresponding to the second account, both sent by the second device;
or the first device receives a second account generated by the second device and a second password corresponding to the second account, which are sent by the second device.
In the embodiment of the application, the user can input the second account and the second password through the first application in the second device, and the second device sends the received second account and the received second password input by the user to the first device. The first application in the second device may also randomly generate a second account and a second password for the user, and of course, the first application in the second device may also display the second account and the second password to prompt the user to remember the second account and the second password.
As another embodiment of the present application, after the first device receives the second account and the second password corresponding to the second account, the method further includes:
the first device encrypts and stores a second account and a second password in the external storage device, wherein the second account and the second password are obtained by decryption based on the root key.
In the embodiment of the application, a user who had to remember the first account and the first password as well as the second account and the second password in order to access data in the encrypted main directory of the first account would face cumbersome operation and might forget an account or password. To avoid this, the second account and the second password may be stored in the external storage device. When a user needs to access or modify data in the encrypted main directory, a root key is obtained based on the first account and the first password, the second account and the second password are obtained from the external storage device based on the root key, and the access right of the encrypted main directory of the first account is obtained with the second account and the second password so obtained. Thus, the user can access the data in the encrypted main directory of the first account without remembering the second account and the second password. Meanwhile, because the second account and the second password have to be acquired based on the first account and the first password, data security is also ensured.
The above describes the first case in which the first device, as the execution subject, implements the data protection method provided by the embodiment of the present application. The following describes the second case in which the first device, as the execution subject, implements the data protection method provided by the embodiment of the present application.
Referring to fig. 7, fig. 7 is a schematic flowchart of a data protection method corresponding to the embodiment shown in fig. 3 according to an embodiment of the present application. After the first device sets the protection policy for the data in the encrypted main directory of the first account according to the embodiment shown in fig. 3, if the external storage device is still mounted on the first device, the data in the encrypted main directory may be accessed or modified according to the data protection method provided in the embodiment shown in fig. 7. The data protection method provided by the embodiment shown in fig. 7 is applied to the first device described in the embodiment shown in fig. 3, and the method includes:
Step 701, the first device receives a first account and a root key sent by the second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified.
In the embodiment of the present application, the content of the step is the same as that of step 301, and reference may be specifically made to the description of step 301, which is not described herein again.
Step 702, when the encrypted main directory of the first account exists in the external storage device of the first device, if the authentication information is set for the encrypted main directory of the first account by the first device, the first device acquires the second account and a second password corresponding to the second account, and authenticates the second account and the second password as the authentication information of the encrypted main directory.
In this embodiment of the application, the encrypted main directory of the first account may or may not exist in the external storage device of the first device. If it does not exist, the first account is logging in to the first application to connect to the first device for the first time, and the first device performs steps 302 to 303 in the embodiment shown in fig. 3. If it exists, this is not the first time the first account logs in to the first application to connect to the first device, and the first device performs steps 702 to 704.
Whatever data protection policy was set for the encrypted main directory of the first account in the embodiment shown in fig. 3, the corresponding rights must be obtained under that same policy when data in the encrypted main directory needs to be accessed or modified.
As shown in fig. 3, the protection policy set for the data in the main directory of the first account in the storage device includes: an access control policy for the encrypted main directory and an encryption/decryption policy for the data in the encrypted main directory. In the embodiment shown in fig. 3 the access control policy of the encrypted main directory is configured in the first device, that is, the first device sets authentication information corresponding to the access control policy for the encrypted main directory of the first account. The first device therefore needs to acquire the second account and the second password and authenticate them as the authentication information of the encrypted main directory.
The user can input a second account and a second password in the first application of the second device, and the second device sends the second account and the second password to the first device. Of course, the first device may also decrypt the second account and the second password from the external storage device.
Step 703, after the authentication of the second account and the second password is successful, if the first device receives a data access request or a data modification request of the encrypted main directory of the first account sent by the second device, the first device responds to the received data access request or data modification request based on the root key.
In this embodiment of the application, successful authentication of the second account and the second password indicates that the access right of the encrypted main directory of the first account has been obtained. The encrypted main directory of the first account and the files in it may therefore be displayed in the first application of the second device; the files in the encrypted main directory, however, are stored as ciphertext. The preset encryption and decryption policy for the data in the encrypted main directory is as follows: the data in the encrypted main directory is encrypted and decrypted based on the root key.
When a user needs to access a file in the encrypted main directory, the user can open the displayed file in the first application of the second device. After receiving the corresponding operation of the user, the second device sends a data access request to the first device, and after receiving the data access request the first device can decrypt the corresponding file based on the root key of the encrypted main directory of the first account and open it.
Similarly, when a user needs to create new data in the encrypted main directory of the first account, the user may perform an operation of creating new data in the encrypted main directory displayed by the first application of the second device. The second device sends a data creation request for the encrypted main directory of the first account, together with the data to be created, to the first device. After receiving them, the first device creates the data in the encrypted main directory of the first account in the external storage device and encrypts the newly created data based on the root key.
When a user needs to perform other modification operations on data in the encrypted main directory of the first account, the user may perform the modification operations on the data in the encrypted main directory displayed by the first application of the second device. The second device sends a data modification request for the encrypted main directory of the first account to the first device. After receiving the request, the first device decrypts the data to be modified based on the root key, performs the corresponding modification operations, and encrypts the modified data.
It should be noted that the modification of the data in the encrypted main directory is only used as an example, and in practical applications, the modification process may be different from the data modification process described above, and in the process of the first device responding to the modification operation corresponding to the data modification request in the embodiment of the present application, the encryption and decryption of the data are implemented based on the root key. Moreover, the modification of the data in the encrypted master directory is not limited to creation, copy, cut, paste, and deletion, and may be other modification operations of the data, such as editing a document stored in the encrypted master directory, processing an image stored in the encrypted master directory, and the like.
Step 704, after the first device receives the exit information of the first account, the first device locks the encrypted main directory of the first account.
In this embodiment of the application, if a user logs out of the first account in the first application of the second device or the login of the first account times out (for example, when the first account is in a login state, the running time of the first application in a background exceeds a preset time; when the first account is in the login state, the time interval between the last detection of the user operation on a display interface of the first application and the last detection of the first account exceeds the preset time), the second device sends the exit information of the first account to the first device, and after the first device receives the exit information of the first account, the first device locks the encrypted main directory of the first account.
In the embodiment of the application, if the external storage device is still mounted on the first device, or the external storage device is disconnected from the first device and then mounted on the first device again, since the access control policy of the primary directory of the first account is configured on the first device, when a user needs to access or modify data in the encrypted primary directory of the first account, the user needs to obtain the access right of the encrypted primary directory of the first account based on the access control policy; since the data in the encrypted main directory of the first account is stored in the external storage device in the form of a ciphertext based on the data encryption and decryption policy, when the user needs to access or modify the encrypted main directory of the first account, the root key of the encrypted main directory of the first account needs to be obtained, so that the data in the encrypted main directory can be encrypted and decrypted based on the root key of the encrypted main directory of the first account.
As another embodiment of the present application, when an encrypted main directory of a first account exists in an external storage device of a first device, the method further includes:
the first device decrypts, based on the root key, the master key of the encrypted main directory of the first account from the external storage device;
the first device sets the master key of the encrypted main directory of the first account in the system kernel of the first device.
Accordingly, in step 703, the first device responding to the received data access request or data modification request based on the root key includes: the first device responds to the received data access request or data modification request based on the master key in the system kernel.
In step 704, the locking, by the first device, the encrypted home directory of the first account includes: the first device clears the master key in the system kernel.
As another embodiment of the present application, the decrypting, by the first device, the master key of the encrypted master directory of the first account from the external storage device based on the root key includes:
the first device analyzes the encryption information in the key file stored in the external storage device through the root key to obtain the master key of the encrypted main directory of the first account.
In this embodiment of the application, based on the data encryption and decryption policy shown in fig. 4, the first device may decrypt, based on the root key, the master key of the encrypted main directory of the first account from the external storage device. The first device sets the master key of the encrypted main directory of the first account in the system kernel of the first device. The user sends a data access request or a data modification request to the first device through the first application in the second device; the first device automatically derives a corresponding working key from the master key in the system kernel, decrypts the data to be accessed or modified with the working key, and encrypts the data again after the access or modification is finished. After the user logs out of the first account in the first application of the second device, the second device sends exit information to the first device. After receiving the exit information of the first account, the first device can clear the master key in the system kernel, that is, the first device no longer has encryption and decryption authority over the data in the encrypted main directory of the first account.
Of course, if the master key of the encrypted master directory of the first account is stored in the key file of the first account in the external storage device in an encrypted manner in the preset data encryption and decryption policy, the first device analyzes the encrypted information in the key file stored in the external storage device by using the root key to obtain the master key of the encrypted master directory of the first account.
For a clearer understanding of the process of accessing or modifying data in the encrypted main directory based on the preset data protection policy, refer to fig. 8, which is a timing diagram of another data protection method provided by the embodiment of the present application; the storage device in the figure may be an external storage device of the first device. For the steps before the first device receives the root key sent by the second device, refer to the description of the timing diagram shown in fig. 6, which is not repeated here. After the first device receives the root key sent by the second device, the first device decrypts the key file of the first account based on the root key, obtains the master key of the encrypted main directory of the first account, and sets the master key in the system kernel of the first device. The user inputs a second account and a second password through the first application of the second device; the second device sends the second account and the second password input by the user to the first device as authentication information; and after successfully authenticating the second account and the second password, the first device acquires a data access request or a data modification request sent by the user through the first application of the second device, encrypts or decrypts data in the encrypted main directory based on the master key in the system kernel, and executes the corresponding data access or modification operation.
Certainly, after the first device receives the exit information of the first account sent by the second device, the first device clears the master key in the system kernel of the first device, and locks the encrypted home directory of the first account.
As another embodiment of the present application, the root key is generated from root keying material that includes at least two sub-portions, and one of the sub-portions is a verification sub-portion.
Correspondingly, the receiving, by the first device, the first account and the root key sent by the second device includes:
the first device receives a first account and a verification sub-portion of the root keying material sent by the second device, wherein the verification sub-portion of the root keying material is obtained after the first account and a first password corresponding to the first account are successfully verified.
As another embodiment of the present application, when the root keying material includes a local sub-portion, before the first device responds to the received data access request or data modification request based on the root key, the method further includes:
the first device retrieves a local sub-portion of the root keying material from an external storage device.
When the root keying material comprises the application sub-portion, before the first device responds to the received data access request or data modification request based on the root key, the method further comprises the following steps:
the first device obtains from the second device the application sub-portion of the root keying material stored in the first application of the second device.
In the embodiment of the present application, before the first device performs the related operation based on the root key of the encrypted main directory of the first account, it needs to acquire each sub-portion of the root keying material and then generate the root key from those sub-portions.
It should be noted that, in practical applications, however many sub-portions are set for the root keying material when the protection policy for the data in the encrypted main directory is set, the same number of sub-portions of the root keying material must be obtained in the data access stage or data modification stage to generate the root key.
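The setup stage (the first device generates the local sub-portion and the master key and writes the key file) and the access stage (a device collects every sub-portion, regenerates the root key and parses the key file) can be sketched as follows. This is an added example, not code from the application: the application names no algorithms, so HKDF-SHA256 for combining the sub-portions, the HMAC-based wrap (a standard-library stand-in for an AEAD key wrap such as AES-GCM) and all function and field names are assumptions.

```python
import hashlib
import hmac
import secrets


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_root_key(account: str, verification: bytes,
                    local: bytes = b"", application: bytes = b"") -> bytes:
    """Generate the root key from the sub-portions of the root keying material."""
    if not verification:
        raise ValueError("the verification sub-portion is mandatory")
    # Length-prefix each sub-portion so (b"ab", b"c") and (b"a", b"bc") differ.
    ikm = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (verification, local, application))
    return hkdf(ikm, salt=account.encode(), info=b"root-key")


def wrap_master_key(root_key: bytes, master_key: bytes) -> dict:
    """Encrypt the master key under the root key; the result is the key file."""
    salt = secrets.token_bytes(16)  # fresh per wrap, so the pad is never reused
    pad = hkdf(root_key, salt, b"wrap-pad", len(master_key))
    mac_key = hkdf(root_key, salt, b"wrap-mac")
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(root_key: bytes, key_file: dict) -> bytes:
    """Parse the key file; fails closed on a wrong root key or a modified file."""
    salt, wrapped, tag = key_file["salt"], key_file["wrapped"], key_file["tag"]
    mac_key = hkdf(root_key, salt, b"wrap-mac")
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong root key or modified key file")
    pad = hkdf(root_key, salt, b"wrap-pad", len(wrapped))
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def setup_drive(account: str, verification: bytes, application: bytes = b""):
    """First login: create the local sub-portion, the master key and the key file."""
    local = secrets.token_bytes(32)       # generated by the first device
    master_key = secrets.token_bytes(32)  # later set in the system kernel
    root_key = derive_root_key(account, verification, local, application)
    drive = {"local_subportion": local,   # stored on the external storage device
             "key_file": wrap_master_key(root_key, master_key)}
    return drive, master_key


def unlock_drive(account: str, verification: bytes, drive: dict,
                 application: bytes = b"") -> bytes:
    """Later login, on any device the drive is mounted on: recover the master key."""
    root_key = derive_root_key(account, verification,
                               drive["local_subportion"], application)
    return unwrap_master_key(root_key, drive["key_file"])


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    drive, mk = setup_drive("alice", b"server-issued-portion", b"app-baked-portion")
    assert unlock_drive("alice", b"server-issued-portion", drive, b"app-baked-portion") == mk
    print("master key recovered from key file")
```

Because the local sub-portion is stored on the same drive as the key file, the secrecy of the root key in this sketch rests on the verification and application sub-portions.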
As another embodiment of the present application, in a stage of accessing or modifying data in an encrypted main directory of a first account, a user may input a previously set second account and a second password in a first application of a second device to obtain an access right of the encrypted main directory, or the first device may decrypt and obtain the second account and the second password from an external storage device based on a root key to obtain the access right of the encrypted main directory.
Of course, if it is preset that the user needs to manually input the second account and the second password, the user may also retrieve the second account and the second password after forgetting them.
As an example, in response to a received request for retrieving the second password corresponding to the second account, the first device decrypts, based on the root key, the second account and the second password corresponding to the second account from the external storage device, and sends them to the second device. For details, refer to the method for retrieving the second account and the second password provided in the embodiment shown in fig. 9; the storage device in fig. 9 may be an external storage device of the first device.
The above describes the first case and the second case in which the first device, as the execution subject, implements the data protection method provided by the embodiment of the present application. The following describes the case in which the third device, as the execution subject, implements the data protection method provided by the embodiment of the present application.
Referring to fig. 10, fig. 10 is a schematic flowchart of a data protection method corresponding to the embodiment shown in fig. 3 according to an embodiment of the present application. After the first device sets a protection policy for data in the encrypted main directory of the first account according to the embodiment shown in fig. 3, if the external storage device is disconnected from the first device and mounted on another electronic device, the data in the encrypted main directory may be accessed or modified according to the data protection method provided in the embodiment shown in fig. 10. The data protection method provided by the embodiment shown in fig. 10 is applied to other electronic devices other than the first device described in the embodiment shown in fig. 3, where the other electronic devices are denoted as third devices, and the method includes:
Step 1001, in response to the first account and the first password corresponding to the first account received by the second application, the third device sends the first account and the first password corresponding to the first account to the preset server.
In this embodiment of the application, the third device does not configure an access control policy for the first account, and the samba service program may not be loaded in the third device. The third device may have a second application installed therein, where the first application and the second application are application software respectively installed in different electronic devices, and when the third device and the second device are the same, the first application and the second application may be the same application software.
By way of example, when the storage device is mounted on a router (first device), a mobile phone (second device) establishes a wireless connection with the router, and a user can access data in an encrypted main directory of a first account in an external storage device of the router through a first application on the mobile phone (second device); when the storage device leaves the first device and is mounted on the mobile phone (third device), the user can also access data in the encrypted main directory of the first account in the external storage device of the mobile phone through a second application (which can be the same as the first application) on the mobile phone (third device).
The matching second application is installed on the third device. The user can input the first account and the first password corresponding to the first account in the second application of the third device, and the third device sends the first account and the first password to the preset server to instruct the preset server to verify them.
Step 1002, the third device receives a root key sent by the preset server after the first account and the first password are successfully verified.
In this embodiment of the application, the process of obtaining the root key after the preset server verifies the first account and the first password may refer to the description in step 301, and is not described herein again. The root key acquired by the third device is consistent with the root key acquired by the first device when the first account is registered.
Step 1003, when the encrypted main directory of the first account exists in the external storage device of the third device and the authentication information is not set for the encrypted main directory of the first account by the third device, if the third device receives a data access request or a data modification request of the encrypted main directory of the first account, the third device responds to the received data access request or data modification request based on the root key.
In this embodiment of the application, since the third device does not have the access control policy of the first account, no samba protocol access barrier exists for the data in the encrypted main directory of the first account when the storage device is mounted on the third device. However, the data in the encrypted main directory of the first account is stored as ciphertext. Therefore, a user who needs to access or modify the data in the encrypted main directory of the first account does not need to authenticate with the second account and the second password as authentication information, but the data still has to be encrypted and decrypted based on the root key. The user may perform an access or modification operation on data in the encrypted main directory of the first account in the second application of the third device to send an access request or a modification request. For the process by which the third device responds to the received data access request or data modification request based on the root key, refer to the description in step 703, which is not repeated here.
Step 1004, after the third device receives the exit information of the first account, the third device locks the encrypted main directory of the first account.
Before the third device receives the exit information of the first account, the third device does not allow other accounts except the first account to log in the second application of the third device.
In the embodiment of the present application, the contents of step 1004 and step 704 are similar, and specific reference may be made to the description related to step 704.
In addition, because the third device is not configured with the access control policy of the encrypted main directory of the first account, no access barrier is effectively set for the encrypted main directory of any first account in the external storage device. When two first accounts are logged in to the second application of the third device at the same time, the third device acquires root key A of the encrypted main directory of first account A and also root key B of the encrypted main directory of first account B. Because the third device has no access barrier for the encrypted main directory of first account A or of first account B, a user who logs in to the second application of the third device with first account A can see the data in the encrypted main directory of first account B, and a user who logs in with first account B can see the data in the encrypted main directory of first account A. When the user sends, through first account A, a request to access or modify data in the encrypted main directory of first account B, the third device can decrypt that data with the root key of first account B that it has obtained. To avoid this, the third device may be set so that, before it receives the logout information of the first account, accounts other than the first account are not allowed to log in to the second application of the third device; that is, the second application of the third device does not allow two first accounts to be logged in at the same time.
In a specific implementation, either of the following may be configured: when a first account is logged in to the second application of the third device and the second application receives a login request from another first account, that login request is rejected; or the logged-in first account is forced to log out and the newly received login request of the other first account is then served.
If the second application of the third device allows only one first account to be logged in at a time, only the root key of the currently logged-in first account exists in the third device, and only access or modification requests for the encrypted main directory sent by the currently logged-in first account can be received. The logged-in first account can therefore access or modify only the data in its own encrypted main directory. As a result, even if the storage device is mounted on an electronic device other than the first device, users cannot arbitrarily access the data in each other's encrypted main directories, and the security of the data in the storage device is improved.
As another embodiment of the present application, when an encrypted main directory of a first account exists in an external storage device of a third device, the method further includes:
the third device obtains, by decryption based on the root key, the master key of the encrypted main directory of the first account from the external storage device;
the third device sets the master key of the encrypted main directory of the first account in a system kernel of the third device.
Correspondingly, the step 1003, in response to the received data access request or data modification request based on the root key, includes: the third device responds to the received data access request or data modification request based on a master key in the system kernel;
correspondingly, in step 1004, locking the encrypted home directory of the first account by the third device includes: the third device clears the master key in the system kernel.
As another embodiment of the present application, when the master key of the encrypted master directory of the first account is encrypted and stored in the key file of the first account in the external storage device, the third device obtains the master key of the encrypted master directory of the first account by parsing the encrypted information in the key file stored in the external storage device through the root key.
In this embodiment of the application, for the manner in which the third device obtains the master key of the encrypted main directory of the first account, responds to the received data access request or data modification request, and locks the encrypted main directory of the first account, refer to the manner in which the first device performs the corresponding operations. Details are not repeated here.
For a clearer understanding of how the third device accesses or modifies data in the encrypted main directory based on the data protection policy preset on the first device, refer to the timing diagram of a data protection method shown in fig. 11, in which the storage device serves as an external storage device of the third device. The user may log in to the companion application software (the second application) on the third device. The user inputs a first account and a first password in the second application of the third device, and the third device sends the first account and the first password to a server. The server verifies the received first account and first password, generates a root key after the verification succeeds, and sends the generated root key to the third device. After receiving the root key, the third device decrypts the key file of the first account based on the root key, obtains the master key of the encrypted main directory of the first account, and sets the master key in the system kernel of the third device. The user sends a data access request or a data modification request through the second application of the third device, and the third device encrypts or decrypts data based on the master key in the system kernel and performs the corresponding data access or data modification operation. After the user sends a logout request through the second application of the third device, the third device sends the logout information of the first account to the server and, at the same time, clears the master key in the system kernel and locks the encrypted main directory.
As can be understood from the timing diagram, if two first accounts are logged in to the third device at the same time, the master keys of the encrypted main directories of both first accounts are present in the system kernel of the third device at the same time. Because the third device does not hold the access control policy of the encrypted main directory of the first account, the two accounts can access each other's encrypted main directory: when data in an encrypted main directory needs to be accessed or modified, the third device receives the data access request or data modification request, decrypts the corresponding data based on the corresponding master key in the system kernel, and performs the corresponding operation. Therefore, if the second application of the third device allows multiple first accounts to be logged in at the same time, those first accounts may access or modify data in each other's encrypted main directories, and the data in the encrypted main directories is not protected. For this reason, the third device needs to be set so that, before it receives the logout information of the first account, accounts other than the first account are not allowed to log in to the second application of the third device.
As another embodiment of the present application, the root key is generated from root keying material that includes at least two sub-portions, and one of the sub-portions is a verification sub-portion.
The third device receiving the root key sent by the preset server after the first account and the first password are successfully verified includes:
the third device receives a verification sub-part of the root key material sent by the preset server after the first account and the first password are successfully verified.
Before the third device responds to the received data access request or data modification request based on the root key, the method further includes: the third device retrieves the local sub-portion of the root keying material from the external storage device.
Before the third device responds to the received data access request or data modification request based on the root key, the method further comprises the following steps: the third device obtains an application subsection of root key material stored in a second application of the third device.
In this embodiment of the application, the process of the third device obtaining each sub-portion of the root key material may refer to the process of the first device obtaining each sub-portion of the root key material, and is not described herein again.
It should be noted that, in practical application, if the preset server can obtain the root key based on the first account and the first password, the root key is not generated from root key material; if the preset server can obtain the complete root key material based on the first account and the first password, the root key is generated from that root key material; if the preset server can obtain only one of the sub-parts of the root key material based on the first account and the first password, the root key is generated from all sub-parts of the root key material, and the first device or the third device needs to obtain the other sub-parts of the root key material before generating the root key.
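The third-device flow above (root key from sub-parts, master key unwrapped from the key file, one first account logged in at a time, key cleared on logout) can be modelled as follows. This is an added sketch, not code from the patent: the patent names no algorithms, so the HMAC-SHA256 combination of sub-parts and the HMAC-based encrypt-then-MAC wrapping are stand-in assumptions, all names are hypothetical, and the "system kernel" key slot is modelled as an object attribute.

```python
import hashlib
import hmac
import secrets


def derive_root_key(verification, local, application):
    """Combine the three root-key-material sub-parts into a 32-byte root key.

    Assumption: the combination rule is not on the page. Parts are
    length-prefixed so that shifting bytes between parts changes the key.
    """
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in (local, application))
    return hmac.new(verification, msg, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(root_key):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(root_key, b"enc", hashlib.sha256).digest(),
            hmac.new(root_key, b"mac", hashlib.sha256).digest())


def wrap_master_key(root_key, master_key):
    """Produce the key-file blob kept on external storage: nonce | ct | tag."""
    enc_key, mac_key = _subkeys(root_key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(master_key))
    ct = bytes(a ^ b for a, b in zip(master_key, ks))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap_master_key(root_key, blob):
    """Recover the master key; reject a wrong root key or a modified key file."""
    enc_key, mac_key = _subkeys(root_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong root key or tampered key file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ThirdDeviceSession:
    """Second application on the third device plus a single kernel key slot."""

    def __init__(self, key_files, evict_on_new_login=False):
        self.key_files = key_files          # account -> wrapped master key
        self.evict = evict_on_new_login     # False: reject, True: force logout
        self.active = None
        self._kernel_key = None

    def login(self, account, root_key):
        other_active = self.active is not None and self.active != account
        if other_active and not self.evict:
            return False                    # policy 1: reject the second login
        master = unwrap_master_key(root_key, self.key_files[account])
        if other_active:
            self.logout()                   # policy 2: log the first account out
        self.active, self._kernel_key = account, bytearray(master)
        return True

    def can_access(self, directory_owner):
        # Only the logged-in account's directory has a key in the slot.
        return self._kernel_key is not None and self.active == directory_owner

    def logout(self):
        if self._kernel_key is not None:
            for i in range(len(self._kernel_key)):
                self._kernel_key[i] = 0     # clear the key, then drop it
        self.active, self._kernel_key = None, None


def demo():
    # Constructed sample sub-parts and master keys; not values from the page.
    roots = {a: derive_root_key(b"srv-" + a.encode(), b"disk-" + a.encode(),
                                b"app-" + a.encode()) for a in ("A", "B")}
    key_files = {a: wrap_master_key(roots[a], secrets.token_bytes(32)) for a in roots}

    strict = ThirdDeviceSession(key_files)
    strict.login("A", roots["A"])
    rejected = not strict.login("B", roots["B"])
    a_reads_b = strict.can_access("B")
    slot = strict._kernel_key
    strict.logout()
    cleared = not any(slot) and not strict.can_access("A")

    evicting = ThirdDeviceSession(key_files, evict_on_new_login=True)
    evicting.login("A", roots["A"])
    evicting.login("B", roots["B"])
    switched = evicting.can_access("B") and not evicting.can_access("A")
    return {"second_login_rejected": rejected, "a_reads_b": a_reads_b,
            "key_cleared_on_logout": cleared, "evict_switches_owner": switched}
```

Under either policy the key slot never holds two master keys at once, which is the condition the single-login rule relies on when no access control policy is present on the mounting device.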
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
In the embodiment of the present application, the first device may be divided into the functional modules according to the above method example, for example, each functional module may be divided for each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. The following description will be given by taking the case of dividing each function module corresponding to each function:
Referring to fig. 12, the first device 1200 supports an information service block service, and the first device 1200 includes:
a root key receiving unit 1201, configured to receive a first account and a root key sent by a second device, where the root key is obtained after the first account and a first password corresponding to the first account are successfully verified;
a master directory creating unit 1202, configured to create, when an encrypted master directory of a first account does not exist in an external storage device of a first device, an encrypted master directory for the first account in the external storage device, where data in the encrypted master directory of the first account is encrypted and decrypted based on a root key;
the authentication information setting unit 1203 is configured to receive a second account and a second password corresponding to the second account, which are sent by the second device, and set the second account and the second password as authentication information of an encrypted main directory of the first account when the external storage device is mounted on the first device.
As another embodiment of the present application, the first device 1200 further includes:
a master key setting unit 1204, configured to generate a master key of the encrypted main directory of the first account, and set the master key of the encrypted main directory of the first account in a system kernel of the first device; and to encrypt and store the master key of the encrypted main directory of the first account in the external storage device, wherein the root key is used to decrypt the master key stored in encrypted form in the external storage device, and data in the encrypted main directory of the first account is encrypted and decrypted based on the master key.
As another embodiment of the present application, the master key setting unit 1204 is further configured to:
creating a key file of a first account in an external storage device; the master key of the encrypted master directory of the first account is stored encrypted in the key file of the first account.
As another embodiment of the present application, the root key is generated from root keying material, the root keying material comprising at least two sub-parts, and one of the sub-parts being a verification sub-part;
correspondingly, the root key receiving unit 1201 is further configured to:
receiving a first account and a verification sub-part of the root keying material, which are sent by the second device, wherein the verification sub-part of the root keying material is obtained after the first account and a first password corresponding to the first account are successfully verified.
As another embodiment of the present application, the root keying material further comprises a local subpart; the first device 1200 further comprises:
a root key generation unit 1205 for generating the local subpart of root key material and storing the local subpart of root key material in the external storage device.
As another embodiment of the present application, the root keying material further comprises an application subpart stored in the first application of the second device.
As another embodiment of the present application, the authentication information setting unit 1203 is further configured to:
receiving a second account, input by a user on the second device, and a second password corresponding to the second account, both sent by the second device;
or receiving a second account generated by the second device and a second password corresponding to the second account, both sent by the second device.
As another embodiment of the present application, the first device 1200 further includes:
an authentication information holding unit 1206, configured to store the second account and the second password in the external storage device in encrypted form, where the stored second account and second password can be obtained by decryption based on the root key.
As a schematic diagram of another functional module architecture of the first device, the first device 1200 includes:
a root key receiving unit 1201, configured to receive a first account and a root key sent by a second device, where the root key is obtained after the first account and a first password corresponding to the first account are successfully verified;
an authentication information obtaining unit 1207, configured to, when an encrypted main directory of a first account exists in an external storage device of a first device, obtain a second account and a second password corresponding to the second account if the first device sets authentication information for the encrypted main directory of the first account, and authenticate the second account and the second password as authentication information of the encrypted main directory;
a data access modification unit 1208, configured to, after the authentication of the second account and the second password is successful, if a data access request or a data modification request of the encrypted main directory of the first account sent by the second device is received, respond to the received data access request or data modification request based on the root key;
a data locking unit 1209, configured to lock the encrypted primary directory of the first account after receiving the logout information of the first account.
As another embodiment of the present application, the first device 1200 further includes:
a master key obtaining unit 1210, configured to obtain, by decryption based on the root key, the master key of the encrypted main directory of the first account from the external storage device, and to set the master key of the encrypted main directory of the first account in a system kernel of the first device;
accordingly, the data access modification unit 1208 is further configured to:
respond to the received data access request or data modification request based on the master key in the system kernel;
the data locking unit 1209 is further configured to: the master key in the system kernel is cleared.
As another embodiment of the present application, the master key obtaining unit 1210 is further configured to:
parsing the encrypted information in the key file stored in the external storage device by means of the root key, to obtain the master key of the encrypted main directory of the first account.
As another embodiment of the present application, the root key is generated from root keying material, the root keying material comprising at least two sub-parts, and one of the sub-parts being a verification sub-part;
the root key receiving unit 1201 is further configured to: receive a first account and a verification sub-part of the root keying material, which are sent by the second device, wherein the verification sub-part of the root keying material is obtained after the first account and a first password corresponding to the first account are successfully verified.
As another embodiment of the present application, the root keying material further comprises a local subpart;
the first device 1200 further comprises:
a root key acquisition unit 1211, configured to acquire a local sub-part of the root key material from the external storage device, and to obtain from the second device an application sub-part of the root key material stored in the first application of the second device.
As another embodiment of the present application, the authentication information obtaining unit 1207 is further configured to:
receiving a second account, input by a user on the second device, and a second password corresponding to the second account, both sent by the second device;
or obtaining, by decryption based on the root key, the second account and the second password corresponding to the second account from the external storage device.
As another embodiment of the present application, the first device 1200 further includes:
the authentication information retrieving unit 1212 is configured to, in response to a received retrieval request for a second password corresponding to a second account, decrypt, based on the root key, the second account and the second password corresponding to the second account from the external storage device, and send the second account and the second password corresponding to the second account to the second device.
It should be noted that, because the above-mentioned information interaction between the first devices/units, the execution process, and the like are based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to specifically in the method embodiment section, and are not described herein again.
In the embodiment of the present application, the third device may be divided into the functional modules according to the above method example, for example, each functional module may be divided for each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. The following description will be given by taking the case of dividing each function module corresponding to each function:
Referring to fig. 13, the third device 1300 includes:
a first account receiving unit 1301, configured to send a first account and a first password corresponding to the first account to a preset server in response to the first account and the first password corresponding to the first account received by the second application;
a root key receiving unit 1302, configured to receive a root key sent by a preset server after the first account and the first password are successfully verified;
a data access modifying unit 1303, configured to, when an encrypted main directory of the first account exists in an external storage device of the third device and the third device does not set authentication information for the encrypted main directory of the first account, if a data access request or a data modification request of the encrypted main directory of the first account is received, respond to the received data access request or data modification request based on the root key;
a data locking unit 1304, configured to lock the encrypted main directory of the first account after receiving the logout information of the first account;
before the third device receives the logout information of the first account, accounts other than the first account are not allowed to log in to the second application of the third device.
As another embodiment of the present application, the third device 1300 further includes:
a master key obtaining unit 1305, configured to obtain, by decryption based on the root key, the master key of the encrypted main directory of the first account from the external storage device, and to set the master key of the encrypted main directory of the first account in a system kernel of the third device;
correspondingly, the data access modification unit 1303 is further configured to:
responding to the received data access request or data modification request based on a master key in a system kernel;
the data locking unit 1304 is further configured to: the master key in the system kernel is cleared.
As another embodiment of the present application, the master key obtaining unit 1305 is further configured to:
parsing the encrypted information in the key file stored in the external storage device by means of the root key, to obtain the master key of the encrypted main directory of the first account.
As another embodiment of the present application, the root key is generated from root keying material that includes at least two sub-portions, and one of the sub-portions is a verification sub-portion.
The root key receiving unit 1302 is further configured to: receive a verification sub-part of the root key material sent by the preset server after the first account and the first password are successfully verified.
As another embodiment of the present application, the root keying material further comprises a local subpart; the third device 1300 further comprises:
a root key obtaining unit 1306, configured to obtain the local sub-part of the root key material from the external storage device, and to obtain an application sub-part of the root key material stored in the second application of the third device.
It should be noted that, because the contents of information interaction, execution process, and the like between the third devices/units are based on the same concept as that of the method embodiment of the present application, specific functions and technical effects thereof may be specifically referred to a part of the method embodiment, and details are not described here.
It will be clear to those skilled in the art that, for convenience and simplicity of description, the above division of the functional units is merely illustrated, and in practical applications, the above function distribution may be performed by different functional units according to needs, that is, the internal structure of the first device/the third device is divided into different functional units to perform all or part of the above described functions. Each functional unit in the embodiments may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the application. The specific working process of the units in the system may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps in the above-mentioned method embodiments may be implemented.
Embodiments of the present application further provide a computer program product, which when run on a first device, enables the first device to implement the steps in the above method embodiments.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include at least: any entity or apparatus capable of carrying computer program code to a first device, a recording medium, computer memory, Read-Only Memory (ROM), Random-Access Memory (RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium, for example a USB disk, a removable hard disk, a magnetic disk or an optical disk. In certain jurisdictions, in accordance with legislation and patent practice, computer-readable media may not be an electrical carrier signal or a telecommunications signal.
An embodiment of the present application further provides a chip system, where the chip system includes a processor, the processor is coupled to the memory, and the processor executes a computer program stored in the memory to implement the steps of any of the method embodiments of the present application. The chip system may be a single chip or a chip module composed of a plurality of chips.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (24)

1. A data protection method applied to a first device supporting an information service block service, the method comprising:
the first device receives a first account and a root key sent by a second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified;
when the encrypted main directory of the first account does not exist in the external storage device of the first device, the first device creates the encrypted main directory for the first account in the external storage device, wherein data in the encrypted main directory of the first account is encrypted and decrypted based on the root key;
the first device receives a second account and a second password corresponding to the second account, which are sent by the second device, and sets the second account and the second password as authentication information of an encrypted main directory of the first account when the external storage device is mounted on the first device.
2. The method of claim 1, after the first device creates an encrypted primary directory for the first account in the external storage device, further comprising:
the first device generates a master key of the encrypted main directory of the first account, and sets the master key of the encrypted main directory of the first account in a system kernel of the first device;
the first device encrypts and stores the master key of the encrypted main directory of the first account in the external storage device, wherein the root key is used to decrypt the master key stored in encrypted form in the external storage device, and data in the encrypted main directory of the first account is encrypted and decrypted based on the master key.
3. The method of claim 2, wherein the first device encrypting and storing the master key of the encrypted main directory of the first account in the external storage device comprises:
the first device creates a key file of the first account in the external storage device;
the first device stores the master key of the encrypted main directory of the first account, in encrypted form, in the key file of the first account.
4. The method of claim 1, wherein the root key is generated from root keying material that includes at least two sub-parts, one of which is a verification sub-part,
correspondingly, the receiving, by the first device, of the first account and the root key sent by the second device includes:
the first device receives the first account and the verification sub-part of the root keying material, which are sent by the second device, wherein the verification sub-part of the root keying material is obtained after the first account and the first password corresponding to the first account are successfully verified.
5. The method of claim 4, wherein the root keying material further comprises a local sub-part;
when the encrypted main directory of the first account does not exist in the external storage device of the first device, the method further includes:
the first device generates the local sub-part of the root keying material and stores the local sub-part of the root keying material in the external storage device.
6. The method of claim 4 or 5, wherein the root keying material further comprises an application sub-part stored in the first application of the second device.
7. The method of claim 1, wherein the receiving, by the first device, the second account and the second password corresponding to the second account, which are sent by the second device, comprises:
the first device receives a second account and a second password that are input by a user on the second device and sent by the second device, the second password corresponding to the second account;
or
the first device receives a second account generated by the second device and a second password corresponding to the second account, both sent by the second device.
8. The method of claim 7, wherein after the first device receives the second account and the second password corresponding to the second account, the method further comprises:
the first device encrypts and stores the second account and the second password in the external storage device, wherein the second account and the second password are obtained by decryption based on the root key.
9. A data protection method applied to a first device supporting an information service block service, the method comprising:
a first device receives a first account and a root key sent by a second device, wherein the root key is obtained after the first account and a first password corresponding to the first account are successfully verified;
when the encrypted main directory of the first account exists in the external storage device of the first device, if the authentication information is set for the encrypted main directory of the first account by the first device, the first device acquires a second account and a second password corresponding to the second account, and authenticates the second account and the second password as the authentication information of the encrypted main directory;
after the authentication of the second account and the second password is successful, if the first device receives a data access request or a data modification request of an encrypted main directory of the first account sent by the second device, the first device responds to the received data access request or data modification request based on the root key;
after the first device receives exit information of the first account, the first device locks the encrypted main directory of the first account.
10. The method of claim 9, further comprising, when the encrypted main directory of the first account exists in the external storage device of the first device:
the first device decrypts data from the external storage device based on the root key to obtain a master key of the encrypted main directory of the first account;
the first device sets the master key of the encrypted main directory of the first account in a system kernel of the first device;
correspondingly, the first device responding to the received data access request or data modification request based on the root key comprises:
the first device responds to the received data access request or data modification request based on the master key in the system kernel;
the first device locking the encrypted main directory of the first account comprises the following steps:
the first device clears the master key in the system kernel.
11. The method of claim 10, wherein the first device decrypting data from the external storage device based on the root key to obtain the master key of the encrypted main directory of the first account comprises:
the first device parses the encrypted information in the key file stored in the external storage device using the root key to obtain the master key of the encrypted main directory of the first account.
12. The method of claim 9, wherein the root key is generated from root keying material that includes at least two sub-parts, one of which is a verification sub-part,
correspondingly, the receiving, by the first device, of the first account and the root key sent by the second device includes:
the first device receives the first account and the verification sub-part of the root keying material, which are sent by the second device, wherein the verification sub-part of the root keying material is obtained after the first account and the first password corresponding to the first account are successfully verified.
13. The method of claim 12, wherein the root keying material further comprises a local sub-part;
before the first device responds to the received data access request or data modification request based on the root key, the method further comprises:
the first device obtains the local sub-part of the root keying material from the external storage device.
14. The method of claim 12 or 13, wherein before the first device responds to the received data access request or data modification request based on the root key, the method further comprises:
the first device obtains, from the second device, an application sub-part of the root keying material stored in a first application of the second device.
15. The method of claim 9, wherein the obtaining, by the first device, a second account and a second password corresponding to the second account comprises:
the first device receives a second account and a second password that are input by a user on the second device and sent by the second device, the second password corresponding to the second account;
or
the first device decrypts data from the external storage device based on the root key to obtain the second account and a second password corresponding to the second account.
16. The method of claim 9, further comprising, when the encrypted main directory of the first account exists in the external storage device of the first device:
in response to a received request for retrieving a second password corresponding to a second account, the first device decrypts the second account and the second password corresponding to the second account from the external storage device based on the root key, and sends the second account and the second password corresponding to the second account to the second device.
17. A method for protecting data, comprising:
in response to a second application receiving a first account and a first password corresponding to the first account, a third device sends the first account and the first password corresponding to the first account to a preset server;
the third device receives a root key sent by the preset server after the first account and the first password are successfully verified;
when the encrypted main directory of the first account exists in the external storage device of the third device and the authentication information is not set for the encrypted main directory of the first account by the third device, if the third device receives a data access request or a data modification request of the encrypted main directory of the first account, the third device responds to the received data access request or data modification request based on the root key;
after the third device receives exit information of the first account, the third device locks the encrypted main directory of the first account;
before the third device receives the exit information of the first account, the third device does not allow accounts other than the first account to log in to the second application of the third device.
18. The method of claim 17, further comprising, when the encrypted main directory of the first account exists in the external storage device of the third device:
the third device decrypts data from the external storage device based on the root key to obtain a master key of the encrypted main directory of the first account;
the third device sets the master key of the encrypted main directory of the first account in a system kernel of the third device;
correspondingly, the third device responding to the received data access request or data modification request based on the root key comprises:
the third device responds to the received data access request or data modification request based on a master key in the system kernel;
the third device locking the encrypted main directory of the first account comprises the following steps:
the third device clears the master key in the system kernel.
19. The method of claim 18, wherein the third device decrypting data from the external storage device based on the root key to obtain the master key of the encrypted main directory of the first account comprises:
the third device parses the encrypted information in the key file stored in the external storage device using the root key to obtain the master key of the encrypted main directory of the first account.
20. The method of claim 17, wherein the root key is generated from root keying material that includes at least two sub-parts, one of which is a verification sub-part,
correspondingly, the receiving, by the third device, of the root key sent by the preset server after the first account and the first password are successfully verified includes:
the third device receives the verification sub-part of the root keying material, which is sent by the preset server after the preset server successfully verifies the first account and the first password.
21. The method of claim 20, wherein the root keying material further comprises a local sub-part;
before the third device responds to the received data access request or data modification request based on the root key, the method further comprises:
the third device retrieves the local sub-part of the root keying material from the external storage device.
22. The method of claim 20 or 21, wherein before the third device responds to the received data access request or data modification request based on the root key, the method further comprises:
the third device obtains an application sub-part of the root keying material stored in a second application of the third device.
23. An electronic device, characterized in that the electronic device comprises a processor for executing a computer program stored in a memory for implementing the method of any of claims 1 to 8 and/or the method of any of claims 9 to 16, or the method of any of claims 17 to 22.
24. A computer-readable storage medium, in which a computer program is stored which, when run on a processor, implements the method of any of claims 1 to 8 and/or the method of any of claims 9 to 16, or the method of any of claims 17 to 22.
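The key hierarchy recited in claims 2 to 5 and 10 to 13 (sub-parts of root keying material yield the root key, the root key unwraps a master key from a key file on the external storage device, and locking clears the master key) can be modelled as follows. This is an added example, not code from the patent: the way the sub-parts are combined, the HMAC-based stand-in cipher used so that it runs on the Python standard library alone, and all names (`derive_root_key`, `wrap`, `unwrap`, `EncryptedHome`) are assumptions.

```python
import hashlib
import hmac
import os

def _h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_root_key(verification: bytes, local: bytes, application: bytes = b"") -> bytes:
    # Assumed combiner (the claims do not specify one). Length prefixes stop
    # ("ab", "c") and ("a", "bc") from producing the same root key.
    parts = (verification, local, application)
    return _h(b"root-key", b"".join(len(p).to_bytes(4, "big") + p for p in parts))

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib-only stand-in cipher (HMAC-SHA256 in counter mode); use AES-GCM in practice.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_h(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(root_key: bytes, master_key: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_h(root_key, b"enc"), nonce, master_key)
    return nonce + ct + _h(_h(root_key, b"mac"), nonce + ct)  # encrypt-then-MAC

def unwrap(root_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(_h(root_key, b"mac"), nonce + ct)):
        raise ValueError("key file rejected: wrong root key or modified file")
    return _xor_stream(_h(root_key, b"enc"), nonce, ct)

class EncryptedHome:
    """Hypothetical model: two blobs on external storage, one key 'in the kernel'."""

    def __init__(self):
        self.local_part = None   # local sub-part, stored on the external storage device
        self.key_file = None     # wrapped master key, stored on the external storage device
        self.kernel_key = None   # master key, present only while unlocked

    def create(self, verification: bytes, application: bytes = b"") -> None:
        self.local_part = os.urandom(32)
        self.kernel_key = os.urandom(32)
        root = derive_root_key(verification, self.local_part, application)
        self.key_file = wrap(root, self.kernel_key)

    def unlock(self, verification: bytes, application: bytes = b"") -> None:
        root = derive_root_key(verification, self.local_part, application)
        self.kernel_key = unwrap(root, self.key_file)  # raises before any key is set

    def lock(self) -> None:
        self.kernel_key = None   # on exit of the first account
```

In this model the external storage device holds only the local sub-part and the wrapped key file, so reading the storage alone does not yield the master key without the verification sub-part released after account verification.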
CN202010912441.4A 2020-09-01 2020-09-01 Data protection method, electronic equipment and storage medium Pending CN114117461A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010912441.4A CN114117461A (en) 2020-09-01 2020-09-01 Data protection method, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010912441.4A CN114117461A (en) 2020-09-01 2020-09-01 Data protection method, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114117461A true CN114117461A (en) 2022-03-01

Family

ID=80360626

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010912441.4A Pending CN114117461A (en) 2020-09-01 2020-09-01 Data protection method, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114117461A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115562573A (en) * 2022-08-30 2023-01-03 荣耀终端有限公司 Data storage method, communication system, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN111466099B (en) Login method, token sending method, device and storage medium
CN111373713B (en) Message transmission method and device
CN111132137A (en) Wi-Fi connection method and device
CN111093183B (en) Mobile equipment management method and equipment
CN113609498A (en) Data protection method and electronic equipment
CN113408016B (en) Method and device for storing ciphertext
WO2021175266A1 (en) Identity verification method and apparatus, and electronic devices
CN110752929B (en) Application program processing method and related product
CN112654989B (en) Data storage method, data access method, related device and equipment
CN114117461A (en) Data protection method, electronic equipment and storage medium
CN113676440B (en) Authority negotiation method and device in communication process and electronic equipment
CN113556734B (en) Authentication method and device
CN116340913A (en) Login method, electronic equipment and computer readable storage medium
CN114117367A (en) Data protection method and electronic equipment
CN114254334A (en) Data processing method, device, equipment and storage medium
WO2023246695A1 (en) Device authorization method, electronic device and system
WO2022037405A1 (en) Information verification method, electronic device and computer-readable storage medium
CN115599596B (en) Data processing method, electronic device, system and storage medium
WO2024113865A1 (en) Secure transmission method and apparatus for video stream
WO2022042273A1 (en) Key using method and related product
WO2024032400A1 (en) Picture storage method and apparatus, and terminal device
US20230214532A1 (en) Permission negotiation method and apparatus during communication, and electronic device
WO2024037040A1 (en) Data processing method and electronic device
CN115550919A (en) Equipment pairing authentication method and device, sender equipment and receiver equipment
CN118118739A (en) Secure transmission method and device for video stream

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination