CN101937501A - Method and device for protecting files from unauthenticated accesses - Google Patents


Publication number: CN101937501A
Authority: CN (China)
Prior art keywords: document, authentication information, protection device, encryption key, memory apparatus
Legal status: Pending
Application number: CN2009101484754A
Other languages: Chinese (zh)
Inventors: 郭代飞, 隋爱芬
Current Assignee: Siemens Ltd China
Original Assignee: Siemens Ltd China

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for protecting files from unauthenticated accesses. The file protection device comprises encrypted files and a control module. The control module comprises a transmitting module, a receiving module, a decrypting module and a management module. When the file protection device is run on a computer, the transmitting module sends to another device a message that requests the encrypting keys for decrypting the encrypted files and that contains identity information and authentication information, the identity information and the authentication information being acquired from portable storage equipment connected to the computer. The receiving module receives the encrypting keys for decrypting the encrypted files from the other device. The decrypting module decrypts the encrypted files with the received encrypting keys to obtain plain-text files. The management module controls the access of users to the plain-text files according to the file access policies. With the method and the device, the files can be protected from unauthenticated accesses.

Description

Method and apparatus for preventing unauthorized access to documents
Technical Field
The present invention relates to a method and apparatus for preventing unauthorized access to documents.
Background
With the widespread use of computer technology, enterprises usually enter all kinds of data and information into computers and store them as documents. An enterprise's computers are generally connected to the Internet, to printers and so on, and usually have disk drives and/or USB (Universal Serial Bus) interfaces. A document stored in such a computer can therefore easily be sent outside the enterprise over the Internet, printed on a printer and carried out of the enterprise, or copied to a disk and/or USB flash drive and carried out of the enterprise. Documents containing business data and information that are stored in computers are thus easily leaked outside the enterprise illegally and obtained by competitors.
To prevent documents containing business data and information that are stored in computers from being illegally leaked outside the enterprise, a number of schemes for preventing document leakage have been proposed. These schemes fall into two kinds: network-based schemes and host-based schemes. A network-based scheme deploys a security gateway at the enterprise's network entry and exit points to prevent enterprise employees from leaking the enterprise's documents outside the enterprise over the various networks. A host-based scheme installs a security agent on each computer of the enterprise to monitor it, so as to prevent enterprise employees from leaking the enterprise's documents outside the enterprise through the host peripheral interfaces, printers and/or portable memory apparatuses of each computer. With these schemes, documents stored in the enterprise's computers are well protected from being illegally leaked outside the enterprise.
In practice, however, an enterprise's documents sometimes need to be copied to a portable memory apparatus such as a USB flash drive, so that the documents in the portable memory apparatus can be used on a computer that does not employ the above schemes for preventing document leakage. For example, when employee Y of enterprise Q meets with employee W of a partner enterprise, employee Y may need to copy some of enterprise Q's documents required for the meeting to a USB flash drive, and employee W then reads the copied documents of enterprise Q by inserting the USB flash drive into his or her notebook computer. In this case, because employee W does not belong to enterprise Q, employee W's notebook computer most likely does not employ the above schemes for preventing document leakage, so nothing prevents employee W from intentionally or unintentionally spreading enterprise Q's documents on the USB flash drive in plaintext form, and other people can then access the documents without being authorized.
Summary of the Invention
In view of the above defects of the prior art, the present invention provides a method and apparatus for preventing unauthorized use of documents, with which unauthorized access to documents can be prevented.
A document protection device according to the present invention comprises: an encrypted document; and a control module, wherein the control module further comprises: a sending module for sending to another device, when the document protection device is run on a computer, a message that requests the encryption key for decrypting the encrypted document and that comprises identity information and authentication information, wherein the identity information and the authentication information are obtained from a portable memory apparatus connected to the computer; a receiving module for receiving from the other device the encryption key for decrypting the encrypted document; a decryption module for decrypting the encrypted document with the received encryption key to obtain a plaintext document; and a management module for controlling the user's access to the plaintext document according to a document access policy.
A portable memory apparatus according to the present invention comprises: a communication interface module for communicating with the computer to which the portable memory apparatus is connected; a secure storage area for storing identity information and original authentication information in association with each other; and a control module for, when a message requesting identity information and basic authentication information is received via the communication interface module from a document protection device in the computer, calculating basic authentication information based on the original authentication information stored in the secure storage area, and sending the calculated basic authentication information and the identity information stored in the secure storage area to the document protection device in the computer through the communication interface module.
A device for producing a document protection device for a document according to the present invention comprises: a receiving module for receiving a user ID, an access code and a document access policy for controlling the user's access to the document; a generation module for generating an encryption password for encrypting the document; an encryption module for encrypting the document with the generated encryption key to obtain an encrypted document; a combination module for combining the encrypted document with a control module for controlling the user's access to the document, to obtain the document protection device; and a sending module for sending the received user ID and access code and the obtained document protection device to a portable memory apparatus, and for sending the received user ID, access code and document access policy and the generated encryption password to another device.
A method performed by a document protection device according to the present invention, wherein the document protection device comprises an encrypted document, comprises the steps of: when the document protection device is run on a computer, sending to another device a message that requests the encryption key for decrypting the encrypted document and that comprises identity information and authentication information, wherein the identity information and the authentication information are obtained from a portable memory apparatus connected to the computer; receiving from the other device the encryption key for decrypting the encrypted document; decrypting the encrypted document with the received encryption key to obtain a plaintext document; and controlling the user's access to the plaintext document according to a document access policy.
A method performed by a portable memory apparatus according to the present invention comprises the steps of: when a message requesting identity information and basic authentication information is received from a document protection device in the computer to which the portable memory apparatus is connected, calculating basic authentication information based on original authentication information stored in advance; and sending the calculated basic authentication information and identity information stored in advance to the document protection device in the computer.
A method for producing a document protection device for a document according to the present invention comprises the steps of: receiving a user ID, an access code and a document access policy for controlling the user's access to the document; generating an encryption password for encrypting the document; encrypting the document with the generated encryption key to obtain an encrypted document; combining the encrypted document with a control module for controlling the user's access to the document, to obtain the document protection device; and sending the received user ID and access code and the obtained document protection device to a portable memory apparatus, and sending the received user ID, access code and document access policy and the generated encryption password to another device.
Description of the Drawings
Other characteristics, features and advantages of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a schematic diagram illustrating a system for preventing unauthorized use of documents according to a first embodiment of the invention;
Fig. 2 is a schematic diagram illustrating the portable memory apparatus according to the first embodiment of the invention;
Fig. 3 is a flowchart illustrating a method for producing a document protection device according to the first embodiment of the invention; and
Figs. 4A-4C are flowcharts illustrating a method for accessing a document that needs protection according to the first embodiment of the invention.
Embodiments
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram illustrating a system for preventing unauthorized use of documents according to a first embodiment of the invention. As shown in Fig. 1, the system comprises supervisory computer 100, server 200, portable memory apparatus 300 and object computer 400. Supervisory computer 100 is connected to server 200, object computer 400 is connected to server 200 through a network, and portable memory apparatus 300 can be connected to supervisory computer 100 and to object computer 400 by being inserted into them.
Supervisory computer 100 is used to produce the document protection device of a document that needs protection. Each document protection device is an executable file that prevents the document that needs protection from being used without authorization. Each document protection device comprises an encrypted document that needs protection and a control module for controlling the user's access to that document according to a document access policy, wherein the control module is implemented as executable program code, and the document access policy may be document read, document write, print screen, document print, permission change and/or location change, etc.
When producing the document protection device of a document that needs protection, supervisory computer 100 stores the user ID as identity information, the access code and the shared password as original authentication information, and the produced document protection device in portable memory apparatus 300, and sends to server 200 the user ID as identity information, the access code and the shared password as original authentication information, the encryption key used to encrypt the document that needs protection when producing the document protection device, and the document access policy for controlling access to the document that needs protection.
Server 200 stores in its memory, in association with one another, the user ID as identity information, the access code and shared password as original authentication information, the encryption key and the document access policy received from supervisory computer 100. When server 200 receives from object computer 400 a message that requests the encryption key and the document access policy and that contains identity information, authentication information and authentication supplementary information, it calculates authentication information from the authentication supplementary information contained in the received message and the original authentication information stored in its memory in association with the identity information contained in the received message, compares whether the authentication information contained in the received message is identical to the calculated authentication information, and, when the comparison result is affirmative, sends the encryption key and the document access policy stored in its memory to object computer 400.
Portable memory apparatus 300 is a removable storage device that stores the user ID as identity information, the access code and the shared password as original authentication information, and the document protection device received from supervisory computer 100. The user ID, access code and shared password are stored in association with one another in the secure storage area of portable memory apparatus 300, and the document protection device is stored in the data storage area of portable memory apparatus 300. When portable memory apparatus 300 is connected to object computer 400 and receives from object computer 400 a message requesting identity information and basic authentication information, portable memory apparatus 300 calculates basic authentication information from the access code and shared password (the original authentication information) stored in its secure storage area, and then sends the calculated basic authentication information and the user ID stored in its secure storage area as identity information to object computer 400.
Object computer 400 is the computer on which the user accesses the document that needs protection. When the user wants to access the document that needs protection on object computer 400, the user connects portable memory apparatus 300, which stores the document protection device of that document, to object computer 400 by inserting it into object computer 400. With portable memory apparatus 300 connected to object computer 400, when the user runs the document protection device of the document directly from portable memory apparatus 300, or copies the document protection device to object computer 400 and runs it there, the document protection device first obtains identity information and basic authentication information from portable memory apparatus 300 connected to object computer 400. It then sends the obtained identity information, together with authentication information and authentication supplementary information, to server 200 to request the encryption key and the document access policy, wherein the authentication information is calculated from the basic authentication information and the authentication supplementary information. It then uses the encryption key from server 200 to decrypt the encrypted document included in the document protection device to obtain the plaintext document, and controls the user's access to the plaintext document according to the document access policy from server 200.
Fig. 2 is a schematic diagram illustrating the portable memory apparatus according to the first embodiment of the invention. As shown in Fig. 2, portable memory apparatus 300 comprises communication interface module 310, control module 320, secure storage area 330 and data storage area 340.
Communication interface module 310 is used by portable memory apparatus 300 to communicate with the computer to which it is connected.
Control module 320 controls external access to secure storage area 330 and data storage area 340.
Secure storage area 330 stores the user ID as identity information and the access code and shared password as original authentication information received from the supervisory computer.
Data storage area 340 stores the document protection device of the document that needs protection received from the supervisory computer.
Fig. 3 is a flowchart illustrating a method for producing a document protection device according to the first embodiment of the invention. As shown in Fig. 3, when the document protection device of a document D that needs protection is to be produced, supervisory computer 100 prompts the production operator to input a user ID, an access code and a document access policy for controlling access to the document D (step S300).
After receiving the user ID, access code and document access policy input by the production operator, supervisory computer 100 randomly generates a shared key and an encryption key for encrypting the document D (step S310).
Supervisory computer 100 then encrypts the document D with the generated encryption key to obtain the encrypted document (step S320).
Supervisory computer 100 then combines the encrypted document with a control module for controlling the user's access to the document D, producing the document protection device of the document D (step S330).
Next, supervisory computer 100 sends the user ID as identity information, the access code and the shared key as original authentication information, and the produced document protection device to portable memory apparatus 300 connected to supervisory computer 100 (step S340).
Portable memory apparatus 300 stores the user ID as identity information, the access code and shared key as original authentication information, and the document protection device received from supervisory computer 100 (step S350). The user ID, the access code and the shared key are stored in association with one another in secure storage area 330 of portable memory apparatus 300, and the document protection device is stored in data storage area 340 of portable memory apparatus 300.
Supervisory computer 100 sends the user ID as identity information, the access code and the shared key as original authentication information, the encryption key and the document access policy to server 200 (step S360).
Server 200 stores in its memory, in association with one another, the user ID as identity information, the access code and shared key as original authentication information, the encryption key and the document access policy received from supervisory computer 100 (step S370).
Figs. 4A-4C are flowcharts illustrating a method for accessing a document that needs protection according to the first embodiment of the invention. It is assumed here that portable memory apparatus 300 already stores the document protection device of the document D that needs protection.
As shown in Figs. 4A-4C, with portable memory apparatus 300 connected to object computer 400, when the user wants to access portable memory apparatus 300, object computer 400 prompts the user to input the access code (step S400).
After receiving the access code input by the user, object computer 400 sends an access request message containing the received access code to the connected portable memory apparatus 300 (step S410).
After control module 320 of portable memory apparatus 300 receives the access request message from object computer 400 via communication interface module 310 of portable memory apparatus 300, it reads the access code from secure storage area 330 of portable memory apparatus 300 (step S420).
Control module 320 of portable memory apparatus 300 compares whether the access code contained in the received access request message is identical to the access code that was read (step S430).
If the comparison result of step S430 is negative, control module 320 of portable memory apparatus 300 sends an access response message indicating that access is denied to object computer 400 via communication interface module 310 of portable memory apparatus 300 (step S440).
After receiving the access response message indicating that access is denied from portable memory apparatus 300, object computer 400 notifies the user that access to portable memory apparatus 300 has been denied (step S450).
If the comparison result of step S430 is affirmative, control module 320 of portable memory apparatus 300 sends to object computer 400, via communication interface module 310 of portable memory apparatus 300, the file information of each file stored in data storage area 340 of portable memory apparatus 300, including the document protection device of the document D (step S460).
After receiving the file information from portable memory apparatus 300, object computer 400 displays the received file information to the user (step S470).
After the user has viewed the file information displayed by object computer 400 and wants to access the document D, object computer 400 reads into memory the document protection device of the document D located in portable memory apparatus 300, or the document protection device of the document D that has been copied to the hard disk storage of object computer 400, and runs the document protection device in memory (step S480).
The control module of the running document protection device sends a request message for obtaining identity information and basic authentication information to portable memory apparatus 300 (step S490).
After control module 320 of portable memory apparatus 300 receives this request message from the control module of the running document protection device via communication interface module 310 of portable memory apparatus 300, it reads from secure storage area 330 of portable memory apparatus 300 the user ID as identity information and the access code and shared key as original authentication information (step S500).
Control module 320 of portable memory apparatus 300 concatenates the access code and the shared key that were read as original authentication information and performs a hash operation on them, obtaining the operation result Hash(access code + shared key) as basic authentication information (step S510).
Control module 320 of portable memory apparatus 300 sends a response message to the control module of the running document protection device via communication interface module 310 of portable memory apparatus 300 (step S520). The response message contains the user ID that was read, as identity information, and the obtained operation result Hash(access code + shared key), as basic authentication information.
After receiving this response message from portable memory apparatus 300, the control module of the running document protection device sends to server 200 a key policy request message that requests the encryption key and the document access policy (step S530). The key policy request message contains the user ID contained in the received response message, the sequence number SEQ of the key policy request message, and Hash(Hash(access code + shared key) + SEQ). Here the user ID contained in the received response message is the identity information, the sequence number SEQ of the key policy request message is the authentication supplementary information, and Hash(Hash(access code + shared key) + SEQ) is the authentication information.
After receiving the key policy request message from the control module of the running document protection device, server 200 retrieves from its memory the access code and shared key as original authentication information, the encryption key and the document access policy that are stored in association with the user ID contained in the received key policy request message (step S540).
Server 200 concatenates the retrieved access code and shared key and performs a hash operation to obtain the operation result Hash(access code + shared key), then concatenates the obtained Hash(access code + shared key) with the sequence number SEQ of the key policy request message and performs a hash operation to obtain the operation result Hash(Hash(access code + shared key) + SEQ) as the calculated authentication information (step S550).
Server 200 compares whether the obtained operation result Hash(Hash(access code + shared key) + SEQ) is identical to the Hash(Hash(access code + shared key) + SEQ) contained in the received key policy request message (step S560).
If the comparison result of step S560 is negative, server 200 sends a key policy response message indicating authentication failure to the control module of the running document protection device (step S570).
After receiving the key policy response message indicating authentication failure from server 200, the control module of the running document protection device notifies the user that authentication has failed (step S580).
If the comparison result of step S560 is affirmative, server 200 increments the sequence number SEQ of the key policy request message by 1 to obtain a new sequence number SEQ1, and performs the corresponding hash operation to obtain the operation result Hash(Hash(access code + shared key) + SEQ1) as authorization information (step S590).
Server 200 concatenates the user ID, Hash(access code + shared key) and the new sequence number SEQ1 and performs a hash operation, obtaining the operation result Hash(user ID + Hash(access code + shared key) + SEQ1) as session key sk (step S600).
Server 200 uses the session key sk to encrypt the concatenation of the new sequence number SEQ1, the retrieved encryption key and the document access policy, obtaining the encrypted result E_sk(SEQ1 + encryption key + document access policy) (step S610).
Server 200 sends a key policy response message to the control module of the running document protection device (step S620). The key policy response message contains the user ID, the encrypted result E_sk(SEQ1 + encryption key + document access policy) and the authorization information Hash(Hash(access code + shared key) + SEQ1).
After receiving the key policy response message from server 200, the control module of the running document protection device increments by 1 the sequence number SEQ of the key policy request message it sent to server 200, obtaining the new sequence number SEQ1, then concatenates the operation result Hash(access code + shared key) received from portable memory apparatus 300 with the obtained new sequence number SEQ1 and performs a hash operation, obtaining the operation result Hash(Hash(access code + shared key) + SEQ1) as the calculated authorization information (step S630).
The control module of the running document protection device compares whether the calculated authorization information Hash(Hash(access code + shared key) + SEQ1) is identical to the authorization information Hash(Hash(access code + shared key) + SEQ1) contained in the received key policy response message (step S640).
If the comparison result of step S640 is negative, the control module of the running document protection device notifies the user that access to the document D has been denied (step S650).
If the comparison result of step S640 is affirmative, the control module of the running document protection device concatenates the user ID received from server 200, the operation result Hash(access code + shared key) received from portable memory apparatus 300 and the obtained new sequence number SEQ1 and performs a hash operation, obtaining the operation result Hash(user ID + Hash(access code + shared key) + SEQ1) as session key sk (step S660).
The control module of the running document protection device uses the obtained session key sk to decrypt the encrypted result E_sk(SEQ1 + encryption key + document access policy) contained in the key policy response message received from server 200, obtaining the encryption key and the document access policy in plaintext (step S670).
The control module of the running document protection device uses the obtained encryption key to decrypt the encrypted document D in the running document protection device, obtaining the plaintext document D (step S680).
The control module of the running document protection device controls the user's access to the plaintext document D according to the obtained document access policy (step S690). For example, when the obtained document access policy is document read, the control module of the running document protection device displays the plaintext document D to the user in read-only form; when the obtained document access policy is document write, the control module displays the plaintext document D to the user in writable form; when the obtained document access policy is document print, the control module allows the user to print the plaintext document D.
By the detailed description of top first embodiment as can be seen; the document that needs protection is included in after encryption in the document protection device; provide identity information at the document protective device to server; authentication information and authentication supplementary are with after obtaining encryption key and document access strategy; the user could visit this document that needs protection; obtain from portable memory apparatus and this identity information that offers server is the document protective device, and this authentication information that offers server is based on, and the Basic Authentication information calculations obtained from the document protective device from portable memory apparatus obtains.Therefore; by only allowing authorized user hold this portable memory apparatus; just can could visit the document that this needs protection so that hold the authorized user of this portable memory apparatus; and the unauthorized user of not holding this portable memory apparatus can not be visited the document that this needs protection, thereby has realized preventing that document is by the purpose of unauthorized access.
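The exchange in steps S600 to S670, as an added example that is not code from the patent. It assumes SHA-256 for Hash, byte concatenation with a 4-byte big-endian sequence number, and a SHA-256 counter keystream as a placeholder for E_sk, none of which the patent specifies; the function names, the payload layout and the check of the decrypted SEQ1 are also assumptions.

```python
import hashlib
import hmac
import struct


def H(*parts: bytes) -> bytes:
    """Hash over the concatenation of parts (SHA-256 is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def seq_bytes(seq: int) -> bytes:
    """Fixed-width encoding so SEQ concatenates unambiguously (assumption)."""
    return struct.pack(">I", seq)


def e_sk(sk: bytes, data: bytes) -> bytes:
    """Placeholder for E_sk: XOR with a SHA-256 counter keystream.
    Self-inverse and unauthenticated; the patent names no cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = H(sk, struct.pack(">I", off // 32))
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def server_response(user_id, basic_auth, seq, doc_key, policy):
    """Server 200, steps S600-S620, for a request that carried sequence number seq."""
    seq1 = seq_bytes(seq + 1)
    sk = H(user_id, basic_auth, seq1)                        # S600
    # Assumed layout: SEQ1, one length byte, encryption key, policy text.
    payload = seq1 + bytes([len(doc_key)]) + doc_key + policy.encode()
    return {
        "user_id": user_id,
        "enc": e_sk(sk, payload),                            # S610
        "auth": H(basic_auth, seq1),                         # sent in S620
    }


def client_process(resp, basic_auth, sent_seq):
    """Control module, steps S630-S670. Raises PermissionError for S650."""
    seq1 = seq_bytes(sent_seq + 1)                           # S630
    calculated = H(basic_auth, seq1)
    if not hmac.compare_digest(calculated, resp["auth"]):    # S640
        raise PermissionError("access to document D rejected")  # S650
    sk = H(resp["user_id"], basic_auth, seq1)                # S660
    plain = e_sk(sk, resp["enc"])                            # S670
    if plain[:4] != seq1:  # added check, not a step in the patent
        raise PermissionError("decrypted SEQ1 does not match")
    klen = plain[4]
    return plain[5:5 + klen], plain[5 + klen:].decode()


if __name__ == "__main__":
    # Constructed sample values.
    basic = H(b"1234", b"shared-key")   # Hash(access code + shared key)
    key = bytes(range(16))
    resp = server_response(b"alice", basic, 7, key, "read")
    print(client_process(resp, basic, 7))
    try:
        client_process(resp, basic, 8)  # same response presented for a later request
    except PermissionError as exc:
        print("stale response:", exc)
```

The value compared in S640 covers only Hash(access code + shared key) and SEQ1, so it does not detect a modified encrypted result; using an authenticated cipher for E_sk would close that gap.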
Other variations
Those skilled in the art will appreciate that, although in the first embodiment above the encryption key and the document access policy are stored in server 200, the present invention is not limited to this. In some other embodiments of the present invention, the encryption key and the document access policy may also be stored in the secure storage area 330 of portable memory apparatus 300. In that case, in step S530, after receiving the response message from portable memory apparatus 300, the control module of the running document protection device sends the key policy request message for requesting the encryption key and the document access policy not to server 200 but to portable memory apparatus 300, and portable memory apparatus 300 then performs steps S540-S570 and S590-S620, which server 200 performs in the first embodiment.
Those skilled in the art will appreciate that, although in each embodiment described above the document access policy is stored in server 200 or portable memory apparatus 300, the present invention is not limited to this. In some other embodiments of the present invention, the document access policy may also be placed directly in the document protection device. In this case, the document protection device only needs to obtain the encryption key from server 200 or portable memory apparatus 300 and no longer needs to obtain the document access policy from server 200 or portable memory apparatus 300.
Those skilled in the art will appreciate that, although in each embodiment described above the key policy request message that the control module of the running document protection device sends to server 200 or portable memory apparatus 300 includes the authentication supplementary information, namely the sequence number SEQ of the key policy request message, the present invention is not limited to this. In some other embodiments of the present invention, the key policy request message that the control module of the running document protection device sends to server 200 or portable memory apparatus 300 may also omit the authentication supplementary information. In this case, the authentication information included in that key policy request message is simply the basic authentication information that the control module of the running document protection device obtains from portable memory apparatus 300, i.e. Hash(access code + shared key).
Those skilled in the art will appreciate that, although in each embodiment described above the original authentication information comprises the shared key, the present invention is not limited to this. In some other embodiments of the present invention, the original authentication information may also omit the shared key.
Those skilled in the art will appreciate that, although in each embodiment described above the encryption key and the document access policy (or the encryption key alone) that server 200 or portable memory apparatus 300 sends to the document protection device are encrypted, the present invention is not limited to this. In some other embodiments of the present invention, the encryption key and the document access policy (or the encryption key alone) that server 200 or portable memory apparatus 300 sends to the document protection device may also be unencrypted.
Those skilled in the art will appreciate that various modifications and changes can be made to each embodiment of the present invention without departing from the essence of the invention, and that all such modifications and changes fall within the protection scope of the present invention. Therefore, the protection scope of the present invention is defined by the appended claims.

Claims (16)

1. A document protection device, comprising:
An encrypted document; and
A control module, wherein the control module further comprises:
A sending module, configured to send to another device, when the document protection device is run on a computer, a message that requests an encryption key for decrypting the encrypted document and that comprises identity information and authentication information, wherein the identity information and the authentication information are obtained from a portable memory apparatus connected to the computer;
A receiving module, configured to receive from the other device the encryption key for decrypting the encrypted document;
A decryption module, configured to decrypt the encrypted document with the received encryption key to obtain a plaintext document; and
A management module, configured to control a user's access to the plaintext document according to a document access policy.
2. The document protection device as claimed in claim 1, wherein the document access policy is received from the other device together with the encryption key.
3. The document protection device as claimed in claim 2, wherein
The received encryption key and document access policy are encrypted,
The decryption module is further configured to decrypt the received encryption key and document access policy to obtain a plaintext encryption key and a plaintext document access policy, and to decrypt the encrypted document with the plaintext encryption key to obtain the plaintext document, and
The management module is further configured to control the user's operations on the plaintext document based on the plaintext document access policy.
4. The document protection device as claimed in claim 1, wherein the other device is a server or the portable memory apparatus.
5. The document protection device as claimed in claim 1, wherein
The message further comprises authentication supplementary information, and
The authentication information comprised in the message is calculated based on the authentication supplementary information and the authentication information obtained from the portable memory apparatus.
6. A portable memory apparatus, comprising:
A communication interface module, configured to communicate with a computer to which the portable memory apparatus is connected;
A secure storage area, configured to store identity information and original authentication information in association with each other; and
A control module, configured to, when a message requesting identity information and basic authentication information is received via the communication interface module from a document protection device in the computer, calculate basic authentication information based on the original authentication information stored in the secure storage area, and send the calculated basic authentication information and the identity information stored in the secure storage area to the document protection device in the computer via the communication interface module.
7. The portable memory apparatus as claimed in claim 6, wherein
The secure storage area is further configured to store an encryption key; and
The control module is further configured to, when a message that requests the encryption key and includes identity information and authentication information is received via the communication interface module from the document protection device in the computer, calculate authentication information based on the original authentication information stored in the secure storage area in association with the identity information comprised in the received message, and, after determining that the authentication information comprised in the received message is identical to the calculated authentication information, send the encryption key stored in the secure storage area to the document protection device in the computer via the communication interface module.
8. The portable memory apparatus as claimed in claim 7, wherein
The secure storage area is further configured to store a document access policy, and
A safety control module is configured to, when a message that requests the encryption key and the document access policy and includes identity information and authentication information is received via the communication interface module from the document protection device in the computer, calculate authentication information based on the original authentication information stored in the secure storage area in association with the identity information comprised in the received message, and, after determining that the authentication information comprised in the received message is identical to the calculated authentication information, send the encryption key and the document access policy stored in the secure storage area to the document protection device in the computer via the communication interface module.
9. The portable memory apparatus as claimed in claim 8, wherein
The safety control module is further configured to encrypt the encryption key and the document access policy stored in the secure storage area and then send them to the document protection device in the computer via the communication interface module.
10. The portable memory apparatus as claimed in claim 7 or 8, wherein
The received message further comprises authentication supplementary information, and
The safety control module is further configured to calculate authentication information based on the authentication supplementary information comprised in the received message and the original authentication information stored in the secure storage area in association with the identity information comprised in the received message.
11. A device for producing a document protection device for a document, comprising:
A receiving module, configured to receive a user ID, an access code and a document access policy for controlling a user's access to the document;
A generation module, configured to generate an encryption key for encrypting the document;
An encryption module, configured to encrypt the document with the generated encryption key to obtain an encrypted document;
A combination module, configured to combine the encrypted document with a control module for controlling the user's access to the document, to obtain the document protection device; and
A sending module, configured to send the received user ID and access code and the obtained document protection device to a portable memory apparatus, and to send the received user ID, access code and document access policy and the generated encryption key to another device.
12. The device as claimed in claim 11, wherein
The other device is a server or the portable memory apparatus.
13. A method performed by a document protection device, wherein the document protection device comprises an encrypted document, the method comprising the steps of:
When the document protection device is run on a computer, sending to another device a message that requests an encryption key for decrypting the encrypted document and that comprises identity information and authentication information, wherein the identity information and the authentication information are obtained from a portable memory apparatus connected to the computer;
Receiving from the other device the encryption key for decrypting the encrypted document;
Decrypting the encrypted document with the received encryption key to obtain a plaintext document; and
Controlling a user's access to the plaintext document according to a document access policy.
14. A method performed by a portable memory apparatus, comprising the steps of:
When a message requesting identity information and basic authentication information is received from a document protection device in a computer to which the portable memory apparatus is connected, calculating basic authentication information based on pre-stored original authentication information; and
Sending the calculated basic authentication information and pre-stored identity information to the document protection device in the computer.
15. The method as claimed in claim 14, further comprising the steps of:
When a message that requests an encryption key and includes identity information and authentication information is received from the document protection device in the computer, calculating authentication information based on the original authentication information pre-stored in association with the identity information comprised in the received message;
Comparing whether the authentication information comprised in the received message is identical to the calculated authentication information; and
Sending a pre-stored encryption key to the document protection device in the computer.
16. A method for producing a document protection device for a document, comprising the steps of:
Receiving a user ID, an access code and a document access policy for controlling a user's access to the document;
Generating an encryption key for encrypting the document;
Encrypting the document with the generated encryption key to obtain an encrypted document;
Combining the encrypted document with a control module for controlling the user's access to the document, to obtain the document protection device; and
Sending the received user ID and access code and the obtained document protection device to a portable memory apparatus, and sending the received user ID, access code and document access policy and the generated encryption key to another device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101484754A CN101937501A (en) 2009-06-30 2009-06-30 Method and device for protecting files from unauthenticated accesses

Publications (1)

Publication Number Publication Date
CN101937501A true CN101937501A (en) 2011-01-05

Family

ID=43390824

Country Status (1)

Country Link
CN (1) CN101937501A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110105