CN105528553A - A method and a device for secure sharing of data and a terminal - Google Patents

Publication number: CN105528553A
Application number: CN201410521975.9A
Authority: China (CN)
Original language: Chinese (zh)
Inventor: 王永辉
Original and current assignee: China Mobile Communications Group Co Ltd
Legal status: Pending
Classification: Storage Device Security
Abstract

The invention provides a method for secure sharing of data. The method comprises: after receiving a data access request sent by an application program, determining, according to a preset configuration file, that the user and the group to which the application program belongs have permission to access the directory and/or the file to which the data belongs; determining that the application program has mandatory access control permission for the data, where this step and the previous step may be carried out in either order; when it is determined that the application program has decryption permission, decrypting the directory and/or the file to which the data belongs; and the application program accessing the data. The invention also provides a device for secure sharing of data and a terminal.

Description

Method, device and terminal for secure data sharing
Technical field
The present invention relates to data sharing technology in the field of mobile communications, and in particular to a method, device and terminal for secure data sharing.
Background
As intelligent terminals are used more and more in working environments, data security is gradually becoming a very important problem. At present, intelligent terminals protect application data mainly through the security hardening of the application itself, for example by protecting data with file encryption, network connection encryption and similar means.
Take the Android system as an example: enterprise applications are installed alongside personal applications that the user downloads from the network. Access to the data an application produces is controlled and managed only by the standard Dalvik sandbox mechanism of the Android system. Because the Android system itself has security problems, the sandbox mechanism is easily broken, leading to data loss.
At present, in the operating system, the data of personal applications (personal data for short) and the data of enterprise applications (enterprise data for short) are mixed and cannot be clearly distinguished or managed by class. To isolate personal data from enterprise data that needs security protection, the operating system can store the two separately and isolate access to the two stores, achieving complete isolation. This raises a problem: how can applications in the enterprise domain and applications in the personal domain share data securely at the same time?
Summary of the invention
To solve the existing technical problems, embodiments of the present invention provide a method, device and terminal for secure data sharing.
An embodiment of the present invention provides a method for secure data sharing, the method comprising:
after receiving a data access request sent by an application, determining, according to a preset configuration file, that the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs;
determining that the application has mandatory access control permission for the data, where this step and the previous step may be executed in either order;
when it is determined that the application has decryption permission, decrypting the directory and/or file to which the data belongs;
the application accessing the data.
Preferably, before the data access request sent by the application is received, the method further comprises:
in the configuration file, setting different security levels for the different directories and/or files to which data belongs, and setting corresponding security control policies for directories and/or files of different security levels.
Preferably, before the data access request sent by the application is received, the method further comprises:
in the configuration file, setting the number of times a file under the directory to which the data belongs, or the file to which the data belongs, is allowed to be read,
and/or whether a file under the directory to which the data belongs, or the file to which the data belongs, is automatically deleted after being read,
and/or whether to record information about applications that access and/or modify a file under the directory to which the data belongs or the file to which the data belongs.
Preferably, the method further comprises:
after the application accesses the data, according to the settings of the configuration file, deleting the file when a file under the directory to which the data belongs, or the file to which the data belongs, has been read the set number of times,
and/or recording information about applications that access and/or modify a file under the directory to which the data belongs or the file to which the data belongs.
Preferably, before the data access request sent by the application is received, the method further comprises:
in the configuration file, encrypting the directory to which the data belongs, or all files, one file or several files under that directory, or files of certain types under that directory, or the file to which the data belongs, and setting the access permissions of applications to the corresponding files.
Preferably, the method further comprises:
after receiving a data creation or write request sent by the application, determining, according to the preset configuration file, that the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs;
determining that the application has mandatory access control permission for the data, where this step and the previous step may be executed in either order;
reading, from the configuration file, the security level and/or security control policy of the directory and/or file to which the data belongs, and performing the corresponding creation or write operation according to that security level and/or security control policy.
An embodiment of the present invention also provides a device for secure data sharing, the device comprising: an active access control module, a mandatory access control module and an encryption/decryption access control module; wherein,
the active access control module is configured to, after receiving a data access request sent by an application, judge according to a preset configuration file whether the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs;
the mandatory access control module is configured to judge, according to the preset configuration file, whether the application has mandatory access control permission for the data;
the encryption/decryption access control module is configured to, when the judgment results received from both the active access control module and the mandatory access control module are affirmative and it is determined that the application has the decryption function, decrypt the directory and/or file to which the data belongs and allow the application to access the data.
Preferably, the device further comprises a file configuration module, configured to store the configuration file and, in the configuration file, set different security levels for the different directories and/or files to which the data belongs, and set corresponding security control policies for directories and/or files of different security levels.
Preferably, the file configuration module is further configured to set, in the configuration file, the number of times a file under the directory to which the data belongs, or the file to which the data belongs, is allowed to be read,
and/or whether a file under the directory to which the data belongs, or the file to which the data belongs, is automatically deleted after being read,
and/or whether to record information about applications that access and/or modify a file under the directory to which the data belongs or the file to which the data belongs.
Preferably, the encryption/decryption access control module is further configured to, after the application accesses the data, according to the settings of the configuration file, delete the file when a file under the directory to which the data belongs, or the file to which the data belongs, has been read the set number of times,
and/or record information about applications that access and/or modify a file under the directory to which the data belongs or the file to which the data belongs.
Preferably, the file configuration module is further configured to, in the configuration file, encrypt the directory to which the data belongs, or all files, one file or several files under that directory, or files of certain types under that directory, or the file to which the data belongs, and set the access permissions of applications to the corresponding files.
Preferably, the active access control module is further configured to, after receiving a data creation or write request sent by the application, judge according to the preset configuration file whether the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs; accordingly,
the device further comprises a data write module, configured to, when the judgment results received from both the active access control module and the mandatory access control module are affirmative, read from the configuration file the security level and/or security control policy of the directory and/or file to which the data belongs, and perform the corresponding creation or write operation according to that security level and/or security control policy.
An embodiment of the present invention also provides a terminal, the terminal comprising the device for secure data sharing described above.
In the method, device and terminal for secure data sharing provided by the embodiments of the present invention, after a data access request sent by an application is received, it is determined according to a preset configuration file that the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs; it is determined that the application has mandatory access control permission for the data, where this step and the previous step may be executed in either order; when it is determined that the application has decryption permission, the directory and/or file to which the data belongs is decrypted; and the application accesses the data. It can be seen that the embodiments of the present invention do not need to store the data of different applications separately. Instead, all data is divided into different security levels, and multiple layers of access control are applied, according to the configuration file, to the application sending the data access request, so that data remains secure while different applications share it.
Brief description of the drawings
In the drawings (which are not necessarily drawn to scale), similar reference numerals may describe similar parts in different views. Similar reference numerals with different letter suffixes may represent different examples of similar parts. The drawings generally illustrate the embodiments discussed herein by way of example and not limitation.
Fig. 1 is a schematic flow diagram of the implementation of the secure data sharing method according to an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of data creation and writing by an application according to an embodiment of the present invention;
Fig. 3 is a schematic flow diagram of data reading by an application according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the secure data sharing device according to an embodiment of the present invention.
Detailed description of the embodiments
In embodiments of the present invention, after a data access request sent by an application is received, it is determined according to a preset configuration file that the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs; it is determined that the application has mandatory access control permission for the data, where this step and the previous step may be executed in either order; when it is determined that the application has decryption permission, the directory and/or file to which the data belongs is decrypted; and the application accesses the data.
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic flow diagram of the implementation of the secure data sharing method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: receive a data access request sent by an application;
Step 102: judge, according to a preset configuration file, whether the user and group to which the application belongs have permission to access the directory and/or file to which the data belongs;
Here, when the application does not have permission to access the directory and/or file to which the data belongs, that is, when the application is not one of the qualifying users and groups set in the configuration file, the corresponding directory and the files under it, or the corresponding file, are invisible to the application.
In practice, this step can rely on the basic access control mechanism of Linux, which manages the application's permissions when the application accesses data. A specific user and a specific group are added to the system, and that user and group are given permission to access the directory and/or file to which the data belongs.
Step 103: judge, according to the preset configuration file, whether the application has mandatory access control permission for the data;
In practice, this step can rely on the Linux Security Module (LSM) mechanism of the operating system kernel to implement a mandatory access control policy that enforces access control over the visibility and accessibility of data. This mechanism can implement mandatory access control based on the access source and the access target, so that only a specific source, that is, an application, is allowed to access specific target data. For example, the mandatory access control mechanism of SELinux can be used.
To allow application A to read the directory and/or file of data ADATA, the corresponding configuration file content can be as follows:
allow A ADATA:dir read;
allow A ADATA:file write;
Step 104: if both of the above judgment results are affirmative, then, when it is determined that the application has decryption permission, decrypt the directory and/or file to which the data belongs and allow the application to access the data; otherwise, perform step 105;
Here, a file or directory can be shared only when the application's mandatory access control permission and the user and group to which the application belongs all meet the requirements set in the configuration file. At this point, if the file the application wants to access is an encrypted file, the application still needs the corresponding decryption permission set in the configuration file before it can decrypt and use the file.
Likewise, for the process in which an application creates and writes data, the application needs the corresponding encryption permission. These encryption and decryption operations protect the security of data in dynamic use and in flow at the source level.
Step 105: end the data access flow.
Note that there is no strict requirement on the order of step 102 and step 103.
It can be seen that the embodiments of the present invention do not need to store the data of different applications separately. Instead, all data is divided into different security levels, and multiple layers of access control are applied, according to the configuration file, to the application sending the data access request, so that data remains secure while different applications share it.
Preferably, in one embodiment of the present invention, the method further comprises: in the configuration file, setting different security levels for the different directories and/or files to which data belongs, and setting corresponding security control policies for directories and/or files of different security levels, so that data is divided into different security levels. Specifically:
Take the enterprise directory as an example. The enterprise directory is divided into 5 security levels; the sharing mode and the strength of control and management differ between levels. The 5 security levels are:
1. App_only: a directory that only the application (App) itself can access and modify; files stored under this directory can likewise be accessed and modified only by the App itself;
2. Enterprise_only: only applications in the enterprise domain can access files under this directory;
3. Enterprise_for_domain: accessible only to applications of the specified domain it is shared with;
4. Enterprise_for_app: shared only with the specified App;
5. Share_for_all: shared with everyone.
Different security control policies can be formulated for the directories of the above security levels, providing concrete protection for directories and data:
1. Policy under which only the application itself can access: configure an independent user and group for the data the application produces, configure the file with an attribute that only this independent user can access, and configure an independent data MAC control domain for the user.
2. Policy under which the enterprise domain can access the data: configure an independent user and the enterprise-domain group for the data the application produces, configure the file as accessible to the enterprise-domain group, and configure for the data file a MAC control policy under which the enterprise domain can access it.
3. Policy under which the enterprise domain shares with a specific domain: configure an independent user and group access control policy for the data the application produces, configure the file with an attribute that the specific domain can access, and configure for the data file a MAC policy under which the specific domain can access it.
4. Policy under which the enterprise domain shares with a specific application: configure an independent user and group access control policy for the data the application produces, configure the file with an attribute that the specific application can access, and configure for the data file a MAC policy under which the specific application can access it.
5. Policy under which the enterprise domain shares with any application: configure, for the data the application produces, a user and group access control policy under which anyone can access it, configure the file with an attribute that anyone can access, and configure for the data file a MAC policy under which any application can access it.
In practice, the above security levels and security control policies can be set according to the user's needs, so that file attributes and access control are applied to a specific directory, all files under a directory, files of a certain type, specific files and so on, guaranteeing the visibility and accessibility of files in the system.
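The five security levels above can be read as a per-directory decision rule. The following sketch is an added illustration, not code from the patent: the class and function names, the sample directories and the choices that the producing application always keeps access, that the most specific directory rule wins and that a path with no rule is denied are all assumptions made for the example.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class App:
    name: str
    domain: str                      # "enterprise" or "personal"

@dataclass(frozen=True)
class DirRule:
    directory: str
    level: str                       # one of the five levels named in the text
    owner: str                       # application that produced the data
    share_domain: Optional[str] = None   # used by Enterprise_for_domain
    share_app: Optional[str] = None      # used by Enterprise_for_app

def rule_for(rules, path):
    """Return the most specific rule covering path, or None."""
    path = posixpath.normpath(path)  # collapse ".." and "//" before matching
    best = None
    for rule in rules:
        d = rule.directory.rstrip("/")
        # Match on a whole path component so /enterprise does not
        # accidentally cover /enterprise_backup.
        if path == d or path.startswith(d + "/"):
            if best is None or len(d) > len(best.directory.rstrip("/")):
                best = rule
    return best

def may_access(rules, app, path):
    """Apply the level of the governing directory; fail closed."""
    rule = rule_for(rules, path)
    if rule is None:
        return False                 # assumption: unconfigured paths are denied
    if app.name == rule.owner:
        return True                  # assumption: the producer keeps access
    if rule.level == "App_only":
        return False
    if rule.level == "Enterprise_only":
        return app.domain == "enterprise"
    if rule.level == "Enterprise_for_domain":
        return rule.share_domain is not None and app.domain == rule.share_domain
    if rule.level == "Enterprise_for_app":
        return rule.share_app is not None and app.name == rule.share_app
    if rule.level == "Share_for_all":
        return True
    return False                     # unknown level: deny

# Constructed sample configuration (not taken from the patent).
RULES = [
    DirRule("/enterprise", "Enterprise_only", owner="mdm"),
    DirRule("/enterprise/mail", "App_only", owner="mail"),
    DirRule("/enterprise/outbox", "Enterprise_for_domain", owner="mail",
            share_domain="personal"),
    DirRule("/enterprise/handoff", "Enterprise_for_app", owner="mail",
            share_app="viewer"),
    DirRule("/enterprise/public", "Share_for_all", owner="mail"),
]
MAIL = App("mail", "enterprise")
CRM = App("crm", "enterprise")
VIEWER = App("viewer", "personal")
GAME = App("game", "personal")
```

Normalising the path before matching keeps a request such as `/enterprise/outbox/../mail/inbox.db` under the `App_only` rule of the directory it really resolves to.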
Preferably, in one embodiment of the present of invention, the method also comprises: in configuration file, file under catalogue belonging to setting data allows the file belonging to the number of times read or data to allow by the number of times read, and/or the file under catalogue belonging to described data or the file belonging to data read after whether automatically delete, and/or the information of application program the need of record the file under the catalogue belonging to described data or the file belonging to data being conducted interviews and/or revise, in order to subsequent query etc.
In actual applications, how accessed such file arranged on the escape way that can control between enterprise domain and individual territory is, several times accessed, and record access person, and namely the information such as source of application program, is convenient to the process of the safe sharing of log file.
Accordingly, the method also comprises: after application program visit data, according to the setting of configuration file, when file under the catalogue belonging to data or the file belonging to data are read the number of times of setting, by described file erase, and/or the information of application program that record to conduct interviews to the file under the catalogue belonging to described data or the file belonging to data and/or revises.
Preferably, in one embodiment of the present of invention, the method also comprises: in configuration file, the file of some types or the file encryption belonging to data under All Files, a file or several file under catalogue belonging to described data or the catalogue belonging to data or the catalogue belonging to data, and the access rights of application program to described corresponding document are set.
Preferably, in one embodiment of the present of invention, the method also comprises: receive described application program after the data creation sent out or write request, possess the authority of catalogue belonging to visit data and/or file according to the user belonging to configuration file determination application program preset and group; Determine that described application program possesses the forced symmetric centralization authority of data, this step and previous step execution sequence are in no particular order;
Read level of security and/or the safety control strategy of catalogue described in configuration file belonging to data and/or file, perform corresponding establishment or write operation according to described level of security and/or safety control strategy.
Preferably, in one embodiment of the present of invention, the method also comprises: according to the needs of user, upgrade the setting in configuration file.
Concrete, when practical application, the long-range level of security to the catalogue belonging to described data and/or file of management platform by configuration file and safety control strategy, the file under the catalogue belonging to data or the file belonging to data are reset by the number of times read etc. content.Like this, can ensure security when data are shared further, the real-time of data security is stronger.
In addition, because the data of application program comprise: the data etc. produced when the data that application program is downloaded and application program are run, therefore, the embodiment of the present invention can ensure that the data that application program is operationally the generation of described application program according to configuration file arrange level of security, configuration safety control strategy, ensure that data only can be accessed by application program oneself, and/or share to specific territory, application program, all users in a different manner, and/or data only share to the application program in territory, data self place, or the application program of special domain.
The method of the embodiments of the present invention is described below with reference to specific application scenarios.
Fig. 2 is a schematic flow diagram of data creation and writing by an application according to an embodiment of the present invention. As shown in Fig. 2, the flow comprises:
Step 201: receive a data creation or write request;
Step 202: judge whether the user and group to which the application belongs can access the directory and/or file to which the data belongs; if so, perform step 203; otherwise, perform step 207;
Step 203: judge whether the MAC information of the application allows access to the directory and/or file to which the data belongs; if so, perform step 204; otherwise, perform step 207;
Here, the MAC information refers to the security context information of the application, that is, the application's access permission information.
Step 204: read, from the configuration file, the security level and security control policy of the directory and/or file to which the data belongs;
Step 205: perform the corresponding creation or write operation according to the security level and security control policy;
Here, if required, the data being created or written is encrypted.
Step 206: the data creation or write operation ends successfully;
Step 207: the data creation or write operation fails.
Fig. 3 is a schematic flow diagram of data reading by an application according to an embodiment of the present invention. As shown in Fig. 3, the flow comprises:
Step 301: receive a data read request;
Step 302: judge whether the user and group to which the application belongs can access the directory and/or file to which the data belongs; if so, perform step 303; otherwise, perform step 307;
Step 303: judge whether the file under the directory to which the data belongs, or the file to which the data belongs, can be accessed by the application; if so, perform step 304; otherwise, perform step 307;
Step 304: judge whether the MAC information of the application allows access to the directory and/or file to which the data belongs; if so, perform step 305; otherwise, perform step 307;
Here, if the configuration file sets a decryption function for the application, the directory and/or file to which the data belongs must be decrypted at this point, after which step 305 is performed.
Step 305: read the directory and/or file to which the corresponding data belongs;
Step 306: the data read operation ends successfully;
Step 307: the data read operation fails.
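The read flow of Fig. 3, combined with the read-count, automatic deletion and access-record settings described earlier, can be modelled as one function. This is an added sketch, not code from the patent: all names, the status strings, the in-memory store, the reading of step 303 as a per-file application list, the recording of denied attempts and the XOR stand-in for decryption are assumptions made so the example runs offline.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class App:
    name: str
    user: str
    groups: frozenset
    mac_domain: str            # the app's security context ("MAC information")

@dataclass
class Entry:
    content: bytes             # ciphertext when encrypted is True
    user: str
    group: str
    mac_type: str
    allowed_apps: Optional[frozenset] = None   # per-file app list; None = unset
    encrypted: bool = False
    max_reads: Optional[int] = None            # None = unlimited
    audit: bool = False
    reads: int = 0

@dataclass
class Config:
    mac_allow: set             # {(app domain, data type, "read"), ...}
    decrypt_apps: set          # apps granted decryption permission
    audit_log: list = field(default_factory=list)

def toy_xor(blob: bytes) -> bytes:
    """Stand-in cipher so the example runs offline; not real cryptography."""
    return bytes(b ^ 0x5A for b in blob)

def read_file(cfg, store, app, path):
    """Return (status, data); any failed check ends the read (step 307)."""
    entry = store.get(path)

    def finish(status, data=None):
        if entry is not None and entry.audit:
            cfg.audit_log.append((app.name, path, status))
        return status, data

    # Step 302: user/group check. A failing app gets the same answer as for
    # a missing file, matching "invisible to the application".
    if entry is None or not (app.user == entry.user or entry.group in app.groups):
        return finish("not_visible")
    # Step 303: is this file accessible to this application at all?
    if entry.allowed_apps is not None and app.name not in entry.allowed_apps:
        return finish("denied_file_rule")
    # Step 304: mandatory access control on (source, target, operation).
    if (app.mac_domain, entry.mac_type, "read") not in cfg.mac_allow:
        return finish("denied_mac")
    data = entry.content
    if entry.encrypted:        # decryption needs its own permission
        if app.name not in cfg.decrypt_apps:
            return finish("denied_decrypt")
        data = toy_xor(data)
    # Steps 305/306: read succeeds; enforce the configured read count.
    entry.reads += 1
    if entry.max_reads is not None and entry.reads >= entry.max_reads:
        del store[path]        # file is erased once the set count is reached
    return finish("ok", data)

PATH = "/enterprise/report.doc"    # constructed sample path

def demo():
    """Run constructed requests against one encrypted, read-limited file."""
    cfg = Config(mac_allow={("enterprise_app", "enterprise_data", "read")},
                 decrypt_apps={"mail"})
    store = {PATH: Entry(toy_xor(b"Q3 plan"), "u_mail", "g_enterprise",
                         "enterprise_data", encrypted=True, max_reads=2,
                         audit=True)}
    ent = frozenset({"g_enterprise"})
    apps = [App("game", "u_game", frozenset({"g_personal"}), "personal_app"),
            App("sideload", "u_side", ent, "personal_app"),
            App("viewer", "u_viewer", ent, "enterprise_app"),
            App("mail", "u_mail", ent, "enterprise_app")]
    results = [read_file(cfg, store, a, PATH) for a in apps]
    results.append(read_file(cfg, store, apps[-1], PATH))  # second allowed read
    results.append(read_file(cfg, store, apps[-1], PATH))  # file already erased
    return results, cfg.audit_log, store
```

Each request in `demo()` stops at a different layer, which shows why passing the user/group check alone is not enough to obtain plaintext.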
The embodiment of the present invention additionally provides the device that a kind of data security is shared, and as shown in Figure 4, this device comprises: initiatively access control module 41, forced symmetric centralization module 42 and encryption and decryption access control module 43; Wherein,
Described active access control module 41, for receive application program after the data access request sent out, judge the authority of the catalogue whether user belonging to application program and group possess belonging to visit data and/or file according to the configuration file preset;
Here, when described application program does not possess the authority of catalogue belonging to visit data and/or file, that is: described application program be not the satisfactory user that arranges in configuration file and group time, the file under respective directories and catalogue or corresponding document are sightless to this application program.
When practical application, can be dependent on the base access controlling mechanism of Linux, when application program conducts interviews to data, the authority of application programs manages.By being that system increases specific user and particular group, specific user and particular group is made to possess the authority of catalogue belonging to visit data and/or file.
According to the configuration file preset, described forced symmetric centralization module 42, for judging whether described application program possesses the forced symmetric centralization MAC authority of data;
In practical application, mandatory access control can be implemented by relying on the Linux Security Module (LSM) mechanism of the operating system kernel, which enforces access control over the visibility and accessibility of data. This mechanism can implement mandatory access control based on the access source and the access target, so that only a specific source, namely an application program, is allowed to access specific target data.
The encryption and decryption access control module 43 is configured to, when the judgment results received from the active access control module 41 and the mandatory access control module 42 are both yes, and when it is determined that the application program has decryption permission, decrypt the directory and/or file to which the data belongs and allow the application program to access the data.
Here, a file or directory can be shared only when the mandatory access control permission of the application program, and the user and group to which the application program belongs, all meet the requirements set in the configuration file. If the file the application program wants to access is an encrypted file, the application program must still have the corresponding decryption capability set in the configuration file before it can decrypt and use the file; likewise, when an application program creates or writes data, it must have the corresponding encryption capability. These encryption and decryption operations protect, at the source, the security of data in its dynamic and flowing states.
Preferably, in an embodiment of the invention, the device further comprises a file configuration module 44, configured to store the configuration file and, in the configuration file, to set different security levels for the different directories and/or files to which data belongs and to set corresponding security control policies for the directories and/or files of different security levels, so that the data is divided into different security levels.
In actual applications, the security levels and security control policies described above can be set according to the user's needs, so that file attributes and access control are applied to all files under a particular directory, to a directory, to files of a certain type, to a specific file, and so on. This guarantees the visibility and accessibility of files in the system.
Preferably, in an embodiment of the invention, the file configuration module 44 is further configured to set, in the configuration file, the number of times a file under the directory to which the data belongs, or the file to which the data belongs, is allowed to be read,
and/or whether the file under the directory to which the data belongs, or the file to which the data belongs, is automatically deleted after being read,
and/or whether to record information about application programs that access and/or modify the file under the directory to which the data belongs or the file to which the data belongs.
Preferably, in an embodiment of the invention, the encryption and decryption access control module 43 is further configured to, after the application program has accessed the data and according to the settings in the configuration file, delete the file when the file under the directory to which the data belongs, or the file to which the data belongs, has been read the set number of times,
and/or record information about application programs that access and/or modify the file under the directory to which the data belongs or the file to which the data belongs.
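The read path described for modules 41 to 44 can be modelled in a few lines. The following is an added illustration, not code from the patent: the policy keys, paths, users, groups and domain names are hypothetical, the in-memory `store` stands in for the file system, and the XOR routine is only a placeholder for whatever cipher a real implementation would use.

```python
from dataclasses import dataclass, field

KEY = 0x5A  # XOR placeholder for the real cipher; NOT encryption, illustration only

def toy_crypt(data: bytes) -> bytes:
    """Symmetric placeholder transform (applying it twice restores the input)."""
    return bytes(b ^ KEY for b in data)

# Constructed stand-in for the "configuration file". All key names, paths,
# users, groups and domains are hypothetical.
POLICY = {
    "/shared/report": {
        "level": "confidential",
        "users": {"u_finance"}, "groups": {"g_finance"},      # user/group check
        "mac_domains": {"finance_app", "backup_app"},         # sources allowed for this target
        "encrypted": True, "decrypt_domains": {"finance_app"},
        "max_reads": 2, "delete_after_limit": True, "audit": True,
    },
}

@dataclass
class App:
    name: str
    user: str
    group: str
    domain: str

@dataclass
class Gatekeeper:
    policy: dict
    store: dict                      # path -> stored bytes (models the file system)
    reads: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def read(self, app: App, path: str):
        """Return (allowed, reason, data) for a read request."""
        rule = self.policy.get(path)
        if rule is None or path not in self.store:
            return False, "no-policy-or-file", None   # assumption: default deny
        # The user/group check and the mandatory check may run in either
        # order; both must pass before decryption is even considered.
        if app.user not in rule["users"] or app.group not in rule["groups"]:
            return False, "dac", None
        if app.domain not in rule["mac_domains"]:
            return False, "mac", None
        data = self.store[path]
        if rule["encrypted"]:
            if app.domain not in rule["decrypt_domains"]:
                return False, "no-decrypt-permission", None
            data = toy_crypt(data)
        # Only successful reads count toward the configured limit.
        count = self.reads[path] = self.reads.get(path, 0) + 1
        if rule["audit"]:
            self.audit_log.append((app.name, path, "read", count))
        if rule["delete_after_limit"] and count >= rule["max_reads"]:
            del self.store[path]     # file is erased once the limit is reached
        return True, "ok", data
```

The `backup_app` domain passes both access checks but still cannot read the plaintext, which is the case the description singles out: access rights and decryption capability are configured separately.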
Preferably, in an embodiment of the invention, the file configuration module 44 is further configured to set, in the configuration file, encryption of the directory to which the data belongs, or of all files, one file or several files under that directory, or of files of certain types under that directory, or of the file to which the data belongs, and to set the access rights of application programs to the corresponding files.
Preferably, in an embodiment of the invention, the active access control module 41 is further configured to, after receiving a data creation or write request sent by an application program, judge according to the preset configuration file whether the user and group to which the application program belongs have permission to access the directory and/or file to which the data belongs. Accordingly,
as shown in Figure 4, the device further comprises a data writing module 45, configured to, when the judgment results received from the active access control module 41 and the mandatory access control module 42 are both yes, read from the configuration file the security level and/or security control policy of the directory and/or file to which the data belongs, and perform the corresponding creation or write operation according to that security level and/or security control policy.
An embodiment of the present invention further provides a terminal, which comprises the device for secure sharing of data described above.
As can be seen, the embodiments of the present invention do not need to store the data of different application programs separately. Instead, all data is divided into different security levels, and multiple access controls are applied, according to the settings in the configuration file, to the application program that sends a data access request, so that data security is ensured while data is shared between different application programs.
In addition, because the data of an application program includes the data it downloads and the data generated while it runs, the embodiments of the present invention can, according to the configuration file, set a security level and configure a security control policy for the data an application program generates at run time. This ensures that the data can be accessed only by the application program itself, and/or is shared in different ways with a specific domain, specific application programs or all users, and/or is shared only with application programs in the domain where the data itself resides or in a specific domain.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction means, and this instruction means implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (13)

1. A method for secure sharing of data, characterized in that the method comprises:
after receiving a data access request sent by an application program, determining, according to a preset configuration file, that the user and group to which the application program belongs have permission to access the directory and/or file to which the data belongs;
determining that the application program has mandatory access control permission for the data, wherein this step and the previous step may be performed in either order;
when it is determined that the application program has decryption permission, decrypting the directory and/or file to which the data belongs;
the application program accessing the data.
2. The method according to claim 1, characterized in that, before receiving the data access request sent by the application program, the method further comprises:
in the configuration file, setting different security levels for the different directories and/or files to which data belongs, and setting corresponding security control policies for the directories and/or files of different security levels.
3. The method according to claim 1 or 2, characterized in that, before receiving the data access request sent by the application program, the method further comprises:
in the configuration file, setting the number of times a file under the directory to which the data belongs, or the file to which the data belongs, is allowed to be read,
and/or whether the file under the directory to which the data belongs, or the file to which the data belongs, is automatically deleted after being read,
and/or whether to record information about application programs that access and/or modify the file under the directory to which the data belongs or the file to which the data belongs.
4. The method according to claim 3, characterized in that the method further comprises:
after the application program accesses the data, according to the settings in the configuration file, deleting the file when the file under the directory to which the data belongs, or the file to which the data belongs, has been read the set number of times,
and/or recording information about application programs that access and/or modify the file under the directory to which the data belongs or the file to which the data belongs.
5. The method according to claim 1, characterized in that, before receiving the data access request sent by the application program, the method further comprises:
in the configuration file, setting encryption of the directory to which the data belongs, or of all files, one file or several files under that directory, or of files of certain types under that directory, or of the file to which the data belongs, and setting the access rights of application programs to the corresponding files.
6. The method according to claim 2, characterized in that the method further comprises:
after receiving a data creation or write request sent by the application program, determining, according to the preset configuration file, that the user and group to which the application program belongs have permission to access the directory and/or file to which the data belongs;
determining that the application program has mandatory access control permission for the data, wherein this step and the previous step may be performed in either order;
reading from the configuration file the security level and/or security control policy of the directory and/or file to which the data belongs, and performing the corresponding creation or write operation according to that security level and/or security control policy.
7. A device for secure sharing of data, characterized in that the device comprises: an active access control module, a mandatory access control module, and an encryption and decryption access control module; wherein
the active access control module is configured to, after receiving a data access request sent by an application program, judge according to a preset configuration file whether the user and group to which the application program belongs have permission to access the directory and/or file to which the data belongs;
the mandatory access control module is configured to judge, according to the preset configuration file, whether the application program has mandatory access control permission for the data;
the encryption and decryption access control module is configured to, when the judgment results received from the active access control module and the mandatory access control module are both yes, and when it is determined that the application program has the decryption function, decrypt the directory and/or file to which the data belongs and allow the application program to access the data.
8. The device according to claim 7, characterized in that the device further comprises a file configuration module, configured to store the configuration file and, in the configuration file, to set different security levels for the different directories and/or files to which the data belongs and to set corresponding security control policies for the directories and/or files of different security levels.
9. The device according to claim 8, characterized in that the file configuration module is further configured to set, in the configuration file, the number of times a file under the directory to which the data belongs, or the file to which the data belongs, is allowed to be read,
and/or whether the file under the directory to which the data belongs, or the file to which the data belongs, is automatically deleted after being read,
and/or whether to record information about application programs that access and/or modify the file under the directory to which the data belongs or the file to which the data belongs.
10. The device according to claim 9, characterized in that the encryption and decryption access control module is further configured to, after the application program accesses the data and according to the settings in the configuration file, delete the file when the file under the directory to which the data belongs, or the file to which the data belongs, has been read the set number of times,
and/or record information about application programs that access and/or modify the file under the directory to which the data belongs or the file to which the data belongs.
11. The device according to claim 8, 9 or 10, characterized in that the file configuration module is further configured to set, in the configuration file, encryption of the directory to which the data belongs, or of all files, one file or several files under that directory, or of files of certain types under that directory, or of the file to which the data belongs, and to set the access rights of application programs to the corresponding files.
12. The device according to claim 8, characterized in that the active access control module is further configured to, after receiving a data creation or write request sent by an application program, judge according to the preset configuration file whether the user and group to which the application program belongs have permission to access the directory and/or file to which the data belongs; accordingly,
the device further comprises a data writing module, configured to, when the judgment results received from the active access control module and the mandatory access control module are both yes, read from the configuration file the security level and/or security control policy of the directory and/or file to which the data belongs, and perform the corresponding creation or write operation according to that security level and/or security control policy.
13. A terminal, characterized in that the terminal comprises the device for secure sharing of data according to any one of claims 7-12.
CN201410521975.9A 2014-09-30 2014-09-30 A method and a device for secure sharing of data and a terminal Pending CN105528553A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410521975.9A CN105528553A (en) 2014-09-30 2014-09-30 A method and a device for secure sharing of data and a terminal

Publications (1)

Publication Number Publication Date
CN105528553A true CN105528553A (en) 2016-04-27

Family

ID=55770773

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination