CN110430192A - A kind of method of file encryption-decryption, system, controller and storage medium - Google Patents
A kind of method of file encryption-decryption, system, controller and storage medium Download PDFInfo
- Publication number
- CN110430192A CN110430192A CN201910722518.9A CN201910722518A CN110430192A CN 110430192 A CN110430192 A CN 110430192A CN 201910722518 A CN201910722518 A CN 201910722518A CN 110430192 A CN110430192 A CN 110430192A
- Authority
- CN
- China
- Prior art keywords
- authorization access
- authorization
- user
- key
- original
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The application provides method, system, controller and the storage medium of a kind of file encryption-decryption.Wherein the method for the file encryption includes step 1, symmetric cryptography or asymmetric encryption being carried out to original, to obtain ciphertext;Step 2, the user that there is access authority to the original is set, accesses user as authorization;Step 3, the public key of the authorization access user is obtained;Step 4, cryptographic calculation is carried out to decruption key using the public key of the authorization access user, obtains the second authorization access information of the authorization access user;Step 5, according to the second authorization access information of the authorization access user, authorization access list is generated;Step 6, by the ciphertext it is corresponding with the authorization access list after, be stored in document management center.According to the technical solution of the application, the defect and security risk that can not protect password are overcome;By the permission of authorization access list setting access user, the confidentiality and safety of file are realized.
Description
Technical field
This patent disclosure relates generally to file field is transmitted between multi-party, more particularly, to a kind of file encryption-decryption technology.
Background technique
General file security transmission mode is to be carried out using password to file by Document Editing software or compressed software
Encipherment protection, such as Microsoft Office, WinRAR, this mode need properly to save file password, anyone knows
Password can decrypt file, if password loss or forgetting, there is the risk that can not decrypt file forever;This method simultaneously
The access authority to file can not be set.
Summary of the invention
It is an object of the invention to overcome the defect protected in the prior art using password to file, and can not be right
File accesses the defect of authority setting, provides method, system, controller and the storage medium of a kind of file encryption-decryption.
According to the first aspect of the invention, a kind of method of file encryption is provided, is included the following steps, step 1, to original text
Part carries out symmetric cryptography or asymmetric encryption, to obtain ciphertext;Step 2, setting has access authority to the original
User accesses user as authorization;Step 3, the public key of the authorization access user is obtained;Step 4, using the authorization
The public key for accessing user carries out cryptographic calculation to decruption key, obtains the second authorization access information of the authorization access user,
The decruption key is for being decrypted the ciphertext;Step 5, according to the second authorization access letter of the authorization access user
Breath generates authorization access list;Step 6, by the ciphertext it is corresponding with the authorization access list after, be stored in document management
The heart;It accesses user and accesses document management center, when downloading the ciphertext, second authorization is obtained by the authorization access list
Access information obtains the decruption key to the second authorization access information decryption, the ciphertext to be decrypted, obtains
The original.
Optionally, in the step 1, use the cryptographic Hash of the original as encryption key, using symmetry algorithm pair
The original is encrypted.
Optionally, in the step 3, Hash operation is carried out to the public key of the authorization access user, obtains the authorization
Access the first authorization access information of user;In the step 5, the first authorization access information and second authorization are accessed
Information is corresponding, generates the authorization access list.
Optionally, it is also carried out in the step 1, the original is digitally signed, obtain signature value, invested described
After ciphertext, the document management center is uploaded.
According to the second aspect of the invention, a kind of method of file decryption is provided, is included the following steps, step 10, is obtained
Ciphertext and authorization access list;Step 20, the authorization access user in the authorization access list obtains the second authorization access letter
Breath;Step 30, the second authorization access information is decrypted using the private key of the authorization access user, obtains decrypting close
Key;Step 40, it is based on the decruption key, the authorization access user decrypts the ciphertext, obtains original.
Optionally, in the step 10, the authorization access list includes the first authorization access letter of authorization access user
Breath and the second authorization access information;In the step 20, according to the cryptographic Hash of the public key of the authorization access user, described in lookup
First authorization access information;According to the first authorization access information, the corresponding second authorization access information is obtained.
Optionally, in the step 30 or step 40, acquisition invests the signature value after the ciphertext, and is verified;Institute
Stating verifying includes: the public key based on the signature value, file owners, and informative abstract is calculated;And following verification mode
At least one of: the first verification mode includes comparing the informative abstract and the decruption key, identical, is tested
It demonstrate,proves successfully, different then authentication failed;Second of verification mode include, by the cryptographic Hash of the informative abstract and the original into
Row comparison, it is identical, it is proved to be successful, different then authentication failed.
According to the third aspect of the invention we, a kind of system of file encryption is provided, including, encrypting module, for original text
Part carries out symmetric cryptography or asymmetric encryption, to obtain ciphertext;The Key Management Center is configured to, the generation for key
And distribution, including, generate the private key and public key of the authorization access user;Generate encryption key and decruption key;The encryption
Key is for encrypting the original, and the decruption key is for being decrypted the ciphertext;Authorize access list
Generation module, for obtaining the public key of the authorization access user;Using the public key of the authorization access user to the decryption
Key carries out cryptographic calculation, obtains the second authorization access information of the authorization access user;User is accessed according to the authorization
Second authorization access information, generate authorization access list;Document management center, for receiving and saving the ciphertext and described
Authorize access list.
Optionally, the Key Management Center is additionally configured to, and receives the original, and carry out Hash to the original
Operation, the cryptographic Hash of generation is as encryption key;The encrypting module is configured to, and obtains the encryption key, and described in use
Encryption key encrypts the original using symmetry algorithm.
Optionally, the authorization access list generation module is additionally configured to, and is carried out to the public key of the authorization access user
Hash operation obtains the first authorization access information of the authorization access user;By it is described first authorization access information with it is described
Second authorization access information is corresponding, generates the authorization access list.
It optionally, further include Digital Signature module, the Digital Signature module, for carrying out digital label to the original
Name, obtains signature value, after investing the ciphertext, and is uploaded to the document management center.
According to the fourth aspect of the invention, a kind of system of file decryption is provided, including, document management center, for protecting
Deposit ciphertext and authorization access list;Decruption key obtains module, for obtaining the ciphertext and the authorization access list;It obtains
The second authorization access information of authorization access user in the authorization access list;Utilize the private key of the authorization access user
The second authorization access information is decrypted, decruption key is obtained;Deciphering module, for receiving the decruption key, and
Based on the decruption key, the ciphertext is decrypted, obtains original;Key Management Center, generation and distribution for key.
Optionally, the authorization access list includes that the first authorization access information of authorization access user and the second authorization are visited
Ask information;The decruption key obtains module and is additionally configured to, and according to the cryptographic Hash of the public key of the authorization access user, searches institute
State the first authorization access information;According to the first authorization access information, the corresponding second authorization access information is obtained.
Optionally, the document management center is additionally configured to, and saves the signature value of the original, and the system is also wrapped
It includes, signature verification module, for obtaining the signature value, and is verified;The signature verification module is additionally configured to, and is based on institute
The public key for stating signature value, file owners, is calculated informative abstract;At least one of and execute following verification mode: the
A kind of verification mode includes comparing the informative abstract and the decruption key, identical, is proved to be successful, different then test
Card failure;Second of verification mode includes comparing the cryptographic Hash of the informative abstract and the original, identical, is tested
It demonstrate,proves successfully, different then authentication failed.
According to the fifth aspect of the invention, a kind of controller for file encryption-decryption is provided, including, memory;And
It is coupled to the processor of the memory, the processor is configured to the instruction based on storage in the memory, executes
Method as described in any one of the first aspect of the present invention and second aspect.
According to the sixth aspect of the invention, a kind of computer readable storage medium is provided, computer program is stored thereon with
Instruction, the instruction are executed by one or more processor and realize such as any one of the first aspect of the present invention and second aspect
The operation of the method.
The present invention has the advantages that
1) according to the technique and scheme of the present invention, file can be protected without using password, overcoming can not protect
Protect the defect and security risk of password;
2) according to the technique and scheme of the present invention, can be by authorizing access list, setting has the right or haves no right to access file
User, to realize confidentiality and safety in file transmission;
3) according to the technique and scheme of the present invention, by the use of digital signature, it ensure that the integrality of file, prevent file
It is tampered.
Detailed description of the invention
Fig. 1 shows a kind of embodiment flow chart of the method for file encryption according to the present invention.
Fig. 2 shows second of embodiment flow charts of the method for file encryption according to the present invention.
Fig. 3 shows the third embodiment flow chart of the method for file encryption according to the present invention.
Fig. 4 shows a kind of embodiment flow chart of the method for file decryption according to the present invention.
Fig. 5 shows second of embodiment flow chart of the method for file decryption according to the present invention.
Fig. 6 shows the third embodiment flow chart of the method for file decryption according to the present invention.
Fig. 7 shows the 4th kind of embodiment flow chart of the method for file decryption according to the present invention.
Fig. 8 shows a kind of a kind of embodiment schematic diagram of the system of file encryption according to the present invention.
Fig. 9 shows a kind of another embodiment schematic diagram of the system of file encryption according to the present invention.
Figure 10 shows a kind of a kind of embodiment schematic diagram of the system of file decryption according to the present invention.
Figure 11 shows a kind of another embodiment schematic diagram of the system of file decryption according to the present invention.
Figure 12 shows a kind of schematic diagram of controller for file encryption-decryption according to the present invention.
Figure 13 shows a kind of program product of embodiment according to the present invention.
Specific embodiment
The preferred embodiments of the present invention will be described in detail with reference to the accompanying drawing, and reference label refers to the group in the present invention
Part, technology, realizing under appropriate circumstances so as to advantages and features of the invention can be easier to be understood.Following description is pair
The materialization of the claims in the present invention, and other specific implementations not clearly stated relevant to claim also belong to power
The range that benefit requires.
Fig. 1 shows a kind of embodiment flow chart of the method for file encryption according to the present invention.
As shown in Figure 1, as shown in step S1, user A uploads original text according to a kind of embodiment of the method for file encryption
Part M.Original M can be the file of user A, be also possible to other people file, and in present embodiment, user A is file
The owner.
As shown in step s 2, user A has the user of access authority to original M setting, and user can be one or more
It is a, in present embodiment, user B, user D Internet access original M are set, while to guarantee that user A oneself can also access original
File M sets user A, user B, user D as authorization and accesses user.
Hereinafter, encryption system handles original M and authorization access user information, to realize the mesh of file encryption
's.
As shown in step S3, firstly, encryption system carries out Hash operation to original M, the Kazakhstan of original M is calculated
Uncommon value H (M).
As shown in step s 4, the cryptographic Hash H (M) for the original M being calculated is used as encryption key SK, i.e. SK=H
(M), wherein SK indicates that encryption key, H indicate cryptographic Hash, and M indicates original.Use the cryptographic Hash of original close as encrypting
On the one hand key has the effect that, it is ensured that randomness, the uniqueness of encryption key;On the other hand, encryption key is logical
It crosses what original was directly calculated, without individually being saved, file will not be caused to be decrypted because file password is revealed,
Meanwhile it because of password loss, forgetting or damage etc. reasons will not cause that file can not be decrypted forever, such as decryption system meets with
To destruction, when can not obtain key, it is not that the key directly calculated by original will be lost forever, but according to this
Embodiment obtains encryption key by Hash operation, avoids the risk that can not decrypt file forever.
As shown in step s 5, encryption system encrypts original with encryption key SK, to obtain ciphertext C, i.e. C=ESK
(M), wherein C indicates ciphertext, and E indicates Encryption Algorithm, and SK indicates that encryption key, M indicate original.The encryption is using symmetrical
Algorithm is encrypted.Encryption key and decruption key are identical in the symmetry algorithm or encryption key can be close from decrypting
It calculates in key, also sets up in turn.In the present embodiment, decruption key is identical as encryption key SK.
As shown in step s beta, encryption system generates the public key K of authorization access user to each access user A, B, D respectivelyX,
And to the public key K of authorization access userXCalculate cryptographic Hash H (KX), as the first authorization access information.KXIndicate the public affairs of user X
Key.Therefore, the public key of user A is KA, the public key of user B is KB, the public key of user D is KD;The first authorization access letter of user A
Breath is H (KA), the first authorization access information of user B is H (KB), the first authorization access information of user D is H (KD)。
As shown in step S7, with the public key K of authorization access userXAsymmetric encryption is carried out to encryption key SK, is obtained
Encrypted result isAs the second authorization access information.User A second authorization access information beWith
Family B second authorization access information beUser D second authorization access information be
As shown in step S8, by the first authorization access information H (K of same authorization access userX) and the second authorization access
InformationIt is corresponding, for authorization to the authorization access information of access user, be
Wherein, AuthXIndicate the authorization access information of authorization access user X, H indicates cryptographic Hash, KXIndicate the public affairs of authorization access user X
Key, E indicate Encryption Algorithm, and SK indicates encryption key.
As shown in step S9, according to the authorization access information of each authorization access user, authorization access list is generated,
For L=(AuthA‖AuthB‖AuthD), wherein L indicates authorization access list, AuthAIndicate that the authorization of authorization access user A is visited
Ask information, AuthBIndicate the authorization access information of authorization access user B, AuthDIndicate that the authorization of authorization access user D accesses letter
Breath.It does not include the information of unauthorized access user in the authorization access list, therefore unauthorized access user can not be described
The relevant information that oneself is found in authorization access list can not also obtain the relevant information of authorization access user.
The first authorization access information H (K of same authorization access user in the authorization access listX) and the second authorization
Access informationIt is corresponding, corresponding second authorization can be found by the first authorization access information quickly
Access information.It is described first authorization access information using it is described authorization access user public key cryptographic Hash, compared to public key compared with
It is short, convenient for searching and comparing.The authorization access list can also be quickly deleted by deleting the first authorization access information
The relevant information including the second authorization access information of middle corresponding authorization access user, is awarded to realize and quickly delete to have
Weigh the function of user.It can be in the authorization Access Column by the setting of the first authorization access information and the second authorization access information
The relevant information of new authorization access user is quicklyd increase in table.According to the present embodiment, pass through the second authorization access letter
Breath contacts encryption key SK and the public key of authorization access user, carries out further through the first authorization access information with it
Matching, not only ensure that the safety and confidentiality of encryption key, but also realize easy-to-look-up and newly-increased and deletion authorized user
Function.
It is as shown in step S10, ciphertext C is corresponding with authorization access list L, and cloud platform is uploaded to (in document management
The heart) it is saved.
The ciphertext and the corresponding authorization access list, which can be packaged, to be uploaded and is stored in the cloud platform 130
In, to guarantee corresponding relationship and safety, and the matching work of cloud platform 130 is reduced, reduces operation, reduce equipment loss.
The document management center, which can be cloud platform, server, terminal, PC etc., can store the ground of document
Side, is cloud platform in the present embodiment.
When demonstrating access user is that the authorization in the authorization access list accesses user, can be authorized by obtaining
The the second authorization access information for accessing user, obtains the decruption key for decrypting ciphertext, to solve to corresponding ciphertext
It is close to obtain original.
Using the cryptographic Hash of the public key of the authorization access user, i.e., the described first authorization access information can both be verified
The identity of authorization access user can also realize the institute in entire document management center finding and the authorization access user-association
There is ciphertext, user according to oneself can need that specified ciphertext is decrypted.
Variation
A variation 1 according to the present embodiment replaces step S2, the step S2* in Fig. 1 with step S2* are as follows:
Setting authorization access user (B, D).That is, file owners A is not set as authorization access user as needed.
A variation 2 according to the present embodiment omits step S3, replaces the step S4 in Fig. 1, institute with step S4*
State step S4* are as follows: obtain encryption key SK.That is, the result calculated by other algorithms can also be chosen as encryption key SK
The data of random number or other any keys that can be used as symmetry algorithm, as encryption key SK.
A variation 3 according to the present embodiment, the step S1 in Fig. 1 is replaced with step S1*.The step S1* are as follows:
Upload part original M1.In step S1*, an original M is resolved into multi-section and divides M1, M2, M3 ... Mn, by the every of original
Part M1, M2, M3 ... Mn is executed according to step S2~step S10 respectively, is encrypted respectively to every original documents part therein
To form multiple and different ciphertexts, as soon as corresponding authorization access list of each ciphertext, such a original and multiple ciphertexts
(C1, C2, C3 ... Cn) and multiple authorization access lists (L1, L2, L3 ... Ln) respectively correspond.To further limit difference
Authorize the access authority of the authorization access user in access list, multiple ciphertexts corresponding for original, each authorization access
Authorization access user in list can only decrypt corresponding ciphertext, therefore the file only obtained after all ciphertext decryption is only
Otherwise the full content of original can only see the partial content in the original.It therefore, can be by the way that multiple authorizations be arranged
Access list makes each authorization access user can only see the file content that file owners (setting person) want that it is allowed to see.
A variation 4 according to the present embodiment replaces step S1, the step S1** in Fig. 1 with step S1**
Are as follows: original M is uploaded, and sets original M points and is formed for a few part M1, M2, M3 ... Mn;Replaced in Fig. 1 with step S2**
Step S2, the step S2** are as follows: setting authorization access user (A, B, D), and set wherein each user to every original documents
The access authority of part M1, M2, M3 ... Mn;Every part M1, M2, M3 ... Mn of original is held according to step S3~step S7 respectively
Row;Replace the step S8, the step S8** in Fig. 1 with step S8** are as follows: by the H (K of each authorization access userX) and the use
Family ownsIt is corresponding, it obtains That is, an authorization
The first authorization access information of access user can correspond to multiple second authorization access informations of the user;Continue to execute step S9
~S10.
According to variation 4, the corresponding authorization access list of an original, but can be achieved on authorization access and use
The different access permission at family.For example, original is divided into tri- parts M1, M2, M3 in step S1**;Step S2**
It is middle to set authorization access user as user A, user B, user D, wherein setting accessible tri- portions M1~M3 user A
Point, the accessible M3 of user B accessible M1 and M2, user D;M1, M2, M3 are executed into step S3~S7, wherein step
S3 obtains H (M1), H (M2), H (M3), and step S4 is obtained: SK1=H (M1), SK2=H (M2), SK3=H (M3), step S5
Obtain C1=ESK1(M1), C2=ESK2(M2), C3=ESK3(M3), the first authorization access information that step S6 obtains user A is H
(KA), user B first authorization access information be H (KB), user D first authorization access information be H (KD), step S7 is obtainedWherein AndIt is the second authorization access information of user A,WithIt is user B
Second authorization access information,It is the second authorization access information of user D;Step S8** is obtained Continue to execute step S9~S10.
The setting of the authorization access list can limit file access user, visit to realize the grouping authorization of file
It asks, ensure that the confidentiality and safety of file.The present invention does not need that password is arranged to protect to original, and overcoming can not protect
Protect the defect and security risk of password.
Fig. 2 shows second of embodiment flow charts of the method for file encryption according to the present invention.
As shown in Fig. 2, the difference with Fig. 1 is: step S51 is increased between step S5 and step S6, to original
It is digitally signed, obtains signature value S;And replace step S10, the step S10* are as follows: close in Fig. 1 with step S10*
Text, signature value and authorization access list are corresponding, upload and save to cloud platform.
As shown in step S51, when encryption key SK is the cryptographic Hash of original, the signature value S, which can be, uses file
The private key pair encryption key SK of owner A encrypted as a result, i.e.Wherein, S indicates signature value,
Sign indicates signature algorithm, kAIndicate that the private key of file owners A, SK indicate encryption key.
Signature value (is associated with, same as below) by the signature value after can investing the ciphertext with ciphertext, and described close
Text is uploaded or is downloaded together.With the formula of the ciphertext of signature value are as follows: C '=(C ‖ S), wherein C ' indicates cipher-text information, C table
Show ciphertext, S indicates signature value.
As shown in step S10*, the ciphertext, signature value, authorization access list can form ciphertext and relevant information together
It is uploaded to cloud platform, the ciphertext and relevant information are C "=(C ‖ S ‖ L), wherein C " indicates ciphertext and relevant information, and C is indicated
Ciphertext, S indicate signature value, and L indicates authorization access list.
A variation according to the present embodiment, it is described if encryption key SK is not the cryptographic Hash of original
Signature value S is the result encrypted with cryptographic Hash of the private key of file owners A to original.
Fig. 3 shows the third embodiment flow chart of the method for file encryption according to the present invention.
A kind of embodiment according to the present invention can carry out asymmetric encryption to original, such as shown in figure 3, such as
Shown in step S1, user A uploads original M.In present embodiment, user A is file owners.
As shown in step s 2, user A, which sets one or more users, has access authority, such as setting user B, user D
Internet access, while to guarantee that user A oneself also has the right, therefore set user A, user B, user D and access user as authorization.
As stated in step s 31, using the public key K of file ownersAThe original M is added using asymmetric arithmetic
It is close, obtain ciphertext
As shown in step S41, to the public key K of authorization access userXHash operation is carried out, cryptographic Hash H (K is obtainedX), as
The first authorization access information of the authorization access user.Wherein, X=A, B, D.
As shown in step S52, the public key K of the authorization access user is usedXTo the private key k of the file owners AAInto
Row asymmetric encryption operation, obtainsThe second authorization access information as the authorization access user.The file
The private key k of owner AAIt is the decruption key for ciphertext.
As shown in step S61, by the first authorization access information H (KX) and the second authorization access informationIt is corresponding, it obtainsWherein, AuthXIndicate the authorization access of authorization access user X
Information, H indicate cryptographic Hash, KXIndicate that the public key of authorization access user X, E indicate Encryption Algorithm, kAIndicate the private of file owners A
Key kA。
As shown in step S71, according to the authorization access information of authorization access user, authorization access list is generated, is L=
(AuthA‖AuthB‖AuthD), wherein L indicates authorization access list, AuthAIndicate that the authorization of authorization access user A accesses letter
Breath, AuthBIndicate the authorization access information of authorization access user B, AuthDIndicate the authorization access information of authorization access user D.
It is as shown in step S81, ciphertext C is corresponding with authorization access list L, and be uploaded to cloud platform and saved.
A variation 1 according to the present embodiment, step S2 can be changed to: setting authorization access user (B, D).
I.e., it is possible to file owners A is not set as authorization access user as needed.
A variation 2 according to the present embodiment can increase on the basis of present embodiment and carry out to original
The step of digital signature, such as the variation of the embodiment in conjunction with described in Fig. 2.
Fig. 4 shows a kind of embodiment flow chart of the method for file decryption according to the present invention.
As shown in figure 4, according to a kind of embodiment of the method for file decryption, as indicated in step sloo, firstly, first downloading
Ciphertext C and corresponding authorization access list L.
As shown in step S200, to the public key K of access user XXHash operation is carried out, cryptographic Hash H (K is obtainedX)。
As shown in step S300, searched and H (K in the authorization access list LX) it is identical first authorization access letter
Breath illustrates that accessing user X is unauthorized access user, without access authority, therefore terminates the visit of user X if it is not found,
It asks;If had found and H (KX) it is identical first authorization access information, indicate access user X be authorization access user, under continuing
One step.
As shown in step S400, continue to obtain and H (K in the authorization access list LX) corresponding user X
Two authorization access informations, i.e.,Wherein, E indicates Encryption Algorithm, KXIndicate that the public key of authorization access user X, SK indicate
The encryption key of symmetric cryptography is carried out to original M.When carrying out symmetry algorithm encryption to original, decruption key adds with described
Key is identical or solution can come out from encryption key.
As shown in step S500, with the private key k of authorization access user XXTo the second authorization access information
It is decrypted, obtains the encryption key SK for carrying out symmetric cryptography to original.
As shown in step S600, use the encryption key SK that ciphertext C is decrypted as decruption key, or described in use
Encryption key SK solves decruption key and ciphertext C is decrypted again.Such as it can be decrypted by following formula, M=DSK
(C), wherein M indicates original, and D indicates that decipherment algorithm, SK indicate that encryption key, C indicate ciphertext.
As shown in step S700, according to the calculating of step S600, original M is obtained.
A variation according to the present embodiment, with step S400* step of replacing S400, the step S400* are as follows:
It obtains and H (KX) corresponding allTo eachExecute step S500~S700.For example, with awarding
H (the K of power access user BB) it is corresponding second authorization access information includeStep S500
In, with the private key k of authorization access user BBIt is rightIt is decrypted, obtains SK1, SK2;Step S600
In, corresponding ciphertext C1 is decrypted with SK1, corresponding ciphertext C2 is decrypted with SK2;In step S700, obtaining portion
Original M1 and original documents part M2, M1 and M2 is divided to form the original content that user B is authorized to together.
Fig. 5 shows second of embodiment flow chart of the method for file decryption according to the present invention.
As shown in figure 5, the difference with Fig. 4 is, by step S110 step of replacing S100, the step S110 are as follows: downloading
Ciphertext, signature value and access list is authorized accordingly;And the step of verifying signature is increased after step S700;This method
The decryption of the case where for ciphertext with signature.
As shown in step S110, downloading ciphertext C, signature value S and corresponding authorization access list L after ciphertext are invested.
As shown in step S800, the public key K based on file owners AAWith signature value S, eap-message digest SK ' is calculated.
As shown in step S900, according to the original M that step S700 is obtained, its cryptographic Hash is calculated, H ' (M) is obtained.
As shown in step S1000, the SK ' that step S800 is calculated and the H ' (M) that step S900 is calculated are carried out
Compare, if the two is equal, then it represents that be proved to be successful, continue next step;If the two is unequal, then it represents that verifying is lost
It loses, the original of acquisition has been tampered with.
It as shown in step S1100, is proved to be successful, into next step.
As shown in step S1200, after being proved to be successful, original M is exported.
The present invention is by the use of digital signature, while guaranteeing the confidentiality and safety of file, moreover it is possible to guarantee text
The integrality of part, prevents file to be tampered;Due also to the public key of required file owners in signature process is verified, so as to test
Demonstrate,prove the identity of file owners.
Fig. 6 shows the third embodiment flow chart of the method for file decryption according to the present invention.
As shown in fig. 6, the difference with Fig. 4 is, by step S110 step of replacing S100, the step S110 are as follows: downloading
Ciphertext, signature value and access list is authorized accordingly;Increase step S800, step between step S500 and step S600
S1300 and step S1400;This method is suitable for ciphertext with signature, and SK is the cryptographic Hash by original as encryption key
The decryption of the case where when use.
As shown in step S110, downloading ciphertext C, signature value S and corresponding authorization access list L after ciphertext are invested.
As shown in step S800, the public key K based on file owners AAWith signature value S, eap-message digest SK ' is calculated.
As shown in step S1300, SK ' and the step S500 that step S800 the is calculated SK being calculated is compared
Compared with if the two is equal, then it represents that be proved to be successful, continue next step;If the two is unequal, then it represents that verifying is lost
It loses.
It as shown in step S1400, is proved to be successful, into next step.
As shown in step S600, use the encryption key SK that ciphertext C is decrypted as decruption key, or described in use
Encryption key SK solves decruption key and ciphertext C is decrypted again.
As shown in step S700, according to the calculating of step S600, original M is obtained.
A variation according to the present embodiment can all carry out two kinds of verification methods of Fig. 5 and Fig. 6, if two
Secondary verifying, which is proved to be successful, to be just proved to be successful, and otherwise any one or whole authentication faileds all indicate authentication failed.For example,
In Fig. 6, step S900~S1200 in Fig. 5 can be continued to execute after step S700.
Fig. 7 shows the 4th kind of embodiment flow chart of the method for file decryption according to the present invention.
As shown in fig. 7, for the ciphertext of asymmetric encryption to be decrypted, such as to the side of file encryption shown in Fig. 3
A kind of embodiment that the ciphertext that method obtains is decrypted.The difference of Fig. 7 and Fig. 4 is only that, by step S410 step of replacing
S400, the step S410 are as follows: obtain and H (KX) correspondingBy step S510 step of replacing S500, the step
Rapid S510 are as follows: with the private key k of authorization access userAIt is rightIt is decrypted, obtains kA;By step S610 step of replacing
S600, the step S610 are as follows: use kACiphertext is decrypted.
As shown in step S410, obtained and H (K in the authorization access list LX) corresponding user X second awards
Access information is weighed, i.e.,Wherein, E indicates Encryption Algorithm, KXIndicate the public key of authorization access user X, kAIndicate file
The private key of owner A.
As shown in step S510, with the private key k of authorization access user XXTo the second authorization access informationInto
Row decryption, can obtain the private key k of file owners AA。
As shown in step S610, with the private key k of file owners AACiphertext C is decrypted as decruption key.It can be with
It is decrypted by following formula,Wherein, M indicates original, and D indicates decipherment algorithm, kAIndicate file
The private key of owner A, C indicate ciphertext.
Therefore, after authorization accesses user's download relevant information, second authorization is decrypted using the private key of oneself and is accessed
After information, the decruption key of ciphertext can be obtained, recycles the decryption key decryption ciphertext, obtains original.
A variation according to the present embodiment, the decryption for the ciphertext with signature value, can be in this embodiment party
Signature verification mode on the basis of formula in conjunction with Fig. 5 is verified.
Fig. 8 shows a kind of a kind of embodiment schematic diagram of the system of file encryption according to the present invention.
As shown in figure 8, a kind of system of file encryption is provided, including, encrypting module 110, for adding to original
It is close, to obtain ciphertext;Access list generation module 120 is authorized, for the information according to authorization access user, generates authorization access
List;Cloud platform 130, for receiving and saving the ciphertext and the authorization access list;Key Management Center 140, is used for
The generation and distribution of key, the key include symmetric key and unsymmetrical key etc..
The system that original is uploaded to the file encryption by file owners to be encrypted, and can specify that one
Or multiple designated users have access authority, are input in the system.The file owners can when logging in the system
To carry out authentication, access authority and the Key Management Center 140 to guarantee oneself generate and distribute the behaviour of key
Make etc..
The encrypting module 110 to the original carry out cryptographic calculation, may include symmetric encryption operation, it is asymmetric plus
Close operation etc..The authorization access list generation module 120 accesses user according to the authorization that file owners determine, generates authorization
Access list, the authorization access user is the user for having access authority to the original.The authorization access list with
The ciphertext has corresponding relationship.I.e. only authorization access user can just crack corresponding ciphertext to read the content of original.
The information of authorization access user may include the relevant informations such as identity information, key information, the identification information of authorization access user.
The Key Management Center 140 can generate corresponding symmetric key or unsymmetrical key according to the demand of user.
Private key in symmetric key is only sent to private key user itself, and public key, which can be distributed also, can store in the Key Management Center
140 wait instruction to be distributed.The private key user both includes file owners, also includes authorization access user etc..Each use
The public key and private key at family are a pair of secret keys, can mutual encryption and decryption, public key can be distributed to other people.
Symmetric key can be generated in a kind of embodiment according to the present invention, the Key Management Center 140, for described
Encrypting module 110 carries out symmetric cryptography to original.The Key Management Center 140 generates a kind of embodiment of symmetric key
To receive the original that file owners upload, and carry out Hash operation to the original, the cryptographic Hash for generating original is made
For encryption key;The encrypting module 110 is configured to, and obtains the encryption key, and using the encryption key using symmetrical
Algorithm encrypts the original.
A kind of embodiment according to the present invention for generating authorization access list, the Key Management Center 140 are configured to,
The private key and public key of the authorization access user are generated, and the private key of the authorization access user is only sent to the authorization and is visited
Ask user;The authorization access list generation module 120 is configured to, and is obtained the authorization from the Key Management Center 140 and is visited
Ask the public key of user;Hash operation is carried out to the public key of the authorization access user, obtains the first of the authorization access user
Authorize access information;The decruption key of ciphertext is obtained from the Key Management Center 140, and uses the authorization access user's
Public key carries out cryptographic calculation to the decruption key, obtains the second authorization access information of the authorization access user;It will be described
First authorization access information is corresponding with the second authorization access information, generates the authorization access list.Wherein, add when described
When close module 110 carries out symmetric cryptography to original, the decruption key can be identical as encryption key or can be from encryption
It is calculated in key;When the encrypting module 110 carries out asymmetric encryption to original, the decruption key can be text
The private key of the part owner.
Fig. 9 shows a kind of another embodiment schematic diagram of the system of file encryption according to the present invention.
A kind of embodiment according to the present invention further includes Digital Signature module 310, the Digital Signature module 310, is used
It is digitally signed in the original, obtains signature value, after investing the ciphertext, and be uploaded to the cloud platform 130.
The Digital Signature module 310, which is digitally signed the original, may include, and carry out Hash to original
Operation obtains the cryptographic Hash of original as informative abstract, the private key k of file owners is obtained from the file ownersA, benefit
With the private key k of the file ownersASignature operation is carried out to the informative abstract, obtains the signature value.
Only original is encrypted when the encrypting module 110 using symmetric encipherment algorithm, and encryption key is original text
When the cryptographic Hash of part, the informative abstract is identical as the encryption key.For example, system as shown in Figure 9, may include, institute
It states Key Management Center 140 to be configured to, receives original, and calculate the cryptographic Hash of original, as encryption key SK, be sent to
The Digital Signature module 310 is used for digital signature, is sent to the encrypting module 110 for symmetrically add to original
It is close, be sent to the authorization access list generation module 120 for as decruption key calculate second authorize access information.Most
Afterwards, it after the signature value that the Digital Signature module 310 calculates invests the ciphertext that the encrypting module 110 obtains, and is awarded with described
It is corresponding to weigh the authorization access list that access list generation module 120 generates, uploads and saves to the cloud platform 130.
Figure 10 shows a kind of a kind of embodiment schematic diagram of the system of file decryption according to the present invention.
As shown in Figure 10, a kind of system of file decryption is provided, including, cloud platform 130 is visited for saving ciphertext and authorization
Ask list;Decruption key obtains module 410, for obtaining the ciphertext and the authorization access list, and according to the authorization
Access list, makes authorization access user obtain the decruption key of the ciphertext, and unauthorized access user can not obtain the decryption
Key;Deciphering module 420 for receiving the decruption key and the ciphertext, and is based on the decruption key, decrypts described close
Text obtains original;Key Management Center 140, for the generation and distribution of key, the key includes symmetric key, non-right
Claim key.The unsymmetrical key includes public key and private key.
It, can be by visiting the authorization due to only authorizing the relevant information of access user in the authorization access list
The authentication for asking user makes it obtain the download permission of relevant information;Downloading power can not also be limited without authentication
Limit, but since the relevant information of authorization access user is only could to obtain the decryption after decryption by encryption
Key, therefore unauthorized access user can not download or can not decrypt relevant information, so that the decruption key can not be obtained.
A kind of embodiment according to the present invention, the authorization access list include that the first authorization of authorization access user is visited
Ask information and the second authorization access information;The decruption key obtains module 410 and is configured to, from the Key Management Center 140
The public key of the authorization access user is obtained, and obtains private key from authorization access user;It is accessed and is used according to the authorization
The cryptographic Hash of the public key at family searches the first authorization access information;According to the first authorization access information, obtain corresponding
It is described second authorization access information;Based on the private key of the authorization access user, the second authorization access information is carried out
Operation is decrypted, the decruption key is obtained.
The first authorization access information can play the role of the index of the authorization access list, may include described
The cryptographic Hash of the public key of authorization access user, the second authorization access information include the public key based on authorization access user to institute
State the encrypted result that decruption key is encrypted.The decruption key obtains module 410 and passes through to authorization access user's
Public key carries out Hash operation, and the result is retrieved in all first authorization access informations in authorization access list,
When finding the identical first authorization access information, corresponding second authorization access information is obtained.
Figure 11 shows a kind of another embodiment schematic diagram of the system of file decryption according to the present invention.
As shown in figure 11, the cloud platform 130 is additionally configured to, and saves the signature value of the original, and the system is also wrapped
It includes, signature verification module 510, for obtaining the signature value, and is verified;The signature verification module 510 is additionally configured to,
Public key based on the signature value, file owners, is calculated informative abstract;And execute in following verification mode at least one
Kind: the first verification mode includes comparing the informative abstract and the decruption key, identical, is proved to be successful, no
Same then authentication failed;Second of verification mode includes comparing the cryptographic Hash of the informative abstract and the original, phase
It is same then be proved to be successful, different then authentication failed.
After the signature value of original invests the ciphertext of original, and the cloud platform is stored in together with authorization access list
On 130.When downloading ciphertext and relevant information from the cloud platform 130, the decruption key acquisition module 410 receives described close
The literary and described authorization access list;The signature verification module 510 receives the signature value.The signature verification module 510 from
The Key Management Center 140 obtains the public key of file owners, and the public key based on the file owners is to the signature
Operation is decrypted in value, obtains informative abstract.
The signature verification module 510 can only carry out the first described verification mode, can also only carry out described second
Kind verification mode, can be carried out with two kinds of verification modes, with the integrality of multiple-authentication file.The first described verification mode
Including obtaining module 410 from the decruption key and obtaining the decruption key, and by the decruption key and the informative abstract
It is verified, the two is identical, and expression is proved to be successful, otherwise authentication failed.The first described verification mode is suitable for original
Encrypted with symmetry algorithm, and encryption key be original cryptographic Hash the case where.Second of verification mode includes inciting somebody to action
The cryptographic Hash of the informative abstract and the original obtained from the deciphering module 420 compares, the identical then table of the two
Show and be proved to be successful, otherwise authentication failed.Being proved to be successful indicates that original is not tampered with, and authentication failed indicates the original text after decryption
Part is the file having been tampered with.Second of verification mode verifying range is wider, is suitable for most of encryption situation.Such as
The case where the first verification mode described in fruit and second of verification mode all carry out, then need two kinds of verification modes to verify
Success is just proved to be successful, and otherwise any one or whole authentication faileds all indicate authentication failed.
No matter carrying out which kind of above-mentioned verification mode can after the signature verification module 510 is proved to be successful the signature value
The original obtained from the deciphering module 420 is transmitted directly to authorization access user;The finger that can also will be proved to be successful
It enables and returns to the deciphering module 420, the original that decryption obtains is sent to the authorization by the deciphering module 420 and is visited
Ask user, as shown in Figure 5.
Figure 12 shows a kind of schematic diagram of controller for file encryption-decryption according to the present invention.
The controller 1 that Figure 12 is shown is only an example, this should not function and use scope to the embodiment of the present invention
Bring any restrictions.
As shown in figure 12, controller 1 can be showed in the form of universal computing device, for example, mobile phone, computer and other
Arrangement for reading, including but not limited to: at least one processor 10, connects the total of different system components at least one processor 20
Line 60.
Bus 60 indicates one of a few class bus structures or a variety of, including memory bus or Memory Controller,
Peripheral bus, graphics acceleration port, processor or the local bus using any bus structures in a variety of bus structures.
Memory 20 may include the readable medium of form of volatile memory, such as random access memory (RAM) 21
And/or cache memory 22, it can further include read-only memory (ROM) 23.
Memory 20 can also include program module 24, and such program module 24 includes but is not limited to: operating system, one
It can in a or multiple application programs, other program modules and program data, each of these examples or certain combination
It can include the realization of network environment.
Controller 1 can also be communicated with one or more external equipments 2, can also be carried out with one or more other equipment
Communication.This communication can be carried out by input/output (I/O) interface 40, and be shown on display unit 30.And it controls
Device 1 processed can also by network adapter 50 and one or more network (such as local area network (LAN), wide area network (WAN) and/
Or public network, such as internet) communication.As shown, network adapter 50 passes through other moulds in bus 60 and controller 1
Block communication.It should be understood that although not shown in the drawings, but other hardware and/or software module, packet can be used in conjunction with controller 1
It includes but is not limited to: microcode, device driver, redundant processing unit, external disk drive array, RAID system, magnetic tape drive
Device and data backup storage system etc..
In some possible embodiments, various aspects of the invention are also implemented as a kind of shape of program product
Formula comprising program code, when said program code is when being executed by processor, said program code is for making the processor
Execute method described above.
Described program product can be using any combination of one or more readable mediums.Readable medium can be readable letter
Number medium or readable storage medium storing program for executing.Readable storage medium storing program for executing for example may be-but not limited to-electricity, magnetic, optical, electromagnetic, red
The system of outside line or semiconductor, device or device, or any above combination.The more specific example of readable storage medium storing program for executing
(non exhaustive list) includes: the electrical connection with one or more conducting wires, portable disc, hard disk, random access memory
(RAM), read-only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disc
Read memory (CD-ROM), light storage device, magnetic memory device or above-mentioned any appropriate combination.
As shown in figure 13, a kind of program product 3 of embodiment according to the present invention is shown, can be used portable
Compact disk read-only memory (CD-ROM) and including program code, and can be run on terminal device, such as PC.So
And program product of the invention is without being limited thereto, in this document, readable storage medium storing program for executing can be it is any include or storage program
Tangible medium, the program can be commanded execution system, device or device use or in connection.
The program for executing operation of the present invention can be write with any combination of one or more programming languages
Code, described program design language include object oriented program language-Java, C++ etc., further include conventional
Procedural programming language-such as " C " language or similar programming language.Program code can be fully in user
It calculates and executes in equipment, partly executes on a user device, being executed as an independent software package, partially in user's calculating
Upper side point is executed on a remote computing or is executed in remote computing device or server completely.It is being related to far
Journey calculates in the situation of equipment, and remote computing device can pass through the network of any kind, including local area network (LAN) or wide area network
(WAN), it is connected to user calculating equipment, or may be coupled to external computing device and (such as utilize ISP
To be connected by internet).
