A permission authentication method and system for electronic documents
Technical field
The present invention relates to a permission authentication method and system for electronic documents, and in particular to an electronic document permission authentication method and system that uses an external portable device.
Background art
Compared with paper documents, electronic documents are easy to copy and distribute and are therefore used more and more widely. Precisely because they are easy to copy and distribute, permission authentication for electronic documents has become a major problem.
In the prior art, some software adds user permission setting data to the electronic document to ensure that only users who have obtained permission can read it. This form of access control can restrict reading by unauthorized users, but its biggest problem is that it cannot prevent the permission itself from being copied. That is, a user who has been granted permission can defeat the purpose of permission authentication by copying and distributing his permission, for example by publishing his license number on the internet.
To solve the problem of permission copying, some software adds computer identification data to the electronic document, to ensure that a user who has obtained permission can read it only on the bound computer. This approach restricts the user's reading environment: a copied permission still cannot be used to read the protected electronic document on a computer that is not bound, which to some extent solves the problem of permission authentication being defeated by copying of the permission. However, it also brings a new problem, namely that it limits the user's convenience in reading. Most computers are not convenient to move, whereas a paper document can be carried by the user and read anywhere. This in turn limits the further widespread use of electronic documents.
Summary of the invention
The object of the invention is to solve the above problems by providing a permission authentication method and system for electronic documents that allows a protected electronic document to be read conveniently in any place, while also ensuring that the electronic document cannot be read normally when there is no authorization or the authorization cannot be verified.
The technical solution of the present invention is a permission authentication method for electronic documents, comprising the following verification steps:
a. The user connects the portable hardware device to which the protected electronic document is bound to a computer; the portable hardware device and the computer together form a client, wherein the portable hardware device has a unique hardware characteristic, and the client receives the user mark that the user inputs through the computer;
b. The server sends a message to the client to check whether the portable hardware device bound to the electronic document is connected; if it is connected, the client obtains the hardware characteristic and proceeds to step c; otherwise the reading permission is locked and verification ends;
c. The client submits the hardware characteristic, the input user mark and the electronic document identification number corresponding to the electronic document to the server, wherein the server stores a relationship mapping set among the hardware characteristics of authorized portable hardware devices, the user marks of authorized users, the bound electronic document identification numbers and the permissions; the server searches the relationship mapping set for a match to verify whether a permission corresponding to the client exists; if it exists, the user is granted reading permission; otherwise the reading permission is locked and verification ends. Step c further comprises:
c1. The client first submits the user mark input by the user together with the obtained hardware characteristic to the server and requests a query;
c2. The server queries the relationship mapping set for the corresponding permission according to the hardware characteristic and user mark submitted by the client in step c1; if it exists, the permission is returned to the client; otherwise a verification failure notice is returned to the client;
c3. After receiving the permission returned by the server in step c2, the client submits it, together with the identification number of the electronic document it is attempting to open, to the server and requests verification;
c4. After receiving the permission and electronic document identification number from the client in step c3, the server checks against the relationship mapping set whether they match; if the match succeeds, a verification success notice is returned to the client; otherwise a verification failure notice is returned;
c5. If the client receives the verification success notice from the server, it grants the user reading permission for the electronic document; if it receives the verification failure notice, it denies the user reading permission for the electronic document.
In the above permission authentication method, within the relationship mapping set, the authorized hardware characteristic and the authorized user mark are mapped one-to-one; the mapping between authorized user marks and bound electronic document identification numbers is one-to-many or many-to-one; and the authorized hardware characteristic, the authorized user mark and the bound electronic document identification number jointly determine a unique permission.
In the above permission authentication method, the hardware characteristic is a computer data block obtained by collecting a hardware parameter from the portable hardware device and transforming that hardware parameter with a predetermined algorithm. The portable hardware device includes a portable hard disk, flash disk, USB electronic key, dongle, mobile phone, PDA, MP3 player, human fingerprint input device, or electronic ID card. The corresponding hardware parameter may be the serial number of the portable hard disk, the product ID and vendor ID of the flash disk, the serial number of the USB electronic key, the dongle serial number, the mobile phone card number, the serial number of the PDA, the serial number of the MP3 player, the human fingerprint collected by the fingerprint input device, or the unique identification number of the electronic ID card.
In the above permission authentication method, the electronic document identification number is generated automatically by a predetermined algorithm, attached to the corresponding electronic document and also stored in the server.
The above permission authentication method further comprises the following registration process for a new user or new hardware:
A) The client collects the hardware characteristic of the portable hardware device connected to it, reads the user mark that the user inputs at registration, and submits them together to the server;
B) The server queries the relationship mapping set according to the received hardware characteristic and user mark; if neither the hardware characteristic nor the user mark overlaps with a hardware characteristic or user mark already in the set, the relationship mapping of this hardware characteristic and user mark is added to the set; otherwise the received relationship mapping of hardware characteristic and user mark overwrites the existing relationship mapping.
The above permission authentication method further comprises the following permission application process:
A) The client collects the hardware characteristic of the portable hardware device connected to it, obtains the input user mark and the identification number of the electronic document for which a permission is requested, and submits them together to the server as a permission application request;
B) The server receives the data and the permission application from step A) and verifies against the set whether the conditions for granting the permission are met; if they are, it returns the granted permission to the client and at the same time stores the hardware characteristic, user mark and electronic document identification number contained in the permission application, together with the granted permission, in the server.
The present invention also protects a permission authentication system for electronic documents, comprising:
A client, formed by connecting the portable hardware device bound to the electronic document to any computer, comprising a hardware characteristic collecting unit, a user mark input unit, an electronic document reading unit, a permission query unit and a license authentication unit, wherein the hardware characteristic collecting unit collects the unique hardware characteristic from the portable hardware device, the user mark input unit receives the user mark input by the user, the electronic document reading unit reads the unique identification number corresponding to the electronic document contained in the portable hardware device, the permission query unit receives the hardware characteristic and the user mark and issues a permission query request, and the license authentication unit receives the electronic document identification number and issues a license authentication request;
A server, comprising a license management unit and a data storage unit, wherein the data storage unit holds the set of all relationship mappings among authorized hardware characteristics, authorized user marks, bound electronic document identification numbers and permissions; the license management unit receives the data and the permission query request from the permission query unit of the client and returns the permission found in the mapping set, and this permission is then passed to the license authentication unit; the license management unit in the server receives the data and the license authentication request from the license authentication unit of the client, verifies whether the data associations match, and returns the verification result; and the electronic document reading unit decides according to this verification result whether to perform the read operation.
In the above permission authentication system, the client further comprises a user registration unit or a hardware registration unit, and the server further comprises a service management unit; the user registration unit or hardware registration unit receives registration data and submits it to the service management unit, and it is stored in the data storage unit; the registration data comprises a hardware characteristic and the user mark input when a new user registers, or comprises a new hardware characteristic and the original user mark input by the user.
In the above permission authentication system, the client further comprises a permission application unit, which submits the permission application request and data to the license management unit of the server; after the conditions for granting the permission have been verified, the granted permission is returned to the permission application unit and, at the same time, the permission application data and the granted permission are stored in the data storage unit; the permission application data comprises the hardware characteristic, the user mark and the electronic document identification number.
Compared with the prior art, the present invention has the following beneficial effects. The method and system of the present invention assign each authorized user a unique identity mark, require the user to provide a portable hardware device from which a unique hardware characteristic is obtained, assign a license number to each electronic document distributed to an authorized user, and bind this license number to both the authorized user's mark and the unique characteristic of the portable hardware device that the user provided. When the user attempts to open a protected electronic document, the system first checks whether the bound portable device is connected to the user's computer. If it is connected, its unique characteristic is obtained and the server is queried for the license information bound to it; if such information exists, the system further verifies whether this permission matches the electronic document the user is attempting to open. If verification passes, permission authentication is complete and the user can read the protected electronic document normally; otherwise permission authentication fails and the user cannot read the protected electronic document. Because the hardware device cannot be copied, the reading permission of the protected electronic document bound to it cannot be copied either. The portability of the hardware device also allows the user to read the protected electronic document conveniently in any place.
Description of the drawings
Fig. 1 is a flowchart of an embodiment of the verification process of the electronic document permission authentication method of the present invention.
Fig. 2 is a flowchart of an embodiment of the user registration process of the electronic document permission authentication method of the present invention.
Fig. 3 is a flowchart of an embodiment of the permission application process of the electronic document permission authentication method of the present invention.
Fig. 4 is a schematic diagram of one embodiment of the relationship mapping of the present invention.
Fig. 5 is a schematic diagram of another embodiment of the relationship mapping of the present invention.
Fig. 6 is a schematic diagram of a preferred embodiment of the electronic document permission authentication system of the present invention.
Fig. 7 is a schematic diagram of another preferred embodiment of the electronic document permission authentication system of the present invention.
Fig. 8 is a schematic diagram of a further preferred embodiment of the electronic document permission authentication system of the present invention.
Embodiment
The invention is further described below with reference to the drawings and embodiments.
The present invention is implemented through information that is cross-mapped between the client and the server. The client is generally a computer with a portable hardware device connected to it. The portable hardware device has a unique hardware parameter; the device may be a portable hard disk, flash disk, USB KEY (USB electronic key), mobile phone, PDA, MP3 player, etc., so the corresponding hardware parameter may be the serial number of the portable hard disk, the PID and VID (product ID and vendor ID) of the flash disk, the serial number of the USB KEY, the mobile phone card number, the serial number of the PDA (personal digital assistant), the serial number of the MP3 player, etc. Such a hardware parameter can be collected from the portable hardware device and transformed by a specific algorithm into a unique hardware characteristic. This hardware characteristic may be a computer data block; it cannot be copied, cannot be displayed and cannot be entered manually. Electronic document identification numbers correspond one-to-one with electronic documents; each is generated automatically from the electronic document by a specific algorithm, attached to the corresponding electronic document, and also stored in the server. The user inputs the user mark through the computer.
The server generally stores the set of relationship mappings established among the hardware characteristics of all authorized portable hardware devices, the user marks of all authorized users, all bound electronic document identification numbers and the corresponding permissions. Such a relationship mapping is also called a binding relationship and generally takes one of two forms, shown in Fig. 4 and Fig. 5 respectively. The relationship mapping in Fig. 4 represents a plurality of electronic documents bound to one portable hardware device. The mapping is established as follows: hardware characteristic 1 and user mark 2 correspond one-to-one, the same user mark 2 can correspond to a plurality of electronic document identification numbers 4, and the same user mark 2 together with different electronic document identification numbers 4 determines different permissions 3. The relationship mapping in Fig. 5 represents the same electronic document being read by different users on different portable hardware devices. The mapping is established as follows: hardware characteristic 1 and user mark 2 correspond one-to-one, and different user marks 2 have a many-to-one relationship with the same electronic document identification number 4; that is, different user marks 2 together with the same electronic document identification number 4 determine different permissions 3.
Combining and comparing Fig. 4 and Fig. 5 shows that the one-to-one correspondence of hardware characteristic 1 and user mark 2 means that a portable device can be designated for use by only one user, and that hardware characteristic 1, user mark 2 and electronic document identification number 4 jointly bind one permission 3. Because hardware characteristic 1 cannot be copied, even if permission 3 is illegally copied, published, distributed or propagated, the copy cannot be used without the binding. And because permission 3 is bound to electronic document identification number 4, permission 3 cannot be used to read other electronic documents to which it is not bound.
The verification process when the user uses the portable hardware device to attempt to open a protected electronic document is described below. The user first connects the portable hardware device bound to the electronic document to a computer, which together form the client, and inputs the user mark through the computer; the user mark may be the user's e-mail address, ID card number, user name, etc. The permission authentication method then carries out the following verification process. Fig. 1 shows the flow of the verification process.
Step 101: the server sends a message to the client to check whether the portable hardware device bound to the electronic document is connected; if it is connected, go to step 102; otherwise go to step 109.
Step 102: the client obtains the hardware characteristic of the portable hardware device.
Step 103: the client reads the user mark that the user previously input through the computer, submits it to the server together with the hardware characteristic obtained in step 102, and requests a permission query from the server.
Step 104: the server queries whether a permission corresponding to the hardware characteristic of the portable hardware device and the user mark input by the user exists; if it exists, go to step 105; otherwise go to step 109.
Step 105: the server returns the permission it found to the client.
Step 106: the client submits the received permission and the identification number of the electronic document to be opened to the server.
Step 107: the server checks whether the permission and the identification number from step 106 match; if they match, go to step 108; otherwise go to step 109.
Step 108: verification succeeds; the verification result is returned to the client.
Step 109: verification fails; the verification result is returned to the client.
Step 110: the client judges whether the verification result is success; if so, go to step 111; otherwise go to step 112.
Step 111: open the protected electronic document for the user to read in full.
Step 112: lock the protected electronic document to prevent the user from reading it illegally.
In addition to the above authentication function, the permission authentication method should also provide a new-user registration function. When registering a new user, the user connects the portable hardware device to the computer and inputs a new user mark, and both are submitted to the server to establish a new association between a hardware characteristic and a user mark in the server. A new portable hardware device can of course also be registered: the user connects the new portable hardware device to the computer and inputs the user mark, and both are submitted to the server to establish a new association between a hardware characteristic and a user mark in the server. In particular, after the portable hardware device provided by the user is lost or damaged, its hardware characteristic can no longer be obtained, so the user mark bound to it can no longer be verified; in this case a new hardware characteristic must be collected to rebind the user mark, and the old hardware characteristic is deleted at the same time. Fig. 2 shows the new-user registration flow, as follows:
Step 201: the client collects the hardware characteristic, reads the new user mark that the user registers, and submits them together to the server.
Step 202: the server checks in the relationship mapping set whether the hardware characteristic and user mark from step 201 overlap with existing ones; if they overlap, go to step 203; otherwise go to step 204.
Step 203: delete the original association and add the new association between the hardware characteristic and the user mark, i.e. overwrite.
Step 204: add the new association between the hardware characteristic and the user mark.
The above steps describe adding a new user mark for an original portable hardware device. It should be understood that the steps for associating a new portable hardware device with an old user mark are similar and are therefore not described again.
In the permission authentication method, the user may also be granted, on the server, a permission for a new electronic document on the basis of the original portable hardware device and user mark. This is achieved by the flow shown in Fig. 3:
Step 301: the client collects the hardware characteristic of the portable hardware device connected to it, obtains the user mark input by the user and the identification number of the electronic document for which a permission is sought, and submits them together to the server as a permission application request.
Step 302: the server judges whether the permission can be granted; if it can, go to step 303; otherwise go to step 304.
Step 303: the server grants the permission and returns it to the client, and at the same time stores the association of this hardware characteristic, user mark, electronic document identification number and granted permission on the server.
Step 304: the server does not grant the permission.
The conditions for granting the permission can be specified by the user in advance.
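The verification (steps 101-112), registration (steps 201-204) and permission application (steps 301-304) flows above, sketched as one added Python example that is not code from the patent. The class and function names, SHA-256 as the "predetermined algorithm", the random permission token, returning every permission bound to a hardware characteristic and user mark pair from the query (to cover the one-to-many case of Fig. 4), and dropping permissions when an association is covered are all assumptions; the serial numbers, user mark and document numbers are constructed sample values.

```python
import hashlib
import secrets


def hardware_characteristic(hw_param: str) -> str:
    """Turn a raw hardware parameter (e.g. a serial number) into an opaque data block.
    SHA-256 is an assumption standing in for the unspecified predetermined algorithm."""
    return hashlib.sha256(b"hw-char:" + hw_param.encode()).hexdigest()


class PermissionServer:
    """Server side: holds the relationship mapping set (hypothetical class name)."""

    def __init__(self, grant_policy=lambda user, doc_id: True):
        self.user_by_hw = {}  # hardware characteristic -> user mark (one-to-one)
        self.grants = {}      # permission -> (hardware characteristic, user mark, doc id)
        self.grant_policy = grant_policy  # granting condition, specified in advance

    def register(self, hw, user):
        """Steps 201-204: add the association, covering any overlapping one."""
        if self.user_by_hw.get(hw) == user:
            return  # identical association already stored
        stale = [h for h, u in self.user_by_hw.items() if h == hw or u == user]
        for h in stale:
            del self.user_by_hw[h]
        # Assumption: permissions bound to a covered association are dropped.
        self.grants = {p: g for p, g in self.grants.items() if g[0] not in stale}
        self.user_by_hw[hw] = user

    def apply(self, hw, user, doc_id):
        """Steps 301-304: grant and store a permission, or return None."""
        if self.user_by_hw.get(hw) != user or not self.grant_policy(user, doc_id):
            return None
        for permission, grant in self.grants.items():
            if grant == (hw, user, doc_id):
                return permission  # one unique permission per triple
        permission = secrets.token_hex(16)
        self.grants[permission] = (hw, user, doc_id)
        return permission

    def query(self, hw, user):
        """Steps 104-105: permissions bound to this device and user mark."""
        if self.user_by_hw.get(hw) != user:
            return []
        return [p for p, g in self.grants.items() if g[:2] == (hw, user)]

    def verify(self, permission, doc_id):
        """Step 107: does the permission match the document identification number?"""
        grant = self.grants.get(permission)
        return grant is not None and grant[2] == doc_id


def open_document(server, connected_hw_param, user, doc_id):
    """Client side, steps 101-112. Returns True to open, False to lock."""
    if connected_hw_param is None:                      # step 101: no device connected
        return False
    hw = hardware_characteristic(connected_hw_param)    # step 102
    permissions = server.query(hw, user)                # steps 103-105
    return any(server.verify(p, doc_id) for p in permissions)  # steps 106-112


def demo():
    server = PermissionServer()
    key_a, key_b = "USBKEY-SN-0001", "USBKEY-SN-0002"   # constructed serial numbers
    user, doc1, doc2 = "alice@example.com", "DOC-0001", "DOC-0002"  # constructed
    server.register(hardware_characteristic(key_a), user)
    server.apply(hardware_characteristic(key_a), user, doc1)
    results = {
        "bound device": open_document(server, key_a, user, doc1),
        "no device": open_document(server, None, user, doc1),
        "other device": open_document(server, key_b, user, doc1),
        "document without permission": open_document(server, key_a, user, doc2),
    }
    # A replacement device registered for the same user mark covers the old association.
    server.register(hardware_characteristic(key_b), user)
    server.apply(hardware_characteristic(key_b), user, doc1)
    results["old device after re-registration"] = open_document(server, key_a, user, doc1)
    results["new device after re-registration"] = open_document(server, key_b, user, doc1)
    return results


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case}: {'opened' if opened else 'locked'}")
```

In this flow the server accepts the hardware characteristic as reported by the client, and the open-or-lock decision of steps 110-112 is taken on the client, so the protection holds only as far as the client software is trusted.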
The flow embodiments shown in Fig. 1 to Fig. 3 together disclose the permission authentication method for electronic documents of the present invention. The permission authentication system that uses this method is described next.
Fig. 6 shows an embodiment of the permission authentication system that implements only the permission verification function. As shown in Fig. 6, the system consists of a client 601 and a server 602. The client 601 actually consists of any computer and the portable hardware device, bound to the electronic document, that is connected to that computer. The client 601 comprises a hardware characteristic collecting unit 603, a user mark input unit 604, an electronic document reading unit 605, a permission query unit 606 and a license authentication unit 607. The server 602 comprises a license management unit 608 and a data storage unit 609.
The hardware characteristic collecting unit 602 collects the unique hardware characteristic from the connected portable hardware device, the user mark input unit 604 receives the user mark input by the user, and the electronic document reading unit 605 reads the unique identification number corresponding to the electronic document contained in the portable hardware device. The permission query unit 606 receives the hardware characteristic from the hardware characteristic collecting unit 602 and the user mark from the user mark input unit 604, submits these data to the license management unit 608 of the server 602, and requests a permission query.
The license management unit 608 performs the permission query in the relationship mapping set of the data storage unit 609 according to the data from the permission query unit 606, and returns the permission found to the permission query unit 606. After receiving this permission, the permission query unit 606 passes it to the license authentication unit 607, which sends it to the license management unit 608 together with the identification number of the electronic document bound to the portable hardware device; after the match check, the license management unit 608 returns the verification result to the license authentication unit 607. If the verification result received by the electronic document reading unit 605 shows that the server holds a permission matching this portable hardware device, the user mark input by the user and the electronic document being opened, the electronic document is opened and the user is given permission to read it; otherwise the electronic document is locked.
Fig. 7 adds two functional units to the embodiment shown in Fig. 6, giving the system the ability to update authorized users. As shown in Fig. 7, a user registration unit 702 is added to the client 701, and a service management unit 704 is added to the server 703. The user registration unit 702 receives the hardware characteristic of the original portable hardware device and the user mark newly registered by the user, and submits them to the service management unit 704. The service management unit 704 stores these new data and the new association between them in the data storage unit 705. The other components are the same as in the embodiment shown in Fig. 6 and are not described again here.
It should be understood that the user registration unit can also be replaced by a new-hardware registration unit, used to register the hardware characteristic of a new portable hardware device; or the user registration unit and the new-hardware registration unit can both be provided in the client. Such an implementation is structurally the same as above and is not described again here.
Fig. 8 adds one functional unit to the embodiment shown in Fig. 7, giving the system the ability to apply for a new permission for a new electronic document. As shown in Fig. 8, a permission application unit 802 is added to the client 801. The permission application unit 802 receives the original hardware characteristic, the user mark and the new electronic document identification number, and submits them together to the license management unit 803 of the server. The license management unit 803 judges whether the conditions for granting the permission are met; if so, it grants the permission and returns it to the permission application unit 802, and at the same time stores the permission, the hardware characteristic, user mark and electronic document identification number associated with the permission, and the association itself in the data storage unit 804.
It should be understood that the permission authentication method of the present invention is in fact a license authentication method based on a unique hardware characteristic, and not a human mental activity. The inventive point of the present invention is to use the uniqueness and non-reproducibility of hardware to prevent a protected electronic document from being read on other systems that are not bound; at the same time, because the hardware is a portable hardware device, the permission retains a degree of flexibility and the protected electronic document can conveniently be read elsewhere.
The above embodiments are provided to enable those of ordinary skill in the art to implement or use the present invention. Those of ordinary skill in the art may make various modifications or changes to the above embodiments without departing from the inventive idea of the present invention; the scope of protection of the present invention is therefore not limited by the above embodiments, but should be the widest scope consistent with the inventive features recited in the claims.