CN105701417A - Method for implementing CMS based system for grouped security management of files - Google Patents
Method for implementing CMS based system for grouped security management of files Download PDFInfo
- Publication number
- CN105701417A CN105701417A CN201610022512.7A CN201610022512A CN105701417A CN 105701417 A CN105701417 A CN 105701417A CN 201610022512 A CN201610022512 A CN 201610022512A CN 105701417 A CN105701417 A CN 105701417A
- Authority
- CN
- China
- Prior art keywords
- file
- password
- access
- access group
- group
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The present invention relates to a method for implementing a CMS based system for grouped security management of files. According to the method, accessing persons are divided into a plurality of accessing groups; a CMS security index table is created for files; a security identifier is set for each accessing group, and the accessing group is forbidden to access files with a security identifier and is allowed to access files without a security identifier. An access password and a destruction password are set for each accessing group, wherein the access password is used for entering the access group, and is used for accessing non-confidential files of the accessing group; and the destruction password is used for destructing confidential files in the group. Encryption and decryption are applied to storage and access of confidential files, and a database may also be used for storage. According to the method, a function of locking in case of a wrong password, a function of automatic file destruction in case of a wrong password, a function of an automatic exit in case of no operation, and a function of a manual exit are provided. The method eliminates the defect of that an identity opens all confidential files, is applicable to mobile phone APP/APK design for privacy protection, and is applicable to security design of removable storage products for mobile phones or PCs.
Description
Technical field
The present invention relates to the field of storage of information technology, especially relate to security information file field of storage, what particularly relate to mechanism's confidential information file and individual privacy information file grouping security management system realizes method。
Background technology
File security technology has developed a lot of year, for national structure, army, finance and corporate entity, very early all using, no matter is secrecy technology or security system, all very perfect。But unfortunately, for individual's aspect, even if comparing the western countries paying attention to individual privacy, the protection of individual privacy, at least from technological layer, being also unsatisfactory, can conjure up the whole thing through seeing a part of it from the personal disclosure event emerged in an endless stream。
At present, the storage of personal information, nothing more than two extreme, one is cloud storage pattern, and another is mobile memory module。In cloud storage pattern, owing to cloud is on the internet, it is faced with the attack of global various hacker, and no matter how operator improves secrecy technology, and its result is still that filled with flaws, and case of divulging a secret can be found everywhere。And move memory module, although currently also there being some secrecy technologies using, such as mobile phone power-on cryptographic technique, secrecy USB flash disk technology, secrecy portable hard drive technology etc., although they alleviate the secrecy difficulty of some individual privacies, but after carefully analyzing, find that secrecy technology is still had too many difficulties to cope with, be actually difficult to meet the security requirements of individual privacy。
First, we come analyzing personal privacy and the concrete feature of protection demand:
1, the hazardness of privacy
To be frank, if the hazardness of individual privacy is for society, most situations are less, only dilly, otherwise the unlikely harm whole society。But for he individual oneself, the divulging a secret or have harm of individual privacy, at least everybody is it is not desirable that the privacy of oneself is divulged a secret, and in a lot of situations, is would rather destroy also not reveal。
2, the relative property of privacy
Certain information, file, for oneself, count privacy actually?The need of secrecy?In fact to see individual, see information, see object, see opportunity and see relation。
What is called sees individual, it is simply that the intention of information owner individual, for instance, the living photo of a random shooting, being likely to for star is exactly the privacy of need for confidentiality, because shooting is not best image, perhaps can affect her public image;But for ordinary people, just not having this to worry, just do not include the privacy of need for confidentiality, whether privacy is in fact according further to the subjective intention of information owner individual, and he is artificially maintaining secrecy exactly of secrecy。
What is called sees information, it is simply that the content of information, and known shared thing is not just password, only relates to the information of individual privacy, not ostensible information is only the information of need for confidentiality。
What is called sees object, it is simply that message reference person's object, for instance, the offer sheet of certain salesman, for rival, it is simply that the privacy of need for confidentiality, but for colleague, is just not required to the privacy of secrecy。
What is called sees opportunity, it it is exactly the time period of information privacy, such as certain engineer is made that technological innovation in research and development, writing patent application document, then, these files are before submitting Patent Office to, for colleague, certainly it is the privacy of need for confidentiality, but once after Patent Office successfully accepts, is not just the thing of need for confidentiality。
What is called sees relation, it it is exactly the confidential relationship of message file and visitor, have one to one, one-to-many, multi-to-multi, many-one, it is exactly that an individual demand is only maintained secrecy by a file one to one, one-to-many is exactly that a file needs many individual's secrecy, multi-to-multi is exactly that multiple file needs many individual's secrecy, and many-one is exactly that multiple file needs a people is maintained secrecy。
So, from these factors, we it is seen that, these privacies are relative in fact, we totally unnecessary what all treat as privacy and go to maintain secrecy, everybody is maintained secrecy, whenever all maintain secrecy, what is desired is that " carrying out maintaining secrecy between message file and visitor realization according to individual, information, object, opportunity, confidential relationship " one to one, one-to-many, multi-to-multi, many-one。
3, the emphasis of secret protection
Although message file a multitude of names of individual, we can not go to meet the demand of privacy secrecy by a kind of way comprehensively, but we can select emphasis。According to current development, it will be seen that smart mobile phone, notebook computer and mobile storage covers substantially the overwhelming majority of personal information file, so, this respect is the emphasis of secrecy。
4, the simple and effective property of secret protection
Secret protection, for individual, it is necessary to accomplish simple and effective as much as possible, do not increase the use difficulty of user as far as possible, particularly in current the Internet+epoch, particularly strong tune Consumer's Experience, this point is extremely important。
According to above analysis, it is as follows that we retrieved prior art:
Patent application " the safety moving storage control method for designing of 201310304229.X wireless terminal mandate and encryption and decryption " and " 201310305419.3 with the design method of security U disk of wireless authentication authorization terminal certification and encryption and decryption " are the patents that inventor has obtained invention patent mandate, it provide mobile storage, file security method for designing between USB flash disk and PC and mobile phone, have employed the safe and secret access method that file authorizes one by one, but do not adopt and carry out security management for visitor groupings, mobile phone accesses, still also exist and be not grouped, one identity can access inconvenience and the puzzlement of all files。
Patent application " 200710065060.1 utilize the flash memory device method to file encryption " provides the function realizing file security by the method for encryption and decryption, it is characterized in portable hard drive storing the classified document of different user, different user uses different keys to carry out the file that encryption and decryption is each different, which solves the problem that same storage can store the classified document of different user。Although this method solving the privacy problem allowing access, one-to-many denied access between file and visitor one to one, namely the encryption file of A visitor only has A to be able to access that, and other people cannot access。This does not meet the relative property of privacy described above, does not meet the relation of the one-to-many between file and visitor, multi-to-multi。
Patent application " 201210476802.0 1 kinds of multimedia file encryption methods and device " is the invention of company of Tengxun, it adopts sets up secret photograph album in user mobile phone stores, store the multimedia file of user by encryption and decryption mode, encrypt All Files by an encrypted ones。This mode is also solve the permission accessed one to one between file and visitor, but does not still meet the relative property of privacy described above, does not meet the relation of the one-to-many between file and visitor, multi-to-multi。
Patent application " in 201410768312.7 mobile phones the guard method of personal information " provides cloud mode secrecy, leaves high in the clouds in all or part of for the information in mobile phone, does not preserve information or do not preserve complete information in mobile phone;When user whenever necessary, directly from high in the clouds download;Deposit, downloading process is the process that download was uploaded and deciphered in encryption。This mode does not still meet the relative property of privacy described above, does not meet the relation of the one-to-many between file and visitor, multi-to-multi。Additionally, due to cloud mode is vulnerable to attack, so safety is not good enough。
Additionally, patent application " 201310286194.1 1 kinds of mobile phone two-dimension codes based on Information hiding use method safely ", " methods of 201010002644.6 protection contents of mobile phone ", " 201210010862.3 1 kinds of time slot scramblings based on the data card of file system and system ", " 201310019879.X asymmetrical mobile phone short message encryption ", " 201110441367.3 strengthen smart mobile phone short message, the method of Email and voice communication safety ", " 201010207011.9 1 kinds of deleting short messages (SMS) automaticallies realize method, device and system ", " 201410109868.5 1 kinds of pictures are hidden, acquisition methods and intelligent terminal ", " 201010122316.X method for preventing leakage of lost file of handheld communication terminal ", " in 201410768312.7 mobile phones the guard method of personal information ", " 200410022022.4 1 kinds of mobile phone message security methods ", " 201510150354.9 1 kinds of packet aggregation methods, client and server " it is all solve mobile phone message security problem from different technological innovation angles。This does not meet the relative property of privacy described above, does not meet the relation of the one-to-many between file and visitor, multi-to-multi。
Summary of the invention
The technical problem to be solved is to provide a kind of for above-mentioned prior art to realize method based on CMS file grouping security management system, core innovation is " allowing secrecy technology change oneself CMS:Changemyself ", file for need for confidentiality, for visitor, provide can according to individual, object, opportunity, confidential relationship carries out one to one, maintain secrecy realization one-to-many, multi-to-multi, many-one, meanwhile, easy to operate, intelligent。
This invention address that the technical scheme that the problems referred to above adopt is: a kind of realize method based on CMS file grouping security management system, the method comprises storage, file, access group, accesses password and black designation, by the file in storage according to the needs maintained secrecy, black designation is set up for access group, being called the classified document of this group, access group forbids accessing the classified document of its correspondence;Access group sets up access password, and visitor enters corresponding access group with accessing password, it is allowed to access the unclassified file of this access group。
Preferably, described access group is provided with destruction password, can destroy the whole classified documents belonging to this access group by destroying password。
Preferably, described access group comprises numbering, uses after destroying password, by destruction access group itself;Destroyed content is irrecoverable, and the content of destruction is including at least the content in the title of this access group, numbering, access password, destruction password, the file allocation table content of classified document, file storage area address pointer content, file storage area。
Preferably, the method arranges interface for password input for access group, when Password Input, does not point out the title of access group, and what also do not point out input is access password or destroy password, and the password inputted according to visitor determines be access or destroy corresponding file;Described file comprises all or part of in the chat record in complete computer documents, word, image, video, audio frequency and instant messaging。
Preferably, the behavior of described access file comprise the lookup for the file path of described file, filename, file attribute, file content, file store path and pointer, newly-built, delete, amendment, read, display, storage, sequence。
Preferably, each storage may only set up an one-level access group, and described access group can by naming & numbering, and one-level access group is also called root access group;
From described access group, it is possible to set up several subordinate's access groups, under subordinate's access group, it is also possible to set up several subordinate's access groups again, under each access group, the number of access group at the same level and the number of levels of subordinate's access group do not limit;
Each described access group can set up its exclusive described access password and described destruction password, the access password using higher level's access group can access the whole unclassified file of subordinate's access group, and the password of destroying using higher level's access group will this group of destruction and following whole classified documents;
The higher level of number record access group of described access group, subordinate and relation at the same level, and in same system, numbering has uniqueness;
The access password adopting mistake will be unable to enter access group, cannot access any file。
Preferably, under described access group, do not set up any classified document, only setting up access password, or destroy password, destroying password if used, then destroy all classified documents in storage。
Preferably, described access group has the whole authority of system, comprises:
File arranges maintenance function, including file importing, derivation, black designation editor, described file imports, derivation refers to and from miscellaneous equipment, file is copied to described storage, the derivation of described file refers to and the file in described storage is copied to miscellaneous equipment, described black designation editor refers to all files in described storage, adopt manual mode one by one, or the attribute according to file adopts automatic batch mode, and all other the access group outside root access group is set up described black designation;
Access group arranges maintenance function, including inquiring about, set up, delete, revise and reset access group at different levels and accessing password, destroy password;
Secrecy behavior arranges maintenance function, including bad password locking, trial and error cryptogram destruction, automatically exit from access group, manually exit access group, root access group password is given for change;
The locking of described bad password refers to, when operator enters access group, if having input the password of mistake, re-enter password by not allowing in the locking regular hour, password, the number of times of Password Input and the time span of locking just can be re-entered by being manually set after terminating locking time;
Described trial and error cryptogram destruction refers to, after the number of times of the bad password of input reaches the number of times set, destroys function by automatically proceeding to file, and to destroy the file with black designation, the number of times of described trial and error cryptogram destruction is by being manually set;
The described access group that automatically exits from refers to, after user enters certain access group, if a period of time, operation operation behavior did not occur, then automatically exits from this access group, and closes closed file and file shows, described post-set time is by being manually set;
The described access group that manually exits refers to, arranges a key and exits this access group, and closes closed file and file shows;
Described access group password is given for change and is referred to, access group access password including root and destroy password, can according to root visitor individual selection, in password finding program, by the question and answer set in advance, putd question to by password finding program, answered by visitor, answer correct, then what password was dealt into that root visitor sets in advance by password finding program gives for change in communication, as in mailbox, QQ, wechat, note and webpage, thus giving password for change。
Preferably, the method is provided with secrecy indexed table, wherein record the storage filename of file, store path and black designation, black designation have recorded the access group of this document need for confidentiality all number, after operator enters with some access group password, system, when search file, searches the numbering of this access group in this secrecy indexed table, that finds then forbids access, and the then permission that can not find accesses。
Preferably, all files includes the file being provided with described black designation, its filename, store path, file content and file allocation table adopt encryption storage, deciphering access, on enciphering and deciphering algorithm, comprise DES, 3DES, AES, RC2, RC4, IDEA, RSA, DSA, ECC, BLOWFISH, KPCS, DM5, SHA, SSF33, SSF28, SCB2, SM1, SM2, SM3, SM4 are at interior enciphering and deciphering algorithm。
Preferably, described file adopts database form storage, and database access password identity can be adopted to differentiate in porch in data, and correct database access password allows to access data base, and the database access password of mistake is prohibited from entering data base。
Preferably, described storage, is the part in mobile phone storage, and now root access group can be mobile phone memory block, Logical Disk and one part, it is also possible to be that certain applies the memory area applied for;Described storage, it is possible to being the entirety of mobile storage, now root access group is the entirety of this storage;Described storage, it is possible to being the part in mobile storage, now root access group is this part;Described storage, it is possible to being a Logical Disk of computer disk or electric board, now root access group is this Logical Disk;Described storage, it is possible to be a part for computer disk or electric board, now root access group is this part;Described storage, it is also possible to be the part in the internal memory in computer, mobile phone, PDA, panel computer。
Preferably, described storage and file management system therein, it it is the file system of privately owned CMS mode, do not adopt general file system, do not support FAT, exFAT, NTFS, EXT, HFS, XFS, UFS, ReFS file management standard, outer computer operating system can not directly access, but to be accessed by the software that the design method provides。
Preferably, the design method sets a public storage area in internal storage areas, it adopts general file management system, the file management standard one of can supported in FAT, exFAT, NTFS, EXT, HFS, XFS, UFS, ReFS, it is transparent to outside operating system, after entering access group by the access password of access group, by the described file allowing and accessing, copy to this public territory, for extraneous accessible with application software。
Preferably, the software designed by this method, including at least mobile phone A PP/APK version, PC version, PDA version, panel computer version and server version。
Preferably, the software designed by this method, it is possible to implant including but not limited to floating frame, stationary window in interface for password input, with interactive and display advertisement, help, behavior record, cloud service content, further, it is also possible to support network linking, enter other software system。
Compared with prior art, it is an advantage of the current invention that:
1, realize one to one, one-to-many, multi-to-multi, many-one ground maintains secrecy。
It is capable of realizing between message file and visitor one to one, maintain secrecy one-to-many, multi-to-multi, many-one, and message file and access group arrange flexibly, are suitable for individual and use。
2, password is anti-cracks
Once run into password cracking, automatically into lock program, if the number of times of examination password reaches set point number, will will automatically proceed to the program destroying whole classified documents。
3, password is without back door
The present invention, when password is forgotten, does not stay back door, it is ensured that secrecy puts in place。But support password retrieval function。
4, classified document self-destruction is realized
The present invention has classified document self-destroying function, inputs self-destruction password, it will the access group classified document that auto-destruct is specified。
5, access group is realized automatically, manually exit
Described method for designing has access group exit function automatic, manual, and exits display, thus being conducive to secrecy。
Accompanying drawing explanation
Fig. 1 is that in the embodiment of the present invention, CMS accesses component group structure chart。
Fig. 2 is CMS file security mark concordance list in the embodiment of the present invention。
Fig. 3 is CMS grouping management software module figure in the embodiment of the present invention。
Fig. 4 is CMS master control flow chart in the embodiment of the present invention。
Fig. 5 is CMS overall construction drawing in the embodiment of the present invention。
Wherein:
Root access group 1.1.1
Colleague access group 1.2.1
Rival access group 1.2.2
Online friend access group 1.2.3
Project colleague access group 1.3.1
Other access group 1.3.2 that works together
Filename 2.1
Store path 2.2
Black designation 2.3
Access group 1 numbering 2.4
Access group 2 numbering 2.5
Access group n numbering 2.6
CMS grouping management software top control module 3.1.1
Initialize installation module 3.2.1
System maintaining module 3.2.2
Secure access controls module 3.2.3
File encryption-decryption module 3.2.4
File security configuration module 3.2.5
Auto-destruct module 3.2.6
Other functional module 3.2.7
CMS master control 4.1
Input accesses or destroys password 4.2
Root access group 4.3
Initialized setting system safeguards 4.4
Destroy whole classified document 4.5
Sub-access group 4.6
Destroy sub-access group classified document 4.7
Secure access module 4.8
CMS exits 4.9
Root accesses group access password 4.10
Root access group destroys password 4.11
Non-root access group password 4.12
Code error 4.13
Sub-access group destroys password 4.14
Son accesses group access password 4.15
Code error processes 4.16
Storage and file 5.1
Access group 5.2。
Detailed description of the invention
Below in conjunction with accompanying drawing embodiment, the present invention is described in further detail。
The present invention relates to and a kind of realize method based on CMS file grouping security management system, as shown in Figure 5, this security management system includes storage and access group two large divisions, wherein, in storage, there is all files, wherein comprise the file of some need for confidentiality, such as file 1, file 2 and file n, in access group, comprise root access group, also comprise access group 1, access group 2 and access group n。
Fig. 1 is the packet configuration figure of CMS access group in the present invention。Wherein, 1.1.1 it is root access group, under root access group, it is provided with three second-level access groups, respectively: colleague access group 1.2.1, rival access group 1.2.2, colleague access group 1.2.3, it addition, colleague access group under, it is additionally provided with two three grades of access groups, respectively: project colleague access group 1.3.1 and other colleague access group 1.3.2。As seen from the figure, it stores 4 kinds of information to the data structure of access group, is the group name of this access group, numbering, access password respectively, destroys password。
As in figure 2 it is shown, be CMS file security concordance list in the present invention, its data structure is:
Corresponding CMS file security concordance list set up by file for whole need for confidentiality, wherein, filename according to storage file sets up list item, each list item comprises filename 2.1, store path 2.2 and black designation 2.3, in black designation 2.3, store the numbering of the access group of the concrete need for confidentiality of respective file, for instance access group 1 numbering 2.4, access group 2 numbering 2.5, access group n numbering 2.6。At this point, it should be noted that in black designation, if this document to which access group secrecy, then just need not store the numbering of its access group, only this document needs, to its secrecy, just to need to store the numbering of this access group。
As shown in Figure 3, for in the present invention based on total figure block diagram of CMS file grouping security management system, wherein, design has top control module 3.1.1, Initialize installation module 3.2.1, system maintaining module 3.2.2, secure access to control module 3.2.3, file encryption-decryption module 3.2.4, file security configuration module 3.2.5, auto-destruct module 3.2.6, other functional module 3.2.7。
As shown in Figure 4, for the present invention overview flow chart based on CMS file grouping security management system, wherein, design has CMS master control 4.1, input to access or destroy password 4.2, root access group 4.3, initialized setting system safeguard 4.4, destroy whole classified document 4.5, sub-access group 4.6, destroy sub-access group classified document 4.7, secure access module 4.8, CMS exit 4.9。Workflow is such that CMS master control 4.1 times, accesses or destroys in input in password 4.2, and user inputs password, enters root access group 4.3 password comparison program。This password can be that root accesses group access password 4.10, it is possible to is that root access group destroys password 4.11, it is also possible to be non-root access group password 4.12, i.e. other access group password or bad password。Result of the comparison if root accesses group access password 4.10, then enters initialized setting system and safeguards 4.4, perform initialize and arrange work, be aggregated into secure access module 4.8 after completing;Result of the comparison if root access group destroys password 4.11, then enters and destroys whole classified documents 4.5, to destroy whole classified document, be aggregated into CMS and exit 4.9 after completing;Result of the comparison if non-root access group password 4.12, then enters sub-access group 4.6, carries out sub-access group password and compares。In sub-access group 4.6, result of the comparison if code error 4.13, then enters code error and processes 4.16, be then aggregated into CMS and exit 4.9;Result of the comparison if sub-access group destroys password 4.14, then enters and destroys sub-access group classified document 4.7, destroy whole classified documents of this sub-access group, be then aggregated into CMS and exit 4.9;Result of the comparison if son accesses group access password 4.15, then enters secure access module 4.8, accesses the unclassified all files of this visitor, always exit 4.9 to CMS after terminating。Exit in 4.9 at CMS, it is possible to select to exit CMS system。
According under packet mode as shown in Figure 1, a kind of concrete methods of realizing based on CMS file grouping security management system of the present invention is as follows:
(1), use a SSD storage card as storage medium, wherein have all files, access group, access password and black designation。Its needs according to file security, sets up black designation respectively for access group。It is called the classified document of this access group with the file of black designation, is called the unclassified file of this access group without the file of black designation。Each access group sets up respective access password, and visitor enters corresponding access group with the correct password that accesses, it is allowed to accesses the unclassified file of this access group, but is prohibited from accessing the classified document of its correspondence。If access code error, will be unable to enter access group, any file cannot be accessed。
(2), multiple access groups are set up black designation by described file respectively, it is achieved man-to-man confidential relationship between file and access group, are more in that it can also realize the confidential relationship of one-to-many, many-one, multi-to-multi。
(3), described visitor refer to the concrete individual accessing file, described access group is the set of multiple visitors specifically individual with predicable, and visitor individual and access group here are referred to as access group。
(4), access group destruction password is set, use and destroy password, the whole classified documents belonging to this access group will be destroyed。
(5), use and destroy after password, the whole classified documents belonging to access group itself and this access group will be destroyed。Destroyed content is irrecoverable, and content is including at least the content in the title of this access group, numbering, access password, destruction password, the file allocation table content of classified document, file storage area address pointer content, file storage area。
(6), access group arranges interface for password input, when Password Input, in order to increase secrecy effect, do not point out the title of access group, what also do not point out input is access password or destroy password, and the password inputted according to visitor determines be access or destroy corresponding file。It is whole and a part of that described file comprises in the chat record in complete computer documents, word, image, video, audio frequency and instant messaging。
(7), the behavior of described access file comprise the lookup for the file path of described file, filename, file attribute, file content, file store path and pointer, newly-built, delete, amendment, read, display, storage, sequence。
(8), described access group, specific as follows:
(8.1), set up a root access group and number;
(8.2), from root access group, as it can be seen, set up " co-workers group ", " rival's group " and " friend's group ", and under " co-workers group ", set up " project co-workers group " and " other co-workers group ", set up respective group # simultaneously, access password and destroy password。
(8.3), use the access password of higher level's access group can access the whole unclassified file of subordinate's access group, use the destruction password of higher level's access group will destroy whole classified documents of this access group and following access group;
(8.4), the higher level of number record access group of access group, subordinate and relation at the same level, and in same system, numbering has uniqueness。
(8.5) the access password of mistake, is adopted to will be unable to enter access group, any file cannot be accessed。
(9), do not set up any classified document under root access group, however it is necessary that and set up asked password, setting up destruction password, the entrance of root access group to be also required to use it to access password simultaneously, if using it to destroy password, then destroying all classified documents in all storages。
(10), root access group have the whole authority of system, comprise:
