KR20120101236A - A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof - Google Patents
- Publication number
- KR20120101236A
- Authority
- KR
- South Korea
- Prior art keywords
- document
- authentication
- server
- storage device
- user
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Description
The present invention relates to a packet analysis-based document management apparatus and method comprising a server, a user terminal, and an agent installed in the user terminal to manage the export of a document stored in the user terminal to an external storage device.
In addition, the present invention secures the document management system so that an internal user can export a document only after receiving export permission for it through a legitimate procedure at the server; the packet analysis-based document management apparatus and method thereby prevent damage from document leakage and protect important confidential data.
Portable storage devices have grown rapidly in capacity as technology has developed, and their portability has steadily improved. Among them, USB memory offers a high data transfer speed and is easy to carry, so it is widely used as a portable storage device. Because of these advantages the number of users of portable storage devices has increased, and companies use them to improve work efficiency. As a result, many security problems have emerged, and security companies produce security software products and supply them to enterprises, which has grown the security software market. Nevertheless, confidential data leaks still occur. Therefore, to prevent the leakage of confidential data in advance, there is an urgent need for a document management system equipped with a security function that can be used easily with ordinary portable storage devices.
Background technologies of document management systems include DLP (Data Loss Prevention) and encryption technology. DLP grew out of confidential information leakage prevention technology, which appeared in 2001. That technology was initially based on a defense-oriented security paradigm against external attacks; as information leakage by insiders later became the more severe problem, the environment gradually changed and market demand for solving it grew. Accordingly, internal information leakage prevention systems, whose purpose is to monitor and block leakage, are growing rapidly.
Early DLP products enabled companies to establish information security policies on the network, monitor email traffic, and identify policy violations. Since then, coverage has been extended to webmail, FTP, secure webmail, and instant messaging, with the ability to block the transmission of information that violates policy. In addition, the ability to identify and protect against exposure of confidential information on file servers, desktops, laptops, and various data repositories has been developed using the same policies applied on the network. With this evolution, DLP now provides information protection at endpoints, preventing confidential information from being copied to mobile devices or even downloaded in violation of policy.
As encryption technology, encryption algorithms are used for secure key distribution and message transfer between the server and the agent. The encryption algorithms used in the present invention are symmetric key encryption, public key encryption, and a hash algorithm.
Symmetric key cryptography includes DES, AES, SEED, RC5, etc. DES is the basic algorithm of symmetric key cryptography. Symmetric key cryptography means that the sender and the receiver encrypt and decrypt with the same key. DES converts 64-bit input data to 64-bit output using a 56-bit key, with an initial permutation followed by an iteration process. The algorithm takes a 64-bit input and goes through a series of steps to produce a 64-bit output. Decryption is performed in the reverse order of encryption using the same key as encryption.
Public key cryptography is represented by RSA, an Internet encryption and authentication system developed in 1977 by three mathematicians: Ron Rivest, Adi Shamir, and Leonard Adleman. This method uses two large prime numbers: multiplying them and applying further operations yields the public and private keys, which are derived from two related number schemes. The constructed public and private keys can be used to encrypt and decrypt information. The underlying mathematics is very complex. The strength of RSA is that it is difficult to find the private key.
Hash algorithms include MD5 and SHA. A hash algorithm is a function that can be used for data integrity and message authentication. It compresses a bit string of arbitrary length into a hash code, a fixed-length output value. Most hash functions used in cryptographic applications are required to have strong collision resistance. Hash algorithms can be classified into those built on a block cipher algorithm such as DES and dedicated hash algorithms. Since a dedicated hash algorithm is faster than a block cipher algorithm, it is used in most applications. The hash function is a one-way function that converts inputs of various lengths into fixed short-length outputs and is used for data integrity verification and message authentication.
SUMMARY OF THE INVENTION
An object of the present invention is to solve the problems described above by providing a packet analysis-based document management apparatus and method that comprises a server, a user terminal, and an agent installed in the user terminal, and that manages the export of documents stored in the user terminal to an external storage device.
Another object of the present invention is to provide a packet analysis-based document management apparatus and method in which, using a technique of packet analysis and an authentication packet within the document management system, an authentication packet is inserted into a document to be exported through a legitimate procedure at the server, and the document with the authentication packet inserted is then exported.
In order to achieve the above object, the present invention relates to a packet analysis-based document management apparatus that is installed in a user terminal, is connected over a network to a server, and manages the export of a document stored in the user terminal to an external storage device, the apparatus comprising: an encryption communication unit receiving a session key from the server; a document authentication request unit which transmits the document to the server and requests authentication when a request to export the document stored in the user terminal to the storage device is input; an authentication packet verification unit which receives from the server a document into which an authentication packet has been inserted (hereinafter referred to as an authenticated document) and extracts and verifies the authentication packet of the authenticated document; and a document exporting unit which extracts the document from the authenticated document and exports it to the storage device only when the authentication packet of the authenticated document is verified.
In another aspect, the present invention provides a packet analysis-based document management apparatus, the apparatus of
The present invention provides a packet analysis-based document management apparatus wherein the encryption communication unit encrypts a session key request message with the public key of the server and transmits it, and extracts the session key by decrypting the response message received from the server with the public key of the server.
In another aspect, the present invention provides a packet analysis-based document management apparatus wherein the user authentication unit transmits the input authentication information of the user and the authentication information of the storage device to the server to request authentication.
The present invention provides a packet analysis-based document management apparatus wherein the user authentication unit receives authentication information of the server from the server, decrypts it, and compares it against the hashed authentication information of the storage device, thereby authenticating the server.
In another aspect, the present invention provides a packet analysis-based document management apparatus, wherein the authentication packet is a value obtained by encrypting a hash value of the document with a private key of the server.
In addition, the present invention relates to a packet analysis-based document management method for managing, by a server, a user terminal, and an agent installed in the user terminal, the export of a document stored in the user terminal to an external storage device, the method comprising: (a) the agent authenticating a user of the storage device through the server when the storage device is inserted into the user terminal; (b) the agent requesting the server to authenticate the export of the document when export of a document stored in the user terminal is requested; (c) the server determining whether to permit the export of the document and, if export is permitted, inserting an authentication packet into the document and transmitting it to the agent; (d) the agent receiving the document with the authentication packet inserted (hereinafter, the authenticated document) from the server and extracting and verifying the authentication packet from the authenticated document; and (e) the agent exporting the document to the storage device if the authentication packet is verified.
In addition, in the packet analysis-based document management method according to the present invention, step (a) comprises: (a1) the agent blocking recognition of the storage device in the user terminal when the storage device is inserted into the user terminal; (a2) the agent requesting and receiving a session key from the server; (a3) the agent receiving user authentication information and requesting user authentication from the server; (a4) the server authenticating the user with the user's authentication information and transmitting the authentication result to the agent; and (a5) the agent receiving the authentication result from the server and, if authentication is successful, releasing the recognition block on the storage device.
The invention also relates to a computer readable recording medium having recorded thereon a program for performing the method.
As described above, according to the packet analysis-based document management apparatus and method of the present invention, the server inserts an authentication packet into a document stored in the user terminal, and only documents verified by their authentication packet are exported to the external storage device, which has the effect of preventing the outflow of documents.
FIG. 1 is a diagram showing an example of the overall system configuration for implementing the present invention.
FIG. 2 is a block diagram of the configuration of a packet analysis-based document management apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a method of distributing a session key according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method for authenticating a user according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a method of authenticating an exported document according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating a packet analysis-based document management method according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a method for authenticating a user according to an embodiment of the present invention.
Reference numerals in the drawings:
10: user terminal
20: external storage device
30: document management device
31: encryption communication unit
32: document authentication request unit
33: authentication packet verification unit
34: document exporting unit
35: user authentication unit
36: media control unit
40: server
50: network
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Hereinafter, the present invention will be described in detail with reference to the drawings.
In describing the invention, the same reference symbols are attached to the same elements and repeated description is omitted.
First, an example of the whole document management system configuration for implementing the present invention will be described with reference to FIG.
As shown in FIG. 1, the entire document management system for implementing the present invention includes a
The
In this case, a document stored in the
The
The
Meanwhile, when the
When the
The
The
The
Prior to the description of the embodiment of the present invention, the symbols used will be described.
The symbols used below are as follows.
*: participating entity (s: server, c: agent)
K: session key
KU*: public key of *
KR*: private key of *
uID: user ID (or employee number)
Pwd: user password
SN: identification information (or serial number) of the storage device
Request: session key request message
E_*(): encryption with the key of *
D_*(): decryption with the key of *
TS: timestamp
Auth: user authentication permission message
DB: storage database
M: document to be exported (or exported document)
x: allow export
y: justification
APK: authentication packet
Next, the configuration of the packet analysis-based
As shown in FIG. 2, the packet analysis-based
The
That is, the
Even if the user is an authorized user to prevent the data such as files or drawings stored in the
The
Or preferably, the
The
As shown in FIG. 3, the
First, the
E_KUs(Request || TS)
After the above process, the
D_KRs(E_KUs(Request || TS)) = Request' || TS'
If the request message is confirmed, a session key is generated (S13).
After the above process, the
E_KUA(K || Request || TS)
After the above, the
D_KRs(E_KUA(K || Request || TS)) = K' || Request' || TS'
The
E_K(K)
The
First, the
That is, the user (or storage device) is registered through the user's ID (or employee number) and password (or password) and identification information (or serial number) of the storage device to be used to use the
As shown in Figure 4, the
After the above process, the
E_K(uID || Pwd || SN)
After the above process, the
D_K(E_K(uID || Pwd || SN)) = uID' || Pwd' || SN'
If the decrypted employee number belongs to a legitimate user, it is stored in the database to register the user (S24).
After registering with the server through the user registration step, when the user reconnects his
That is, the
E_K(uID || Pwd || SN)
After the above process, the
DB = uID || Pwd || SN
D_K(E_K(uID || Pwd || SN)) = uID' || Pwd' || SN'
uID' || Pwd' || SN' = DB
In addition, the
After the above process, the
Auth = E_KRs(H(SN))
The
E_K(Auth)
After the above process, the
D_K(E_K(Auth)) = Auth'
The
D_KUs(E_KRs(H(SN))) = H(SN)
When a request for exporting a document stored in the
That is, when a document to be exported is generated, the user encrypts the export permission document through the
E_K(M)
After the above process, the
M' = D_K(E_K(M))
M'
x, y
x and y are information for judging the validity and permissibility of the export, as described in the symbol description above. These may be modified in accordance with internal policies and are intended to confirm that the user has the right to view the document and is the proper person to use it.
After the above process, the
Generate the hash value of the document using the hash algorithm:
H(M)
Encrypt the hash generated by the hash algorithm with the server's private key:
E_KRs(H(M))
Insert the encrypted hash value into the header of the document.
Documents that have gone through the export-permission procedure carry an authentication packet in the header and may be exported; when such a document is sent to the user's storage device, the validity of the authentication packet inserted in the document is checked.
That is, the
E_K(APK || M)
The authentication packet verification unit 33 receives a document (or an authenticated document) in which the authentication packet is inserted from the
APK' || M' = D_K(E_K(APK || M))
The authentication packet verification unit 33 verifies the authentication packet (S36). At this time, the hash value obtained by decrypting the authentication packet with the public key of the server and the value generated by the
H(M) = D_KUs(APK')
Only when the authentication packet of the authenticated document is verified, the
Next, a packet analysis based document management method according to an embodiment of the present invention will be described with reference to FIG.
As shown in FIG. 6, in the packet analysis-based document management method according to the present invention, (a) the
In particular, as shown in Figure 7, the step of authenticating the user (S100) is (a1) the
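The user authentication and media-control flow of steps (a1) to (a5), as an added example that is not part of the patent. Three substitutions are labelled: the session key K is assumed already shared (the FIG. 3 exchange is not repeated); the server's Auth message is an HMAC under K over H(SN) in place of the page's E_KRs(H(SN)), so the code runs with the Python standard library alone; and the server database keeps a salted PBKDF2 hash of Pwd rather than the plaintext that the notation DB = uID || Pwd || SN implies. Because K is shared with the agent, the HMAC proves only that Auth came from a holder of K; the private-key encryption in the page is what ties Auth to the server alone.

```python
# Added example, not the patent's own code: the media-control block/release
# around user authentication, steps (a1)-(a5). Constructed substitutions:
# K is assumed already shared; Auth is an HMAC under K over H(SN) instead of
# E_KRs(H(SN)); the DB keeps a salted PBKDF2 hash of Pwd, not the plaintext.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # constructed value for the example


def _pwd_hash(Pwd: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", Pwd.encode(), salt, PBKDF2_ROUNDS)


def _auth_message(K: bytes, SN: bytes) -> bytes:
    """Auth over H(SN); stands in for the page's E_KRs(H(SN))."""
    return hmac.new(K, hashlib.sha256(SN).digest(), "sha256").digest()


class Server:
    def __init__(self, K: bytes):
        self.K = K
        self.db = {}  # uID -> (salt, pwd_hash, SN): the DB of steps S21-S24

    def register(self, uID: str, Pwd: str, SN: bytes) -> None:
        salt = os.urandom(16)
        self.db[uID] = (salt, _pwd_hash(Pwd, salt), SN)

    def authenticate(self, uID: str, Pwd: str, SN: bytes):
        """(a4): compare the received triple with the DB record; return Auth
        on success, None on any mismatch (same path for an unknown uID)."""
        salt, stored_hash, stored_sn = self.db.get(uID, (b"\0" * 16, b"\0" * 32, b""))
        pwd_ok = hmac.compare_digest(_pwd_hash(Pwd, salt), stored_hash)
        sn_ok = hmac.compare_digest(stored_sn, SN)
        if not (uID in self.db and pwd_ok and sn_ok):
            return None
        return _auth_message(self.K, SN)


class Agent:
    def __init__(self, server: Server, K: bytes):
        self.server, self.K = server, K
        self.blocked = {}  # SN -> True while recognition is blocked

    def on_device_inserted(self, SN: bytes) -> None:
        """(a1): block recognition of the device until the user is authenticated."""
        self.blocked[SN] = True

    def on_device_removed(self, SN: bytes) -> None:
        """Forget the device; re-insertion starts again at (a1)."""
        self.blocked.pop(SN, None)

    def is_usable(self, SN: bytes) -> bool:
        return SN in self.blocked and not self.blocked[SN]

    def authenticate_user(self, uID: str, Pwd: str, SN: bytes) -> bool:
        """(a3)-(a5): send uID, Pwd, SN; release the block only if Auth
        verifies against H(SN) of the device that was actually inserted."""
        if SN not in self.blocked:
            return False  # no such device went through (a1)
        auth = self.server.authenticate(uID, Pwd, SN)
        if auth is None or not hmac.compare_digest(auth, _auth_message(self.K, SN)):
            return False
        self.blocked[SN] = False
        return True


if __name__ == "__main__":
    K = os.urandom(32)                      # constructed session key
    srv = Server(K)
    srv.register("emp001", "correct horse battery", b"SN-CONSTRUCTED-0001")
    agent = Agent(srv, K)
    agent.on_device_inserted(b"SN-CONSTRUCTED-0001")
    assert not agent.is_usable(b"SN-CONSTRUCTED-0001")
    assert agent.authenticate_user("emp001", "correct horse battery", b"SN-CONSTRUCTED-0001")
    assert agent.is_usable(b"SN-CONSTRUCTED-0001")
```

The device stays blocked on a wrong password, on a serial number that differs from the registered one, and for a device that never went through step (a1); only a successful (a4) result for the inserted device's own SN releases the block.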
As described above, although the invention made by the inventor has been described concretely according to the embodiment, the invention is not limited to that embodiment and can be variously changed within a range that does not deviate from its gist.
The present invention, composed of a server, a user terminal, and an agent installed in the user terminal, can be applied to develop a packet analysis-based document management system for managing the export of documents stored in the user terminal to an external storage device.
Claims (9)
An encryption communication unit receiving a session key from the server;
A document authentication request unit which transmits the document to the server and requests authentication when a request for exporting the document stored in the user terminal to the storage device is input;
An authentication packet verification unit which receives a document (hereinafter referred to as an authenticated document) into which an authentication packet is inserted from the server and extracts and verifies an authentication packet of the authenticated document; And,
And a document export unit for extracting a document from the authenticated document and exporting the document to the storage device only when the authentication packet of the authenticated document is verified.
A user authentication unit receiving user authentication information and requesting user authentication to a server; And,
And a media controller for blocking recognition of the storage device when the storage device is inserted into the user terminal and releasing blocking of the storage device upon successful user authentication.
The packet analysis-based document management apparatus, wherein the encryption communication unit encrypts the session key request message with the public key of the server and transmits it, and extracts the session key by decrypting the response message received from the server with the public key of the server.
The packet analysis-based document management apparatus, wherein the user authentication unit requests authentication by transmitting the authentication information of the user and the authentication information of the storage device to the server.
The packet analysis-based document management apparatus, wherein the user authentication unit receives the authentication information of the server from the server, decrypts it, and authenticates the server by comparing the result against the hashed authentication information of the storage device.
The packet analysis-based document management apparatus, wherein the authentication packet is the hash value of the document encrypted with the private key of the server.
(a) the agent authenticating a user of the storage device through the server when the storage device is inserted into the user terminal;
(b) requesting the server to authenticate the export of the document when the export request of the document stored in the user terminal is requested;
(c) the server determining whether to permit the export of the document, and if it is determined as the permission to output, inserting an authentication packet into the document and transmitting it to the agent;
(d) receiving, by the agent, a document in which an authentication packet is inserted (hereinafter, an authenticated document) from the server, and extracting and verifying an authentication packet from the authenticated document; And,
(e) the agent exporting the document to the storage device if the authentication packet is verified.
(a1) the agent blocking the recognition of the storage device in the user terminal when the storage device is inserted into the user terminal;
(a2) the agent requesting the server to receive a session key;
(a3) the agent receiving user authentication information and requesting user authentication from a server;
(a4) the server authenticating the user through the authentication information of the user and transmitting an authentication result to the agent; And,
(a5) the agent receiving the authentication result from the server and, if authentication is successful, releasing the recognition block on the storage device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020110017766A KR20120101236A (en) | 2011-02-28 | 2011-02-28 | A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020110017766A KR20120101236A (en) | 2011-02-28 | 2011-02-28 | A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20120101236A (en) | 2012-09-13 |
Family
ID=47110474
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020110017766A KR20120101236A (en) | 2011-02-28 | 2011-02-28 | A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20120101236A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101636802B1 (en) * | 2016-03-02 | 2016-07-07 | (주)지란지교소프트 | File management method and system for preventing security incident by portable memory |
US9560032B2 (en) | 2014-07-17 | 2017-01-31 | Electronics And Telecommunications Research Institute | Method and apparatus for preventing illegitimate outflow of electronic document |
KR20190084832A (en) * | 2018-01-09 | 2019-07-17 | 신선우 | Cyber secure safety box |
- 2011-02-28 KR KR1020110017766A patent/KR20120101236A/en not_active Application Discontinuation
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10652015B2 (en) | Confidential communication management | |
CN107810617B (en) | Secret authentication and provisioning | |
US9852300B2 (en) | Secure audit logging | |
JP5860815B2 (en) | System and method for enforcing computer policy | |
CA2690755C (en) | System and method of per-packet keying | |
US20170244687A1 (en) | Techniques for confidential delivery of random data over a network | |
US9165148B2 (en) | Generating secure device secret key | |
CN105100076A (en) | Cloud data security system based on USB Key | |
KR101739203B1 (en) | Password-based user authentication method using one-time private key-based digital signature and homomorphic encryption | |
EP1079565A2 (en) | Method of securely establishing a secure communication link via an unsecured communication network | |
KR20210153419A (en) | Apparatus and method for authenticating device based on certificate using physical unclonable function | |
CN108616516A (en) | A kind of third party's plaintext password method of calibration based on multiple encryption algorithms | |
KR20120101236A (en) | A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof | |
CN114553566B (en) | Data encryption method, device, equipment and storage medium | |
Campbell | Supporting digital signatures in mobile environments | |
El Fray et al. | Practical authentication protocols for protecting and sharing sensitive information on mobile devices | |
Shah et al. | Third party public auditing scheme for security in cloud storage | |
TW202347147A (en) | Anti-cloning architecture for device identity provisioning | |
JP2005217665A (en) | Communications system, transmitter, receiver and communication method | |
KR20180052481A (en) | Method and apparatus for time-locked client-side deduplication | |
Kravitz | Open mobile alliance secure content exchange: introducing key management constructs and protocols for compromise-resilient easing of DRM restrictions | |
Barker et al. | NIST DRAFT Special Publication 800-130 | |
JP2005026762A (en) | Security maintenance method in wireless communication network, system, apparatus, security program, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |