CN100525176C - Preventing system for information leakage under cooperative work environment and its realizing method - Google Patents
- Publication number: CN100525176C (application CNB2003101149373A, also listed as CN200310114937A)
- Authority: CN (China)
- Prior art keywords: client, user, service end, file, information
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification landscape: Storage Device Security
Abstract
This invention, in the field of network security technology, relates to an information leakage prevention system for a cooperative work environment. The system comprises a client end and a service end: the client end is installed on every computer that operates on protected documents and carries out the protection operations; the service end is installed on an independent computer in the network and monitors and controls the client computers and manages certificates and keys. The method comprises verifying the identity and authority of the user, continuously monitoring opened documents, and encrypting the content whenever it is saved, so that the content stored on disk is always ciphertext and a document copied to any other place remains encrypted.
Description
Technical field
The present invention relates to the field of network security technology, and in particular to an information leakage prevention system for a cooperative work environment and its implementation method.
Background technology
The rapid development of network technology lets more and more companies and institutions improve their working efficiency through internal networks, VPNs and the like. But while raising efficiency, networks have also brought many hidden information security risks.
Current information security research mostly focuses on solutions to threats from the Internet, or on guarding against attacks from the internal network and restricting members of the internal network from obtaining information beyond their authority. For the problem of how to prevent information leakage in a relatively large networked work environment, for example how a manufacturing company prevents a competitor from easily obtaining its electronic drawings and documents through unknown channels, there has so far been no effective solution.
The characteristic of the information security risk in a networked cooperative work environment is that many employees inside the organization must, as part of their normal work, handle all kinds of electronic files that are confidential with respect to outsiders. The files to be protected are usually widely distributed in the network: because of work needs they are stored not only on the servers in the network but may also be scattered across employees' personal computers (for example, during the design of a large product, its thousands of electronic drawings and documents are designed collaboratively by many engineers on different computers). Nor can these files all be encrypted in advance, because new files are continuously and dynamically produced on different computers during collaborative work. There are therefore many potential outlets through which files needing protection can leak, whether over the network or through removable storage media.
Preventing the illegal leakage of these electronic files is not something general information security methods can solve. Most existing solutions emphasise enforcement of rules, such as monitoring access to servers and restricting the staff within a department, which gives only limited security guarantees: for example, outgoing mail may not be encrypted so that it can be inspected, and so on.
Summary of the invention
In view of this, the main purpose of the present invention is to provide an information protection solution for an enterprise network that solves the information leakage problem in a cooperative work environment. To this end, an information leakage prevention system for a cooperative work environment and its implementation method are provided.
Another object of the present invention is to provide an information protection method that improves the reliability and flexibility of information leakage protection.
Technical scheme of the present invention
The information leakage prevention system for a cooperative work environment is made up of two parts, a client end and a service end. The client end is installed on every computer that needs to operate on protected files and carries out the protection operations. The service end is installed on an independent computer in the network; it monitors and controls the client computers, manages certificates and keys, and performs identity authentication for users when they operate on protected files at the client end. The system is characterized in that the client end and the service end are connected by a network.
The working method of the information leakage prevention system in a cooperative work environment comprises the following steps:
As can be seen from the above method, the invention provides an information leakage prevention system and its working method for a cooperative work environment. For protected files dynamically scattered across the computers in the network, it adopts a method that prevents information leakage at the root: whatever channel a leak occurs through, the file obtained is always encrypted. It also prevents a client installed on another computer outside the cooperative work environment from decrypting files, and prevents an illegal computer connected into the collaborative work network from decrypting files. For usability, different operating rights can be set for different users, and when a file must be exchanged with the outside, an authorized person is provided with schemes such as manual encryption and decryption. The overall scheme is complete, solves the information leakage problem in a cooperative work environment at its root, takes various application environments into consideration, and has high usability.
Description of drawings
Fig. 1 is a schematic diagram of the information leakage prevention system of the present invention.
Fig. 2 is a flow chart of the technical implementation of the information leakage prevention of the present invention.
Embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the invention is described in more detail below by way of specific embodiments.
Fig. 1 is the schematic diagram of the information leakage prevention system. As shown in the figure, the prevention system mainly consists of two parts: the client end and the service end. The client end is installed on every computer that needs to operate on protected files and carries out the protection operations. The service end is installed on an independent computer in the network; it monitors and controls the client computers, manages certificates and keys, and performs operations such as identity authentication for users operating on protected files at the client end. The client end and the service end are connected by a network. The combination of the functional units of Fig. 1 constitutes the system of the present invention.
The service end has the following devices: supervising device 1, identification authentication system 2, database 3, certificate and key management apparatus 4, remote control 5 and data transmission device 6. Data transmission device 6 is connected by a data bus to supervising device 1, identification authentication system 2, database 3, certificate and key management apparatus 4 and remote control 5.
The client end has the following devices: data transmission device 7, key management apparatus 8, dynamic encryption and decryption device 10, key generating device 11, protection authority setting device 12, certificate verification device 13 and certificate generating apparatus 14. Key management apparatus 8 is connected to data transmission device 7, dynamic encryption and decryption device 10 and key generating device 11; certificate generating apparatus 14 is connected to data transmission device 7 through certificate verification device 13; and protection authority setting device 12 is connected to key generating device 11.
If a protected file is to be given to personnel outside the intranet, it must additionally pass through manual encryption and decryption device 9.
Keys are used to encrypt and decrypt files; an asymmetric encryption algorithm is used for file encryption. Certificates are used to verify the legitimacy of users: a CA (Certificate Authority) authentication center is set up at the service end, and certificate-based authentication is used to determine a user's identity and authority.
Protection authority setting device 12 is used when a user first encrypts a file and applies the authority settings the user selects. The authorities include the rights of users of different identities to read, write, execute, print and screen-copy the file, and so on.
After the protection authority has been set, key generating device 11 carries out the initial encryption of the file, and key management apparatus 8 records and manages the encrypted file and its corresponding key. Key management apparatus 8 also sends the relevant information to the service end through data transmission devices 6 and 7, where it is stored. When the service end remotely controls the client, the related operations are carried out through key management apparatus 8.
Key management apparatus 8 records and manages protected files and their corresponding keys; when the client needs to open a protected file, the key management apparatus provides the correct key.
Dynamic encryption and decryption device 10 dynamically decrypts a protected file according to its key when the file is opened, so that the user can read and write the file according to his authority. When the protected file is saved, dynamic encryption and decryption device 10 dynamically encrypts it, guaranteeing that the file stored on disk always exists in encrypted form and thereby preventing information leakage.
The client end also has certificate generating apparatus 14, which generates a certificate from certain hardware features of the computer, for example the serial number of the hard disk and the MAC (Media Access Control) address of the network card. This certificate guarantees the legitimacy of the computer running the protected file and prevents the client from being installed on a counterfeit computer to obtain information illegally. This device also generates a corresponding certificate from certain personal information of the user in order to verify the user's identity; the user carries his own certificate on a medium such as a removable disk and can use protected files with his own identity and authority on other computers in the intranet or in a self-defined secure group.
Database 3 at the service end stores information such as the user information, keys, certificates and user operations of the clients. User information, keys and certificates are kept in the database of the service end and are downloaded from the service end when a client needs a key or certificate; user authority information is included in the user information.
Certificate and key management apparatus 4 manages the certificates and keys in the database and can query a specific certificate or key at the service end. After receiving a client request, management apparatus 4 finds the certificate or key the client needs and passes it to the client through data transmission devices 6 and 7.
Fig. 2 is the flow chart of the technical implementation of the present invention. With reference to Fig. 2, the implementation method of the present invention is further described.
When a protected file is to be operated on at the client, the user's identity and authority and the legitimacy of the computer are verified first. The user's identity is identified in several ways, such as the user's account number, the user's unique certificate, the user's fingerprint and so on. Different users using the same computer are also distinguished by user identity, guaranteeing that different users have different operating rights on one computer. The legitimacy of the computer is also verified: hardware identifiers on the computer, for example its hard disk serial number and the hardware address of its network card, are read to determine whether the computer is legitimate.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.
Claims (5)
1. An information leakage prevention system for a cooperative work environment, made up of two parts, a client end and a service end: the client end is every computer that needs to operate on protected files and is used to carry out protected file operations; the service end is installed on a computer in the network and is used to monitor and control the authorities of the clients, manage certificates and keys, and authenticate users' operations on protected files; the service end verifies the legal identity of the user side, records the user's operation information and the rights of use of the opened file, and encrypts the saved content; characterized in that the client end and the service end are connected by a network, and the service end has the following devices:
a supervising device (1), used to display the operating state of all managed clients;
an identification authentication system (2), which determines whether a user may operate: when a client has a protected file to be operated on, the client sends a request to the service end, the identification authentication system verifies the user's identity to determine whether the operation is permitted, and only after the user's identity passes verification is the user's authority sent to the client; after the service end has verified the client and before the protected file is opened, the client performs the decryption operation through the dynamic encryption and decryption device and sends the operation information to the server end for recording, so that the opened file is monitored and controlled according to the current user's authority to prevent information leakage, while the information generated is encrypted;
the client, according to the authority verified by the server, performs the decryption operation through the dynamic encryption and decryption device, operates on the protected file and sends the operation information to the server end for recording; if verification by the identification authentication system fails, the request is judged to be an illegal operation request, the result is returned to the client, the client stops the operation, and the protected file may not be operated on;
a database unit (3), used to store the user information, keys, certificates and user operation information of the clients; user information, keys and certificates are kept in the database of the service end, and when a client needs a key or certificate the user authority information is downloaded from the service end;
a certificate and key management apparatus (4), used to manage the certificates and keys in the database of the service end; after the service end queries a specific certificate or key on receiving a client request, the certificate or key the client needs is found and passed to the client through the data transmission device (6);
a remote control (5), used to manage and control all clients and to send various commands to the clients; these commands are sent to the clients through the data transmission device (6) to set the users' authorities;
a data transmission device (6), used for data transfer between the clients and the service end, through which the service end manages the clients; if a client leaves the intranet and is not connected to the service end, its certificate verification device cannot receive the legitimacy information and authority information returned by the service end, the client cannot operate on protected files, and since protected files are kept on the client computer in encrypted form and the client cannot decrypt them, the file information does not leak;
the data transmission device (6) is connected by a data bus to the supervising device (1), the identification authentication system (2), the database unit (3), the certificate and key management apparatus (4) and the remote control (5).
2. The information leakage prevention system for a cooperative work environment according to claim 1, characterized in that the client end has the following devices:
a second data transmission device (7), used for data transfer between the client and the service end;
a key management apparatus (8), which records and manages protected files and their corresponding keys;
a dynamic encryption and decryption device (10), which dynamically decrypts a protected file according to its key when the file is opened, so that the user can read and write the file according to his authority, and dynamically encrypts the file when the protected file is saved;
a key generating device (11), used to carry out the initial encryption of a file;
a protection authority setting device (12), used when a user first encrypts a file, which applies the authority settings the user selects;
a certificate verification device (13), used to verify whether a user or computer is legitimate;
a certificate generating apparatus (14), used to generate a certificate from the hardware features of the computer;
the key management apparatus (8) is connected to the second data transmission device (7), the dynamic encryption and decryption device (10) and the key generating device (11); the certificate generating apparatus (14) is connected to the second data transmission device (7) through the certificate verification device (13); and the protection authority setting device (12) is connected to the key generating device (11).
3. A method of preventing information leakage in a cooperative work environment, whose steps are as follows:
Step 201: the legitimacy of the user's identity is verified by the client sending a request to the service end; when the service end verifies it successfully, the user's authority is sent to the client, and the client operates on the protected file according to the authority verified by the server; if verification fails, operation on the protected file is not allowed, and the user sees the application software report that the file cannot be opened;
Step 202: after verification has passed, and before the protected file is opened, the decryption operation is performed by the dynamic encryption and decryption device and the operation information is sent to the server end for recording;
Step 203: the dynamic encryption and decryption device continuously monitors the opened file and judges whether it was opened after decryption; if so, the file is controlled according to the current user's authority to prevent information leakage; if it was not opened after decryption, the service end monitors modification operations on the opened file. The data transmission devices transmit all information between the client and the service end in encrypted form, and after the information reaches the service end, the service end performs its various management functions for the client. If a client leaves the intranet and is not connected to the service end, its certificate verification device cannot receive the legitimacy information and authority information returned by the service end, the client cannot operate on protected files, and since protected files are kept on the client computer in encrypted form and the client cannot decrypt them, the file information cannot leak;
Step 204: after the decrypted file has been edited and is saved, the saved content is encrypted, so that the content kept on the disk is always encrypted information; this guarantees that a file copied elsewhere by any means is always encrypted.
4. The method of the information leakage prevention system for a cooperative work environment according to claim 3, characterized in that the user identity uses the user's account number, the user's unique certificate or the user's fingerprint as the identity label.
5. The method of the information leakage prevention system for a cooperative work environment according to claim 3, characterized in that the legitimacy verification of the computer reads the hard disk serial number or the hardware address of the network card on the computer as the computer's hardware identifier to determine the legitimacy of the computer.
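The flow of claim 3 (steps 201 to 204) together with the client devices described in the embodiment (certificate generating apparatus 14, key generating device 11, protection authority setting device 12, key management apparatus 8, dynamic encryption and decryption device 10) and the service-end authentication and logging, modelled in Python as an added example. This is not code from the patent or its applicant. Assumptions made here: a per-file symmetric key with a SHA-256 counter-mode toy cipher and an HMAC tag stands in for the file encryption (the description says an asymmetric algorithm is used); the hardware certificate is a plain hash of the disk serial number and network-card MAC address rather than a CA-signed certificate; the rights bit values, account names, certificate strings, hardware identifiers and file contents are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Rights on a protected file (the patent names read, write, execute, print and screen copy;
# the bit values are this demo's assumption).
READ, WRITE, EXECUTE, PRINT, SCREEN_COPY = 1, 2, 4, 8, 16


def hardware_certificate(disk_serial: str, nic_mac: str) -> str:
    """Certificate generating apparatus (14): a hash of the hardware identifiers
    stands in for a CA-signed machine certificate (assumption of this demo)."""
    return hashlib.sha256(f"{disk_serial}|{nic_mac}".encode()).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream: toy cipher for the demo only (use AES-GCM in a deployment)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with derived subkeys: nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raises on a wrong key or tampering."""
    enc_key, mac_key = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Server:
    """Service end: database (3) of users, registered machines, per-file keys/ACLs, and the operation log."""
    users: dict                                 # account -> user certificate
    machines: set                               # hardware certificates of legitimate PCs
    files: dict = field(default_factory=dict)   # file id -> {"key": bytes, "acl": {account: rights}}
    log: list = field(default_factory=list)     # (account, file id, verdict), shown by supervising device (1)

    def authorize(self, account, user_cert, hw_cert, file_id):
        """Identification authentication system (2): verify user and computer; return (rights, key) or None."""
        entry = self.files.get(file_id)
        ok = (entry is not None and account in entry["acl"] and hw_cert in self.machines
              and hmac.compare_digest(self.users.get(account, ""), user_cert))
        self.log.append((account, file_id, "granted" if ok else "denied"))
        return (entry["acl"][account], entry["key"]) if ok else None


class Client:
    """Client end on one workstation; server=None models a PC that has left the intranet."""
    def __init__(self, server, disk_serial, nic_mac, disk=None):
        self.server = server
        self.hw_cert = hardware_certificate(disk_serial, nic_mac)
        self.disk = dict(disk or {})   # file id -> ciphertext; plaintext never lands here
        self.opened = {}               # file id -> (rights, key) while the file is open in memory

    def protect_new_file(self, file_id, content, acl):
        """Initial encryption: authority setting (12), key generation (11), key registered at the service end (8)."""
        key = secrets.token_bytes(32)
        self.server.files[file_id] = {"key": key, "acl": acl}
        self.disk[file_id] = encrypt(key, content)

    def open_file(self, account, user_cert, file_id):
        """Steps 201-202: verify with the service end, then decrypt in memory only."""
        if self.server is None or file_id not in self.disk:
            return None
        grant = self.server.authorize(account, user_cert, self.hw_cert, file_id)
        if grant is None or not grant[0] & READ:
            return None
        self.opened[file_id] = grant
        return decrypt(grant[1], self.disk[file_id])

    def has_right(self, file_id, right):
        """Step 203: the open file is controlled according to the current user's rights."""
        return file_id in self.opened and bool(self.opened[file_id][0] & right)

    def save_file(self, file_id, content):
        """Step 204: re-encrypt before anything is written back to disk."""
        if not self.has_right(file_id, WRITE):
            return False
        self.disk[file_id] = encrypt(self.opened[file_id][1], content)
        return True


def demo():
    """Constructed scenario: two users, one registered workstation, one rogue PC, one offline PC."""
    legit = ("WD-SN-0001", "00:11:22:33:44:55")
    server = Server(users={"alice": "cert-alice", "bob": "cert-bob"}, machines={hardware_certificate(*legit)})
    ws = Client(server, *legit)
    fid, v1, v2 = "drawing-17.dwg", b"CONFIDENTIAL DRAWING v1", b"CONFIDENTIAL DRAWING v2"
    ws.protect_new_file(fid, v1, {"alice": READ | WRITE | PRINT, "bob": READ})
    r = {"alice_opens": ws.open_file("alice", "cert-alice", fid) == v1}
    r["alice_saves"] = ws.save_file(fid, v2)
    r["bob_reads"] = ws.open_file("bob", "cert-bob", fid) == v2
    r["bob_saves"] = ws.save_file(fid, b"edited by bob")   # bob holds no WRITE right
    r["bob_prints"] = ws.has_right(fid, PRINT)              # nor PRINT
    r["disk_is_ciphertext"] = v2 not in ws.disk[fid]
    rogue = Client(server, "OTHER-SN", "66:77:88:99:aa:bb", ws.disk)   # unregistered PC with the ciphertext copied
    r["rogue_opens"] = rogue.open_file("bob", "cert-bob", fid) is None
    offline = Client(None, *legit, ws.disk)                             # registered PC, cut off from the service end
    r["offline_opens"] = offline.open_file("bob", "cert-bob", fid) is None
    r["denied_logged"] = ("bob", fid, "denied") in server.log
    return r
```

Calling `demo()` exercises the cases the claims single out: a user without the write right cannot save, the disk only ever holds ciphertext, a copy of the ciphertext on an unregistered computer or on a computer cut off from the service end cannot be opened, and every refused request appears in the server log that the supervising device would display. The key point for a defender is where the key lives: it is never stored beside the ciphertext on the client, so the file protection does not depend on the client software alone.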
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2003101149373A CN100525176C (en) | 2003-11-14 | 2003-11-14 | Preventing system for information leakage under cooperative work environment and its realizing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1617487A CN1617487A (en) | 2005-05-18 |
CN100525176C true CN100525176C (en) | 2009-08-05 |
Family
ID=34760246
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2003101149373A Expired - Fee Related CN100525176C (en) | 2003-11-14 | 2003-11-14 | Preventing system for information leakage under cooperative work environment and its realizing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100525176C (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101291244B (en) * | 2007-04-16 | 2011-07-20 | 深圳市维信联合科技有限公司 | Network security management method and system thereof |
CN101068224B (en) * | 2007-06-18 | 2010-07-28 | 北京亿企通信息技术有限公司 | Information monitoring method in instant messaging system |
CN101330383B (en) * | 2007-06-19 | 2011-09-14 | 瑞达信息安全产业股份有限公司 | Credible system for monitoring network resource based on user identification and action |
CN101833625A (en) * | 2010-05-11 | 2010-09-15 | 上海众烁信息科技有限公司 | File and folder safety protection method based on dynamic password and system thereof |
CN103716354B (en) * | 2012-10-09 | 2017-02-08 | 慧盾信息安全科技(苏州)股份有限公司 | Security protection system and method for information system |
CN104376270A (en) * | 2013-08-12 | 2015-02-25 | 深圳中兴网信科技有限公司 | File protection method and system |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
C17 | Cessation of patent right | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090805; Termination date: 20101114 |