The present invention has the advantages that
1) technical solution of the cryptographic Hash according to the present invention using original as encryption key, will not lose because of password
It loses or forgets and lead to not decrypt file, and without saving password, therefore file will not be led to because file password is revealed
It is decrypted, overcomes the defect and security risk that can not protect password;
2) according to the technique and scheme of the present invention, can be by authorizing access list, setting has the right or haves no right to access file
User, to realize confidentiality and safety in file transmission, and by setting each user to each section of original
Access authority realizes the effect of grouping access authority authorization;By the way that decruption key and authorization access user information are associated,
The case where authorizing different access permission to different user, avoiding decruption key leakage appearance;
3) according to the technique and scheme of the present invention, by the use of digital signature, it ensure that the integrality of file, prevent file
It is tampered, while demonstrating the identity of file owners.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and this
Field technical staff can be designed alternative embodiment without departing from the scope of the appended claims.In claim
In, any reference symbol between parentheses should not be configured to limitations on claims.
Claims (16)
1. a kind of method of file encryption, includes the following steps,
Step 1 (S5, S31) carries out symmetric cryptography or asymmetric encryption to original, to obtain ciphertext;
Step 2 (S2) sets the user for having access authority to the original, accesses user as authorization;
Step 3 (S6, S41) obtains the public key of the authorization access user;
Step 4 (S7, S52) carries out cryptographic calculation to decruption key using the public key of the authorization access user, obtains described award
The second authorization access information of power access user, the decruption key is for being decrypted the ciphertext;
Step 5 (S9, S71) generates authorization access list according to the second authorization access information of the authorization access user;
Step 6 (S10, S81), by the ciphertext it is corresponding with the authorization access list after, be stored in document management center;
It accesses user and accesses document management center, when downloading the ciphertext, obtain described second by the authorization access list and award
Access information is weighed, the decruption key is obtained to the second authorization access information decryption and is obtained so that the ciphertext is decrypted
Obtain the original.
2. according to the method described in claim 1, being made in the step 1 (S3, S4, S5) using the cryptographic Hash of the original
For encryption key, the original is encrypted using symmetry algorithm.
3. according to the method described in claim 1, being breathed out in the step 3 (S6) to the public key of the authorization access user
Uncommon operation obtains the first authorization access information of the authorization access user;
In the step 5 (S8), the first authorization access information is corresponding with the second authorization access information, awards described in generation
Weigh access list.
4. carrying out digital label to the original according to the method described in claim 1, also carrying out in the step 1 (S51)
Name, obtains signature value, after investing the ciphertext, uploads the document management center.
5. a kind of method of file decryption, includes the following steps,
Step 10 (S100, S110) obtains ciphertext and authorization access list;
Step 20 (S400, S410), the authorization access user authorized in access list obtain the second authorization access information;
Step 30 (S500, S510) solves the second authorization access information using the private key of the authorization access user
It is close, obtain decruption key;
Step 40 (S600, S610, S700), is based on the decruption key, and the authorization access user decrypts the ciphertext, obtains
Original.
6. according to the method described in claim 5, the authorization access list includes authorization access user in the step 10
First authorization access information and the second authorization access information;
In the step 20, according to the cryptographic Hash of the public key of the authorization access user, the first authorization access information is searched;
According to the first authorization access information, the corresponding second authorization access information is obtained.
7. according to the method described in claim 5, acquisition invests the signature after the ciphertext in the step 30 or step 40
Value, and verified;
The verifying includes:
Public key based on the signature value, file owners, is calculated informative abstract;And in following verification mode at least
It is a kind of:
The first verification mode includes comparing the informative abstract and the decruption key, identical, is proved to be successful, no
Same then authentication failed;
Second of verification mode includes comparing the cryptographic Hash of the informative abstract and the original, identical, is verified
Success, different then authentication failed.
8. a kind of system of file encryption, including,
Encrypting module, for carrying out symmetric cryptography or asymmetric encryption to original, to obtain ciphertext;
The Key Management Center is configured to, for the generation and distribution of key, including,
Generate the private key and public key of the authorization access user;
Generate encryption key and decruption key;
The encryption key is used to encrypt the original,
The decruption key is for being decrypted the ciphertext;
Access list generation module is authorized, for obtaining the public key of the authorization access user;User is accessed using the authorization
Public key to the decruption key carry out cryptographic calculation, obtain it is described authorization access user second authorization access information;According to
The second authorization access information of the authorization access user, generates authorization access list;
Document management center, for receiving and saving the ciphertext and the authorization access list.
9. system according to claim 8, wherein the Key Management Center is additionally configured to,
The original is received, and Hash operation is carried out to the original, the cryptographic Hash of generation is as encryption key;
The encrypting module is configured to, and obtains the encryption key, and use symmetry algorithm to described using the encryption key
Original is encrypted.
10. system according to claim 8, wherein the authorization access list generation module is additionally configured to,
Hash operation is carried out to the public key of the authorization access user, obtains the first authorization access letter of the authorization access user
Breath;
The first authorization access information is corresponding with the second authorization access information, generate the authorization access list.
11. system according to claim 8 further includes Digital Signature module,
The Digital Signature module obtains signature value for being digitally signed to the original, after investing the ciphertext,
And it is uploaded to the document management center.
12. a kind of system of file decryption, including,
Document management center, for saving ciphertext and authorization access list;
Decruption key obtains module, for obtaining the ciphertext and the authorization access list;Obtain the authorization access list
In authorization access user second authorization access information;Second authorization is visited using the private key of the authorization access user
It asks that information is decrypted, obtains decruption key;
Deciphering module for receiving the decruption key, and is based on the decruption key, decrypts the ciphertext, obtains original;
Key Management Center, generation and distribution for key.
13. system according to claim 12, wherein the authorization access list includes authorizing the first of access user to award
Weigh access information and the second authorization access information;
The decruption key obtains module and is additionally configured to,
According to the cryptographic Hash of the public key of the authorization access user, the first authorization access information is searched;
According to the first authorization access information, the corresponding second authorization access information is obtained.
14. system according to claim 12, wherein the document management center is additionally configured to, and saves the original
Signature value,
The system also includes,
Signature verification module for obtaining the signature value, and is verified;
The signature verification module is additionally configured to,
Public key based on the signature value, file owners, is calculated informative abstract;And it executes in following verification mode extremely
Few one kind:
The first verification mode includes comparing the informative abstract and the decruption key, identical, is proved to be successful, no
Same then authentication failed;
Second of verification mode includes comparing the cryptographic Hash of the informative abstract and the original, identical, is verified
Success, different then authentication failed.
15. a kind of controller for file encryption-decryption, including,
Memory;And it is coupled to the processor of the memory, the processor is configured to based on the storage is stored in
Instruction in device executes the method as described in any one of claims 1 to 7.
16. a kind of computer readable storage medium, is stored thereon with computer program instructions, the instruction is by one or more
It manages device and executes the operation for realizing method described in any one of claim 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910722518.9A CN110430192A (en) | 2019-08-06 | 2019-08-06 | A kind of method of file encryption-decryption, system, controller and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910722518.9A CN110430192A (en) | 2019-08-06 | 2019-08-06 | A kind of method of file encryption-decryption, system, controller and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110430192A true CN110430192A (en) | 2019-11-08 |
Family
ID=68413072
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910722518.9A Pending CN110430192A (en) | 2019-08-06 | 2019-08-06 | A kind of method of file encryption-decryption, system, controller and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110430192A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110941861A (en) * | 2019-12-16 | 2020-03-31 | 中国南方电网有限责任公司 | File protection method and device, computer equipment and medium |
CN111177784A (en) * | 2019-12-31 | 2020-05-19 | 上海摩勤智能技术有限公司 | Security protection method and device for file system and storage medium |
CN111447061A (en) * | 2020-04-21 | 2020-07-24 | 南京珥仁科技有限公司 | Data anti-disclosure and data credibility verification method for file data ferrying |
CN111523140A (en) * | 2020-04-23 | 2020-08-11 | 周婷 | Signature document encryption method and device, signature document training method, storage medium and equipment |
CN111586065A (en) * | 2020-05-12 | 2020-08-25 | 山东浪潮商用系统有限公司 | Data authorization method based on block chain |
CN112597523A (en) * | 2021-03-02 | 2021-04-02 | 冷杉云(北京)科技股份有限公司 | File processing method, file conversion encryption machine, terminal, server and medium |
CN113468545A (en) * | 2020-03-31 | 2021-10-01 | 北京梆梆安全科技有限公司 | File encryption and decryption method, device and system |
CN115913560A (en) * | 2022-09-08 | 2023-04-04 | 北京中宏立达科技发展有限公司 | Confidential paper authorization and use system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103685162A (en) * | 2012-09-05 | 2014-03-26 | 中国移动通信集团公司 | File storing and sharing method |
CN104796411A (en) * | 2015-04-01 | 2015-07-22 | 朱威 | Method for safely transmitting, storing and utilizing data in cloud and mobile terminal |
CN105164692A (en) * | 2013-07-30 | 2015-12-16 | 惠普发展公司,有限责任合伙企业 | Data management |
CN106254324A (en) * | 2016-07-26 | 2016-12-21 | 杭州文签网络技术有限公司 | A kind of encryption method storing file and device |
CN106682069A (en) * | 2016-11-14 | 2017-05-17 | 湖南工业大学 | User-controllable data retravel method and data storage method, terminal and system |
-
2019
- 2019-08-06 CN CN201910722518.9A patent/CN110430192A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103685162A (en) * | 2012-09-05 | 2014-03-26 | 中国移动通信集团公司 | File storing and sharing method |
CN105164692A (en) * | 2013-07-30 | 2015-12-16 | 惠普发展公司,有限责任合伙企业 | Data management |
CN104796411A (en) * | 2015-04-01 | 2015-07-22 | 朱威 | Method for safely transmitting, storing and utilizing data in cloud and mobile terminal |
CN106254324A (en) * | 2016-07-26 | 2016-12-21 | 杭州文签网络技术有限公司 | A kind of encryption method storing file and device |
CN106682069A (en) * | 2016-11-14 | 2017-05-17 | 湖南工业大学 | User-controllable data retravel method and data storage method, terminal and system |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110941861A (en) * | 2019-12-16 | 2020-03-31 | 中国南方电网有限责任公司 | File protection method and device, computer equipment and medium |
CN111177784A (en) * | 2019-12-31 | 2020-05-19 | 上海摩勤智能技术有限公司 | Security protection method and device for file system and storage medium |
CN113468545A (en) * | 2020-03-31 | 2021-10-01 | 北京梆梆安全科技有限公司 | File encryption and decryption method, device and system |
CN111447061A (en) * | 2020-04-21 | 2020-07-24 | 南京珥仁科技有限公司 | Data anti-disclosure and data credibility verification method for file data ferrying |
CN111523140A (en) * | 2020-04-23 | 2020-08-11 | 周婷 | Signature document encryption method and device, signature document training method, storage medium and equipment |
CN111523140B (en) * | 2020-04-23 | 2024-02-23 | 国网浙江省电力有限公司物资分公司 | Encryption method, encryption device, training method, storage medium and storage device for signature document |
CN111586065A (en) * | 2020-05-12 | 2020-08-25 | 山东浪潮商用系统有限公司 | Data authorization method based on block chain |
CN112597523A (en) * | 2021-03-02 | 2021-04-02 | 冷杉云(北京)科技股份有限公司 | File processing method, file conversion encryption machine, terminal, server and medium |
CN112597523B (en) * | 2021-03-02 | 2021-06-18 | 冷杉云(北京)科技股份有限公司 | File processing method, file conversion encryption machine, terminal, server and medium |
CN115913560A (en) * | 2022-09-08 | 2023-04-04 | 北京中宏立达科技发展有限公司 | Confidential paper authorization and use system |
CN115913560B (en) * | 2022-09-08 | 2023-06-16 | 北京中宏立达科技发展有限公司 | System for authorizing and using secret piece |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110430192A (en) | A kind of method of file encryption-decryption, system, controller and storage medium | |
CN106534092B (en) | The privacy data encryption method of key is depended on based on message | |
CN103563278B (en) | Securing encrypted virtual hard disks | |
US7802112B2 (en) | Information processing apparatus with security module | |
US8625802B2 (en) | Methods, devices, and media for secure key management in a non-secured, distributed, virtualized environment with applications to cloud-computing security and management | |
CN102271037B (en) | Based on the key protectors of online key | |
CN103366102B (en) | For content transmission and the system for numeral copyright management of distribution | |
CN109948322B (en) | Personal cloud storage data safe box device and method for localized encryption protection | |
CN104618096B (en) | Protect method, equipment and the TPM key administrative center of key authorization data | |
US20100095118A1 (en) | Cryptographic key management system facilitating secure access of data portions to corresponding groups of users | |
US20070168292A1 (en) | Memory system with versatile content control | |
CN105103488A (en) | Policy enforcement with associated data | |
CN101515319B (en) | Cipher key processing method, cipher key cryptography service system and cipher key consultation method | |
JP4876616B2 (en) | Data protection device | |
US11604888B2 (en) | Digital storage and data transport system | |
CN109922027A (en) | A kind of trusted identity authentication method, terminal and storage medium | |
WO2006069311A2 (en) | Control structure for versatile content control and method using structure | |
CN105072134A (en) | Cloud disk system file secure transmission method based on three-level key | |
KR20220039779A (en) | Enhanced security encryption and decryption system | |
Rao et al. | R-PEKS: RBAC enabled PEKS for secure access of cloud data | |
US9436849B2 (en) | Systems and methods for trading of text based data representation | |
CN103379133A (en) | Safe and reliable cloud storage system | |
CN108494724A (en) | Cloud storage encryption system based on more authorized organization's encryption attribute algorithms and method | |
CN106845264A (en) | Using encryption method, device and application access method, device | |
CN114553557A (en) | Key calling method, key calling device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20191108 |