CN112948839A - Method, system and device for managing data by adopting wallet client - Google Patents


Info

Publication number: CN112948839A
Authority: CN (China)
Prior art keywords: data, user, server, folder, computer
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201911170124.3A
Other languages: Chinese (zh)
Inventors: 刘晓伟, 张强, 王飞
Current assignee: Beijing Ucas Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Ucas Technology Co ltd


Classifications

    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/604 Tools and structures for managing or administering access control systems (under G06F21/60 Protecting data)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules)
    • G06F2221/2107 File encryption (under G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/21)

Abstract

The invention discloses a method, a system and a device for managing data by a folder client, wherein the folder client is installed in a computer in the embodiment of the invention, a folder is arranged on the folder client for an authorized user corresponding to a user identifier, the folder comprises a safe disk with a transparent encryption and decryption driving function, when the authorized user needs to perform safe processing on the data, the data is directly copied into or copied out of the safe disk corresponding to the user identifier, and the safe disk adopts the transparent encryption and decryption driving function to encrypt and decrypt the data. In this way, the security of the user data is uniformly and simply managed by the set folder corresponding to the user identifier, and the user does not need to encrypt and decrypt the data, so that the uniform and safe management of the data in the computer of the user is realized.

Description

Method, system and device for managing data by adopting wallet client
Technical Field
The invention relates to the technical field of computers, in particular to a method, a system and a device for managing data by adopting a wallet client.
Background
With the rapid development of computer technology and internet technology, how to ensure the security of data when a user processes data in a computer becomes a problem to be solved urgently. Generally, when a user processes data, the data can be encrypted and stored in a folder set in a computer so as to avoid being acquired by other illegal users. When the user reprocesses the data, the data is retrieved from the folder and decrypted. Thus, the data security of the user can be ensured.
However, ensuring the data security of the user in the computer in this way has serious disadvantages: the user can only carry out encryption and decryption management on each piece of data separately, so every data processing operation is cumbersome; and the user does not manage all data needing security uniformly, so the data processing lacks uniformity. Thus, the user experience of processing data at the computer is reduced.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method for managing data by using a wallet client, which can implement uniform and secure management of data in a computer of a user.
The embodiment of the invention provides a system for managing data by adopting a wallet client, which can realize uniform and safe management of data in a computer of a user.
The embodiment of the invention provides a device for managing data by adopting a wallet client, which can realize uniform and safe management of data in a computer of a user.
The embodiment of the invention is realized as follows:
a method for managing data using a wallet client, the method comprising:
installing a wallet client in a computer;
setting a folder corresponding to a user identifier for an authorized user on the folder client, wherein the folder comprises a safe disk with a transparent encryption and decryption driving function;
when the data is processed safely, the safe disk copies the data in or out by adopting a transparent encryption and decryption drive function.
The wallet client is software installed in a computer;
a plurality of wallets are arranged corresponding to one user identifier, and each wallet is provided with a plurality of safe disks. A set wallet is represented by a wallet identifier and a safe disk is represented by a safe disk identifier,
storing the corresponding relation of the user identification, the wallet identification and the safe disk identification;
the secure disk is a storage area in the computer or a storage area of a storage medium mounted in the computer.
The data copying of the secure disk by adopting a transparent encryption and decryption drive function comprises the following steps:
and the secure disk acquires a user work key corresponding to the user identifier from a server through the wallet client, and encrypts and stores the data by adopting the user work key.
The copying of the data by the secure disk by adopting a transparent encryption and decryption drive function comprises the following steps:
and the secure disk acquires a user work key corresponding to the user identifier from the server through the wallet client, decrypts the data by adopting the user work key, and then sends and stores the data to a specified storage position.
Before the sending and storing to the designated storage location, the method further comprises:
encrypting the decrypted data with a transmission key set by the wallet client, setting a file header carrying the data identifier of the ciphertext, and sending the ciphertext together with this file header to the specified storage location for storage;
binding the set transmission key with the data identifier of the ciphertext and transmitting the bound transmission key to a server;
after obtaining the ciphertext, the computer used by another user sends information applying for authorized copying to the server, wherein the information carries the data identifier of the ciphertext taken from the file header;
the server authenticates the other user's application for authorized copying and determines whether the authentication passes; if it passes, the server sends the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user, and the other user decrypts the ciphertext;
if the authentication does not pass, the instant messaging application corresponding to the user identifier, running on the user's mobile terminal, receives the authentication notice sent by the server; after the mobile terminal authorizes, the server sends the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user, and the other user decrypts the ciphertext.
When the designated storage location is a secure disk of another authorized user, under the wallet set on that user's computer for the corresponding user identifier, the method further comprises, before sending to and storing in the designated storage location:
setting a time bottle file for the decrypted data, setting a time for the time bottle file, and sending the time bottle file, associated with the decrypted data identifier, to the server;
after the secure disk under the wallet corresponding to the other user identifier, set on the computer used by the other user, obtains the time bottle file corresponding to the decrypted data identifier, judging whether the time set by the time bottle file is due; if so, copying in the decrypted data by adopting the transparent encryption and decryption driving function; if not, waiting until the time is due.
A system for managing data by using a wallet client comprises a server and a computer, wherein,
the server is used for establishing a secure connection for an authorized user between the server and a wallet client in a computer used by the user;
the computer is used for installing a folder client and setting a folder corresponding to a user identifier for an authorized user on the folder client after establishing a secure connection with a server, wherein the folder comprises a secure disk with a transparent encryption and decryption driving function; when the data is processed safely, the safe disk copies the data in or out by adopting a transparent encryption and decryption drive function.
The system further comprises computers used by other users and a mobile terminal used by the user, wherein
the computer is further used for, when data is copied out, encrypting the data with a transmission key for sending to a computer on which another user uses the wallet client, setting a file header carrying the data identifier of the ciphertext, sending the ciphertext to the computer used by the other user, and binding the set transmission key with the data identifier of the ciphertext and sending the binding to the server;
the server is used for receiving the transmission key and the data identifier of the corresponding ciphertext; when receiving an application for authorized copy-out sent by a computer used by another user, authenticating the other user and confirming whether the authentication passes, and if so, sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user; if the authentication does not pass, forwarding the application for authorized copy-out sent by the other user's computer to the mobile terminal used by the user, receiving an authorization notice sent by that mobile terminal, and then sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user;
the computers used by other users are used for receiving the ciphertext and sending information applying for authorized copying to the server, the information carrying the data identifier of the ciphertext taken from the file header, and for receiving the transmission key corresponding to the data identifier of the ciphertext and decrypting;
the mobile terminal used by the user is used for running the instant messaging application corresponding to the user identifier, receiving from the server the authorization application sent by the computer used by the other user, authorizing it, and then returning an authorization notice to the server.
The system further comprises computers used by other users, wherein
the computer is further used for, when data is copied out, setting a time bottle file for the decrypted data, setting a time for the time bottle file, and sending the time bottle file, associated with the decrypted data identifier, to the server;
the computers used by the other users are used for, after the secure disk under the wallet corresponding to the other user identifier obtains the time bottle file corresponding to the decrypted data identifier, judging whether the time set by the time bottle file is due; if so, copying in the decrypted data by adopting the transparent encryption and decryption driving function; if not, waiting until the time is due.
An apparatus for managing data using a wallet client, comprising: a user management module and a data processing module, wherein,
the user management module is used for installing the wallet client; setting a folder corresponding to a user identifier for an authorized user on the folder client, wherein the folder comprises a safe disk with a transparent encryption and decryption driving function;
and the data processing module is used for copying the data into or out of the secure disk by adopting a transparent encryption and decryption drive function when the data is subjected to secure processing.
As can be seen from the above, in the computer according to the embodiment of the present invention, a folder client is installed in the computer, and a folder is set on the folder client for an authorized user corresponding to a user identifier, where the folder includes a secure disk having a transparent encryption/decryption driving function, and when the authorized user wants to perform secure processing on data, the data is directly copied into or copied out of the secure disk corresponding to the user identifier, and the secure disk uses the transparent encryption/decryption driving function to encrypt/decrypt the data. In this way, the security of the user data is uniformly and simply managed by the set folder corresponding to the user identifier, and the user does not need to encrypt and decrypt the data, so that the uniform and safe management of the data in the computer of the user is realized.
Drawings
Fig. 1 is a flowchart of a method for managing data by using a wallet client according to an embodiment of the present invention;
Fig. 2 is a flowchart of a system for managing data using a wallet client according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for managing data by using a wallet client according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an overall process for managing data by using a wallet client according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and examples.
The computer of the embodiment of the invention is provided with a secret folder client, a secret folder is arranged on the secret folder client for an authorized user corresponding to a user identifier, the secret folder comprises a safe disk with a transparent encryption and decryption driving function, when the authorized user needs to perform safe processing on data, the data is directly copied into or out of the safe disk corresponding to the user identifier, and the safe disk adopts the transparent encryption and decryption driving function to encrypt and decrypt the data.
In this way, the security of the user data is uniformly and simply managed by the set folder corresponding to the user identifier, and the user does not need to encrypt and decrypt the data, so that the uniform and safe management of the data in the computer of the user is realized.
Fig. 1 is a flowchart of a method for managing data by using a wallet client according to an embodiment of the present invention, which includes the following specific steps:
step 101, installing a wallet client in a computer;
step 102, setting, on the wallet client, a folder corresponding to a user identifier for an authorized user, wherein the folder comprises a secure disk with a transparent encryption and decryption driving function;
step 103, when the data is subjected to security processing, copying the data into or out of the secure disk by adopting the transparent encryption and decryption driving function.
In this method, the wallet client is a piece of software that can be installed in a computer; for example, it can be installed and run on the Windows operating system of the computer.
In the method, a plurality of folders can be set corresponding to one user identifier, and each folder can be provided with a plurality of secure disks. The set folders are represented by folder identifiers, the secure disks are represented by secure disk identifiers, one user identifier corresponds to one or more folder identifiers, and one folder identifier corresponds to one or more secure disks. Here, the secure disk is a storage area in the computer, a hard disk mounted in the computer, or a storage area of other storage devices that can be mounted in the computer.
Here, the folder id includes a character string made up of a user id and a computer id used by the user.
Before the secret folder corresponding to the user identification is set for the authorized user, the method further comprises the following steps:
and establishing a secure connection between the computer and the server.
Specifically, the establishing of the secure connection is:
a server initializes and generates a server public and private key pair;
the wallet client of the computer runs, and when a user logs in to the wallet client, the client obtains the authorization identifier of the user and sends it to the server for verification;
after the server passes the verification, it sends the user information and the public key of the server public and private key pair to the wallet client of the computer;
and the wallet client of the computer generates a user public and private key pair corresponding to the user identifier and sends the public key of this pair to the server.
Here, the authorization identifier of the user may be a code, and the user is a user of an instant messaging system, for example a user of the WeChat system. When the wallet client of the computer runs, it generates a two-dimensional code that the WeChat system can recognise; when the user scans it with the WeChat client on the mobile terminal and authorizes, the user's authorization identifier is obtained and submitted to the server, the server verifies it with the WeChat server, and when the verification succeeds, the user's information in the WeChat system, such as the user avatar or/and the user nickname, is obtained and sent to the wallet client of the computer for display.
Of course, the wallet client and the server of the computer provided in the embodiment of the present invention may interact with other systems having a large number of users and capable of performing user authorization, and complete the process of authorizing the user by using the mobile terminal (or the third-party user equipment) of the user.
In subsequent interaction between the computer and the server, all information sent by the computer is encrypted with the public key of the server public and private key pair before being sent to the server, and the server decrypts the received information with the private key of that pair; all information sent by the server is encrypted with the public key of the user public and private key pair corresponding to the user identifier before being sent to the computer, and the computer decrypts it with the private key of that pair.
In the method, the copying the data into the secure disk by using a transparent encryption and decryption drive function comprises:
and the secure disk acquires a user work key corresponding to the user identifier from a server through the wallet client, and encrypts and stores the data by adopting the user work key.
In the method, copying the data out of the secure disk by adopting a transparent encryption and decryption drive function comprises the following steps:
and the secure disk acquires a user work key corresponding to the user identifier from the server through the wallet client, decrypts the data by adopting the user work key, and then sends and stores the data to a specified storage position. Here, the data may be copied in plaintext or may be copied in ciphertext.
When the ciphertext is copied out, before sending to and storing in the designated storage location, the method further comprises the following steps:
encrypting the decrypted data with a transmission key set by the wallet client, setting a file header carrying the data identifier of the ciphertext, and sending the ciphertext together with this file header to the specified storage location for storage;
binding the set transmission key with the data identifier of the ciphertext and transmitting the binding to the server;
after obtaining the ciphertext, the computer used by another user sends information applying for authorized copying to the server, wherein the information comprises the data identifier of the ciphertext taken from the file header;
the server authenticates the other user's application for authorized copying and determines whether the authentication passes; if it passes, the server sends the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user, and the other user decrypts the ciphertext;
if the authentication does not pass, the instant messaging application corresponding to the user identifier, running on the user's mobile terminal, receives the authentication notice sent by the server; after the mobile terminal authorizes, the server sends the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user, and the other user decrypts the ciphertext.
When the designated storage location is a secure disk of another authorized user, under the wallet set on that user's computer for the corresponding user identifier, the method further comprises, before sending to and storing in the designated storage location:
setting a time bottle file for the decrypted data, setting a time for the time bottle file, and sending the time bottle file, associated with the decrypted data identifier, to the server;
after the secure disk under the wallet corresponding to the other user identifier, set on the computer used by the other user, obtains the time bottle file corresponding to the decrypted data identifier, it sends a request to the server to judge whether the time set by the time bottle file is due; if so, the decrypted data is copied in by adopting the transparent encryption and decryption driving function; if not, it waits until the time is due.
Fig. 2 is a diagram of a system for managing data using a wallet, which includes a server and a computer, wherein,
the server is used for establishing a secure connection for an authorized user between the server and a wallet client in a computer used by the user;
the computer is used for installing a folder client and setting a folder corresponding to a user identifier for an authorized user on the folder client after establishing a secure connection with a server, wherein the folder comprises a secure disk with a transparent encryption and decryption driving function; when the data is processed safely, the safe disk copies the data in or out by adopting a transparent encryption and decryption drive function.
The system further comprises computers used by other users and a mobile terminal used by the user, wherein
the computer is further used for, when data is copied out, encrypting the data with a transmission key for sending to a computer on which another user uses the wallet client, setting a file header carrying the data identifier of the ciphertext, sending the ciphertext to the computer used by the other user, and binding the set transmission key with the data identifier of the ciphertext and sending the binding to the server;
the server is used for receiving the transmission key and the data identifier of the corresponding ciphertext; when receiving an authorization application sent by a computer used by another user, authenticating the other user and confirming whether the authentication passes, and if so, sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user; if the authentication does not pass, sending the authorization application from the other user's computer to the mobile terminal used by the user, receiving an authorization notification sent by that mobile terminal, and then sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user;
the computers used by other users are used for receiving the ciphertext and sending information applying for authorized copying to the server, the information carrying the data identifier of the ciphertext taken from the file header, and for receiving the transmission key corresponding to the data identifier of the ciphertext and decrypting;
the mobile terminal used by the user is used for running the instant messaging application corresponding to the user identifier, receiving from the server the authorization application sent by the computer used by the other user, authorizing it, and then returning an authorization notice to the server.
The system further comprises computers used by other users, wherein
the computer is further used for, when data is copied out, setting a time bottle file for the decrypted data, setting a time for the time bottle file, and sending the time bottle file, associated with the decrypted data identifier, to the server;
the computers used by the other users are used for, after the secure disk under the wallet corresponding to the other user identifier obtains the time bottle file corresponding to the decrypted data identifier, judging whether the time set by the time bottle file is due; if so, copying in the decrypted data by adopting the transparent encryption and decryption driving function; if not, waiting until the time is due.
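The ciphertext copy-out flow described in the method and system passages above, modelled end to end as an added example (not code from the patent or its assignee): the secure disk's transparent write under the user work key, copy-out under a fresh transmission key with the data identifier in the file header, the server's binding of transmission key and time bottle to that identifier, and the other user's application for the key with the mobile-authorization fallback. AES-256-GCM, the SHA-256 folding of the 256-byte work key into an AES key, the 16-byte identifier header and the user names are this example's assumptions; the patent names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

const idLen = 16 // constructed file layout: 16-byte data identifier header | AES-GCM ciphertext

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a key-handling client cannot continue without secure randomness
	}
	return b
}

// gcm builds AES-256-GCM; every key here is 32 bytes, so a failure is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts with the nonce prepended; the patent does not name its symmetric cipher.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; a wrong key or tampered bytes fail the GCM tag check.
func unseal(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// aesKey folds the server's 256-byte work key into a 32-byte AES-256 key (this example's choice);
// CopyIn is the transparent write into the secure disk under that key.
func aesKey(workKey []byte) []byte           { h := sha256.Sum256(workKey); return h[:] }
func CopyIn(workKey, plaintext []byte) []byte { return seal(aesKey(workKey), plaintext) }

type Server struct {
	authorized map[string]bool      // user identifiers the server can authenticate directly
	keys       map[string][]byte    // data identifier -> transmission key
	bottles    map[string]time.Time // data identifier -> time bottle release time
}

func NewServer(authorized map[string]bool) *Server {
	return &Server{authorized, map[string][]byte{}, map[string]time.Time{}}
}

// ReleaseKey decides an "apply for authorized copying" request: the key goes out only to an authenticated
// applicant (or one the owner's mobile terminal has approved), and only once the time bottle is due.
func (s *Server) ReleaseKey(user, dataID string, now time.Time, mobileApproved bool) ([]byte, error) {
	key, ok := s.keys[dataID]
	switch {
	case !ok:
		return nil, errors.New("unknown data identifier")
	case !s.authorized[user] && !mobileApproved:
		return nil, errors.New("authentication failed and no mobile authorization")
	case now.Before(s.bottles[dataID]):
		return nil, errors.New("time bottle not due: wait")
	}
	return key, nil
}

// CopyOut: decrypt with the work key, re-encrypt under a fresh transmission key, prepend the data identifier.
func CopyOut(s *Server, workKey, diskBlob []byte, release time.Time) ([]byte, error) {
	plain, err := unseal(aesKey(workKey), diskBlob)
	if err != nil {
		return nil, err
	}
	transKey, id := random(32), random(idLen)
	s.keys[hex.EncodeToString(id)] = transKey // the server-side binding of key to data identifier
	s.bottles[hex.EncodeToString(id)] = release
	return append(id, seal(transKey, plain)...), nil
}

// Receive: the other user reads the data identifier from the header, applies for the key, then decrypts.
func Receive(s *Server, user string, blob []byte, now time.Time, mobileApproved bool) ([]byte, error) {
	if len(blob) < idLen {
		return nil, errors.New("no file header")
	}
	key, err := s.ReleaseKey(user, hex.EncodeToString(blob[:idLen]), now, mobileApproved)
	if err != nil {
		return nil, err
	}
	return unseal(key, blob[idLen:])
}
```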
In this system, the main functions of the server are:
1. providing various data services for the wallet client installed in the user's computer, the related application (App) installed in the user's mobile terminal, and the applet in the instant messaging system, for example user information, wallet information, safe disk and file list information, authorization list information, log information and the like;
2. handling communication between the App and the wallet client: because the App and the wallet client use a point-to-point communication protocol, the link between them must be established by the server;
3. storing and maintaining the user work key list (Symkey List), the wallet public key list (PC_Client_PubKey List), and the list binding ciphertext copy data identifiers to session keys (File-Session List of Session Key);
4. forwarding the instructions of the App and the applet, such as file upload and download, remote logout, and address book backup and download.
Fig. 3 is a schematic structural diagram of an apparatus for managing data using a wallet, according to an embodiment of the present invention, where the apparatus is a computer used by a user, and the apparatus includes: a user management module and a data processing module, wherein,
the user management module is used for installing the wallet client; setting a folder corresponding to a user identifier for an authorized user on the folder client, wherein the folder comprises a safe disk with a transparent encryption and decryption driving function;
and the data processing module is used for copying the data into or out of the secure disk by adopting a transparent encryption and decryption drive function when the data is subjected to secure processing.
The present invention is described below by way of a specific example.
The entities involved in this example include a server, the computer used by the user, computers used by other users, the mobile terminal used by the user, and the like.
In the first step, the server communicates with the computer used by the user to complete the initialization process.
Here, in the initialization process the server generates a server public and private key pair (Server_PubKey/Server_PriKey).
Here, the algorithm used for the server public and private key pair is the asymmetric encryption algorithm RSA, and the key length is 2048 bits.
In the second step, the computer used by the user installs the wallet client and logs in to the server through the wallet client for authorization verification; after successful verification, the server sets a user work key (Symkey) corresponding to the user identifier for the user. The server sends the user information and the public key of the server public and private key pair to the wallet client of the computer, and the wallet client generates the user public and private key pair corresponding to the user identifier.
Here, the algorithm used for the user public and private key pair is the asymmetric encryption algorithm RSA, and the key length is 2048 bits.
Here, the user information includes information such as the user identifier, avatar information, or/and a nickname. The user work key set for the user consists of 256 random bytes (values 0-255) generated by the server, and it is used by the secure disk in a subsequently set folder to encrypt and decrypt data with the transparent encryption and decryption drive function.
The server sends the public key in the server public and private key pair to the dense-folder client, the dense-folder client sends the public key of the user public and private key pair to the server, and at the moment, the server and the computer establish a secure connection.
After that, the information transmitted between the server and the folder client is processed in a ciphertext mode. Specifically, when a wallet client interacts between a computer and a server, various information in the computer is encrypted and sent to the server by adopting a public key in a server public and private key pair, and the server receives the information and decrypts the information by adopting a private key in the server public and private key pair to obtain the information; after various information sent by the server is encrypted and sent to the computer by adopting a public key in a user public and private key pair corresponding to the user identification, the computer is obtained by adopting a private key in the user public and private key pair corresponding to the user identification for decryption.
In the third step, after the computer used by the user has successfully logged in to the server on the wallet client, the user can set up a wallet folder in the computer, identified by a wallet folder identifier.
In the fourth step, after the user has successfully logged in on the wallet client, the client detects whether a legal wallet folder is present, that is, whether a correspondence between a wallet folder identifier and the user identifier has been established so that the user with that user identifier owns a legal wallet folder.
If no legal wallet folder is detected, the third step is carried out: the wallet folder and a secure disk under it are set up, the wallet folder identifier is a string formed by concatenating the user identifier and the local device identifier, a 16-byte hash value of that string is generated with the MD5 algorithm, and the hash value is bound to the user identifier and stored in a hidden area of the wallet folder;
if a legally set wallet folder is detected, the wallet folder identifier is read from the hidden area of the wallet folder.
In the fifth step, after the user's computer has created the wallet folder, a secure disk can be created under it, for example on the computer itself, on a removable hard disk or on a USB flash drive, and the identifier of the created secure disk is bound to the wallet folder identifier.
Here, the secure disk is a virtual disk created by a virtual disk driver (imdisk), and the secure disk identifier is a randomly generated Universally Unique Identifier (UUID) 32 bytes in length.
In principle, the correspondence between user identifier, wallet folder and secure disk is 1:n:n, where n is a natural number.
In the sixth step, the user's computer mounts the secure disk into the disk management list of the computer and passes the path of the secure disk to the transparent encryption and decryption driver.
Here, the transparent encryption and decryption driver transparently encrypts and decrypts data on the secure disk: as long as the secure disk is mounted under the wallet folder, any data written to or read from it is encrypted or decrypted automatically. The encryption and decryption algorithm is AES, and the key used is the user work key, which can be 256 bytes in length.
In the seventh step, when encrypted data is copied out of a secure disk set up in the computer used by the user, it can be copied out either as ciphertext or as plaintext.
When the encrypted data is to be copied out as plaintext, the secure disk decrypts it with the transparent encryption and decryption function, specifically with the work key corresponding to the user identifier, and sends the decrypted data to the specified storage location for storage;
when the encrypted data of the secure disk is to be copied out as ciphertext, the secure disk first decrypts it with the transparent encryption and decryption function, that is, with the work key corresponding to the user identifier, then generates a unique identifier for the data and a corresponding transmission key, encrypts the data with the transmission key to obtain a ciphertext, and sends the ciphertext to the specified storage location. At the time of copying out, the unique identifier of the ciphertext data and the transmission key are sent to the server; for transmission they can be encrypted with the public key of the server key pair, and the server decrypts them with the private key of the server key pair to obtain the transmission key corresponding to the data identifier. The transmission key and the data identifier are 256-byte random strings.
In the eighth step, before the data decrypted and copied out by the secure disk is transmitted to the specified storage location, a file header is attached to the ciphertext, the file header comprising authorization information and the data identifier.
Here, the file header of the ciphertext includes: 1) a Globally Unique Identifier (GUID) of the file; 2) an identifier of the original host of the data; 3) the file identifier; 4) a hash value of the ciphertext of the data; 5) a digital signature over items 1) to 4), computed with the SHA1+RSA algorithm.
In the ninth step, the ciphertext is transmitted to the specified storage location; if the specified storage location is a secure disk of another user, that secure disk parses the file header and copies the encrypted data in using its transparent encryption and decryption driver function.
If no file header is present, the transparent encryption and decryption driver function directly encrypts the data with the user work key and stores it on the secure disk.
If a file header is present, the user is prompted that the ciphertext is not authorized.
In the tenth step, if the user shares the ciphertext with other users, the user copies the encrypted data into a secure disk in a computer used by the other users; that secure disk reads the file header of the ciphertext and requests authorization for the ciphertext from the server.
If the other user is authorized, then after receiving the data identifier and the transmission key sent by the server, the secure disk decrypts the encrypted data with the transmission key corresponding to the data identifier, copies the decrypted data in with its transparent encryption and decryption driver function, and the user can view the data simply by opening the secure disk;
if not, the server determines the user identifier from the data identifier of the ciphertext and notifies the user with that identifier (the notification can be sent to the user's mobile terminal, where an instant messaging application corresponding to the user identifier runs and performs the authorization). The server then determines whether the user sends a notice authorizing the other users; after receiving the authorization approval notice from the user, it sends the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other users. During transmission the transmission key is encrypted with the private key of a public-private key pair and sent to the other users; after receiving it, the other users decrypt it with the public key of that key pair to obtain the transmission key, decrypt the encrypted data with the transmission key, copy the decrypted data in with the transparent encryption and decryption driver function, and view the data by opening the secure disk directly.
A specific example illustrates this: when another user opens the data without authorization, the server looks up the public account identifier of the owning user according to the data identifier, pushes an authorization application for copying the data based on the public account identifier of user A, and notifies the corresponding public account in the instant messaging software on user A's mobile terminal. After user A approves the authorization, the server adds an authorization record, encrypts the Session Key with the other user's PC_Client_PubKey and returns it to the other user, who decrypts it with PC_Client_PriKey to obtain the Session Key. When the file is copied out again it can enter the secure disk: the other user decrypts the file with the SessionKey, then encrypts it with their own work key and stores it on the secure disk. The other user can then view the content by opening the file on the secure disk. The public account identifiers corresponding to the other users receive a notice that the file authorization has passed; if the user refuses the authorization, the other users likewise receive, at the corresponding public account, a notice that the file authorization was refused.
In this case, if the user rejects the authorization, the server transmits a notification of the rejection to the computer used by the other user.
In an embodiment of the invention, a "time bottle" can be set for transmitting data between users' computers. The user can select any data in the secure disk and set a time bottle for it, including a specific time, so that another user can copy the ciphertext data into their own secure disk but can only view it at the specific time set in the time bottle.
The procedure is as follows: the secure disk in the computer used by the first user is opened, all ciphertext data in the secure disk is displayed, ciphertext data is selected, a time is set for the selected ciphertext data, and the ciphertext data of the time bottle is stored:
in the first step, the secure disk of the computer used by the first user decrypts the ciphertext data with the work key, encrypts the decrypted data with a transmission key, and transmits the encrypted data to the specified location;
in the second step, the secure disk of the computer used by the first user binds the time bottle file identifier corresponding to the ciphertext data to the transmission key and sends both to the server, the time bottle file carrying the time at which the ciphertext data may be queried;
in the third step, if the specified location is a secure disk of a computer used by a second user, that secure disk judges whether the time set in the time bottle file of the received, transmission-key-encrypted data has arrived; if not, the second user is prompted that the time has not arrived and the encrypted data cannot be obtained; if so, the transmission key is obtained from the server, the data encrypted with the transmission key is decrypted, and the secure disk of the second user's computer copies the data in with the transparent encryption and decryption driver function.
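As an added example (not code from the patent or its applicant), the following Go program models the copy-out and authorized copy-in flow of steps seven to ten together with the time bottle gate of the procedure above: the secure disk's transparent encryption is AES-256-GCM under a work key, the copied-out data is re-encrypted under a fresh transmission key and carries a signed file header, and the server releases the transmission key, wrapped under the requester's RSA public key as in the PC_Client_PubKey example, only after the owner's approval and only once the time bottle is due. Assumptions: 32-byte keys instead of the patent's 256 bytes, SHA-256 in place of SHA1 for the header signature, server-side enforcement of the time bottle in addition to the recipient's clock check, omission of the wrapping of the (identifier, key) pair under the server's public key, and all function names (CopyOut, CopyIn, Release, Approve) are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Header is the file header of step eight. The patent signs it with SHA1+RSA; SHA-256 is substituted here.
type Header struct {
	GUID, OriginHost, FileID string
	CipherHash               [32]byte // SHA-256 of the transmission-key ciphertext
	Signature                []byte   // owner's RSA signature over the fields above
}
// record is the server's state per data identifier (steps seven and ten); releaseAt is the "time bottle".
type record struct {
	transKey  []byte
	releaseAt time.Time       // zero value means no time gate
	approved  map[string]bool // requesters the owner has approved
}
type Server struct{ records map[string]*record }
func NewServer() *Server { return &Server{records: map[string]*record{}} }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func genKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// gcm/seal/open stand in for the transparent encryption driver: AES-256-GCM under a 32-byte key (the patent says 256 bytes; 32 is assumed so AES accepts it; other key lengths panic here).
func gcm(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }
func seal(key, plain []byte) []byte {
	nonce := randBytes(12) // fresh nonce per write, stored in front of the ciphertext
	return gcm(key).Seal(nonce, nonce, plain, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
func headerDigest(h Header) []byte {
	d := sha256.Sum256(append([]byte(h.GUID+"|"+h.OriginHost+"|"+h.FileID+"|"), h.CipherHash[:]...))
	return d[:]
}

// CopyOut (steps seven and eight): decrypt with the owner's work key, re-encrypt under a fresh transmission key, register identifier and key with the server, and sign the header.
func CopyOut(srv *Server, host, fileID string, ownerKey *rsa.PrivateKey, workKey, stored []byte, releaseAt time.Time) (Header, []byte, error) {
	plain, err := open(workKey, stored)
	if err != nil {
		return Header{}, nil, err
	}
	tk := randBytes(32) // transmission key (the patent's is a 256-byte random string)
	body := seal(tk, plain)
	h := Header{GUID: hex.EncodeToString(randBytes(16)), OriginHost: host, FileID: fileID, CipherHash: sha256.Sum256(body)}
	srv.records[h.GUID] = &record{transKey: tk, releaseAt: releaseAt, approved: map[string]bool{}}
	h.Signature, err = rsa.SignPKCS1v15(rand.Reader, ownerKey, crypto.SHA256, headerDigest(h))
	return h, body, err
}
func (s *Server) Approve(guid, requester string) { s.records[guid].approved[requester] = true } // owner consent from the mobile terminal (step ten); guid must be registered
// Release wraps the transmission key under an approved requester's RSA public key. The time bottle is enforced here as well, not only by the recipient's own clock check as in the patent.
func (s *Server) Release(guid, requester string, reqPub *rsa.PublicKey, now time.Time) ([]byte, error) {
	r, ok := s.records[guid]
	if !ok || !r.approved[requester] {
		return nil, errors.New("copy-out not authorized")
	}
	if now.Before(r.releaseAt) {
		return nil, errors.New("time bottle not yet due")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, reqPub, r.transKey, nil)
}

// CopyIn on the recipient's secure disk: verify hash and signature before trusting the data, unwrap the transmission key, then store the data under the recipient's own work key.
func CopyIn(h Header, body []byte, senderPub *rsa.PublicKey, recvKey *rsa.PrivateKey, wrapped, workKey []byte) ([]byte, error) {
	if sha256.Sum256(body) != h.CipherHash || rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, headerDigest(h), h.Signature) != nil {
		return nil, errors.New("header check failed")
	}
	tk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recvKey, wrapped, nil)
	if err != nil {
		return nil, err
	}
	plain, err := open(tk, body)
	if err != nil {
		return nil, err
	}
	return seal(workKey, plain), nil
}
```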
In one application scenario, when the instant messaging application corresponding to the user identifier, or the application of the associated wallet client, runs on the user's mobile terminal, data on the secure disk under the user's computer can also be obtained.
In the embodiment of the invention, the user's mobile terminal runs the application of the associated wallet client, establishes a communication connection with the wallet client corresponding to the user identifier on the computer, and then sends data to the secure disk under the wallet folder corresponding to the user identifier in the computer, where the secure disk copies the data in; correspondingly, the user transmits data copied out from that secure disk to the associated wallet client application set up on the mobile terminal.
In the embodiment of the invention, to ensure data security, the instant messaging application corresponding to the user identifier, or the associated wallet client application, running on the user's mobile terminal can also send a wallet-exit request to the server, and the server sends a remote wallet-exit instruction to the computer used by the user over a network socket (WebSocket) so that the wallet application on that computer goes offline.
Fig. 4 is a schematic diagram of the overall process for managing data with the wallet client according to an embodiment of the present invention. As the diagram shows, a wallet client is provided in the user's computer; on this platform, multiple wallet folders corresponding to user identifiers can be set up for users authorized by the server, with one or more secure disks under each wallet folder. The correspondence between user identifier, wallet folder identifier and secure disk identifier is stored locally on the user's computer. Here, the secure disk may be a storage area of the computer or a storage area on a storage medium such as a USB flash drive or removable hard disk mounted on the computer.
The secure disk under the wallet folder set up in the user's computer can copy data in or out using the transparent encryption and decryption driver function, and copied-out data is sent to and stored at a specified storage location. When sending, the data can be encrypted directly with a transmission key and the ciphertext transmitted to the specified storage location, where it is decrypted with the transmission key; the transmission key can be forwarded to the specified location through the server, ensuring secure transmission of the data.
The specified storage location may be another user's computer, in particular a secure disk under the wallet folder set up on that computer.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for managing data by a wallet client, the method comprising:
installing a wallet client in a computer;
setting, on the wallet client, a wallet folder corresponding to a user identifier for an authorized user, wherein the wallet folder comprises a secure disk with a transparent encryption and decryption driver function;
when data is to be processed securely, the secure disk copying the data in or out using the transparent encryption and decryption driver function.
2. The method of claim 1, wherein the wallet client is software installed in the computer;
a plurality of wallet folders are set corresponding to one user identifier, and a plurality of secure disks are set under each wallet folder; a set wallet folder is represented by a wallet folder identifier and a secure disk by a secure disk identifier,
and the correspondence between the user identifier, the wallet folder identifier and the secure disk identifier is stored;
the secure disk is a storage area in the computer or a storage area of a storage medium mounted in the computer.
3. The method of claim 1, wherein the secure disk copying the data in using the transparent encryption and decryption driver function comprises:
the secure disk obtaining a user work key corresponding to the user identifier from a server through the wallet client, and encrypting and storing the data with the user work key.
4. The method of claim 1, wherein the secure disk copying the data out using the transparent encryption and decryption driver function comprises:
the secure disk obtaining the user work key corresponding to the user identifier from the server through the wallet client, decrypting the data with the user work key, and then sending the data to a specified storage location for storage.
5. The method of claim 4, further comprising, before the sending to the specified storage location for storage:
encrypting the decrypted data with a transmission key set by the wallet client, setting for the ciphertext a file header carrying the data identifier of the ciphertext, and then sending the ciphertext to the specified storage location for storage;
binding the set transmission key to the data identifier of the ciphertext and sending them to a server;
after obtaining the ciphertext, a computer used by another user sending to the server information applying for authorized copy-out, the information carrying the data identifier of the ciphertext from the file header;
the server authenticating the information applying for authorized copy-out sent by the other user and determining whether the authentication passes; if it passes, the server sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user, and the other user decrypting the ciphertext;
if the authentication does not pass, an instant messaging application corresponding to the user identifier running on a mobile terminal receiving an authentication notice sent by the server, and after the mobile terminal authenticates, the server sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user, and the other user decrypting the ciphertext.
6. The method of claim 4, wherein the specified storage location is a secure disk under a wallet folder, set by a computer used by another authorized user at the specified location, corresponding to that user's user identifier, and the method further comprises, before the sending to the specified storage location for storage:
setting a time bottle file for the decrypted data, setting a time in the time bottle file, and sending the time bottle file, in correspondence with the data identifier of the decrypted data, to a server;
after the secure disk under the wallet folder corresponding to the other user's identifier, set by the computer used by the other user, obtains the time bottle file corresponding to the data identifier of the decrypted data, judging whether the time set in the time bottle file is due, and if so, copying the decrypted data in using the transparent encryption and decryption driver function; if not, waiting until the time is due.
7. A system for managing data using a wallet client, comprising a server and a computer, wherein
the server is used for establishing, for an authorized user, a secure connection between the server and a wallet client in a computer used by the user;
the computer is used for installing the wallet client and, after establishing the secure connection with the server, setting on the wallet client a wallet folder corresponding to a user identifier for the authorized user, wherein the wallet folder comprises a secure disk with a transparent encryption and decryption driver function; when data is to be processed securely, the secure disk copies the data in or out using the transparent encryption and decryption driver function.
8. The system of claim 7, further comprising computers used by other users and a mobile terminal used by the user, wherein
the computer is further used for, when copying data out, encrypting the data with a transmission key and sending it to a computer of another user that uses a wallet client, setting for the ciphertext a file header carrying the data identifier of the ciphertext, and binding the set transmission key to the data identifier of the ciphertext and sending them to the server;
the server is used for receiving the transmission key and the corresponding data identifier of the ciphertext; on receiving an application for authorized copy-out sent by a computer used by another user, authenticating the other user and confirming whether the authentication passes, and if it passes, sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user; if the authentication does not pass, forwarding the authorization application sent by the computer used by the other user to the mobile terminal used by the user, receiving an authorization notice sent by that mobile terminal, and then sending the transmission key corresponding to the data identifier of the ciphertext to the computer used by the other user;
the computers used by the other users are used for receiving the ciphertext and sending to the server information applying for authorized copy-out, the information carrying the data identifier of the ciphertext from the file header, and for receiving the transmission key corresponding to the data identifier of the ciphertext and decrypting;
the mobile terminal used by the user is used for running the instant messaging application corresponding to the user identifier, receiving from the server the authorization application sent by the computer used by the other user, performing the authorization, and returning an authorization notice to the server.
9. The system of claim 7, further comprising computers used by other users, wherein
the computer is further used for, when copying data out, setting a time bottle file for the decrypted data, setting a time in the time bottle file, and sending the time bottle file to the server in correspondence with the data identifier of the decrypted data;
the computers used by the other users are used for, after the secure disk under the wallet folder corresponding to the other user's identifier obtains the time bottle file corresponding to the data identifier of the decrypted data, judging whether the time set in the time bottle file is due, and if so, copying the decrypted data in using the transparent encryption and decryption driver function; if not, waiting until the time is due.
10. An apparatus for managing data using a wallet client, comprising a user management module and a data processing module, wherein
the user management module is used for installing the wallet client and for setting, on the wallet client, a wallet folder corresponding to a user identifier for an authorized user, wherein the wallet folder comprises a secure disk with a transparent encryption and decryption driver function;
and the data processing module is used for copying data into or out of the secure disk using the transparent encryption and decryption driver function when the data is to be processed securely.
CN201911170124.3A 2019-11-26 2019-11-26 Method, system and device for managing data by adopting wallet client Pending CN112948839A (en)
Publications (1)

Publication Number Publication Date
CN112948839A true CN112948839A (en) 2021-06-11
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination