CN101098224B - Method for encrypting/deciphering dynamically data file - Google Patents

Publication number
CN101098224B
Authority
CN
China
Prior art keywords
file
key
module
sman
keypoldispatch
Legal status
Expired - Fee Related
Application number
CN2006100180298A
Other languages
Chinese (zh)
Other versions
CN101098224A (en)
Inventor
尚卫民
张宏
崔光现
赵健
Current Assignee
China Nonferrous Metals Processing Technology Co Ltd
Original Assignee
China Nonferrous Metals Processing Technology Co Ltd

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for dynamically encrypting and decrypting data files. In a network environment, using the client/server (C/S) model, an administrator centrally controls the important files on user computers, and the system dynamically encrypts and decrypts plaintext. The important files can only be read or modified under server control within the specific network environment; outside that environment their content appears as ciphertext. When a user copies a plaintext file in from elsewhere, the file must not be modified while the system is in the sensitive state; otherwise it is converted to ciphertext when stored. The invention is based on a software platform and depends only on the operating system, not on application programs, to encrypt and decrypt data files dynamically. The data files can therefore only be used in the private network environment, and a leaked file is in ciphertext form, which protects intellectual property.

Description

Method for dynamic encryption and decryption of data files
Technical field:
The present invention relates to the technical field of LAN data file security, and in particular to a method for dynamically encrypting and decrypting data files.
Background:
With the continued development of computers and network technology, the conflict between global information integration and national security has become increasingly prominent. From public documents to enterprise engineering drawings and standard operating procedures, documents of all kinds are vital to the stable and effective operation of governments and companies. Information security has therefore become the core of government and enterprise security today. When information security is mentioned, people naturally think of virus damage and hacker attacks. In fact, the losses that governments and enterprises suffer from stolen information far exceed those caused by virus damage and hacker attacks. According to an investigation by an authoritative body, two thirds or more of security threats come from leaks and crime by internal staff, not from viruses and external hackers. Network protections such as firewalls, intrusion detection and isolation devices are irreplaceable for preventing intrusion from outside, but they appear helpless against leaks from inside. The attacker who really intends to steal or destroy information may be hidden inside the organization and can pose a serious threat to the government or enterprise at any time.
Our technical documents and confidential papers, such as Word files and DWG drawing files, are all held in plaintext, so participants can easily pass them on and the recipients can open and use them. Existing systems, such as "soft mine dam" and the network security line of the company SURFILTER, only monitor this behaviour and cannot prevent it.
Summary of the invention:
Technical documents and confidential papers held as plaintext, such as Word files and DWG drawing files, are easily leaked by participants or passed on by internal offenders, and can then be opened and used. To solve this problem, the purpose of the invention is to provide a method for dynamically encrypting and decrypting data files. The method is based on the Microsoft platform; it depends only on the operating system and is independent of any specific application program. Data files can only be used within the local network environment, and even if a data file leaks it is in ciphertext, which protects intellectual property.
To achieve this purpose, the invention adopts the following technical scheme:
A method for dynamically encrypting and decrypting data files: in a data file dynamic encryption and decryption system, the server performs centralized authentication and restriction of user data files, and the important files that need protection are encrypted and decrypted. To keep access efficient, a block cipher algorithm is used to encrypt these files. Different sensitive files have different keys, and all keys are generated, distributed, stored and backed up by the server.
The data file dynamic encryption and decryption system comprises a client, a server and a switch:
A. Client. Once the client program of the data file dynamic encryption and decryption system has been installed, the client is controlled by the policy formulated on the server and dynamically encrypts and decrypts the client's sensitive files. Its functions are divided as follows:
a.) The user layer comprises: the key distribution and policy control module KeyPolDispatch, which authenticates the user with the server and negotiates the key of each file with the server; and the process monitoring module DSMon, which monitors the drivers and service programs.
b.) The kernel layer comprises: the file monitoring driver module FsFilter, which controls file read and write operations, applies a sensitivity label to important files, and encrypts and decrypts sensitive files; and the process monitoring driver module PsMon, which monitors the current state and category of the processes opened on the system.
B. Server, used for policy customization and for database management of keys. It comprises: the management module SMan, which authenticates the user and the integrity of the client software and generates, distributes, stores and backs up keys, covering file conversion, user authentication, key generation, key distribution and backup storage; and the database DB, which stores user information, file information and key information.
C. Switch, which connects the client and the server; transmission uses the SSL protocol.
The method comprises the following steps:
(1) After the server operating system starts, the server-side management module SMan and the database DB are run. SMan listens for connection requests from the key distribution and policy control module KeyPolDispatch running on the client.
(2) When the user computer's operating system starts, it loads the file monitoring driver module FsFilter and the process monitoring driver module PsMon, and starts the client's key distribution and policy control module KeyPolDispatch and the process monitoring module DSMon.
(3) The client's KeyPolDispatch establishes an SSL connection with the server-side management module SMan and negotiates a session key.
(4) The user logs in to SMan through KeyPolDispatch. KeyPolDispatch extracts the features of KeyPolDispatch, DSMon, FsFilter and PsMon for SMan to verify. Only after this verification succeeds will SMan provide keys to KeyPolDispatch in subsequent operations.
(5) When FsFilter detects that an ordinary process is about to open a sensitive file, it notifies KeyPolDispatch to request the key of that file from SMan.
(6) SMan returns the key of the file, and KeyPolDispatch passes the key to FsFilter.
(7) When the ordinary process reads the file, FsFilter decrypts the content; from then on the system is in the sensitive state.
(8) When an ordinary process modifies a file while the system is in the sensitive state: if the modified file is a sensitive file and its key is on the local machine, the file is encrypted and stored; otherwise the key of the file is requested from the server, or a new key is created and the file is labelled, and the file is then encrypted and stored.
(9) While the system is in the sensitive state, if the modified file is not a sensitive file, FsFilter requires KeyPolDispatch to allocate the parameters needed for encryption to the modified file; the file is encrypted and stored, and is given a sensitivity label.
(10) When a file is closed, if it is a sensitive file and its key is on the local machine, the key is destroyed.
(11) When an ordinary process creates a file, if the control policy requires that files created by this process be stored as ciphertext, a new key is requested from SMan. SMan generates a new key, a unique file serial number and an initial value IV, passes the new key, the unique file serial number and the initial value IV to KeyPolDispatch, and stores them in encrypted form.
Because it adopts the above technical scheme, the invention has the following advantages:
This method for dynamically encrypting and decrypting data files is based on the Microsoft platform, depends only on the operating system, and is independent of any specific application program. Its inventive point is that the dynamic encryption and decryption of data files is implemented with a file monitoring driver. Our data files can therefore only be used within our company's network environment; even if a data file is leaked it is in ciphertext, which protects intellectual property.
It addresses the increasingly prominent conflict between global information integration and national security that has arisen with the development of Internet technology, and provides confidentiality and stable, effective operation for public documents, enterprise engineering drawings, standard operating procedures and documents of all kinds. It counters leaks and internal offenders, who may pose a serious threat to governments and enterprises at any time.
It overcomes the problem that technical documents and confidential papers, such as Word files and DWG drawing files, are easily passed on by participants, and it can prevent such files from being opened and used.
The invention has been put into trial use in the key departments of our institute, where it has protected intellectual property well and has helped us keep our footing in commercial competition.
Description of drawings:
Fig. 1 is the system architecture diagram of the data file dynamic encryption and decryption method;
Fig. 2 is the workflow diagram of the data file dynamic encryption and decryption method.
Embodiment:
As shown in Fig. 1, this method for dynamically encrypting and decrypting data files runs in a Windows network environment. The server is connected to each client through a switch over twisted-pair cable. In this system the administrator generates policy on the server and, through the C/S model, centrally controls the important files on user computers; the client system manages the dynamic encryption and decryption of Word files, DWG drawing files and other plaintext. These important files can only be read or modified under server control, within the specific network environment in which the data file dynamic encryption and decryption program runs. Once they leave that network environment, their content appears only as ciphertext. When a user copies in a sensitive file as plaintext from elsewhere, the file must not be modified while the system is in the sensitive state; otherwise it is automatically converted to ciphertext form when stored.
In this software for dynamically encrypting and decrypting data files, the client of the system, once the client program of the software has been installed, is controlled by the policy formulated on the server and dynamically encrypts and decrypts the client's sensitive files. The client's functions are divided as follows:
a.) The user layer comprises: key distribution, which authenticates the user with the server and negotiates the key of each file with the server; process monitoring, which monitors the drivers and service programs (DSMon); and policy control, which authenticates the user with the server and negotiates the key of each file with the server.
b.) The kernel layer comprises: the file monitoring driver (FsFilter), which controls file read and write operations, applies a sensitivity label to important files, and encrypts and decrypts sensitive files; and the process monitoring driver (PsMon), which monitors the current state and category of the processes opened on the system.
Key distribution and policy control: authenticates the user with the server and negotiates the key of each file with the server. Driver and service program monitoring (DSMon): verifies the integrity of the client program at every start.
In this software for dynamically encrypting and decrypting data files, the server of the system, once the server program of the software has been installed, is used for formulating policy and for database management of keys. Its functions are divided as follows:
a.) Management program (SMan): authenticates the user and the integrity of the client software, and generates, distributes, stores and backs up keys, covering file conversion, user authentication, key generation, key distribution and backup storage.
b.) Database (DB): stores user information, file information and key information.
In this software for dynamically encrypting and decrypting data files, the switch of the system connects the client and the server, with transmission over the SSL protocol. SSL is the Secure Sockets Layer protocol. It mainly uses the RSA public-key system and X.509 digital certificates to protect the confidentiality and integrity of transmitted information; it cannot guarantee non-repudiation of information, is mainly suited to point-to-point transmission, and is commonly used in Web Server mode. SSL is a security protocol for Web applications proposed by Netscape.
In this system, the method for dynamically encrypting and decrypting data files has the server perform centralized authentication and restriction of user data files, and encrypts and decrypts the important files that need protection. To keep access efficient, a block cipher algorithm is used to encrypt these files. Different sensitive files have different keys, so keys are generated, distributed, stored and backed up by the server.
As shown in Fig. 2, the workflow is as follows:
1. In the Windows network environment, after the server operating system starts (1), the server-side service program SMan and the database DB are run, handling management requests (4) and uploading the current log (5). SMan listens for connection requests from KeyPolDispatch and waits for a connection (2).
2. When the operating system of the client's user computer starts (16), it loads the file filter drivers FsFilter and PsMon, starts the client service programs KeyPolDispatch and DSMon, and authenticates to the server (17).
3. The client service program KeyPolDispatch establishes an SSL connection with the server-side service program SMan and negotiates a session key; the server enters the connection request decision (3).
4. When the user logs in (6) to the server-side service program SMan through the client's KeyPolDispatch, KeyPolDispatch extracts the features of KeyPolDispatch, DSMon, FsFilter and PsMon for SMan to verify in its user information audit (7), followed by the pass/fail decision (8). If verification succeeds, success information is sent (9) and the step ends (10); SMan will then provide keys to the client's KeyPolDispatch in subsequent operations, that is, server authentication (17) passes and control proceeds to the encryption/decryption thread manager (18). If verification fails, failure information is sent (11) and the step ends (10); the client's server authentication (17) displays an error message (28) and, after a delay (29), authenticates to the server again.
5. The client's file filter monitoring driver FsFilter (23) monitors the ordinary processes of the encryption/decryption thread manager (18). When a sensitive file (19) is about to be opened, it notifies KeyPolDispatch to request the key of that file from the server-side service program SMan, i.e. a key request (15).
6. The server-side service program SMan returns the key of the file, and KeyPolDispatch passes the key to the client's file filter monitoring program FsFilter (23).
7. When the ordinary process reads the file, the client's file filter FsFilter (23) decrypts the content through the encryption/decryption thread manager (18); from then on the system is in the sensitive state. The encrypted file stream (20) and the file stream (21) are read.
8. When an ordinary process modifies a file while the system is in the sensitive state: if the modified file is a sensitive file (19) and its key is on this client computer, the file is encrypted and stored; otherwise the key of the file is requested from the server, or a new key is created and the file is labelled, and the file is then encrypted and stored.
9. While the system is in the sensitive state, if the modified file is not a sensitive file (19), it is passed through (22); the client's file filter FsFilter (23) requires KeyPolDispatch to allocate the parameters needed for encryption to the file, the file is encrypted and stored, and it is given a sensitivity label.
10. When a file is closed, if it is a sensitive file (19) and its key is on the local machine, the encryption/decryption thread manager (18) destroys the key.
11. When an ordinary process creates a file, if the control policy requires that files created by this process be stored as ciphertext, a new key is requested from the server-side service program SMan. SMan generates a new key, a unique file serial number and an initial value IV, passes these values to KeyPolDispatch, and stores them in encrypted form.
On shutdown, the flow checks whether the system is shutting down (24) and whether the system is processing sensitive files (25); if it is, processing is finished (26), and after a delay the flow reaches the end (27).
While the user works within this LAN environment, Word files, DWG drawing files and other plaintext files can only be read or modified under server control within this specific network environment. When the user copies in a sensitive file as plaintext from elsewhere, the file must not be modified while the system is in the sensitive state; otherwise it is automatically converted to ciphertext form when stored. Once files leave the network environment, their content appears only as ciphertext.
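The eleven workflow steps above can be traced in a small user-space simulation; this is an added example, not code from the patent or from any product that implements it. The class names follow the patent's modules, while the header layout (`MAGIC`, 8-byte serial, 16-byte nonce), the session token, the SHA-256 module "features" and the per-write nonce are assumptions, and an HMAC-SHA256 keystream stands in for the block cipher the patent leaves unnamed so that the example needs only the standard library.

```python
import hashlib
import hmac
import secrets

MAGIC = b"SENS"  # constructed sensitivity label; header = MAGIC + serial(8) + nonce(16)


def xor_stream(key, iv, data):
    """Stand-in for the patent's unnamed block cipher: HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, iv + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class SMan:
    """Server: verifies user and client-module features, then issues and stores keys."""
    def __init__(self, users, expected_features):
        self.users, self.expected = users, expected_features
        self.db = {}            # serial -> (key, iv); the role of DB in the patent
        self.sessions = set()

    def login(self, user, password, features):           # step 4
        ok = user in self.users and hmac.compare_digest(self.users[user], password)
        if not ok or features != self.expected:          # bad login or tampered module
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def _check(self, token):
        if token not in self.sessions:
            raise PermissionError("client not authenticated by SMan")

    def new_key(self, token):                            # step 11
        self._check(token)
        serial = secrets.token_bytes(8)
        self.db[serial] = (secrets.token_bytes(32), secrets.token_bytes(16))
        return serial, self.db[serial]

    def get_key(self, token, serial):                    # steps 5-6
        self._check(token)
        return self.db[serial]


class KeyPolDispatch:
    """Client service: logs in with module digests and relays key requests."""
    def __init__(self, server, modules):
        self.server, self.token = server, None
        self.features = {n: hashlib.sha256(b).hexdigest() for n, b in modules.items()}

    def login(self, user, password):
        self.token = self.server.login(user, password, self.features)
        return self.token is not None

    def new_key(self):
        return self.server.new_key(self.token)

    def get_key(self, serial):
        return self.server.get_key(self.token, serial)


class FsFilter:
    """File filter: decrypt on read, encrypt on write, destroy the key on close."""
    def __init__(self, dispatch, disk, encrypt_new_files=True):
        self.dispatch, self.disk, self.policy = dispatch, disk, encrypt_new_files
        self.keys = {}          # name -> (serial, key, iv), held only while open
        self.sensitive_state = False  # never cleared here; the text gives no reset rule

    def read(self, name):                                # steps 5-7
        raw = self.disk[name]
        if not raw.startswith(MAGIC):
            return raw
        serial, nonce, body = raw[4:12], raw[12:28], raw[28:]
        key, iv = self.dispatch.get_key(serial)
        self.keys[name] = (serial, key, iv)
        self.sensitive_state = True
        return xor_stream(key, iv + nonce, body)

    def write(self, name, plaintext):                    # steps 8, 9, 11
        if name not in self.keys:
            raw = self.disk.get(name, b"")
            if raw.startswith(MAGIC):                    # sensitive, key not local
                serial = raw[4:12]
                self.keys[name] = (serial, *self.dispatch.get_key(serial))
            elif self.sensitive_state or (name not in self.disk and self.policy):
                serial, (key, iv) = self.dispatch.new_key()
                self.keys[name] = (serial, key, iv)      # new key and label
            else:
                self.disk[name] = plaintext              # non-sensitive: stored as is
                return
        serial, key, iv = self.keys[name]
        nonce = secrets.token_bytes(16)  # fresh per write (added here, avoids keystream reuse)
        self.disk[name] = MAGIC + serial + nonce + xor_stream(key, iv + nonce, plaintext)

    def close(self, name):                               # step 10
        self.keys.pop(name, None)
```

The stored bytes carry no integrity tag, so this sketch shows only the confidentiality and key-lifetime behaviour the steps describe.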

Claims (1)

1. A method for dynamically encrypting and decrypting data files, characterized in that: in a data file dynamic encryption and decryption system, the server performs centralized authentication and restriction of user data files, and the important files that need protection are encrypted and decrypted; to keep access efficient, a block cipher algorithm is used to encrypt these files; different sensitive files have different keys, and all keys are generated, distributed, stored and backed up by the server;
The data file dynamic encryption and decryption system comprises a client, a server and a switch:
A. Client: once the client program of the data file dynamic encryption and decryption system has been installed, the client is controlled by the policy formulated on the server and dynamically encrypts and decrypts the client's sensitive files; its functions are divided as follows:
a.) The user layer comprises: the key distribution and policy control module KeyPolDispatch, which authenticates the user with the server and negotiates the key of each file with the server; and the process monitoring module DSMon, which monitors the drivers and service programs;
b.) The kernel layer comprises: the file monitoring driver module FsFilter, which controls file read and write operations, applies a sensitivity label to important files, and encrypts and decrypts sensitive files; and the process monitoring driver module PsMon, which monitors the current state and category of the processes opened on the system;
B. Server, used for policy customization and for database management of keys, comprising: the management module SMan, which authenticates the user and the integrity of the client software and generates, distributes, stores and backs up keys, covering file conversion, user authentication, key generation, key distribution and backup storage; and the database DB, which stores user information, file information and key information;
C. Switch, which connects the client and the server, with transmission over the SSL protocol;
The method comprises the following steps:
(1) after the server operating system starts, the server-side management module SMan and the database DB are run; the server-side management module SMan listens for connection requests from the key distribution and policy control module KeyPolDispatch running on the client;
(2) when the user computer's operating system starts, it loads the file monitoring driver module FsFilter and the process monitoring driver module PsMon, and starts the client's key distribution and policy control module KeyPolDispatch and the process monitoring module DSMon;
(3) the client's key distribution and policy control module KeyPolDispatch establishes an SSL connection with the server-side management module SMan and negotiates a session key;
(4) the user logs in to the management module SMan through the key distribution and policy control module KeyPolDispatch, and the key distribution and policy control module KeyPolDispatch extracts the features of the key distribution and policy control module KeyPolDispatch, the process monitoring module DSMon, the file monitoring driver module FsFilter and the process monitoring driver module PsMon for the management module SMan to verify; only after this verification succeeds will the management module SMan provide keys to the key distribution and policy control module KeyPolDispatch in subsequent operations;
(5) when the file monitoring driver module FsFilter detects that an ordinary process is about to open a sensitive file, it notifies the key distribution and policy control module KeyPolDispatch to request the key of that file from the management module SMan;
(6) the management module SMan returns the key of the file, and the key distribution and policy control module KeyPolDispatch passes the key to the file monitoring driver module FsFilter;
(7) when the ordinary process reads the file, the file monitoring driver module FsFilter decrypts the content; from then on the system is in the sensitive state;
(8) when an ordinary process modifies a file while the system is in the sensitive state, if the modified file is a sensitive file and its key is on the local machine, the file is encrypted and stored; otherwise the key of the file is requested from the server, or a new key is created and the file is labelled, and the file is then encrypted and stored;
(9) while the system is in the sensitive state, if the modified file is not a sensitive file, the file monitoring driver module FsFilter requires the key distribution and policy control module KeyPolDispatch to allocate the parameters needed for encryption to the modified file, the file is encrypted and stored, and the modified file is given a sensitivity label;
(10) when a file is closed, if it is a sensitive file and its key is on the local machine, the key is destroyed;
(11) when an ordinary process creates a file, if the control policy requires that files created by this process be stored as ciphertext, a new key is requested from the management module SMan; the management module SMan generates a new key, a unique file serial number and an initial value IV, passes the new key, the unique file serial number and the initial value IV to the key distribution and policy control module KeyPolDispatch, and stores the new key, the unique file serial number and the initial value IV in encrypted form.
CN2006100180298A 2006-06-28 2006-06-28 Method for encrypting/deciphering dynamically data file Expired - Fee Related CN101098224B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006100180298A CN101098224B (en) 2006-06-28 2006-06-28 Method for encrypting/deciphering dynamically data file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006100180298A CN101098224B (en) 2006-06-28 2006-06-28 Method for encrypting/deciphering dynamically data file

Publications (2)

Publication Number Publication Date
CN101098224A CN101098224A (en) 2008-01-02
CN101098224B true CN101098224B (en) 2010-08-25

Family

ID=39011768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006100180298A Expired - Fee Related CN101098224B (en) 2006-06-28 2006-06-28 Method for encrypting/deciphering dynamically data file

Country Status (1)

Country Link
CN (1) CN101098224B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572659B (en) * 2008-04-30 2012-08-15 北京明朝万达科技有限公司 Network sharing range control method for files
CN101572698B (en) * 2008-04-30 2014-07-02 北京明朝万达科技有限公司 Network transmission common encryption method for files
CN101729550B (en) * 2009-11-09 2012-07-25 西北大学 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof
CN102609667A (en) * 2012-02-22 2012-07-25 浙江机电职业技术学院 Automatic file encryption and decryption system and automatic file encryption and decryption method based on filter drive program
CN103413100B (en) * 2013-08-30 2016-09-07 国家电网公司 File security protection system
CN104572169B (en) * 2014-09-10 2017-10-27 中电科技(北京)有限公司 A kind of software distribution and installation system based on UEFI
CN104506545B (en) * 2014-12-30 2017-12-22 北京奇安信科技有限公司 Leakage prevention method and device
DE102015114544A1 (en) * 2015-08-31 2017-03-02 Uniscon Universal Identity Control Gmbh Method for secure and efficient access to connection data
CN105245336B (en) * 2015-11-12 2019-01-18 南威软件股份有限公司 A kind of file encryption management system
CN107426151B (en) * 2017-03-31 2020-07-31 武汉斗鱼网络科技有限公司 File decryption method and device
CN112115493B (en) * 2020-09-16 2022-11-18 安徽长泰科技有限公司 Data leakage protection system based on data acquisition

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1263305A (en) * 1999-02-09 2000-08-16 Lg电子株式会社 Digital data file scrambler and its method
EP1324565A1 (en) * 2001-12-12 2003-07-02 Pervasive Security Systems Inc. Method and architecture for providing access to secured data from non-secured clients
CN1545295A (en) * 2003-11-17 2004-11-10 中国科学院计算技术研究所 A method for user-oriented remote access control of network file system

Also Published As

Publication number Publication date
CN101098224A (en) 2008-01-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100825

Termination date: 20110628