(10.1), file arranges maintenance function, including but not limited to file importing, derivation, black designation editor, file imports, derivation refers to and from miscellaneous equipment, file is copied to described storage, file is derived and is referred to that the file by storage copies to miscellaneous equipment, black designation editor refers to all files in described storage, adopt manual mode one by one, or the attribute according to file adopts automatic batch mode, and all other the access group outside root access group is set up described black designation;
(10.2), access group maintenance function is set, comprise inquiry, set up, delete, revise and reset access group at different levels and access password, destroy password;
(10.3), secrecy behavior maintenance function is set, including bad password locking, trial and error cryptogram destruction, automatically exit from access group, manually exit access group, root access group password is given for change;
(10.3.1), bad password locking refers to, when operator enters access group, if have input the password of mistake, password is re-entered by not allowing in the locking regular hour, password, the number of times of Password Input and the time span of locking just can be re-entered by being manually set after terminating locking time;
(10.3.2), trial and error cryptogram destruction refer to, after the number of times of bad password of input reaches the number of times set, automatically proceeding to file and destroy function, to destroy all files with black designation, the number of times of trial and error cryptogram destruction is by being manually set;
(10.3.3), automatically exiting from access group and refer to, after user enters certain access group, if a period of time, operation behavior did not occur, then automatically exiting from this access group, post-set time is by being manually set;Such as arrange 1 minute and then exit access group without operational motion, and close closed file and file shows, so can realize secrecy。
(10.3.4), manually exit access group to refer to, a key is set and exits this access group, screen arranges an ESC Escape, click this key and then immediately exit from this access group, and close closed file and file shows。;
(10.3.5), root access group password is given for change and is referred to, access group access password including root and destroy password, can according to the selection of root visitor individual, in password finding program, by the question and answer set in advance, password finding program put question to, answered by visitor, answer correct, then password is dealt in the mailbox that root visitor sets in advance by password finding program, thus giving password for change。
(11), system is provided with secrecy indexed table, wherein record the storage filename of file, store path and black designation, black designation have recorded the access group of this document need for confidentiality all number, after operator enters with some access group password, system is when search file, searching the numbering of this access group in this secrecy indexed table, that finds then forbids access, and the then permission that can not find accesses。
(12), the file of all files and black designation, its filename, store path, file content and file allocation table adopt encryption storage, deciphering access, on enciphering and deciphering algorithm, adopt the enciphering and deciphering algorithm of AES。
(13), described file support adopt database form storage, and database access password identity can be adopted to differentiate in porch in data, correct database access password allows to access data base, and the database access password of mistake is prohibited from entering data base。
(14), described storage and file management system therein, be the file system of privately owned CMS mode, outer computer operating system can not directly access, but to be accessed by the software that the design method provides。
(15), this method sets a public storage area in internal storage areas, it adopts general file management system, the file management standard of NTFS can be supported, it is transparent to outside operating system, after entering access group by the access password of access group, by the described file allowing and accessing, copy to this public territory, for extraneous accessible with application software。
(16) software, designed by this method, implants floating frame, stationary window in interface for password input, with interactive and display advertisement, help, behavior record, cloud service content, further, it is also possible to support network linking, enter other software system。
In addition to the implementation, present invention additionally comprises the technical scheme that other embodiments, all employing equivalents or equivalence substitute mode are formed, all should fall within the protection domain of the claims in the present invention。
Claims (16)
1. one kind realizes method based on CMS file grouping security management system, it is characterized in that: the method comprises storage, file, access group, accesses password and black designation, by the file in storage according to the needs maintained secrecy, black designation is set up for access group, being called the classified document of this group, access group forbids accessing the classified document of its correspondence;Access group sets up access password, and visitor enters corresponding access group with accessing password, it is allowed to access the unclassified file of this access group。
2. according to claim 1 a kind of realize method based on CMS file grouping security management system, it is characterised in that: described access group is provided with destruction password, can destroy the whole classified documents belonging to this access group by destroying password。
3. according to claim 2 a kind of realize method based on CMS file grouping security management system, it is characterised in that: described access group comprises numbering, uses after destroying password, by destruction access group itself;Destroyed content is irrecoverable, and the content of destruction is including at least the content in the title of this access group, numbering, access password, destruction password, the file allocation table content of classified document, file storage area address pointer content, file storage area。
4. according to claim 3 a kind of realize method based on CMS file grouping security management system, it is characterized in that, the method arranges interface for password input for access group, when Password Input, do not point out the title of access group, what also do not point out input is access password or destroy password, and the password inputted according to visitor determines be access or destroy corresponding file;Described file comprises all or part of in the chat record in complete computer documents, word, image, video, audio frequency and instant messaging。
5. a kind of according to claim 3 and/or claim 4 realizes method based on CMS file grouping security management system, it is characterized in that, the behavior of described access file comprise the lookup for the file path of described file, filename, file attribute, file content, file store path and pointer, newly-built, delete, amendment, read, display, storage, sequence。
6. according to claim 5 a kind of realize method based on CMS file grouping security management, it is characterised in that: each storage may only set up an one-level access group, and described access group can by naming & numbering, and one-level access group is also called root access group;
From described access group, it is possible to set up several subordinate's access groups, under subordinate's access group, it is also possible to set up several subordinate's access groups again, under each access group, the number of access group at the same level and the number of levels of subordinate's access group do not limit;
Each described access group can set up its exclusive described access password and described destruction password, the access password using higher level's access group can access the whole unclassified file of subordinate's access group, and the password of destroying using higher level's access group will this group of destruction and following whole classified documents;
The higher level of number record access group of described access group, subordinate and relation at the same level, and in same system, numbering has uniqueness;
The access password adopting mistake will be unable to enter access group, cannot access any file。
7. according to claim 6 a kind of realize method based on CMS file grouping security management system, it is characterized in that, any classified document is not set up under described access group, only set up access password, and/or destruction password, destroy password if used, then destroy all classified documents in storage。
8. according to claim 7 a kind of realize method based on CMS file grouping security management system, it is characterised in that described access group has the whole authority of system, comprises:
File arranges maintenance function, including file importing, derivation, black designation editor, described file imports, derivation refers to and from miscellaneous equipment, file is copied to described storage, the derivation of described file refers to and the file in described storage is copied to miscellaneous equipment, described black designation editor refers to all files in described storage, adopt manual mode one by one, or the attribute according to file adopts automatic batch mode, and all other the access group outside root access group is set up described black designation;
Access group arranges maintenance function, including inquiring about, set up, delete, revise and reset access group at different levels and accessing password, destroy password;
Secrecy behavior arranges maintenance function, including bad password locking, trial and error cryptogram destruction, automatically exit from access group, manually exit access group, root access group password is given for change;
The locking of described bad password refers to, when operator enters access group, if having input the password of mistake, re-enter password by not allowing in the locking regular hour, password, the number of times of Password Input and the time span of locking just can be re-entered by being manually set after terminating locking time;
Described trial and error cryptogram destruction refers to, after the number of times of the bad password of input reaches the number of times set, destroys function by automatically proceeding to file, and to destroy the file with black designation, the number of times of described trial and error cryptogram destruction is by being manually set;
The described access group that automatically exits from refers to, after user enters certain access group, if a period of time, operation operation behavior did not occur, then automatically exits from this access group, and closes closed file and file shows, described post-set time is by being manually set;
The described access group that manually exits refers to, arranges a key and exits this access group, and closes closed file and file shows;
Described access group password is given for change and is referred to, access group access password including root and destroy password, can according to root visitor individual selection, in password finding program, by the question and answer set in advance, putd question to by password finding program, answered by visitor, answer correct, then what password was dealt into that root visitor sets in advance by password finding program gives for change in communication, as in mailbox, QQ, wechat, note and webpage, thus giving password for change。
9. according to claim 8 a kind of realize method based on CMS file grouping security management system, it is characterized in that, the method is provided with secrecy indexed table, wherein record the storage filename of file, store path and black designation, black designation have recorded the access group of this document need for confidentiality all number, after operator enters with some access group password, system is when search file, this secrecy indexed table is searched the numbering of this access group, that finds then forbids access, and the then permission that can not find accesses。
10. according to claim 9 a kind of realize method based on CMS file grouping security management system, it is characterized in that, all files includes the file being provided with described black designation, its filename, store path, file content and file allocation table adopt encryption storage, deciphering access, on enciphering and deciphering algorithm, comprise DES, 3DES, AES, RC2, RC4, IDEA, RSA, DSA, ECC, BLOWFISH, KPCS, DM5, SHA, SSF33, SSF28, SCB2, SM1, SM2, SM3, SM4 are at interior enciphering and deciphering algorithm。
A kind of method is realized based on CMS file grouping security management system 11. according to claim 9, it is characterized in that, described file adopts database form storage, and database access password identity can be adopted to differentiate in porch in data, correct database access password allows to access data base, and the database access password of mistake is prohibited from entering data base。
12. a kind of according to claim 9 and/or claim 10 and/or claim 11 realizes method based on CMS file grouping security management system, it is characterized in that, described storage, it it is the part in mobile phone storage, now root access group can be mobile phone memory block, Logical Disk and one part, it is also possible to is that certain applies the memory area applied for;Described storage, it is possible to being the entirety of mobile storage, now root access group is the entirety of this storage;Described storage, it is possible to being the part in mobile storage, now root access group is this part;Described storage, it is possible to being a Logical Disk of computer disk or electric board, now root access group is this Logical Disk;Described storage, it is possible to be a part for computer disk or electric board, now root access group is this part;Described storage, it is also possible to be the part in the internal memory in computer, mobile phone, PDA, panel computer。
A kind of method is realized based on CMS file grouping security management system 13. according to claim 12, it is characterized in that, described storage and file management system therein, it it is the file system of privately owned CMS mode, do not adopt general file system, not supporting FAT, exFAT, NTFS, EXT, HFS, XFS, UFS, ReFS file management standard, outer computer operating system can not directly access, but to be accessed by the software that the design method provides。
A kind of method is realized based on CMS file grouping security management system 14. according to claim 12, it is characterized in that: the design method sets a public storage area in internal storage areas, it adopts general file management system, the file management standard one of can supported in FAT, exFAT, NTFS, EXT, HFS, XFS, UFS, ReFS, it is transparent to outside operating system, after entering access group by the access password of access group, by the described file allowing and accessing, copy to this public territory, for extraneous accessible with application software。
A kind of method is realized based on CMS file grouping security management system 15. according to claim 12, it is characterized in that: the software designed by this method, including at least mobile phone A PP/APK version, PC version, PDA version, panel computer version and server version。
A kind of method is realized based on CMS file grouping security management system 16. according to claim 12, it is characterized in that: the software designed by this method, floating frame, stationary window can be implanted in interface for password input, with interactive and display advertisement, help, behavior record and cloud service content, support network linking simultaneously, enter other software system。
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610022512.7A CN105701417A (en) | 2016-01-13 | 2016-01-13 | Method for implementing CMS based system for grouped security management of files |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610022512.7A CN105701417A (en) | 2016-01-13 | 2016-01-13 | Method for implementing CMS based system for grouped security management of files |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105701417A true CN105701417A (en) | 2016-06-22 |
Family
ID=56227279
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610022512.7A Pending CN105701417A (en) | 2016-01-13 | 2016-01-13 | Method for implementing CMS based system for grouped security management of files |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105701417A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080022090A1 (en) * | 2006-06-20 | 2008-01-24 | Canon Kabushiki Kaisha | Information processing apparatus capable of communicating with external authentication device |
| CN101815128A (en) * | 2010-04-22 | 2010-08-25 | 中兴通讯股份有限公司 | Method and device for destroying terminal data |
| CN102821096A (en) * | 2012-07-17 | 2012-12-12 | 华中科技大学 | Distributed storage system and file sharing method thereof |
| CN103177206A (en) * | 2013-02-21 | 2013-06-26 | 深圳市中兴移动通信有限公司 | Information privacy method and electronic terminal |
| CN104166844A (en) * | 2014-08-13 | 2014-11-26 | 惠州Tcl移动通信有限公司 | Login method and system through human face identification based on mobile terminal |
-
2016
- 2016-01-13 CN CN201610022512.7A patent/CN105701417A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080022090A1 (en) * | 2006-06-20 | 2008-01-24 | Canon Kabushiki Kaisha | Information processing apparatus capable of communicating with external authentication device |
| CN101815128A (en) * | 2010-04-22 | 2010-08-25 | 中兴通讯股份有限公司 | Method and device for destroying terminal data |
| CN102821096A (en) * | 2012-07-17 | 2012-12-12 | 华中科技大学 | Distributed storage system and file sharing method thereof |
| CN103177206A (en) * | 2013-02-21 | 2013-06-26 | 深圳市中兴移动通信有限公司 | Information privacy method and electronic terminal |
| CN104166844A (en) * | 2014-08-13 | 2014-11-26 | 惠州Tcl移动通信有限公司 | Login method and system through human face identification based on mobile terminal |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20170277773A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| US9031876B2 (en) | Managing keys for encrypted shared documents | |
| US20170277774A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| US20070101438A1 (en) | Location-based authentication | |
| WO2017143879A1 (en) | File permission management method and device | |
| CA3020743A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| US20170277775A1 (en) | Systems and methods for secure storage of user information in a user profile | |
| CN106022155A (en) | Method and server for security management in database | |
| US11728975B2 (en) | Systems and methods for selective access to logs | |
| CN103647784A (en) | Public and private isolation method and device | |
| KR20010076222A (en) | Portable terminals, servers, systems, and their program recording mediums | |
| CA3066701A1 (en) | Controlling access to data | |
| US20160171222A1 (en) | Information rights management using discrete data containerization | |
| CN110110550B (en) | Searchable encryption method and system supporting cloud storage | |
| WO2018167328A1 (en) | Data processing apparatus and methods | |
| CN105515959A (en) | Implementation method of CMS technology-based instant messenger security system | |
| US20240073005A1 (en) | Method and system for digital health data encryption | |
| US11595193B2 (en) | Secure data storage for anonymized contact tracing | |
| US20180204017A1 (en) | Systems and methods to convert a data source into a secure container with dynamic rights based on data location | |
| US11853451B2 (en) | Controlled data access | |
| CN105701417A (en) | Method for implementing CMS based system for grouped security management of files | |
| CN115514523A (en) | Data security access system, method, device and medium based on zero trust system | |
| US10970408B2 (en) | Method for securing a digital document | |
| CN106453273A (en) | Cloud technology based information security management system and method | |
| WO2018232021A2 (en) | Systems and methods for secure storage of user information in a user profile |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160622 |
|
| RJ01 | Rejection of invention patent application after publication |