KR20120101236A - A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof - Google Patents


Info

Publication number: KR20120101236A
Authority: KR (South Korea)
Prior art keywords: document, authentication, server, storage device, user
Application number: KR1020110017766A
Other languages: Korean (ko)
Inventor: 박성욱
Original Assignee: 박성욱
Application filed by: 박성욱
Priority to: KR1020110017766A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

PURPOSE: A packet analysis-based document management device that monitors, in real time, documents exported to an external storage device, and a method thereof, are provided. An authentication packet is inserted into a document stored in a user terminal, and only a document whose authentication packet is verified is exported to the external storage device, thereby preventing leakage of the document. CONSTITUTION: An encryption communication unit (31) receives a session key from a server. A document authentication request unit (32) requests authentication by transmitting a document to the server when a request to export the document stored in a user terminal to a storage device is input. An authentication packet verification unit (33) receives from the server a document in which an authentication packet is inserted, and extracts and verifies the authentication packet of the authenticated document. A document exporting unit (34) extracts the document from the authenticated document and exports it to the storage device when the authentication packet is verified. [Reference numerals] (31) Encryption communication unit; (32) Document authentication request unit; (33) Authentication packet verification unit; (34) Document exporting unit; (35) User authentication unit; (36) Media control unit

Description

{A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method}

The present invention relates to a packet analysis-based document management apparatus and method comprising a server, a user terminal, and an agent installed in the user terminal to manage the export of a document stored in the user terminal to an external storage device.

In addition, the present invention relates to a packet analysis-based document management apparatus and method that secures the document management system: an internal user can export a document only after the document has received export permission from the server through a legitimate procedure, which prevents damage due to document leakage and protects important confidential data.

Portable storage devices have rapidly grown in capacity as technology has developed, and their portability has steadily improved. Among them, USB memory has a high data transfer speed and is easy to carry, and is therefore widely used as a portable storage device. Due to these advantages, the number of users of portable storage devices has increased, and companies have used portable storage devices to increase work efficiency. As a result, many security problems have emerged. In response, security companies produce security software products and supply them to enterprises, which has led to the growth of the security software market. Nevertheless, confidential data leaks still occur. Therefore, in order to prevent the leakage of confidential data in advance, there is an urgent need for a document management system with a security function that can be used easily with general portable storage devices.

Background technologies of document management systems include DLP (Data Loss Prevention) and encryption technology. DLP is based on confidential information leakage prevention technology, which appeared in 2001. That technology was initially based on a defense-oriented security paradigm against external attacks. As information leakage by insiders became a more severe problem, the environment gradually changed and market demand for a solution increased. Accordingly, internal information leakage prevention systems are growing rapidly for the purpose of monitoring and blocking leakage.

Early DLP products enabled companies to establish information security policies on the network, monitor email traffic, and identify policy violations. Since then, protocol coverage has been extended to webmail, FTP, secure webmail, and instant messages, with the ability to prohibit the transmission of information that violates policy. In addition, the ability to identify and protect exposed confidential information in file servers, desktops, laptops, and various data repositories has been developed using the same policies used over the network. With this evolution, DLP now provides information protection for endpoints, preventing confidential information from being copied to mobile devices or downloaded in violation of policy.

As for encryption technology, encryption algorithms are used for secure key distribution and message transfer between the server and the agent. The encryption algorithms used in the present invention are symmetric key encryption, public key encryption, and hash algorithms.

Symmetric key cryptography includes DES, AES, SEED, RC5, etc. DES is the basic algorithm of symmetric key cryptography. Symmetric key cryptography means that the sender and the receiver encrypt and decrypt with the same key. DES converts data to a 64-bit output using a 56-bit key, using an initial permutation and a single iteration process. The cryptographic algorithm takes a 64-bit input and goes through a series of steps to produce a 64-bit output. Decryption is performed in the reverse order of encryption using the same key as encryption.

Public key cryptography is represented by RSA, an Internet encryption and authentication system developed in 1977 by three mathematicians: Ron Rivest, Adi Shamir, and Leonard Adleman. This method takes two large prime numbers and, through multiplication and additional operations on them, derives the two sets of numbers that make up the public key and the private key. The resulting public and private keys can be used to encrypt and decrypt information. The principle of operation is very complex mathematics. The strength of RSA is that it is difficult to find the private key.

Hash algorithms include MD5 and SHA. A hash algorithm is a function that can be used for data integrity and message authentication. It compresses a string of bits of arbitrary length into a hash code, which is a fixed-length output value. Most hash functions used in cryptographic applications are required to have strong collision resistance. Hash algorithms can be classified into those based on a block cipher algorithm such as DES and dedicated hash algorithms. Since dedicated hash algorithms are faster than block cipher algorithms, they are used in most applications. The hash function is a one-way function that converts inputs of various lengths into fixed short-length outputs and is used for data integrity verification and message authentication.

SUMMARY OF THE INVENTION

An object of the present invention is to solve the problems described above by providing a packet analysis-based document management apparatus and method, comprising a server, a user terminal, and an agent installed in the user terminal, for managing the export of documents stored in the user terminal to an external storage device.

Another object of the present invention is to provide a packet analysis-based document management apparatus and method in which, using the techniques of packet analysis and authentication packets in a document management system, a document to be exported goes through a legitimate procedure at the server, an authentication packet is inserted into it, and the document with the authentication packet inserted is exported.

In order to achieve the above object, the present invention relates to a packet analysis-based document management apparatus installed in a user terminal, connected to a server over a network, and managing the export of a document stored in the user terminal to an external storage device, the apparatus comprising: an encryption communication unit receiving a session key from the server; a document authentication request unit which transmits the document to the server and requests authentication when a request for exporting the document stored in the user terminal to the storage device is input; an authentication packet verification unit configured to receive from the server a document in which an authentication packet is inserted (hereinafter referred to as an authenticated document) and to extract and verify the authentication packet of the authenticated document; and a document exporting unit which extracts the document from the authenticated document and exports it to the storage device only when the authentication packet of the authenticated document is verified.

In another aspect, the present invention provides a packet analysis-based document management apparatus, wherein the apparatus of claim 1 further comprises: a user authentication unit for receiving user authentication information and requesting user authentication from the server; and a media control unit which blocks recognition of the storage device when the storage device is inserted into the user terminal and releases the block on recognition of the storage device when the user authentication is successful.

The present invention provides a packet analysis-based document management apparatus, wherein the encryption communication unit encrypts a session key request message with a public key of the server and transmits it, and decrypts a response message received from the server with a public key of the server to extract the session key.

In another aspect, the present invention provides a packet analysis-based document management apparatus, wherein the user authentication unit transmits the authentication information of the input user and the authentication information of the storage device to the server to request authentication.

The present invention provides a packet analysis-based document management apparatus, wherein the user authentication unit receives authentication information of the server from the server, decrypts the authentication information of the server, and compares it against the hashed value of the authentication information of the storage device, thereby authenticating the server.

In another aspect, the present invention provides a packet analysis-based document management apparatus, wherein the authentication packet is a value obtained by encrypting a hash value of the document with a private key of the server.

In addition, the present invention relates to a packet analysis-based document management method, performed by a server, a user terminal, and an agent installed in the user terminal, for managing the export of a document stored in the user terminal to an external storage device, the method comprising: (a) the agent authenticating a user of the storage device through the server when the storage device is inserted into the user terminal; (b) the agent requesting the server to authenticate the export of the document when export of the document stored in the user terminal is requested; (c) the server determining whether to permit the export of the document and, if export is permitted, inserting an authentication packet into the document and transmitting it to the agent; (d) the agent receiving from the server the document in which the authentication packet is inserted (hereinafter, an authenticated document), and extracting and verifying the authentication packet from the authenticated document; and (e) if the authentication packet is verified, exporting the document to the storage device.

In addition, in the packet analysis-based document management method according to the present invention, step (a) comprises: (a1) the agent blocking recognition of the storage device in the user terminal when the storage device is inserted into the user terminal; (a2) the agent requesting and receiving a session key from the server; (a3) the agent receiving user authentication information and requesting user authentication from the server; (a4) the server authenticating the user through the authentication information of the user and transmitting an authentication result to the agent; and (a5) the agent receiving the authentication result of the user authentication from the server and, if the authentication is successful, releasing the recognition block of the storage device.

The invention also relates to a computer readable recording medium having recorded thereon a program for performing the method.

As described above, according to the packet analysis-based document management apparatus and method of the present invention, the server inserts an authentication packet into a document stored in the user terminal, and only a document whose authentication packet is verified is exported to the external storage device, which has the effect of preventing the outflow of documents.

FIG. 1 is a diagram showing an example of the overall system configuration for implementing the present invention.
FIG. 2 is a block diagram of the configuration of a packet analysis-based document management apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating a method of distributing a session key according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method for authenticating a user according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a method of authenticating an exported document according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating a packet analysis-based document management method according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a method for authenticating a user according to an embodiment of the present invention.

Description of Reference Numerals
10: user terminal
20: external storage device
30: document management device
31: encryption communication unit
32: document authentication request unit
33: authentication packet verification unit
34: document exporting unit
35: user authentication unit
36: media control unit
40: server
50: network

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, the present invention will be described in detail with reference to the drawings.

In describing the present invention, the same parts are given the same reference numerals, and repeated description is omitted.

First, an example of the overall document management system configuration for implementing the present invention will be described with reference to FIG. 1.

As shown in FIG. 1, the entire document management system for implementing the present invention includes a user terminal 10, an external storage device 20, an agent 30, and a server 40.

The user terminal 10 is a terminal having a computing function such as a PC, a notebook computer, a PDA, a tablet PC, and has an internal storage medium such as a hard disk for storing documents. In addition, when the external storage device 20 is inserted, the user terminal 10 recognizes the storage device 20 and uses the storage device 20 as one storage medium.

In this case, a document stored in the user terminal 10, for example, a document stored in a hard disk, may be copied or moved and stored in the external storage device 20.

The external storage device 20 is a portable storage device, and includes a flash memory, a USB memory, an SD card, a micro SD card, a removable hard disk, and the like. When the external storage device 20 is inserted into the user terminal 10, the external storage device 20 is recognized as one storage medium by the user terminal 10.

The agent 30 is a program device installed in the user terminal 10 and monitors documents exported to the external storage device 20. That is, when a document stored in the user terminal 10 is copied or moved to the external storage device 20, the exported document is monitored in real time so that only permitted documents are exported to the external storage device 20. Here, the export of a document refers to copying or moving the document to the external storage device 20.

Meanwhile, when the external storage device 20 is inserted into the user terminal 10, the agent 30 blocks the user terminal 10 from recognizing the external storage device 20. It then requests authentication information for the external storage device 20 from the user. For example, the user's ID and password are requested.

When the agent 30 authenticates the external storage device 20 through the authentication information input by the user, the agent 30 releases the block on recognition of the external storage device 20 in the user terminal 10. When the storage device recognition block is released, the external storage device 20 is recognized by the user terminal 10, and the user may access the external storage device 20.

The server 40 is a normal server connected to the network 50, and is connected to the user terminal 10 through the network 50. The server 40 performs data communication with the agent 30 installed in the user terminal 10, and provides a corresponding service in response to the service request of the agent 30.

The server 40 receives the document to be exported from the user terminal 10 and determines whether export of the document is justified. If it is determined that the document can be exported, the server 40 inserts an authentication packet into the document and permits the export of the document.

The server 40 transmits the document in which the authentication packet is inserted (hereinafter referred to as an authenticated document) to the agent 30 again. The agent 30 receives the authenticated document from the server 40, extracts the authentication packet to verify the authentication packet, and when the authentication packet is verified, the agent 30 exports the document to the external storage device 20.

Prior to the description of the embodiment of the present invention, the symbols used will be described.

The symbols used below are as follows.

$*$: Participating entity ($s$: server, $c$: agent)

$K$: Session key

$KU_*$: Public key of $*$

$KR_*$: Private key of $*$

uID: User ID (or employee number)

Pwd: User password

SN: Identification information (or serial number) of the storage device

Request: Session key request message

$E_*(\cdot)$: Encryption with the key of $*$

$D_*(\cdot)$: Decryption with the key of $*$

TS: Timestamp

Auth: User authentication permission message

DB: Storage database

$M$: Document to be exported (or exported document)

$x$: Export permission

$y$: Justification

APK: Authentication packet

Next, the configuration of the packet analysis-based document management device 30 according to an embodiment of the present invention will be described in more detail with reference to FIG. 2. The packet analysis-based document management apparatus 30 refers to the agent 30 described above. The document management device 30 is a program device installed in the user terminal 10.

As shown in FIG. 2, the packet analysis-based document management apparatus 30 according to the present invention is composed of an encryption communication unit 31, a document authentication request unit 32, an authentication packet verification unit 33, and a document export unit 34. In addition, the apparatus may further include a user authenticator 35 and a media controller 36.

The media controller 36 blocks the recognition of the storage device 20 when the external storage device 20 is inserted into the user terminal 10, and releases the recognition block of the storage device 20 when the user authentication is successful.

That is, the media controller 36 forcibly releases the connection to the connected storage devices 20 so that the storage device cannot be used. Media control (or recognition blocking) is performed through Win32 API functions and controls the connection to the device (or device recognition) through the kernel.

To prevent data such as files or drawings stored in the user terminal 10 from leaking to the outside, a control is needed under which even an authorized user cannot store or copy a file without the administrator's permission. Therefore, the storage device 20 should be recognized as a device and a drive, and the transmission of files should be controlled by setting control values that govern the use of the storage device.

The media controller 36 controls the transfer of files by releasing all connections to the connected storage device 20 only. When a file that is allowed to be transferred externally is being transferred, the media control is temporarily released to permit the file transfer. A file that is not allowed to be transferred is blocked based on the presence or absence of an authentication packet, determined by packet analysis during file transfer.

Alternatively, and preferably, the media controller 36 allows the storage device 20 to be recognized once the user or the user's storage device is authenticated. As a result, the user may decide to which location of the storage device 20 to transfer the file. Whether the file is actually transferred, on the other hand, is again determined by the authentication packet.

The encryption communication unit 31 receives a session key from the server. In particular, the encryption communication unit 31 encrypts and transmits the session key request message with the public key of the server 40, and extracts the session key by decrypting the response message received from the server 40 with the public key of the server 40.

As shown in FIG. 3, the encryption communication unit 31 receives the session key from the server 40 by transmitting a session key request message to the server 40.

First, the encryption communication unit 31 encrypts the session key request message (Request) and the timestamp (TS) with the public key of the server and transmits it to the server 40 (S11).

$E_{KU_s}(\mathrm{Request} \parallel TS)$

After the above process, the server 40 checks the session key request message by decrypting the value received from the agent 30 with the private key of the server 40 (S12).

$D_{KR_s}(E_{KU_s}(\mathrm{Request} \parallel TS)) = \mathrm{Request}' \parallel TS'$

If the request message is confirmed, a session key is generated (S13).

After the above process, the server 40 encrypts the generated session key K, the received session key request message, and the time stamp TS with the public key of the agent 30, and transmits them to the agent (S14).

$E_{KU_A}(K \parallel \mathrm{Request} \parallel TS)$

After the above, the encryption communication unit 31 decrypts the value received from the server 40 with the private key of the agent to extract the session key (S15).

$D_{KR_A}(E_{KU_A}(K \parallel \mathrm{Request} \parallel TS)) = K' \parallel \mathrm{Request}' \parallel TS'$

The encryption communication unit 31 encrypts the received session key with the session key and transmits it to the server, thereby performing key synchronization between the server 40 and the agent 30 (S16).

$E_K(K)$

The user authentication unit 35 registers a user in the server 40 and, if already registered, receives the authentication information of the user and requests the server 40 for user authentication. In this case, the user authentication unit 35 transmits the received authentication information of the user and the authentication information of the storage device 20 to the server 40 to request authentication.

First, the user authentication unit 35 registers a user (or storage device) with the server 40 if the user (or storage device) is not registered with the server 40.

That is, the user (or storage device) is registered using the user's ID (or employee number) and password, together with the identification information (or serial number) of the storage device 20 to be used. In other words, the user's ID (or employee number) and password serve as an example of the authentication information of the user, and the serial number of the storage device serves as an example of the authentication information of the storage device.

As shown in Figure 4, the user authentication unit 35 receives the user's ID (or employee number) and password (or password) (S21).

After the above process, the user authentication unit 35 encrypts the received employee number, password, and serial number of the connected storage device with the session key and transmits the encrypted value to the server 40 (S22).

$E_K(\mathrm{uID} \parallel \mathrm{Pwd} \parallel SN)$

After the above process, the server 40 decrypts the received value with the session key and checks whether the user is a legitimate user (S23).

$D_K(E_K(\mathrm{uID} \parallel \mathrm{Pwd} \parallel SN)) = \mathrm{uID}' \parallel \mathrm{Pwd}' \parallel SN'$

If the decrypted employee number belongs to a legitimate user, it is stored in the database to register the user (S24).

After registering with the server through the user registration step, when the user reconnects his storage device 20, the user authentication unit 35 performs user authentication (or storage device authentication) through the employee number and password.

That is, the user authentication unit 35 encrypts the received employee number, password, and serial number of the connected storage device with the session key and transmits the encrypted value to the server 40 (S25).

$E_K(\mathrm{uID} \parallel \mathrm{Pwd} \parallel SN)$

After the above process, the server 40 decrypts the received value with the session key and compares it with the database. If the values match, authentication information is issued.

$DB = \mathrm{uID} \parallel \mathrm{Pwd} \parallel SN$

$D_K(E_K(\mathrm{uID} \parallel \mathrm{Pwd} \parallel SN)) = \mathrm{uID}' \parallel \mathrm{Pwd}' \parallel SN'$

$\mathrm{uID}' \parallel \mathrm{Pwd}' \parallel SN'$ [Figure pat00001] $DB$

In addition, the user authentication unit 35 receives the authentication information of the server from the server 40, decrypts the authentication information of the server, and compares it against the hashed value of the authentication information of the storage device 20, thereby authenticating the server 40.

After the above process, the server 40 encrypts the issued authentication information with a session key (S27).

$\mathrm{Auth} = E_{KR_s}(H(SN))$

The user authentication unit 35 receives the encrypted authentication information from the server 40 (S28).

$E_K(\mathrm{Auth})$

After the above process, the user authentication unit 35 decrypts the received value with the session key (S29).

$D_K(E_K(\mathrm{Auth})) = \mathrm{Auth}'$

The user authentication unit 35 receives the authentication information, decrypts the authentication information with the public key of the server, confirms whether the server is legitimate, and stores the authentication information so that the storage device can be used.

$D_{KU_s}(E_{KR_s}(H(SN)))$ [Figure pat00002] $H(SN)$

When a request for exporting a document stored in the user terminal 10 to the storage device 20 is input, the document authentication request unit 32 transmits the document to the server 40 to request authentication.

That is, when a document to be exported is generated, the user encrypts the export permission document through the agent 30 with a session key and transmits the document to the server 40 (S31).

E K (M)

After the above process, the server 40 decrypts the received value with the session key, determines the validity of the document and whether it is allowed to be exported, and then generates a hash value of the document and inserts it into the document (S32).

$M' = D_K(E_K(M))$

$M'$ [Figure pat00003] $x, y$

x and y are information for judging validity and allowability of export as described in the symbol description above. This may be modified in accordance with internal policies and is intended to confirm that the user has the right to view the document and that the user is the proper person to use the document.

After the above process, the server 40 inserts an authentication packet into the document (S33). The authentication packet is the hash of the document encrypted with the private key of the server 40.

First, a hash value of the document is generated using a hash algorithm.

$H(M)$

The hash generated by the hash algorithm is encrypted with the server's private key.

$E_{KR_s}(H(M))$

The encrypted hash value is inserted into the header of the document.

A document that has been approved for export carries an authentication packet in its header indicating that it can be exported, and the validity of the authentication packet inserted in the document can be checked when the user sends the document to a storage device.

That is, the server 40 encrypts the document in which the authentication packet is inserted (hereinafter referred to as an authenticated document) with the session key and transmits it to the agent 30 (S34).

$E_K(APK \parallel M)$

The authentication packet verification unit 33 receives a document (or an authenticated document) in which the authentication packet is inserted from the server 40, and extracts an authentication packet of the authenticated document (S35).

$APK' \parallel M' = D_K(E_K(APK \parallel M))$

The authentication packet verification unit 33 verifies the authentication packet (S36). At this time, the hash value obtained by decrypting the authentication packet with the public key of the server is compared with a hash value newly generated by the agent 30 for the document M.

$H(M) = E_{KU_s}(APK')$

Only when the authentication packet of the authenticated document is verified, the document exporting unit 34 extracts the document from the authenticated document and exports the document to the storage device 20. That is, when a legitimate authentication packet is inserted, the user may transmit the document to the storage device 20.
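The authentication-packet steps S33 to S36 above, together with the same private-key operation used earlier for Auth = E_KRs(H(SN)), as an added Python example that is not part of the patent. It mirrors the notation with unpadded textbook RSA and a constructed demo key, where a deployment would use a padded signature scheme such as RSA-PSS with a properly generated key; the header tag `APK1`, the fixed-width header layout and all function names are assumptions.

```python
import hashlib

# Constructed demo key (assumption): built from two Mersenne primes so the
# example runs offline. It is NOT a secure key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # server public key KUs
D = pow(E, -1, (P - 1) * (Q - 1))      # server private key KRs
MAGIC = b"APK1"                        # hypothetical header tag
SIG_LEN = (N.bit_length() + 7) // 8    # fixed width of the APK field


def h(data: bytes) -> int:
    """H(.): SHA-256 as an integer, always smaller than N here."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """E_KRs(H(data)): used for both Auth (data = SN) and APK (data = M)."""
    return pow(h(data), D, N)


def verify(sig: int, data: bytes) -> bool:
    """Open sig with KUs and compare with a freshly computed hash."""
    return 0 <= sig < N and pow(sig, E, N) == h(data)


def server_insert_apk(document: bytes) -> bytes:
    """S33: place APK in a header in front of the document M."""
    return MAGIC + sign(document).to_bytes(SIG_LEN, "big") + document


def agent_export(authenticated: bytes):
    """S35-S36: split APK' || M', return M' only if APK' verifies."""
    head = len(MAGIC) + SIG_LEN
    if not authenticated.startswith(MAGIC) or len(authenticated) < head:
        return None                    # no authentication packet: block
    apk = int.from_bytes(authenticated[len(MAGIC):head], "big")
    document = authenticated[head:]
    return document if verify(apk, document) else None


if __name__ == "__main__":
    doc = b"constructed sample document"
    good = server_insert_apk(doc)
    print(agent_export(good) == doc)              # legitimate packet
    print(agent_export(good[:-1] + b"!"))         # body changed after signing
    print(agent_export(doc))                      # packet missing
```

The packet binds only the document hash to the server key, so a header taken from one approved document does not verify in front of a different body.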

Next, a packet analysis based document management method according to an embodiment of the present invention will be described with reference to FIG.

As shown in FIG. 6, the packet analysis-based document management method according to the present invention comprises:
(a) the agent 30 authenticating the user of the storage device 20 through the server 40 when the storage device 20 is inserted into the user terminal 10 (S100);
(b) requesting the server 40 to authenticate the export of the document when export of a document stored in the user terminal 10 is requested (S200);
(c) the server 40 determining whether to permit the export of the document and, if export is permitted, inserting an authentication packet into the document and transmitting it to the agent 30 (S300);
(d) the agent 30 receiving the document in which the authentication packet is inserted (hereinafter, an authenticated document) from the server 40, and extracting and verifying the authentication packet from the authenticated document (S400); and
(e) the agent 30 exporting the document to the storage device 20 when the authentication packet is verified (S500).

In particular, as shown in FIG. 7, the step of authenticating the user (S100) comprises:
(a1) the agent 30 blocking recognition of the storage device 20 in the user terminal 10 when the storage device 20 is inserted into the user terminal 10;
(a2) the agent 30 requesting and receiving a session key from the server 40;
(a3) the agent 30 receiving user authentication information and requesting user authentication from the server 40;
(a4) the server 40 authenticating the user through the authentication information of the user and transmitting the authentication result to the agent 30; and
(a5) the agent 30 receiving the authentication result of the user authentication from the server 40 and, if the authentication is successful, releasing the recognition block of the storage device 20.

Although the invention made by the present inventor has been described concretely according to the embodiment above, the invention is not limited to the embodiment and can be variously changed within a range that does not depart from its gist.

The present invention is composed of a server, a user terminal, and an agent installed in the user terminal, and can be applied to develop a packet analysis-based document management system for managing the export of documents stored in the user terminal to an external storage device.

Claims (9)

1. A packet analysis-based document management apparatus installed in a user terminal, connected to a server over a network, and managing the export of a document stored in the user terminal to an external storage device, the apparatus comprising:
an encryption communication unit receiving a session key from the server;
a document authentication request unit which transmits the document to the server and requests authentication when a request for exporting the document stored in the user terminal to the storage device is input;
an authentication packet verification unit which receives a document (hereinafter referred to as an authenticated document) into which an authentication packet is inserted from the server and extracts and verifies the authentication packet of the authenticated document; and
a document export unit for extracting the document from the authenticated document and exporting the document to the storage device only when the authentication packet of the authenticated document is verified.

2. The apparatus of claim 1, wherein the apparatus comprises:
a user authentication unit receiving user authentication information and requesting user authentication from the server; and
a media controller for blocking recognition of the storage device when the storage device is inserted into the user terminal and releasing the blocking of the storage device upon successful user authentication.

3. The apparatus of claim 1, wherein the encryption communication unit encrypts a session key request message with the public key of the server and transmits it, and extracts the session key by decrypting the response message received from the server with the public key of the server.

4. The apparatus of claim 2, wherein the user authentication unit requests authentication by transmitting the authentication information of the user and the authentication information of the storage device to the server.

5. The apparatus of claim 4, wherein the user authentication unit receives the authentication information of the server from the server, decrypts the authentication information of the server, and authenticates the server by comparing the result against the hashed value of the authentication information of the storage device.

6. The apparatus of claim 1, wherein the authentication packet is a value obtained by encrypting a hash of the document with the private key of the server.

7. A packet analysis-based document management method for managing the export of a document stored in a user terminal to an external storage device by means of a server, the user terminal, and an agent installed in the user terminal, the method comprising:
(a) the agent authenticating a user of the storage device through the server when the storage device is inserted into the user terminal;
(b) requesting the server to authenticate the export of the document when export of the document stored in the user terminal is requested;
(c) the server determining whether to permit the export of the document and, if export is permitted, inserting an authentication packet into the document and transmitting it to the agent;
(d) the agent receiving the document in which the authentication packet is inserted (hereinafter, an authenticated document) from the server, and extracting and verifying the authentication packet from the authenticated document; and
(e) the agent exporting the document to the storage device if the authentication packet is verified.

8. The method of claim 7, wherein the step (a) comprises:
(a1) the agent blocking recognition of the storage device in the user terminal when the storage device is inserted into the user terminal;
(a2) the agent requesting and receiving a session key from the server;
(a3) the agent receiving user authentication information and requesting user authentication from the server;
(a4) the server authenticating the user through the authentication information of the user and transmitting an authentication result to the agent; and
(a5) the agent receiving the authentication result of the user authentication from the server and, if the authentication is successful, releasing the recognition block of the storage device.

9. A computer-readable recording medium having recorded thereon a program for performing the method of claim 7.
KR1020110017766A 2011-02-28 2011-02-28 A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof KR20120101236A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020110017766A KR20120101236A (en) 2011-02-28 2011-02-28 A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020110017766A KR20120101236A (en) 2011-02-28 2011-02-28 A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof

Publications (1)

Publication Number Publication Date
KR20120101236A true KR20120101236A (en) 2012-09-13

Family

ID=47110474

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020110017766A KR20120101236A (en) 2011-02-28 2011-02-28 A secure document management device based on realtime packet analysis for monitoring transfer to portable storages and the method thereof

Country Status (1)

Country Link
KR (1) KR20120101236A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101636802B1 (en) * 2016-03-02 2016-07-07 (주)지란지교소프트 File management method and system for preventing security incident by portable memory
US9560032B2 (en) 2014-07-17 2017-01-31 Electronics And Telecommunications Research Institute Method and apparatus for preventing illegitimate outflow of electronic document
KR20190084832A (en) * 2018-01-09 2019-07-17 신선우 Cyber secure safety box

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application