CN108494734B - Safe mobile office method based on SDK - Google Patents


Info

Publication number
CN108494734B
Authority
CN
China
Prior art keywords
app
byoa
file
enterprise
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810148496.5A
Other languages
Chinese (zh)
Other versions
CN108494734A (en
Inventor
吕秋云
俞祥祥
王秋华
祁伊祯
欧阳萧琴
詹佳程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Qiangua Information Technology Co ltd
Original Assignee
Hangzhou Dianzi University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dianzi University
Priority to CN201810148496.5A
Publication of CN108494734A
Application granted
Publication of CN108494734B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a safe mobile office method based on an SDK. By embedding the SDK into an App, the invention allows the user to freely use a third-party App to edit enterprise files securely. The overall architecture and operation flow of S-BYOA are explained first, and then its three main functions are introduced: secure file transmission in S-BYOA, detection by S-BYOA of malicious remote backup of enterprise files, and prevention by S-BYOA of malicious local storage of enterprise files. The invention provides security protection for the most common task, enterprise file editing: it provides an SDK-based enterprise file editing scheme in which a third-party App obtains enterprise files securely without modification of the original enterprise file system, enterprise files are prevented from leaking during editing, and the App is prevented from maliciously storing the files, thereby achieving the aim of safe mobile office.

Description

Safe mobile office method based on SDK
Technical Field
The invention belongs to the technical field of BYOA (Bring Your Own Apps) mobile office, and particularly relates to a safe mobile office method based on an SDK (software development kit) that enables any App to edit enterprise files.
Background Art
In 2014, Earley first proposed the concept of Bring Your Own Apps (BYOA): enterprise employees can browse and edit enterprise files using any application they personally prefer; the user's private information is protected while enterprise data is not leaked, and safe mobile office is realized. Existing BYOA implementations mainly use the following two methods: (1) Establishing a BYOA App store that analyzes and manages App security in a unified way. This method can prevent attacks by malicious Apps, but the analysis is static code analysis; on a dynamic operating system (such as iOS), a malicious App can bypass the static analysis by invoking malicious code through a script at run time. (2) Improving the structure of the App sandbox by dividing it into three parts, namely navigation, storage and setting, so that a malicious App cannot find the local files of a designated App, which effectively protects local enterprise data. In addition, experimental results show that modifying the sandbox structure increases the crash rate of the App.
Disclosure of Invention
The invention aims to provide a safe mobile office method based on an SDK (software development kit) that addresses the defects of the prior art.
BYOA mobile office includes enterprise file editing, employee communication, file sharing, employee management, and the like. By embedding the SDK into an App, the invention allows the user to freely use a third-party App to edit enterprise files securely.
To achieve this purpose, the invention adopts the following technical scheme:
The premise of the specific implementation of the invention is the construction of an S-BYOA framework, which comprises the following components:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee identity authentication and for generating, managing and distributing user keys.
(2) S-BYOA-App: the secure mobile office App installed on the user side, responsible for secure storage of part of the keys, secure browsing of enterprise files, and detection of malicious storage.
(3) S-BYOA-SDK: the secure mobile office SDK embedded in a third-party App, abbreviated below as the SDK for convenience of description; it works with the S-BYOA-App to implement enterprise file monitoring, secure transmission, and detection and deletion of maliciously stored files.
(4) Third-Party-App: a third-party App that integrates the SDK and edits the enterprise file.
(5) Third-party App server: the server that provides the original business of the third-party App; it is unrelated to enterprise files and is hereinafter referred to as the App server.
(6) S-BYOA-Server: the secure mobile office server, which works with the S-BYOA-SDK to detect malicious remote backup of files by the third-party App and notifies the enterprise promptly so that it can respond.
The operation process is as follows: the user selects the enterprise file to be edited in the S-BYOA-App and chooses to edit it with a third-party App. The third-party App obtains the enterprise file from the enterprise server through the S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing. The S-BYOA server detects in real time whether the third-party App maliciously leaks the content of the enterprise file while editing it; if so, the server intercepts the traffic and notifies the enterprise, and if not, the server forwards the normal network data. After the enterprise file has been edited, the S-BYOA-App detects through the S-BYOA-SDK whether the sandbox of the third-party App maliciously stores the enterprise file. While the App edits the enterprise file, the App's network requests are directed to the BS.
A safe mobile office method based on SDK comprises the following steps:
Step 1. Secure file transmission in S-BYOA: the transmitted file is encrypted with AES, and a hash algorithm is used to verify the integrity of the file. The concrete implementation is as follows:
1-1. The employee logs in to the enterprise authentication system through the S-BYOA-App; the S-BYOA requests the PHE user key generation parameters from the E-Server, and the pk and sk corresponding to the employee are generated. When the employee initiates a request to edit a file F, the S-BYOA-App sends the F_id of file F and the employee's UserId to the E-Server;
1-2. The E-Server generates the download link url of file F; to prevent the enterprise file from being maliciously requested repeatedly, the link can be requested only once. It then randomly generates an AES encryption key, key, and encrypts key with the PHE encryption key pk to obtain $key_s$ (Equation 1). Next it applies a hash algorithm to key, $key_s$ and url to obtain $H_{control}$ (Equation 2). Finally the E-Server sends $key_s$, url and $H_{control}$ to the S-BYOA-App;
$key_s = \mathrm{PHE}_{pk}(key)$ (1)
$H_{control} = H(url, key, key_s)$ (2)
1-3. After receiving the data returned by the E-Server, the S-BYOA-App decrypts $key_s$ with the employee's sk to obtain key (Equation 3), and then applies the hash algorithm again to key, $key_s$ and url to verify whether the data was tampered with in transit;
$key = \mathrm{PHE}_{sk}(key_s)$ (3)
1-4. The S-BYOA-App invokes the target Third-Party-App using { Third-Party-App:// key + url }, passing key and url to the SDK;
1-5. The SDK initiates a request to the E-Server to download file F according to url, attaching the Token obtained when the SDK was started. After receiving the request, the E-Server first verifies that the SDK was started normally, then encrypts file F with the key generated in step 1-2 (Equation 4), applies a hash algorithm to file F to obtain $H_F$ (Equation 5), and finally sends $F_S$ and $H_F$ to the SDK;
$F_S = \mathrm{AES}_{key}(F)$ (4)
$H_F = H(F)$ (5)
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to obtain file F, and hashes the decrypted file F again to judge whether the file was tampered with in transit; if the file was tampered with, the SDK jumps to the S-BYOA-App through the URL Scheme mechanism to inform the user that the file is damaged, and the file is requested again;
1-7. After the file is edited, the file upload process is similar to the download process: the SDK randomly generates a key to encrypt the file and sends the encrypted file to the E-Server; after the transmission is finished it deletes the enterprise file in the Third-Party-App and passes the key to the S-BYOA-App through the URL Scheme mechanism { S-BYOA-App:// key }; the S-BYOA-App encrypts the key with the server's public key $E_{pk}$ and then sends the encrypted key to the E-Server;
Step 2. S-BYOA detects malicious remote backup of enterprise files
By combining the SDK with the runtime characteristics of the mobile system, the App's network traffic during enterprise file editing is directed to the S-BYOA server, which detects whether there is leakage; if there is, the enterprise is notified, and otherwise the data is forwarded;
2-1. Through NSURLProtocol, the SDK changes the host address of every network request of the App to the address of the S-BYOA-Server, and attaches the employee userId and the enterprise id, to implement network traffic monitoring;
2-2. The S-BYOA-Server judges whether malicious remote backup exists according to whether the network request data sent by the Third-Party-App to its own server contains non-control information of the Third-Party-App; if non-control information is contained, malicious remote backup is judged to exist;
2-3. If malicious remote backup exists, the corresponding enterprise and employee are located using the userId and the enterprise id;
Step 3. S-BYOA prevents malicious local storage of enterprise files
To counter the threat of an App maliciously storing enterprise files locally, the SDK's sandbox monitoring and management function is used to notify the user, on exit after editing is completed, to delete the enterprise files in the Third-Party-App. The specific implementation is as follows:
3-1. Sandbox file viewing: the S-BYOA-App sends a file viewing request to the Third-Party-App through { Third-Party-App:// search }; the SDK traverses all file information in the App sandbox, splices the file names into a character string, and calls back to the S-BYOA-App interface through { S-BYOA-App:// file name character string }, passing the file name string to the S-BYOA-App at the same time; after receiving the file name string, the S-BYOA-App splits it and displays the file names to the user;
3-2. Deletion: the S-BYOA-App initiates a deletion request to the Third-Party-App through { Third-Party-App:// delete/file name }; on receiving the request, the Third-Party-App splits the file name string to obtain the names of the files to be deleted, and the SDK calls the deletion interface to delete the specified files; after the deletion succeeds, { S-BYOA-App:// success or error } is called to return the deletion result to the S-BYOA-App.
The invention has the following beneficial effects:
The invention studies and analyzes the most prominent security problems in existing Bring Your Own Apps (BYOA) methods and provides a safe mobile office method based on an SDK. By embedding the SDK in the App, the method allows the user to freely use a third-party App to edit enterprise files securely; the enterprise can realize safe mobile office without modifying its original file system or maintaining an App whitelist, so S-BYOA has the advantage of low deployment and maintenance cost.
The safe mobile office provided by the invention mainly protects enterprise files, across the three stages in which the App obtains, edits and locally stores them. The main functions include:
(1) The App obtains enterprise files securely
(2) Detecting whether the App maliciously backs up enterprise files remotely
(3) Detecting whether the App maliciously saves enterprise files locally
The invention provides security protection for the most common task, enterprise file editing: it provides an SDK-based enterprise file editing scheme in which a third-party App obtains enterprise files securely without modification of the original enterprise file system, enterprise files are prevented from leaking during editing, and the App is prevented from maliciously storing the files, thereby achieving the aim of safe mobile office.
Drawings
FIG. 1 is the S-BYOA architecture diagram;
FIG. 2 is the enterprise file transfer flow;
FIG. 3 is the App network traffic security monitoring flow chart;
FIG. 4 is the App sandbox viewing and deletion process.
Detailed Description
To make the technical means, inventive features, purposes and effects of the invention easy to understand, the invention is further described below with reference to the accompanying drawings.
The S-BYOA architecture is shown in FIG. 1. The overall architecture comprises the Enterprise Server (E-Server), the S-BYOA Server (S-BYOA-Server), the secure mobile office auxiliary App (S-BYOA-App), any third-party App (Third-Party-App), the S-BYOA-SDK (SDK) and the third-party App server, with the following specific functions:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee identity authentication and for generating, managing and distributing user keys.
(2) S-BYOA-App: the secure mobile office App installed on the user side, responsible for secure storage of part of the keys, secure browsing of enterprise files, and detection of malicious storage.
(3) S-BYOA-SDK: the secure mobile office SDK embedded in a third-party App, abbreviated below as the SDK for convenience of description; it works with the S-BYOA-App to implement enterprise file monitoring, secure transmission, and detection and deletion of maliciously stored files.
(4) Third-Party-App: a third-party App that integrates the SDK and edits the enterprise file.
(5) Third-party App server: the server that provides the original business of the third-party App; it is unrelated to enterprise files and is hereinafter referred to as the App server.
(6) S-BYOA-Server: the secure mobile office server, which works with the S-BYOA-SDK to detect malicious remote backup of files by the third-party App and notifies the enterprise promptly so that it can respond.
The operation process of the framework is as follows:
The user selects the enterprise file to be edited in the S-BYOA-App and chooses to edit it with a third-party App. The third-party App then obtains the enterprise file from the enterprise server through the S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing. The S-BYOA server detects in real time whether the third-party App maliciously leaks the content of the enterprise file while editing it; if so, the server intercepts the traffic and notifies the enterprise (process IV), and if not, normal network data is forwarded (process IV). After the enterprise file has been edited, the S-BYOA-App detects through the S-BYOA-SDK whether the sandbox of the third-party App maliciously stores the enterprise file. While the App edits the enterprise file, the App's network requests are directed to the BS.
Step 1. Flow of secure file transmission in S-BYOA
As shown in FIG. 2, to ensure that the enterprise file can be transferred securely from the E-Server to the App, the invention encrypts the transmitted file with AES and uses a hash algorithm to verify the integrity of the file.
1-1. The employee logs in to the enterprise authentication system through the S-BYOA-App; the S-BYOA requests the PHE user key generation parameters from the E-Server, and the pk and sk corresponding to the employee are generated. When the employee initiates a request to edit the file F, the S-BYOA-App sends the F_id of file F and the employee's UserId to the E-Server.
1-2. The E-Server generates the download link url of file F; to prevent the enterprise file from being maliciously requested repeatedly, the link can be requested only once. It then randomly generates an AES encryption key, key, and encrypts key with the PHE encryption key pk to obtain $key_s$ (Equation 1). Next it applies a hash algorithm to key, $key_s$ and url to obtain $H_{control}$ (Equation 2). Finally the E-Server sends $key_s$, url and $H_{control}$ to the S-BYOA-App.
$key_s = \mathrm{PHE}_{pk}(key)$ (1)
$H_{control} = H(url, key, key_s)$ (2)
1-3. After receiving the data returned by the E-Server, the S-BYOA-App decrypts $key_s$ with the employee's sk to obtain key (Equation 3), and then applies the hash algorithm again to key, $key_s$ and url to verify whether the data was tampered with in transit.
$key = \mathrm{PHE}_{sk}(key_s)$ (3)
1-4. The S-BYOA-App invokes the target Third-Party-App using { Third-Party-App:// key + url }, and passes key and url to the SDK.
1-5. The SDK initiates a request to the E-Server to download file F according to url, attaching the Token obtained when the SDK was started. After receiving the request, the E-Server first verifies that the SDK was started normally, then encrypts file F with the key generated in step 1-2 (Equation 4), applies a hash algorithm to file F to obtain $H_F$ (Equation 5), and finally sends $F_S$ and $H_F$ to the SDK.
$F_S = \mathrm{AES}_{key}(F)$ (4)
$H_F = H(F)$ (5)
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to obtain file F, and hashes the decrypted file F again to judge whether the file was tampered with in transit. If tampering is found, the SDK jumps to the S-BYOA-App through the URL Scheme mechanism to inform the user that the file is damaged and to re-request the file.
1-7. After the file is edited, the file upload process is similar to the download process: the SDK randomly generates a key to encrypt the file and sends the encrypted file to the E-Server; after the transmission is finished it deletes the enterprise file in the Third-Party-App and passes the key to the S-BYOA-App through the URL Scheme mechanism { S-BYOA-App:// key }; the S-BYOA-App encrypts the key with the server's public key $E_{pk}$ and then sends the encrypted key to the E-Server.
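The exchange of steps 1-2 to 1-6, written out as an added example that is not code from the patent. Assumptions: SHA-256 plays the role of H, the fields of Equation 2 are length-prefixed before hashing, and `stream_xor` is a standard-library stand-in for both AES and PHE; `EServer`, `app_unwrap` and `sdk_open` are hypothetical names.

```python
import hashlib
import hmac
import secrets


def stream_xor(k: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream XOR). It replaces AES_key and
    PHE_pk/PHE_sk only so the example runs on the standard library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(k + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def h_fields(*fields: bytes) -> bytes:
    """H over several fields. Each field is length-prefixed so that two different
    (url, key, key_s) triples can never serialise to the same hash input."""
    h = hashlib.sha256()
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


class EServer:
    def __init__(self, files, user_secret):
        self.files = files              # F_id -> plaintext file F
        self.user_secret = user_secret  # stand-in for the employee's PHE key pair
        self.tokens = set()             # Tokens handed to SDKs at start-up
        self.links = {}                 # url -> (F_id, key); removed on first use

    def start_sdk(self) -> str:
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token

    def issue_link(self, f_id):         # step 1-2
        url = "https://e-server.example/dl/" + secrets.token_urlsafe(16)
        key = secrets.token_bytes(32)
        key_s = stream_xor(self.user_secret, key)               # Equation 1
        self.links[url] = (f_id, key)
        return key_s, url, h_fields(url.encode(), key, key_s)   # Equation 2

    def download(self, url, token):     # step 1-5
        if token not in self.tokens:
            raise PermissionError("SDK token not recognised")
        entry = self.links.pop(url, None)   # the link can be requested only once
        if entry is None:
            raise LookupError("link unknown or already used")
        f_id, key = entry
        f = self.files[f_id]
        return stream_xor(key, f), hashlib.sha256(f).digest()   # Equations 4, 5


def app_unwrap(user_secret, key_s, url, h_control):             # step 1-3
    key = stream_xor(user_secret, key_s)                        # Equation 3
    expected = h_fields(url.encode(), key, key_s)
    if not hmac.compare_digest(expected, h_control):
        raise ValueError("key_s, url or H_control changed in transit")
    return key


def sdk_open(key, f_s, h_f):                                    # step 1-6
    f = stream_xor(key, f_s)
    if not hmac.compare_digest(hashlib.sha256(f).digest(), h_f):
        raise ValueError("file damaged; request it again")
    return f


def demo():
    secret = b"constructed employee secret"                     # constructed input
    server = EServer({"F-001": b"constructed enterprise file"}, secret)
    token = server.start_sdk()
    key_s, url, h_control = server.issue_link("F-001")
    key = app_unwrap(secret, key_s, url, h_control)
    f_s, h_f = server.download(url, token)
    return sdk_open(key, f_s, h_f)


if __name__ == "__main__":
    print(demo())
```

A real deployment would replace `stream_xor` with the AES and PHE implementations the scheme names; the one-time link, Token check and both hash comparisons stay the same.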
Step 2. S-BYOA detects malicious remote backup of enterprise files
As shown in FIG. 3, by combining the SDK with the runtime characteristics of the mobile system, the App's network traffic during enterprise file editing is directed to the S-BYOA server, which detects whether there is leakage; if there is, the enterprise is notified, and otherwise the data is forwarded. Here the App refers to any App capable of editing files, in the state in which it is editing an enterprise file.
2-1. Through NSURLProtocol, the SDK changes the host address of every network request of the App to the address of the S-BYOA-Server, and attaches the employee userId and the enterprise id, to implement network traffic monitoring.
2-2. The S-BYOA-Server judges whether malicious remote backup exists according to whether the network request data sent by the Third-Party-App to its own server contains non-control information of the Third-Party-App (such as large data uploads, file or picture uploads, and the like); if non-control information is contained, malicious remote backup is judged to exist.
2-3. If malicious remote backup exists, the corresponding enterprise and employee are located using the userId and the enterprise id.
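One way the S-BYOA-Server decision of steps 2-2 and 2-3 could look, as an added example that is not code from the patent. The size ceiling, the list of upload content types, the `RedirectedRequest` fields and the sample requests are all assumptions constructed for illustration; the page names only "large data uploads" and "file or picture uploads" as non-control information.

```python
from dataclasses import dataclass

# Assumed policy values (not from the page).
MAX_CONTROL_BODY = 4096     # bytes allowed in a control-only request body
UPLOAD_TYPES = ("multipart/form-data", "application/octet-stream", "image/")
BODY_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class RedirectedRequest:
    """One App request after the SDK rewrote its host to the S-BYOA-Server (2-1)."""
    user_id: str          # employee userId attached by the SDK
    enterprise_id: str    # enterprise id attached by the SDK
    original_host: str    # the App server the request was meant for
    method: str
    content_type: str
    body: bytes


def non_control_reasons(req):
    """Step 2-2: list why a request carries more than control information."""
    reasons = []
    if req.method.upper() not in BODY_METHODS or not req.body:
        return reasons
    ctype = req.content_type.lower().strip()
    if len(req.body) > MAX_CONTROL_BODY:
        reasons.append("body of %d bytes exceeds %d" % (len(req.body), MAX_CONTROL_BODY))
    if ctype.startswith(UPLOAD_TYPES):
        reasons.append("upload content type " + ctype.split(";")[0])
    if b'filename="' in req.body:
        reasons.append("multipart part with a filename")
    return reasons


def handle(req, forward, notify):
    """Steps 2-2 and 2-3: intercept and notify the enterprise, or forward the data."""
    reasons = non_control_reasons(req)
    if reasons:
        # userId and enterprise id locate the employee and the enterprise (2-3).
        notify({"enterprise_id": req.enterprise_id, "user_id": req.user_id,
                "host": req.original_host, "reasons": reasons})
        return "intercepted"
    forward(req)
    return "forwarded"


# Constructed sample traffic.
SAMPLES = [
    RedirectedRequest("u-1001", "e-77", "api.editor.example", "POST",
                      "application/json", b'{"cursor": 17}'),
    RedirectedRequest("u-1001", "e-77", "api.editor.example", "POST",
                      "multipart/form-data; boundary=xyz",
                      b'--xyz\r\nContent-Disposition: form-data; name="f"; '
                      b'filename="plan.docx"\r\n\r\nconstructed bytes\r\n--xyz--\r\n'),
    RedirectedRequest("u-2002", "e-77", "sync.editor.example", "PUT",
                      "application/json", b"a" * 6000),
    RedirectedRequest("u-2002", "e-77", "api.editor.example", "GET", "", b""),
]


def run_samples():
    forwarded, alerts = [], []
    decisions = [handle(r, forwarded.append, alerts.append) for r in SAMPLES]
    return decisions, forwarded, alerts


if __name__ == "__main__":
    for decision, sample in zip(run_samples()[0], SAMPLES):
        print(decision, sample.method, sample.original_host)
```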
Step 3. S-BYOA prevents malicious local storage of enterprise files
As shown in FIG. 4, to counter the threat of an App maliciously saving enterprise files locally, the SDK's sandbox monitoring and management function is used to notify the user, on exit after completion, to delete the enterprise files in the Third-Party-App. The specific flow is as follows:
3-1. Sandbox file viewing: the S-BYOA-App sends a file viewing request to the Third-Party-App through { Third-Party-App:// search }; the SDK traverses all file information in the App sandbox, splices the file names into a character string, and calls back to the S-BYOA-App interface through { S-BYOA-App:// file name character string }, passing the file name string to the S-BYOA-App at the same time. After receiving the file name string, the S-BYOA-App splits it and displays the file names to the user. Here the App refers to any App capable of editing files.
The file names are spliced into a character string as follows:
the file names are joined using a special symbol as the identification mark, for example: file name A, file name B and file name C are spliced with the special symbol between them.
The file name string is split as follows: the string is divided using the special symbol from the splicing as the identification mark, for example: file name A, file name B and file name C are obtained by dividing on "".
3-2. Deletion: the S-BYOA-App initiates a deletion request to the Third-Party-App through { Third-Party-App:// delete/file name }; on receiving the request, the Third-Party-App splits the file name string to obtain the names of the files to be deleted, and the SDK calls the deletion interface to delete the specified files; after the deletion succeeds, { S-BYOA-App:// success or error } is called to return the deletion result to the S-BYOA-App.
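The splice, split and delete round trip of steps 3-1 and 3-2, as an added example that is not code from the patent. Assumptions: the delimiter is `|` (the page's own special symbol is not recoverable), each name is percent-encoded before splicing so a name containing the delimiter survives the split, and the delete handler refuses any name that resolves outside the sandbox; all function names are hypothetical.

```python
import tempfile
from pathlib import Path
from urllib.parse import quote, unquote, urlsplit

SEP = "|"                        # assumed delimiter, see the lead-in
APP_SCHEME = "s-byoa-app"        # lower-case forms of the page's URL schemes
SDK_SCHEME = "third-party-app"


def splice(names):
    """Join file names; encoding each one keeps SEP, '/' and '%' out of the data."""
    return SEP.join(quote(n, safe="") for n in names)


def split_names(joined):
    return [unquote(part) for part in joined.split(SEP)] if joined else []


def sandbox_listing_url(root):
    """Step 3-1, SDK side: traverse the sandbox and build the callback URL."""
    root = Path(root)
    names = sorted(p.relative_to(root).as_posix()
                   for p in root.rglob("*") if p.is_file())
    return "%s://%s" % (APP_SCHEME, splice(names))


def names_from_listing(url):
    """Step 3-1, S-BYOA-App side: recover the individual names for display."""
    scheme, _, joined = url.partition("://")
    if scheme.lower() != APP_SCHEME:
        raise ValueError("unexpected scheme")
    return split_names(joined)


def delete_request_url(names):
    """Step 3-2, S-BYOA-App side."""
    return "%s://delete/%s" % (SDK_SCHEME, splice(names))


def handle_delete(url, root):
    """Step 3-2, SDK side: delete only files that resolve inside the sandbox.
    Every name is validated before anything is removed."""
    error = APP_SCHEME + "://error"
    parts = urlsplit(url)
    if parts.scheme != SDK_SCHEME or parts.netloc != "delete":
        return error
    root = Path(root).resolve()
    targets = []
    for name in split_names(parts.path[1:]):
        target = (root / name).resolve()      # follows '..' and symlinks
        if root not in target.parents or not target.is_file():
            return error
        targets.append(target)
    if not targets:
        return error
    for target in targets:
        target.unlink()
    return APP_SCHEME + "://success"


def demo():
    """Constructed sandbox: one name contains the delimiter itself."""
    with tempfile.TemporaryDirectory() as tmp:
        box = Path(tmp) / "sandbox"
        box.mkdir()
        for name in ("report.docx", "a|b.txt"):
            (box / name).write_bytes(b"constructed")
        listed = names_from_listing(sandbox_listing_url(box))
        result = handle_delete(delete_request_url(listed), box)
        return listed, result, sorted(p.name for p in box.iterdir())


if __name__ == "__main__":
    print(demo())
```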
S-BYOA parameter comparison table.
Figure 1

Claims (2)

1. A safe mobile office method based on SDK is characterized by comprising the following steps:
step 1. secure file transmission in S-BYOA: encrypting the transmission file by using AES, and verifying the integrity of the file by adopting a Hash algorithm; the concrete implementation is as follows:
1-1. The employee logs in to the enterprise authentication system through the S-BYOA-App; the S-BYOA requests the parameters for generating the PHE from the E-Server, and the pk and sk corresponding to the employee are generated. When the employee initiates a request to edit a file F, the S-BYOA-App sends the F_id of the file F and the employee's UserId to the E-Server;
1-2. The E-Server generates the download link url of the file F; to prevent the enterprise file from being maliciously and repeatedly requested, the link can be requested only once. A key for AES encryption is then randomly generated and encrypted with the PHE encryption key pk to obtain key_s; then key, key_s and url are hashed once using formula 2 to obtain H_control. Finally, the E-Server sends key_s, url and H_control to the S-BYOA-App;
$$key_s = PHE_{pk}(key) \tag{1}$$
$$H_{control} = H(url, key, key_s) \tag{2}$$
1-3. After the S-BYOA-App receives the data returned by the E-Server, it decrypts with the employee's sk using formula 3 to obtain key, and then performs the Hash algorithm again on key, key_s and url to verify whether the data was tampered with during transmission;
$$key = PHE_{sk}(key_s) \tag{3}$$
1-4. The S-BYOA-App uses {Third-Party-App://key+url} to call up the target Third-Party-App and passes key and url to the SDK;
1-5. The SDK initiates a request to the E-Server to download the file F according to url, attaching the Token obtained when the SDK was started. After receiving the request, the E-Server first verifies whether the SDK was started normally, then encrypts the file F with the key generated in step 1-2 using formula 4, then hashes the file F using formula 5 to obtain H_F, and finally sends F_S and H_F to the SDK;
$$F_S = AES_{key}(F) \tag{4}$$
$$H_F = H(F) \tag{5}$$
1-6. After receiving F_S, the SDK decrypts it with the key obtained in step 1-3 to obtain the file F, and hashes the decrypted file F again to judge whether the file was tampered with during transmission; if tampering is found, the SDK jumps to the S-BYOA-App through the URL Scheme mechanism, informs the user that the file is damaged, and the file is requested again;
1-7. After the file is edited, the file upload process is as follows: the SDK randomly generates a key to encrypt the file, sends the encrypted file to the E-Server, deletes the enterprise file in the Third-Party-App after the transmission is complete, and passes the key to the S-BYOA-App through the URL Scheme mechanism {S-BYOA-App://key}; the S-BYOA-App encrypts the key with the Server's public key E_pk and then sends the encrypted key to the E-Server;
Step 2. S-BYOA detects malicious remote backup of enterprise files
By combining the SDK with the runtime characteristics of the mobile system, the App's network traffic during enterprise file editing is directed to the S-BYOA server, which detects whether leakage exists; if leakage exists, the enterprise is informed, and otherwise the data is forwarded;
2-1. The SDK modifies the host address of every network request of the App to the address of the S-BYOA-Server through NSURLProtocol, and attaches the employee's UserId and the enterprise id, to realize network traffic monitoring;
2-2. The S-BYOA-Server judges whether malicious remote backup exists according to whether the network request data sent by the Third-Party-App to the S-BYOA-Server contains non-control information of the Third-Party-App; if non-control information is contained, malicious remote backup is judged to exist;
2-3. If malicious remote backup exists, the corresponding enterprise and employee are located using the UserId and the enterprise id;
Step 3. S-BYOA prevents malicious local storage of enterprise files
To prevent the threat of an App maliciously storing enterprise files locally, the SDK monitors and manages the sandbox, and when the user exits after editing is completed, the user is informed to delete the enterprise files in the Third-Party-App. This is specifically realized as follows:
3-1. Sandbox file viewing: the S-BYOA-App sends a file viewing request to the Third-Party-App through {Third-Party-App://search}; the SDK traverses all file information in the Third-Party-App sandbox, splices the file names into a character string, and calls back to the S-BYOA-App interface through {S-BYOA-App://file name character string}, passing the file name character string to the S-BYOA-App at the same time; after receiving the file name character string, the S-BYOA-App segments it and displays it to the user;
3-2. Deleting: the S-BYOA-App initiates a deletion request to the Third-Party-App through {Third-Party-App://delete/file name}; the Third-Party-App receives the deletion request and segments the file name character string to obtain the name of the file to be deleted; the SDK calls the deletion interface to delete the specified file, and after the deletion, {S-BYOA-App://success or error} is called to return the deletion result to the S-BYOA-App;
the method is based on an S-BYOA framework, which comprises an enterprise server (E-Server), an S-BYOA server (S-BYOA-Server), a secure mobile office auxiliary App (S-BYOA-App), any third-party App (Third-Party-App), the S-BYOA-SDK (SDK), and a third-party App server:
(1) E-Server: the enterprise's own server, used for managing and storing files, and responsible for employee identity authentication and for generating, managing and distributing user keys;
(2) S-BYOA-App: the mobile secure office App installed on the user side, responsible for secure storage of partial keys, secure browsing of enterprise files, and malicious storage detection;
(3) S-BYOA-SDK: the secure mobile office SDK embedded in the third-party App, which cooperates with the S-BYOA-App to implement enterprise file monitoring, secure transmission, and malicious storage detection and deletion;
(4) Third-Party-App: a third-party App that integrates the SDK and is used to edit enterprise files;
(5) third-party App server: the server that provides the original service of the third-party App;
(6) S-BYOA-Server: the secure mobile office server, which works with the S-BYOA-SDK to detect malicious remote backup of files by the third-party App and promptly notifies the enterprise to handle it.
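Steps 1-2 and 1-3 (formulas 1 to 3) as a runnable sketch, added here as an illustration and not taken from the patent. It assumes Paillier as the PHE scheme, SHA-256 as H, a length-prefixed field encoding, and a constructed demo key pair and download URL.

```python
import hashlib, hmac, secrets

# Constructed demo PHE key pair (Paillier): two Mersenne primes, not a secure choice.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                                  # pk
N2, PHI = N * N, (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)                       # sk is (PHI, MU)
CT_LEN = (N2.bit_length() + 7) // 8        # fixed byte length of a ciphertext

def phe_encrypt(m: int) -> int:
    """Formula 1: key_s = PHE_pk(key), Paillier with g = N + 1."""
    r = secrets.randbelow(N - 2) + 2       # fresh blinding factor per call
    return (1 + m * N) * pow(r, N, N2) % N2

def phe_decrypt(c: int) -> int:
    """Formula 3: key = PHE_sk(key_s)."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def h_control(url: str, key: bytes, key_s: int) -> bytes:
    """Formula 2: H(url, key, key_s). Fields are length-prefixed (a choice made
    for this example) so bytes cannot slide from one field into the next."""
    h = hashlib.sha256()
    for field in (url.encode(), key, key_s.to_bytes(CT_LEN, "big")):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def e_server_respond(f_id: str):
    """Step 1-2: returns the message for the S-BYOA-App and the key the server keeps."""
    url = f"https://e-server.example/f/{f_id}?once={secrets.token_hex(8)}"  # hypothetical
    key = secrets.token_bytes(16)          # AES-128 key for this download
    key_s = phe_encrypt(int.from_bytes(key, "big"))
    return {"key_s": key_s, "url": url, "h_control": h_control(url, key, key_s)}, key

def app_receive(msg: dict) -> bytes:
    """Step 1-3: decrypt key_s, recompute H_control, reject any mismatch."""
    if not 0 < msg["key_s"] < N2:
        raise ValueError("key_s out of range")
    m = phe_decrypt(msg["key_s"])
    if m >> 128:
        raise ValueError("key_s does not decrypt to a 128-bit key")
    key = m.to_bytes(16, "big")
    if not hmac.compare_digest(h_control(msg["url"], key, msg["key_s"]), msg["h_control"]):
        raise ValueError("H_control mismatch: response altered in transit")
    return key

if __name__ == "__main__":
    msg, server_key = e_server_respond("F-001")   # constructed file id
    assert app_receive(msg) == server_key
```

Because key itself is one of the hashed inputs, a party that sees only key_s, url and H_control cannot recompute H_control for a modified url; the check fails on any change to either transmitted field.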
2. The secure mobile office method based on SDK according to claim 1, wherein the S-BYOA architecture operates as follows:
the user selects an enterprise file to be edited in the S-BYOA-App and chooses to edit it with a third-party App; the third-party App obtains the enterprise file from the enterprise server through the S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing; the S-BYOA server detects in real time whether the content of the enterprise file is maliciously leaked while the third-party App edits it; if so, the third party App intercepts and informs the enterprise, and if not, normal network data is forwarded; after the enterprise file is edited, the S-BYOA-App detects, through the S-BYOA-SDK, whether the sandbox of the third-party App maliciously stores the enterprise file; and when the third-party App edits the enterprise file, the third party App is responsible for directing the network requests of the third-party App to the BS.
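The sandbox listing and deletion calls of steps 3-1 and 3-2, as an added sketch that is not part of the patent text. The lowercase scheme names, the comma delimiter, the percent-encoding of file names and the confinement check on the delete path are assumptions of this example; the claims only say that names are spliced, segmented and deleted.

```python
import os
from urllib.parse import quote, unquote, urlsplit

APP = "s-byoa-app://"            # callback scheme of the S-BYOA-App
SDK = "third-party-app://"       # scheme handled by the SDK in the Third-Party-App

def sdk_list(sandbox: str) -> str:
    """Step 3-1, SDK side: splice all sandbox file names into one callback URL."""
    names = sorted(os.listdir(sandbox))
    # Percent-encode each name so a comma inside a name cannot split it in two.
    return APP + ",".join(quote(n, safe="") for n in names)

def app_split(callback: str) -> list:
    """Step 3-1, S-BYOA-App side: segment the string back into file names."""
    body = callback[len(APP):]
    return [unquote(p) for p in body.split(",")] if body else []

def app_delete_url(name: str) -> str:
    """Step 3-2, S-BYOA-App side: build the deletion request for one file."""
    return SDK + "delete/" + quote(name, safe="")

def sdk_delete(url: str, sandbox: str) -> str:
    """Step 3-2, SDK side: delete one named file, confined to the sandbox."""
    parts = urlsplit(url)
    name = unquote(parts.path.lstrip("/"))
    root = os.path.realpath(sandbox)
    target = os.path.realpath(os.path.join(root, name))
    ok = (parts.scheme == "third-party-app" and parts.netloc == "delete"
          and name not in ("", ".", "..")
          and os.path.dirname(target) == root    # rejects ../, subpaths, symlinks out
          and os.path.isfile(target))
    if ok:
        os.remove(target)
    return APP + ("success" if ok else "error")
```

The file name arrives from another app over a URL scheme, so the SDK treats it as untrusted input and resolves it before comparing it against the sandbox root.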
CN201810148496.5A 2018-02-13 2018-02-13 Safe mobile office method based on SDK Active CN108494734B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810148496.5A CN108494734B (en) 2018-02-13 2018-02-13 Safe mobile office method based on SDK

Publications (2)

Publication Number Publication Date
CN108494734A CN108494734A (en) 2018-09-04
CN108494734B true CN108494734B (en) 2020-11-17

Family

ID=63340594

Country Status (1)

Country Link
CN (1) CN108494734B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230907

Address after: Room 2002, Zone A, Huazhou Business Center, No. 1038 Jiangnan Avenue, Changhe Street, Binjiang District, Hangzhou City, Zhejiang Province, 310051

Patentee after: Zhejiang Qiangua Information Technology Co.,Ltd.

Address before: 310018 No. 2 street, Xiasha Higher Education Zone, Hangzhou, Zhejiang

Patentee before: HANGZHOU DIANZI University