CN116933275A - Data leakage prevention method, device, equipment and storage medium - Google Patents


Publication number
CN116933275A
Authority
CN
China
Prior art keywords
file
protected
key
content
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311197520.1A
Other languages
Chinese (zh)
Inventor
华俊谷
刘瑞
盖雪峰
耿洪亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Password Cloud Core Technology Co ltd
Original Assignee
Beijing Password Cloud Core Technology Co ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209: Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Abstract

The invention discloses a data leakage prevention method, a device, equipment and a storage medium. The method comprises the following steps: determining a target security component for constructing a security running environment of the file to be protected in response to a file encryption instruction of the file to be protected; constructing a safe operation environment by adopting a target safe component, and acquiring a random key generated by the safe operation environment in the construction process; in a safe operation environment, according to a random key and inode information of a file to be protected, encrypting initial file content in the file to be protected to obtain encrypted file content of the file to be protected; and updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked. The embodiment of the invention improves the safety of the protected data.

Description

Data leakage prevention method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for preventing data leakage.
Background
Data security is critical for enterprises in every technical field, so data leakage prevention is an indispensable technical means for every enterprise to protect its data.
Existing data leakage prevention relies on encryption software for protection. However, with encryption software the encrypted source code is easily damaged, the system performance loss is serious, and if the master key is deleted by mistake, lost data cannot be recovered. Moreover, data encrypted this way can later be decrypted easily, so it is difficult to fully and effectively protect the real security of the data, and the data or files to be protected are likely to be leaked.
Disclosure of Invention
The invention provides a data leakage prevention method, a device, equipment and a storage medium, which are used for improving the safety of protected data.
According to an aspect of the present invention, there is provided a data leakage prevention method, the method including:
determining a target security component for constructing a security running environment of a file to be protected in response to a file encryption instruction of the file to be protected;
constructing a safe operation environment by adopting the target safe component, and acquiring a random key generated by the safe operation environment in the construction process;
in the safe operation environment, according to the random key and the inode information of the file to be protected, carrying out encryption processing on the initial file content in the file to be protected to obtain the encrypted file content of the file to be protected;
and updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked.
According to another aspect of the present invention, there is provided a data leakage preventing apparatus, the apparatus comprising:
the target component determining module is used for determining a target security component for constructing a security running environment of the file to be protected in response to a file encryption instruction of the file to be protected;
the random key generation module is used for constructing a safe operation environment by adopting the target safe component and acquiring a random key generated by the safe operation environment in the construction process;
the encryption content determining module is used for carrying out encryption processing on the initial file content in the file to be protected according to the random key and the inode information of the file to be protected in the safe operation environment to obtain the encryption file content of the file to be protected;
and the file content updating module is used for updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data leakage prevention method according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the data leakage prevention method according to any of the embodiments of the present invention when executed.
According to the embodiment of the invention, the target security component for constructing the security operation environment of the file to be protected is determined by responding to the file encryption instruction of the file to be protected; constructing a safe operation environment by adopting a target safe component, and acquiring a random key generated by the safe operation environment in the construction process; in a safe operation environment, according to a random key and inode information of a file to be protected, encrypting initial file content in the file to be protected to obtain encrypted file content of the file to be protected; and updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked. According to the technical scheme, the file to be protected is encrypted in the safe operation environment, so that the integrity and confidentiality of the data are reliably protected in the encryption process, and a safe and reliable execution environment is provided for data encryption. By introducing inode information of the file to be protected in the encryption process, the file to be protected is effectively prevented from being tampered, moved and stolen maliciously, the security of the data encryption process is further improved, and the situation of data leakage can be effectively prevented.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data leakage prevention method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a data leakage prevention method according to a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a data leakage preventing device according to a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device implementing a data leakage prevention method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a data leakage prevention method according to an embodiment of the present invention, where the method may be performed by a data leakage prevention device, and the data leakage prevention device may be implemented in hardware and/or software, and the data leakage prevention device may be configured in an electronic device. As shown in fig. 1, the method includes:
S110, determining a target security component for constructing a secure operating environment of the file to be protected in response to a file encryption instruction of the file to be protected.
The file to be protected may be a file to be protected by data encryption, so as to prevent content data from being leaked. The file encryption instruction can be initiated by an encryption demand party or can be automatically generated and initiated periodically by a preset encryption task.
The secure operating environment may be an operating area isolated from other operating modules and capable of executing trusted applications. The target security component may be a hardware device capable of generating a secure operating environment. For example, the target security component may be a CPU (Central Processing Unit), smart key, HSM (Hardware Security Module) or TPM (Trusted Platform Module).
For example, in response to a file encryption instruction of a file to be protected, it is determined whether a security component exists in the operating environment of the file to be protected. If several security components exist, any one of them is selected as the target security component; if only one security component exists, that security component is determined as the target security component; if none exists, the built-in white-box cryptographic technique is used to create a secure operating environment.
It should be noted that, in order to ensure the creation reliability of the secure operating environment, the secure operating environment may be created more specifically in combination with different operating environments of different files to be protected, so as to improve the creation efficiency and the creation reliability.
In an alternative embodiment, in response to a file encryption instruction for a file to be protected, determining a target security component that constructs a secure operating environment for the file to be protected includes: responding to a file encryption instruction of a file to be protected, and acquiring at least one candidate security component in an operating environment to which the file to be protected belongs; and selecting a target security component from the candidate security components according to the component information of the candidate security components.
The number of candidate security components in the running environment to which the file to be protected belongs may be one or more. The candidate security component may be CPU, HSM, TPM or a smart key or the like. The component information may be component priority information or component performance information, etc.
For example, a candidate security component with the highest component priority may be selected from the candidate security components according to the component priority information of the candidate security components, and the candidate security component is used as the target security component. The component priority of each candidate security component may be preset by a relevant technician. Alternatively, according to the component performance information of each candidate security component, a candidate security component with optimal performance in each aspect can be selected from each candidate security component as a target security component.
S120, constructing a secure operation environment by adopting the target secure component, and acquiring a random key generated by the secure operation environment in the construction process.
It should be noted that different target security components create a secure operating environment in different ways. For example, if the target security component is a CPU, the way the secure operating environment is created differs between CPU models. For example, for an Intel CPU, a secure operating environment may be built using its existing SGX technology; if the target security component is a TPM, a secure operating environment can be created using the TPM's built-in trusted software stack component.
Alternatively, the secure operating environment may be a TEE (Trusted Execution Environment).
The random key may be an initialization key randomly generated using a pseudo random number when constructing a secure operating environment.
Illustratively, a secure execution environment is constructed by using a target secure component, and an initialization key is randomly generated as a random key using a pseudo-random number during the construction of the secure execution environment. It should be noted that, the random key may be automatically generated in the process of constructing the secure operating environment, and may be directly obtained.
S130, in the safe operation environment, according to the random key and the inode information of the file to be protected, encrypting the initial file content in the file to be protected to obtain the encrypted file content of the file to be protected.
The inode information may be metadata stored in a hardware data block used by the file system to store a file; for example, the metadata may include the permissions, size, creation time and modification time of the file. The inode information can serve as unique identification information of the file to be protected: every file has corresponding inode information, and if the location of the file changes or the content of the file changes, the inode information of the file changes. Therefore, introducing the inode information into the encryption process of the file to be protected can further improve the security and reliability of the file encryption.
Illustratively, in the secure operating environment, the initial file content in the file to be protected can be encrypted based on a preset symmetric encryption and decryption algorithm according to the random key and the inode information of the file to be protected, so as to obtain the encrypted file content of the file to be protected. For example, the symmetric encryption and decryption algorithm may be the SM4 algorithm, or may be another symmetric encryption and decryption algorithm, which is not limited in this embodiment.
Specifically, the random key, the inode information of the file to be protected and the initial file content can be used as input data of a symmetric encryption and decryption algorithm, the symmetric encryption and decryption algorithm encrypts the initial file content based on the random key and the inode information, and the encrypted file content of the encrypted file to be protected is output.
It should be noted that, after the random key is generated, the random key may be stored in association with inode information of the file to be protected, so that the random key may be directly obtained for decryption in a subsequent decryption process.
And S140, updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked.
For example, the original file content in the file to be protected is updated by adopting the encrypted file content, that is, the original file content is covered by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked. It should be noted that, in the process of updating the initial file content of the file to be protected, the file position of the file to be protected does not change, so that the corresponding inode information is unchanged.
According to the embodiment of the invention, the target security component for constructing the security operation environment of the file to be protected is determined by responding to the file encryption instruction of the file to be protected; constructing a safe operation environment by adopting a target safe component, and acquiring a random key generated by the safe operation environment in the construction process; in a safe operation environment, according to a random key and inode information of a file to be protected, encrypting initial file content in the file to be protected to obtain encrypted file content of the file to be protected; and updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked. According to the technical scheme, the file to be protected is encrypted in the safe operation environment, so that the integrity and confidentiality of the data are reliably protected in the encryption process, and a safe and reliable execution environment is provided for data encryption. By introducing inode information of the file to be protected in the encryption process, the file to be protected is effectively prevented from being tampered, moved and stolen maliciously, the security of the data encryption process is further improved, and the situation of data leakage can be effectively prevented.
Example two
Fig. 2 is a flowchart of a data leakage prevention method according to a second embodiment of the present invention, where the embodiment is optimized and improved based on the above technical solutions.
Further, the step of "encrypting the initial file content in the file to be protected according to the random key and the inode information of the file to be protected to obtain the encrypted file content of the file to be protected" is refined into "generating a first intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be protected; generating a target encryption key according to the random key and the first intermediate key; and, according to the target encryption key, encrypting the initial file content in the file to be protected based on a preset symmetric encryption and decryption mode to obtain the encrypted file content of the file to be protected", so as to perfect the way in which the encrypted file content of the file to be protected is generated. For parts of this embodiment not described in detail, reference may be made to the descriptions of the other embodiments.
As shown in fig. 2, the method comprises the following specific steps:
S210, determining a target security component for constructing a secure operating environment of the file to be protected in response to a file encryption instruction of the file to be protected.
S220, constructing a secure operation environment by adopting the target secure component, and acquiring a random key generated by the secure operation environment in the construction process.
S230, in the safe operation environment, generating a first intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be protected.
For example, the first intermediate key having the same key length as the random key may be generated based on a preset key derivation algorithm according to the key length of the random key and the inode information of the file to be protected. The key derivation algorithm may be preset by a related technician; for example, it may be a KDF (key derivation function) algorithm, where the KDF is a standard key derivation method, such as the one specified in ANSI X9.63.
Specifically, the KDF algorithm generates the first intermediate key as follows:
where the two inputs are the inode information of the file to be protected and the key length of the random key. It should be noted that the inode information of the file to be protected is represented as a valid character string.
S240, generating a target encryption key according to the random key and the first intermediate key.
Illustratively, the random key and the first intermediate key may be spliced or summed to obtain the target encryption key. Alternatively, to further increase the complexity of generating the target encryption key, the target encryption key may be generated by an exclusive-or method.
In an alternative embodiment, generating the target encryption key from the random key and the first intermediate key includes: and performing exclusive OR operation on the random key and the first intermediate key to obtain the target encryption key.
The target encryption key K may be generated by the following method:
where the two operands are the random key and the first intermediate key.
S250, according to the target encryption key, based on a preset symmetric encryption and decryption mode, the initial file content in the file to be protected is encrypted, and the encrypted file content of the file to be protected is obtained.
The symmetric encryption and decryption mode may be a symmetric encryption and decryption algorithm SM4, and the target encryption key and the initial file content in the file to be protected may be used as input parameters of the symmetric encryption and decryption algorithm SM4 to obtain an output result of the symmetric encryption and decryption algorithm SM4, so as to obtain the encrypted file content.
Note that SM4 may be used in an encryption mode with stream-cipher properties, such as CTR (counter) mode, to ensure that the ciphertext and plaintext of the file have the same size, so as to preserve the inherent information of the file and improve usability.
S260, updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked.
According to the technical scheme, the first intermediate key with the same key length as the random key is generated according to the key length of the random key and the inode information of the file to be protected, the target encryption key is generated according to the random key and the first intermediate key, the initial file content in the file to be protected is encrypted according to the target encryption key based on a preset symmetric encryption and decryption mode, the encrypted file content of the file to be protected is obtained, the security of the encryption process of the initial file of the file to be protected is further improved, the security of the encrypted file content obtained by encryption is higher, and the encrypted file content is not easy to tamper, so that the occurrence of data leakage is further prevented.
It will be appreciated that where there is a requirement to encrypt a file, there is also a requirement to decrypt it.
In an alternative embodiment, in response to a file decryption instruction of a file to be decrypted, file ciphertext content in the file to be decrypted is obtained; in the safe operation environment, according to the random key and the inode information of the file to be decrypted, decrypting the file ciphertext content in the file to be decrypted to obtain the file plaintext content of the file to be decrypted.
The file decryption instruction may be initiated by a decryption requester, which may be a requester that has the right to obtain the plaintext file.
Illustratively, in response to a file decryption instruction for a file to be decrypted, file ciphertext content in the file to be decrypted is obtained. According to the inode information of the file to be decrypted, a random key of a secure operating environment associated with the inode information can be acquired. In the safe operation environment, according to the random key and the inode information of the file to be decrypted, adopting a decryption mode corresponding to the encryption mode to decrypt the file ciphertext content in the file to be decrypted, and obtaining the file plaintext content of the file to be decrypted.
If the encryption process corresponding to the file to be decrypted is: generating a first intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be protected; generating a target encryption key according to the random key and the first intermediate key; and, according to the target encryption key, encrypting the initial file content in the file to be protected based on a preset symmetric encryption and decryption mode to obtain the encrypted file content of the file to be protected, then the decryption process is as follows.
In an alternative embodiment, decrypting the file ciphertext content in the file to be decrypted according to the random key and the inode information of the file to be decrypted, to obtain the file plaintext content of the file to be decrypted, includes: generating a second intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be decrypted; generating a target decryption key according to the random key and the second intermediate key; and, according to the target decryption key, decrypting the file ciphertext content in the file to be decrypted based on a preset symmetric encryption and decryption mode to obtain the file plaintext content of the file to be decrypted.
For example, the second intermediate key may be generated from the key length of the random key and inode information of the file to be decrypted using the same algorithm as the encryption process. Since the random key and inode information of the encryption process and the decryption process are the same, the first intermediate key and the second intermediate key are the same key. The target decryption key is generated from the random key and the second intermediate key in the same way as the target encryption key is generated by encryption, which may be an exclusive-or process, for example. And according to the target decryption key, decrypting the file ciphertext content in the file to be decrypted based on the same symmetric encryption and decryption mode as the encryption process to obtain the file plaintext content of the file to be decrypted.
It should be noted that the decryption key generated in the decryption process should be consistent with the encryption key generated in the encryption process. If the encryption key and the decryption key are inconsistent, the position of the file to be protected has shifted; if they are consistent, the position of the file to be protected on disk is unchanged, that is, the file has not been moved.
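The derivation in S230 and S240 and the key mismatch after a file is copied, as an added example that is not code from the patent. It assumes SHA-256 inside an X9.63-style KDF, an inode string built only from the device and inode numbers (the modification time changes when the file is overwritten in place), and a SHA-256 keystream standing in for SM4-CTR; all function names are hypothetical and `random_key` stands in for the key produced by the secure operating environment.

```python
import hashlib
import os
import shutil
import tempfile


def x963_kdf(z: bytes, klen: int, shared_info: bytes = b"") -> bytes:
    """X9.63-style KDF: Hash(Z || 32-bit counter || SharedInfo), counter from 1."""
    out = b""
    counter = 1
    while len(out) < klen:
        out += hashlib.sha256(z + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:klen]


def inode_string(path: str) -> bytes:
    """Assumed serialization of the inode information: 'device:inode'."""
    st = os.stat(path)
    return f"{st.st_dev}:{st.st_ino}".encode()


def target_key(random_key: bytes, inode_info: bytes) -> bytes:
    """S230 + S240: intermediate key of equal length, then XOR with the random key."""
    k1 = x963_kdf(inode_info, len(random_key))
    return bytes(a ^ b for a, b in zip(random_key, k1))


def ctr_stand_in(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4-CTR (NOT SM4): XOR with SHA-256(key || block counter).
    Output length equals input length; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def protect_in_place(path: str, random_key: bytes) -> None:
    """S250 + S260: overwrite the content in place so the inode is kept."""
    key = target_key(random_key, inode_string(path))
    with open(path, "r+b") as f:
        plaintext = f.read()
        f.seek(0)
        f.write(ctr_stand_in(key, plaintext))  # same length, no truncate needed


def read_protected(path: str, random_key: bytes) -> bytes:
    """Decryption: re-derive the key from the inode of the file being read."""
    key = target_key(random_key, inode_string(path))
    with open(path, "rb") as f:
        return ctr_stand_in(key, f.read())


def demo():
    random_key = os.urandom(16)  # stands in for the secure environment's key
    plaintext = b"constructed sample: quarterly figures, internal only\n"
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "report.txt")
        with open(original, "wb") as f:
            f.write(plaintext)
        inode_before = os.stat(original).st_ino
        protect_in_place(original, random_key)
        same_inode = os.stat(original).st_ino == inode_before
        size_kept = os.path.getsize(original) == len(plaintext)
        in_place_ok = read_protected(original, random_key) == plaintext
        # A copy of the ciphertext is a new file with a new inode number.
        copied = os.path.join(d, "copy.txt")
        shutil.copyfile(original, copied)
        copy_ok = read_protected(copied, random_key) == plaintext
    return same_inode, size_kept, in_place_ok, copy_ok


if __name__ == "__main__":
    print(demo())
```

Like CTR mode, the stand-in keeps ciphertext and plaintext the same length but provides no integrity check, so a key mismatch after a copy or move yields unreadable bytes rather than an explicit error.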
Example III
Fig. 3 is a schematic structural diagram of a data leakage preventing device according to a third embodiment of the present invention. The data leakage preventing device provided by the embodiment of the invention is suitable for encrypting file data in a file to be protected to prevent data leakage, and can be implemented in hardware and/or software. As shown in fig. 3, it specifically comprises: the target component determination module 301, the random key generation module 302, the encrypted content determination module 303, and the file content update module 304. Wherein:
the target component determining module 301 is configured to determine, in response to a file encryption instruction of a file to be protected, a target security component for constructing a secure operating environment of the file to be protected;
a random key generation module 302, configured to construct a secure operation environment using the target secure component, and obtain a random key generated by the secure operation environment in a construction process;
the encrypted content determining module 303 is configured to encrypt, in the secure operating environment, an initial file content in the file to be protected according to the random key and inode information of the file to be protected, so as to obtain an encrypted file content of the file to be protected;
and the file content updating module 304 is configured to update the initial file content in the file to be protected by using the encrypted file content, so as to prevent file data of the file to be protected from being revealed.
According to the embodiment of the invention, the target security component for constructing the security operation environment of the file to be protected is determined by responding to the file encryption instruction of the file to be protected; constructing a safe operation environment by adopting a target safe component, and acquiring a random key generated by the safe operation environment in the construction process; in a safe operation environment, according to a random key and inode information of a file to be protected, encrypting initial file content in the file to be protected to obtain encrypted file content of the file to be protected; and updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked. According to the technical scheme, the file to be protected is encrypted in the safe operation environment, so that the integrity and confidentiality of the data are reliably protected in the encryption process, and a safe and reliable execution environment is provided for data encryption. By introducing inode information of the file to be protected in the encryption process, the file to be protected is effectively prevented from being tampered, moved and stolen maliciously, the security of the data encryption process is further improved, and the situation of data leakage can be effectively prevented.
Optionally, the target component determining module 301 includes:
a candidate component acquisition unit, configured to acquire, in response to a file encryption instruction of a file to be protected, at least one candidate security component in the operating environment to which the file to be protected belongs;
and the target component determining unit is used for selecting the target security component from the candidate security components according to the component information of the candidate security components.
Optionally, the encrypted content determining module 303 includes:
the first key generation unit is used for generating a first intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be protected;
a target encryption key generation unit, configured to generate a target encryption key according to the random key and the first intermediate key;
and the encryption content determining unit is used for carrying out encryption processing on the initial file content in the file to be protected based on a preset symmetric encryption and decryption mode according to the target encryption key to obtain the encrypted file content of the file to be protected.
Optionally, the target encryption key generating unit is specifically configured to:
and performing exclusive OR operation on the random key and the first intermediate key to obtain a target encryption key.
Optionally, the apparatus further includes:
the ciphertext content acquisition module is used for responding to a file decryption instruction of a file to be decrypted and acquiring file ciphertext content in the file to be decrypted;
and the plaintext content determining module is used for carrying out decryption processing on file ciphertext content in the file to be decrypted according to the random key and the inode information of the file to be decrypted in the safe operating environment to obtain file plaintext content of the file to be decrypted.
Optionally, the plaintext content determination module includes:
a second key generating unit, configured to generate a second intermediate key with the same key length as the random key according to the key length of the random key and inode information of the file to be decrypted;
a target decryption key generation unit, configured to generate a target decryption key according to the random key and the second intermediate key;
and the plaintext content determining unit is used for decrypting the file ciphertext content in the file to be decrypted based on a preset symmetric encryption and decryption mode according to the target decryption key to obtain the file plaintext content of the file to be decrypted.
Optionally, the secure execution environment is a trusted execution environment TEE.
The data leakage prevention device provided by the embodiment of the invention can execute the data leakage prevention method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
Fig. 4 shows a schematic diagram of an electronic device 40 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 40 includes at least one processor 41, and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM) 42, a Random Access Memory (RAM) 43, etc., in which the memory stores a computer program executable by the at least one processor, and the processor 41 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 42 or the computer program loaded from the storage unit 48 into the Random Access Memory (RAM) 43. In the RAM 43, various programs and data required for the operation of the electronic device 40 may also be stored. The processor 41, the ROM 42 and the RAM 43 are connected to each other via a bus 44. An input/output (I/O) interface 45 is also connected to bus 44.
Various components in electronic device 40 are connected to I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, etc.; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, an optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 41 may be various general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 41 performs the various methods and processes described above, such as the data leakage prevention method.
In some embodiments, the data leakage prevention method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into RAM 43 and executed by processor 41, one or more steps of the data leakage prevention method described above may be performed. Alternatively, in other embodiments, processor 41 may be configured to perform the data leakage prevention method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, and which may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that steps may be reordered, added, or deleted using the various forms of flow shown above. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for preventing data leakage, comprising:
determining a target security component for constructing a security running environment of a file to be protected in response to a file encryption instruction of the file to be protected;
constructing a safe operation environment by adopting the target safe component, and acquiring a random key generated by the safe operation environment in the construction process;
in the safe operation environment, according to the random key and the inode information of the file to be protected, carrying out encryption processing on the initial file content in the file to be protected to obtain the encrypted file content of the file to be protected;
and updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked.
2. The method of claim 1, wherein the determining, in response to the file encryption instruction for the file to be protected, a target security component that constructs a secure execution environment for the file to be protected comprises:
responding to a file encryption instruction of a file to be protected, and acquiring at least one candidate security component in an operating environment to which the file to be protected belongs;
and selecting a target security component from the candidate security components according to the component information of the candidate security components.
3. The method of claim 1, wherein the encrypting the initial file content in the file to be protected according to the random key and the inode information of the file to be protected to obtain the encrypted file content of the file to be protected comprises:
generating a first intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be protected;
generating a target encryption key according to the random key and the first intermediate key;
and according to the target encryption key, based on a preset symmetric encryption and decryption mode, carrying out encryption processing on the initial file content in the file to be protected to obtain the encrypted file content of the file to be protected.
4. A method according to claim 3, wherein said generating a target encryption key from said random key and said first intermediate key comprises:
and performing exclusive OR operation on the random key and the first intermediate key to obtain a target encryption key.
5. The method according to claim 1, wherein the method further comprises:
responding to a file decryption instruction of a file to be decrypted, and acquiring file ciphertext content in the file to be decrypted;
and in the safe operation environment, decrypting file ciphertext content in the file to be decrypted according to the random key and the inode information of the file to be decrypted to obtain file plaintext content of the file to be decrypted.
6. The method of claim 5, wherein the decrypting the file ciphertext content of the file to be decrypted according to the random key and the inode information of the file to be decrypted to obtain the file plaintext content of the file to be decrypted comprises:
generating a second intermediate key with the same key length as the random key according to the key length of the random key and the inode information of the file to be decrypted;
generating a target decryption key according to the random key and the second intermediate key;
and according to the target decryption key, decrypting the file ciphertext content in the file to be decrypted based on a preset symmetric encryption and decryption mode to obtain the file plaintext content of the file to be decrypted.
7. The method of any of claims 1-6, wherein the secure execution environment is a trusted execution environment TEE.
8. A data leakage prevention apparatus, comprising:
the target component determining module is used for determining a target security component for constructing a security running environment of the file to be protected in response to a file encryption instruction of the file to be protected;
the random key generation module is used for constructing a safe operation environment by adopting the target safe component and acquiring a random key generated by the safe operation environment in the construction process;
the encryption content determining module is used for carrying out encryption processing on the initial file content in the file to be protected according to the random key and the inode information of the file to be protected in the safe operation environment to obtain the encryption file content of the file to be protected;
and the file content updating module is used for updating the initial file content in the file to be protected by adopting the encrypted file content so as to prevent the file data of the file to be protected from being leaked.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data leakage prevention method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the data leakage prevention method of any one of claims 1-7 when executed.
CN202311197520.1A 2023-09-18 2023-09-18 Data leakage prevention method, device, equipment and storage medium Pending CN116933275A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311197520.1A CN116933275A (en) 2023-09-18 2023-09-18 Data leakage prevention method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116933275A true CN116933275A (en) 2023-10-24

Family

ID=88381142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311197520.1A Pending CN116933275A (en) 2023-09-18 2023-09-18 Data leakage prevention method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116933275A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103745164A (en) * 2013-12-20 2014-04-23 中国科学院计算技术研究所 File secure storage method and system thereof based on environmental identification
CN109218295A (en) * 2018-08-22 2019-01-15 平安科技(深圳)有限公司 Document protection method, device, computer equipment and storage medium
CN110110548A (en) * 2019-04-12 2019-08-09 深圳市中易通安全芯科技有限公司 The correlation technique that file encryption stores under credible performing environment based on encryption chip
CN113014539A (en) * 2020-11-23 2021-06-22 杭州安芯物联网安全技术有限公司 Internet of things equipment safety protection system and method
WO2021208690A1 (en) * 2020-11-11 2021-10-21 平安科技(深圳)有限公司 Method and apparatus for data encryption and decryption, device, and storage medium
CN114528545A (en) * 2022-02-18 2022-05-24 中国农业银行股份有限公司 Data protection method, device, equipment and storage medium
CN115374483A (en) * 2022-10-24 2022-11-22 北京智芯微电子科技有限公司 Data secure storage method and device, electronic equipment, medium and chip

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination