Background technology
File cloud storage brings great convenience to users and is widely welcomed. Today it is not only individuals who use file cloud storage systems: more and more enterprises and institutions, in particular small and medium-sized ones, are also using file cloud storage systems, including public cloud storage systems.
At present many file cloud storage systems offer a file-sharing function: while uploading a file to the cloud system of the file cloud storage system, the user can specify the users who may use the file, either specific individual users or group users. Most current file cloud storage systems realize secure sharing of files through access control mechanisms. The shortcoming of this technical scheme is that, if the shared file involves personal privacy or corporate secrets, the operation and maintenance (O&M) staff of the cloud storage system can see the content of the shared file, and when the cloud storage system is attacked by hackers the file may be stolen and private information leaked; these are all problems that cloud storage users worry about a great deal. The best solution to this security problem is for the user to encrypt the file before uploading it to the cloud system of the cloud storage system, and to ensure that only authorized users can decrypt the encrypted file. However, encrypting a personal file differs from encrypting a shared file: the latter is more complicated, since it must consider how the encryption key of the shared file is distributed, and under a public cloud storage environment one more factor must be considered: modifying an already deployed cloud storage system in order to realize file encryption, in particular shared-file encryption, is nearly impossible, so a scheme that adds an encryption function for shared files by transforming the file cloud storage system is hard for cloud storage operators to accept. For the problem of encrypting shared files in cloud storage, the applicant proposed, in its patent application "file encryption system towards shared file" (application number 201410151619.2), a shared-file encryption scheme that does not require transforming the file cloud storage system. That scheme combines manual file encryption with automatic file decryption based on a file encryption filter (the file encryption filter is responsible only for decryption): the user encrypts a single file or all files in a file directory manually, manages the individual and group sharing policies of the files (including setting, changing and removing policies), and updates the encryption public keys of encrypted files, and then uploads the encrypted files to the cloud storage system for sharing with authorized users; a user who has downloaded an encrypted shared file from the cloud storage system has it decrypted automatically by the file encryption filter when using it, so the encrypted shared file can be used without changing the user's accustomed way of operating or the processing of the programs. However, the scheme in patent application 201410151619.2 still has the following problems: 1) the user must encrypt files manually; 2) although all files in a file directory can be given individual and group sharing policies and be encrypted manually, if new files are added to the file directory after the policy setting and encryption have been completed, the newly added files again require manual setting of individual and group sharing policies and manual encryption. All of this brings great inconvenience to users.
The present invention, building on the file encryption system of patent application 201410151619.2 and combining it with a transparent file encryption scheme based on a file encryption filter, proposes a shared-file encryption scheme suitable for file cloud storage that does not require the user to encrypt files manually or to set decryption control policies repeatedly.
Content of the invention
The purpose of the present invention is to propose a shared-file encryption system suitable for realizing secure file sharing through a file cloud storage system, so as to overcome the shortcomings of the existing scheme.
To achieve this goal, the technical solution adopted by the present invention is as follows:
A file encryption system oriented to shared secure file directories, comprising a secure file directory, a file encryption filter and a file encryption filter assisting process, wherein:
Secure file directory: a file directory of the computer file system that the user has selected for security protection. The files stored in the secure file directory and in its subordinate file directories are encrypted files generated automatically by the file encryption filter; an encrypted file keeps the same file suffix as the file before encryption, i.e. the file type is unchanged by encryption. The secure file directory and its subordinate file directories have a file decryption control policy that is either set or inherited; the (set or inherited) file decryption control policy of a file directory defines the default decryption control policy and the authorized users of the encrypted files under that directory. If a file directory within the secure file directory (including direct or indirect subordinate directories of the secure file directory) has no file decryption control policy set, it inherits the file decryption control policy of its parent directory; if neither it nor its parent directory has a policy set, the parent directory in turn inherits the policy of its own parent, and so on upward until the policy of a directory that has a file decryption control policy set is inherited.
The file decryption control policy of a file directory comprises a personal decryption control policy for individual users and a group decryption control policy for group users. A personal decryption control policy of a file directory specifies that a specific individual user has the right to decrypt the encrypted files under the file directory that the policy targets or acts on; a group decryption control policy of a file directory specifies that users with a given feature (such as belonging to a certain group or holding a certain role) or satisfying a given condition have the right to decrypt the encrypted files under the file directory that the policy targets or acts on. The individual users permitted by the personal decryption control policy of a file directory to decrypt encrypted files are called the personal authorized users of the file directory and of the encrypted files that the personal decryption control policy targets or acts on; personal authorized users are further divided into management users and ordinary users. A management user is a user who can manage the file decryption control policies of the file directories (including the secure file directory itself) and encrypted files in the secure file directory, and can update the encryption public keys of encrypted files (different file directories may have different management users). The users permitted by the group decryption control policy of a file directory to decrypt encrypted files are called the group authorized users of the file directory and of the encrypted files that the group decryption control policy targets or acts on. The file directory that a file decryption control policy (including the personal and the group decryption control policy) of a file directory targets or acts on is the file directory that set or inherited that policy; the encrypted files that a file decryption control policy of a file directory targets or acts on are the encrypted files stored directly under the file directory that the policy targets or acts on.
When a secure file directory is created it is generated with a default personal decryption control policy for the creating user, which specifies the creating user as a management user of the secure file directory, so that this user has the right to manage the file decryption control policies of the file directories and encrypted files in the secure file directory. When an encrypted file is generated it automatically inherits the file decryption control policy of the file directory it is in; the personal decryption control policy of an encrypted file defines the personal authorized users who can decrypt the encrypted file, including management users and ordinary users, and the group decryption control policy of an encrypted file defines the group authorized users who can decrypt it.
The data of each encrypted file in the secure file directory (including encrypted files in the subordinate directories of the secure file directory) consists of two parts: file data and file decryption control data. The file data of an encrypted file is the original unencrypted file data, corresponding to the encrypted file before encryption, encrypted with a symmetric-key cipher under a randomly generated symmetric key; this randomly generated symmetric key is called the file encryption key. The file decryption control data of an encrypted file is produced from the file decryption control policy of the encrypted file. Corresponding to the personal and group decryption control policies of the encrypted file, the file decryption control data comprises personal decryption control data and group decryption control data. The personal decryption control data contains the file encryption key encrypted with the public key of each personal authorized user of the encrypted file (as defined by each personal decryption control policy of the file): as many copies of the file encryption key, each encrypted with the public key of one personal authorized user, as there are personal authorized users. The group decryption control data contains the file encryption key encrypted with a shared encryption public key together with the group decryption control policy of the encrypted file encrypted with the file encryption key. The shared encryption public key is a common public key used to encrypt the file encryption keys of encrypted files; its corresponding private key is used for file decryption by group authorized users. The file decryption control data of an encrypted file is produced when the encrypted file is generated, and changes after generation when a management user modifies the file decryption control policy.
File encryption filter: a filter-type driver inserted into the driver stack of the computer file system that automatically encrypts and decrypts the files stored in the secure file directory, including the files in its subordinate file directories. When a process (trusted or untrusted) saves an unencrypted file into the secure file directory or one of its subordinate file directories, the file encryption filter automatically encrypts the saved file; when a process opens an unencrypted file in the secure file directory or one of its subordinate file directories, the file encryption filter first converts the unencrypted file into an encrypted file and only then carries out the subsequent operation. When converting an unencrypted file into an encrypted file, the file encryption filter generates the file decryption control data of the encrypted file according to the (set or inherited) file decryption control policy of the file directory the file is in. When a trusted process reads or writes an encrypted file in the secure file directory or its subordinate file directories, the file encryption filter automatically decrypts the data read or encrypts the data written; when an untrusted process reads such an encrypted file, the file encryption filter does not decrypt the file data read by the untrusted process. A trusted process is a program process that is allowed to read the file data of encrypted files in plaintext; an untrusted process is a program process that is not allowed to read the file data of encrypted files in plaintext. Trusted and untrusted processes are determined by the developer of the file encryption system at development time and updated dynamically through online updates, or are set by the user of the file encryption system through manual configuration. When the encrypted files in the secure file directory, including those in its subordinate directories, are uploaded to or synchronized with a file cloud storage system (or a general file storage system) for sharing, the client of the file cloud storage system is set as an untrusted process. The file encryption filter provides a right-click (mouse context) menu for managing the file decryption control policies of the file directories in the secure file directory (including the secure file directory itself) and of encrypted files (including the personal and group decryption control policies of encrypted files), which covers setting, modifying and removing decryption control policies, and for updating the encryption public keys (the public keys of personal authorized users and the shared encryption public key) in the file decryption control data of encrypted files.
File encryption filter assisting process: a program process running in user mode (User Mode, also called the user layer or application layer) of the user's computer operating system, responsible for completing the operations that the file encryption filter cannot complete in system kernel mode (Kernel Mode, or the kernel layer).
When a user uses the right-click menu to manage the decryption control policy of a file directory or encrypted file in the secure file directory, or to update the encryption public keys of an encrypted file, the file encryption filter or the file encryption filter assisting process first determines whether the user is a management user of that file directory or encrypted file; if so, processing continues, otherwise processing is halted.
When a user uses the right-click menu to manage the file decryption control policy of a file directory or encrypted file in the secure file directory, or to update the encryption public keys of an encrypted file, the file encryption filter or the file encryption filter assisting process determines as follows whether the user is a management user of the file directory or encrypted file:
If the object the user operates on through the right-click menu is a file directory, the file encryption filter or the file encryption filter assisting process first obtains the file decryption control policy of that file directory, then checks whether the user's computer holds locally (in its cryptographic module) the private key of a management user targeted by a personal decryption control policy in that file decryption control policy; if so, the user is determined to be a management user of the file directory, otherwise the user is not determined to be a management user of the file directory.
If the object the user operates on through the right-click menu is an encrypted file, the file encryption filter or the file encryption filter assisting process first obtains the personal decryption control data from the file decryption control data of the file, then checks whether the user's computer holds locally (in its cryptographic module) the private key corresponding to a management user's public key with which the file encryption key is encrypted in the personal decryption control data; if so, the user is determined to be a management user of the encrypted file, otherwise the user is not determined to be a management user of the encrypted file.
When file directories and encrypted files are created or generated, the file encryption filter translates the names of the file directories and encrypted files in the secure file directory, including the name of the secure file directory itself, the names of its subordinate file directories and the names of the encrypted files in those directories (the name saved on the storage medium is the translated name); during file I/O operations (such as file enumeration and file open operations) the names are translated back, so that when the file encryption filter is not running normally the directory and encrypted file names seen by the user or by program processes differ from the (original) directory and file names used when the directories and encrypted files were created (for example, they appear as garbled text).
When encrypting an unencrypted file in the secure file directory or in one of its subordinate file directories, the file encryption filter generates the file decryption control data of the encrypted file as follows: obtain the file decryption control policy of the file directory containing the unencrypted file (the policy directly set on the directory or the inherited one), which becomes the file decryption control policy of the encrypted file; encrypt the randomly generated file encryption key separately with the public key of each personal authorized user targeted by each personal decryption control policy in the obtained file decryption control policy, forming the personal decryption control data of the encrypted file; encrypt the randomly generated file encryption key with the shared encryption public key and encrypt the group decryption control policy in the obtained file decryption control policy with the file encryption key, forming the group decryption control data of the encrypted file; merge the personal decryption control data and the group decryption control data into the file decryption control data of the encrypted file, and place it in the encrypted file.
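The policy inheritance rule, the management-user determination described above and the generation of the file decryption control data, as an added example written for this page (it is not the patent's or the applicant's code). Everything in it is an assumption for illustration: the directory tree, the users alice and bob, the function names, and the cryptography, where textbook RSA over fixed Mersenne primes stands in for the page's public-key scheme (IBE) and an unauthenticated SHA-256 keystream stands in for the unspecified symmetric cipher, both chosen only so the block runs with the Python standard library.

```python
import hashlib
import os

E = 65537
# Fixed Mersenne primes: an assumption of this demo so it runs offline with the
# standard library. Textbook RSA over them is NOT secure; it only stands in for
# the page's public-key scheme (IBE) so the key-wrapping structure is visible.
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1


def keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for the demo stand-in scheme."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def wrap(pub, file_key):
    """Encrypt the 16-byte file encryption key with a public key."""
    n, e = pub
    return pow(int.from_bytes(file_key, "big"), e, n)


def unwrap(priv, wrapped):
    """Recover the file encryption key with the matching private key."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")


def stream_xor(key, data):
    """SHA-256 counter keystream XOR: an unauthenticated demo stand-in for the
    symmetric cipher the page leaves unspecified (use AES-GCM in practice)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample: key pairs, and a directory tree whose policies are either
# a dict {"personal": {user: role}, "group": condition} or None (= inherit).
ALICE_PUB, ALICE_PRIV = keypair(P89, P107)
BOB_PUB, BOB_PRIV = keypair(P61, P127)
SHARED_PUB, SHARED_PRIV = keypair(P107, P127)   # the shared encryption key pair
PUBKEYS = {"alice": ALICE_PUB, "bob": BOB_PUB}
POLICIES = {
    "/secure": {"personal": {"alice": "management"}, "group": "role=finance"},
    "/secure/reports": None,   # nothing set here: inherits from /secure
    "/secure/hr": {"personal": {"alice": "management", "bob": "ordinary"},
                   "group": "group=hr"},
}


def effective_policy(policies, path):
    """Inheritance rule: walk up the tree until a directory with a policy set."""
    while policies.get(path) is None:
        parent = path.rsplit("/", 1)[0]
        if not parent or parent == path:
            raise LookupError("no file decryption control policy above " + path)
        path = parent
    return policies[path]


def is_management_user_of_dir(policies, path, local_private_keys):
    """Check for a directory: does the local crypto module hold the private key
    of a management user targeted by the directory's (set or inherited) policy?"""
    personal = effective_policy(policies, path)["personal"]
    return any(role == "management" and user in local_private_keys
               for user, role in personal.items())


def build_control_data(policy, file_key, pubkeys, shared_pub):
    """Generate the file decryption control data of a newly encrypted file."""
    # personal part: one copy of the file key per personal authorized user
    personal = {user: {"pub": pubkeys[user], "ct": wrap(pubkeys[user], file_key)}
                for user in policy["personal"]}
    # group part: file key under the shared key, group policy under the file key
    group = {"pub": shared_pub, "ct": wrap(shared_pub, file_key),
             "policy_ct": stream_xor(file_key, policy["group"].encode())}
    return {"policy": policy, "personal": personal, "group": group}


def is_management_user_of_file(control_data, local_private_keys):
    """Check for a file: a local private key must correspond to the public key of
    a management user under which the file key is wrapped (same modulus here)."""
    for user, role in control_data["policy"]["personal"].items():
        priv = local_private_keys.get(user)
        if role == "management" and priv and priv[0] == control_data["personal"][user]["pub"][0]:
            return True
    return False


def group_policy_for(control_data, shared_priv):
    """What a group authorized user's trusted process recovers: file key, then policy."""
    file_key = unwrap(shared_priv, control_data["group"]["ct"])
    return file_key, stream_xor(file_key, control_data["group"]["policy_ct"]).decode()


if __name__ == "__main__":
    key = os.urandom(16)                                   # the file encryption key
    pol = effective_policy(POLICIES, "/secure/reports")    # inherited from /secure
    cd = build_control_data(pol, key, PUBKEYS, SHARED_PUB)
    print(pol, group_policy_for(cd, SHARED_PRIV)[1])
```

The two management checks differ in what they consult, exactly as the page describes: for a directory only the policy is needed, while for a file the check is against the key material actually present in the file's personal decryption control data, so a stale policy entry without a matching wrapped key does not grant management rights.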
When a user sets or modifies the file decryption control policy of an encrypted file in the secure file directory (or in one of its subordinate file directories) through the right-click menu, the file encryption filter or the file encryption filter assisting process, after determining that the user is a management user of the encrypted file, processes the file decryption control policy set or modified by the management user as follows: use the private key of the current management user performing the setting or modification to decrypt the file encryption key that is encrypted with the current management user's public key in the personal decryption control data of the encrypted file; then encrypt the file encryption key separately with the public key of each personal authorized user (including the current management user) targeted by each personal decryption control policy in the file decryption control policy set or modified by the current management user, forming the personal decryption control data of the encrypted file; encrypt the file encryption key with the shared encryption public key and encrypt the group decryption control policy in the file decryption control policy set or modified by the current management user with the file encryption key, forming the group decryption control data of the encrypted file; merge the personal decryption control data and the group decryption control data into the file decryption control data of the encrypted file, and finally replace the original file decryption control data in the encrypted file with the newly formed file decryption control data.
In the file decryption control policy set or modified by the current management user, the current management user performing the setting or modification is always a management user targeted by a personal decryption control policy in that file decryption control policy.
When a user removes the file decryption control policy of an encrypted file in the secure file directory (or in one of its subordinate file directories) through the right-click menu, the file encryption filter or the file encryption filter assisting process, after determining that the user is a management user of the encrypted file, processes the removal as follows: from the group decryption control data and the personal decryption control data of the encrypted file, remove every copy of the file encryption key encrypted with a public key other than the public key of the management user performing the removal, and remove the group decryption control policy encrypted with the file encryption key.
When a user sets or modifies the file decryption control policy of a file directory in the secure file directory through the right-click menu, the file encryption filter or the file encryption filter assisting process, after determining that the user is a management user of the file directory, processes the file decryption control policy set or modified by the management user as follows: replace the file decryption control policy of the file directory being operated on with the file decryption control policy set or modified by the management user, where, in the policy set or modified by the management user, the management user performing the setting or modification is always a management user targeted by a personal decryption control policy in that policy; then, for each encrypted file that the file decryption control policy being set or modified targets or acts on, process the set or modified policy in the same way as when a management user sets or modifies the file decryption control policy of an encrypted file through the right-click menu.
When a user removes the file decryption control policy of a file directory in the secure file directory through the right-click menu, the file encryption filter or the file encryption filter assisting process, after determining that the user is a management user of the file directory, processes the removal as follows: from the file decryption control policy of the file directory operated on through the right-click menu, remove all file decryption control policies other than the personal decryption control policy targeting the management user performing the removal, including personal decryption control policies and group decryption control policies; then, for each encrypted file that the removed file decryption control policy targets or acts on, process the removal in the same way as when a management user removes the file decryption control policy of an encrypted file through the right-click menu.
When a user performs an encryption public key update on an encrypted file in the secure file directory (or in one of its subordinate file directories) through the right-click menu, the file encryption filter or the file encryption filter assisting process, after determining that the user is a management user of the encrypted file, checks each public key with which the file encryption key is encrypted in the file decryption control data of the encrypted file targeted by the update, including the public keys of the authorized users and the shared encryption public key, and determines whether each checked public key has an updated version; if so, it first decrypts, with the private key of the current management user performing the update, the file encryption key encrypted with the current management user's public key in the personal decryption control data of the encrypted file, then re-encrypts the decrypted file encryption key with the updated public key, and replaces the file encryption key encrypted with the original public key in the file decryption control data of the encrypted file with the re-encrypted file encryption key.
When a user performs an encryption public key update on a file directory in the secure file directory (including the secure file directory itself) through the right-click menu, the file encryption filter or the file encryption filter assisting process, after determining that the user is a management user, performs the public key update for each encrypted file in the file directory being operated on, including the encrypted files in the subordinate file directories of that directory, in the same way as when a management user updates the encryption public keys of an encrypted file through the right-click menu.
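The two operations on an encrypted file's control data that the page describes just above, removal of the policy and the encryption public key update, as an added example written for this page (it is not the patent's or the applicant's code). It assumes constructed key pairs and users (alice as management user, bob as an ordinary authorized user whose key is rotated) and, as before, textbook RSA over fixed Mersenne primes as an insecure stand-in for the page's public-key scheme. The ciphertext of the group policy is carried as an opaque placeholder, because neither operation changes the file encryption key and the update therefore never needs to touch it.

```python
E = 65537
# Fixed Mersenne primes and textbook RSA: an insecure demo stand-in for the page's
# public-key scheme (IBE), assumed here so the example runs with the standard library.
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1


def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def wrap(pub, file_key):
    return pow(int.from_bytes(file_key, "big"), pub[1], pub[0])


def unwrap(priv, wrapped):
    return pow(wrapped, priv[1], priv[0]).to_bytes(16, "big")


# Constructed sample keys: alice manages the file, bob is an ordinary authorized
# user whose key pair is later rotated, SHARED is the shared encryption key pair.
ALICE_PUB, ALICE_PRIV = keypair(P89, P107)
BOB_PUB, BOB_PRIV = keypair(P61, P127)
BOB_NEW_PUB, BOB_NEW_PRIV = keypair(P61, P107)
SHARED_PUB, SHARED_PRIV = keypair(P107, P127)
SHARED_NEW_PUB, SHARED_NEW_PRIV = keypair(P89, P127)


def sample_control_data(file_key):
    """File decryption control data as generated at encryption time; the group
    policy ciphertext is a placeholder because these operations never touch it."""
    return {
        "policy": {"personal": {"alice": "management", "bob": "ordinary"}, "group": "group=hr"},
        "personal": {"alice": {"pub": ALICE_PUB, "ct": wrap(ALICE_PUB, file_key)},
                     "bob": {"pub": BOB_PUB, "ct": wrap(BOB_PUB, file_key)}},
        "group": {"pub": SHARED_PUB, "ct": wrap(SHARED_PUB, file_key),
                  "policy_ct": b"<group policy encrypted under the file key>"},
    }


def is_management_user(cd, user):
    return cd["policy"]["personal"].get(user) == "management"


def recover_file_key(cd, manager, manager_priv):
    """The step shared by set/modify, removal and key update: the management user
    decrypts the copy of the file key wrapped under its own public key."""
    if not is_management_user(cd, manager):
        raise PermissionError(manager + " is not a management user of this file")
    return unwrap(manager_priv, cd["personal"][manager]["ct"])


def clear_policy(cd, manager, manager_priv):
    """Removal: keep only the manager's own wrapped key; drop every other wrapped
    key and the encrypted group policy."""
    recover_file_key(cd, manager, manager_priv)      # enforces the management check
    return {"policy": {"personal": {manager: "management"}, "group": None},
            "personal": {manager: cd["personal"][manager]},
            "group": None}


def update_public_keys(cd, manager, manager_priv, current_pubs, current_shared_pub):
    """Key update: for each public key under which the file key is wrapped, if a
    newer key exists, re-wrap the recovered file key under it and replace the entry."""
    file_key = recover_file_key(cd, manager, manager_priv)
    new = {"policy": cd["policy"], "personal": {}, "group": dict(cd["group"])}
    rewrapped = []
    for user, entry in cd["personal"].items():
        pub = current_pubs[user]
        if pub != entry["pub"]:                       # this user's key was updated
            entry = {"pub": pub, "ct": wrap(pub, file_key)}
            rewrapped.append(user)
        new["personal"][user] = entry
    if current_shared_pub != cd["group"]["pub"]:     # the shared key was updated
        new["group"].update(pub=current_shared_pub, ct=wrap(current_shared_pub, file_key))
        rewrapped.append("shared")
    return new, rewrapped
```

Storing the public key next to each wrapped copy is what makes the "has this key been updated?" check of the page cheap: the update compares stored and current keys and never has to trial-decrypt, and because the file encryption key is unchanged the file data and the encrypted group policy stay exactly as they were.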
As can be seen from the above description, the present invention, through transparent file encryption based on a file encryption filter and the setting of file decryption control policies for the secure file directory and its subordinate file directories, realizes automatic encryption of the shared files in file directories and automatic generation of the decryption control data of encrypted files, avoiding the need for the user to repeatedly encrypt shared files and set policies manually. Furthermore, by translating the names of the file directories and files in the secure file directory, the present invention makes the directory and encrypted file names seen by the user or program processes when the file encryption filter is not running normally differ from the directory and file names used when the directories and encrypted files were created (for example, they appear as garbled text), which reminds the user that the file encryption filter has not started; this avoids the files in the secure file directory being left unencrypted because the file encryption filter failed to start normally, and thus avoids unencrypted files being uploaded to the file cloud storage system. For file cloud storage, by setting the client of the file cloud storage system as an untrusted process, the shared files uploaded to the file cloud storage system are encrypted, and secure sharing among authorized users can be realized.
Embodiments
The invention is further described below with reference to the accompanying drawings and examples.
The system of the present invention can be implemented on the basis of the shared-file encryption scheme in the applicant's other patent application "file encryption system towards shared file" (application number 201410151619.2); many of the implementations are the same as or similar to those in patent application 201410151619.2, or extend them, specifically as follows.
Public-key cryptography: as in patent application 201410151619.2, the public-key cryptography used for encrypted files can be identity-based encryption (Identity Based Encryption, IBE), including the use of extended identities and the implementation of the IBE key service system.
Personal authorized users and group authorized users: the personal authorized users of the present invention correspond to the individual sharing users in patent application 201410151619.2, but here personal authorized users are further divided into management users and ordinary users; the group authorized users of the present invention correspond to the group sharing users in patent application 201410151619.2.
Secure file directory: the secure file directory can be any file directory of the user's computer file system; the user can designate a file directory of the computer file system as the secure file directory through the right-click menu, or cancel a secure file directory that has been set; the relevant configuration information can be stored in the file directory in which the file encryption system program is stored.
File decryption control policy: the group decryption control policy of the present invention corresponds to the group sharing policy in patent application 201410151619.2; the personal decryption control policy of the present invention has no counterpart in patent application 201410151619.2. The format of the personal and group decryption control policies of the present invention can be self-defined (text or XML) or follow a standard specification (such as XACML, eXtensible Access Control Markup Language). The file decryption control policies (personal and group) of each file directory and encrypted file in the secure file directory can be stored centrally or in a scattered way, for example: centrally in a small database on the user's computer; or in a file (a policy file) containing the file decryption control policies of all file directories and encrypted files, stored in the file directory in which the file encryption system program is stored; or in a policy file containing the file decryption control policies of all file directories and encrypted files, stored in the secure file directory (its root); or, for each file directory, in a policy file containing the file decryption control policies of that file directory and of the encrypted files stored directly under it, stored under that file directory (the scattered storage scheme).
If the policy files holding the file decryption control policies are stored centrally in the secure file directory or scattered across the file directories of the secure file directory, the names of the policy files are also translated and the files are saved as hidden files, and the file encryption filter does not return the enumeration information of policy files when handling file enumeration operations. To ensure the security of the file decryption control policies and prevent unauthorized modification, a policy file can be digitally signed with the private key of the management user who (last) set or modified the file decryption control policy.
Encrypted file: the specific embodiment of the encrypted file data (i.e. the composition of the file data) is substantially the same as the embodiment of the encrypted file in patent application 201410151619.2. The personal decryption control data within the file decryption control data of an encrypted file in the present invention corresponds, in patent application 201410151619.2, to the data formed by encrypting the file encryption key with the public key of the personal sharing user in the key data of the encrypted file; the group decryption control data within the file decryption control data of an encrypted file in the present invention corresponds, in patent application 201410151619.2, to the file encryption key encrypted with the shared encryption public key and the group sharing policy encrypted with the file encryption key in the key data of the encrypted file. It should be noted that although the encrypted file contains, directly or indirectly, the data of the personal decryption control policy and the group decryption control policy among the file decryption control policy data of the encrypted file, the file decryption control policy of the encrypted file is still preserved in the policy database or policy file of the secure file directory.
File encryption filter: the file encryption filter may be extended on the basis of the file encryption filter in patent application 201410151619.2, adding the file encryption functions of the present invention.
File encryption filter assisting process: it may be developed using any application development technology suitable for the user's computer. Data exchange between the file encryption filter assisting process and the file encryption filter may use the data exchange mechanism between the kernel layer and the user layer provided by the operating system (such as the kernel-layer-to-user-layer data exchange mechanism provided by Windows).
File name and file directory name conversion: one embodiment of file name and file directory name conversion is to circularly shift the low 7 bits of each byte of the byte string of the name left or right by 1 bit; or to merge the low 7 bits of all bytes of the byte string of the name, circularly shift the merged bits left or right by 1 bit, and then assign the shifted data, 7 bits at a time, back to the corresponding bytes of the byte string of the name; or to apply Base64 encoding directly to the file name and file directory name (this scheme changes the length of the name). Name conversion is performed when a file directory or an encrypted file is created; the inverse conversion (such as the reverse shift or Base64 decoding) is performed when a file I/O operation is carried out. File name and file directory name conversion and its inverse are performed by the file encryption filter.
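The three name conversion variants described above, together with the earlier rule that the name-converted policy file is not returned by the filter during directory enumeration, are worked through below as an added example. This is illustrative code written for this page, not code from the patent or from any product implementing it; the policy file name "policy.xml" and the use of the URL-safe Base64 alphabet (so that '/' never appears inside a path component) are assumptions, and the directory listing is constructed inline.

```python
import base64
from typing import Callable, List

# Constructed name for the per-directory policy file (distributed storage scheme);
# the page does not give the real file name.
POLICY_FILE = b"policy.xml"


def _rotl7(v: int) -> int:
    """Rotate a 7-bit value left by one bit (bit 6 wraps around to bit 0)."""
    return ((v << 1) | (v >> 6)) & 0x7F


def _rotr7(v: int) -> int:
    """Inverse of _rotl7: rotate a 7-bit value right by one bit."""
    return ((v >> 1) | ((v & 1) << 6)) & 0x7F


def per_byte_transform(name: bytes, inverse: bool = False) -> bytes:
    """Variant 1: rotate the low 7 bits of every byte independently; bit 7 is kept."""
    rot = _rotr7 if inverse else _rotl7
    return bytes((b & 0x80) | rot(b & 0x7F) for b in name)


def merged_transform(name: bytes, inverse: bool = False) -> bytes:
    """Variant 2: concatenate the low 7 bits of all bytes into one bit string,
    rotate that whole string by one bit, then hand 7 bits back to each byte."""
    n = len(name)
    if n == 0:
        return b""
    width = 7 * n
    mask = (1 << width) - 1
    stream = 0
    for b in name:  # first byte ends up in the most significant 7 bits
        stream = (stream << 7) | (b & 0x7F)
    if inverse:
        stream = ((stream >> 1) | ((stream & 1) << (width - 1))) & mask
    else:
        stream = ((stream << 1) | (stream >> (width - 1))) & mask
    out = bytearray()
    for i, b in enumerate(name):
        chunk = (stream >> (7 * (n - 1 - i))) & 0x7F
        out.append((b & 0x80) | chunk)  # bit 7 of the original byte is preserved
    return bytes(out)


def base64_transform(name: bytes, inverse: bool = False) -> bytes:
    """Variant 3: Base64 of the whole name; the length of the name changes.
    The URL-safe alphabet is an assumption so '/' cannot appear in a component."""
    if inverse:
        return base64.urlsafe_b64decode(name)
    return base64.urlsafe_b64encode(name)


def visible_listing(stored_names: List[bytes],
                    transform: Callable[..., bytes]) -> List[bytes]:
    """What the filter hands back for a directory enumeration: every stored
    (converted) name is mapped back to its plain form, and the converted
    policy file is left out of the result entirely."""
    hidden_policy = transform(POLICY_FILE)
    return [transform(s, inverse=True)
            for s in stored_names if s != hidden_policy]


if __name__ == "__main__":
    # Constructed on-disk listing of one secure directory under variant 1.
    on_disk = [per_byte_transform(b"report.docx"),
               per_byte_transform(POLICY_FILE)]
    print(visible_listing(on_disk, per_byte_transform))  # [b'report.docx']
```

Variants 1 and 2 differ only in where the wrapped bit lands: variant 1 wraps each byte's own top bit, while variant 2 carries byte i's top bit into byte i-1 (and the last byte's top bit into the first), so the two produce different output as soon as neighbouring bytes have different top bits in their low 7 bits. Neither changes the length of the name, which is why both keep every path component the same size; Base64 does not, and a filter using it has to account for the longer converted name against the file system's name length limits.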
Public key update: the meaning of public key update in the present invention is the same as in patent application 201410151619.2.
Decryption of encrypted files: the embodiment in which a personal authorized user decrypts a shared encrypted file in the present invention is the same as the embodiment in which a personal sharing user decrypts a shared encrypted file in patent application 201410151619.2; the embodiment in which a group authorized user decrypts a shared encrypted file in the present invention is the same as the scheme in which a group sharing user decrypts a shared encrypted file in patent application 201410151619.2, including the file decryption server and identity management system implemented for the group of users in patent application 201410151619.2.
Other aspects of the technical implementation are self-evident to technology developers in the related field.