CN101729550A - Digital content safeguard system based on transparent encryption and decryption method thereof - Google Patents

Digital content safeguard system based on transparent encryption and decryption method thereof

Info

Publication number: CN101729550A
Authority: CN
Grant status: Application
Prior art keywords: module, digital content, step, encryption, decryption
Application number: CN 200910218880
Other languages: Chinese (zh)
Other versions: CN101729550B (en)
Inventors: 何路, 安娜, 张汉宁, 房鼎益, 李磊, 杨朕, 杨红, 杭继春, 汤战勇, 王妮, 章哲, 胡伟, 苏琳, 赵玉洁, 陈�峰, 陈晓江, 高丽, 高沛
Original assignee: 西北大学 (Northwest University)
Abstract

The invention belongs to the field of information security and provides a digital content protection system based on transparent encryption and decryption. The system comprises a transparent encryption/decryption module, an access control module, a monitoring module, an authentication and authorization module, a communication proxy module, a management center and a rights server module. The transparent encryption/decryption module, the access control module and the monitoring module reside on the client side; the management center and the rights server module reside on the server side; the client and the server are connected through the communication proxy module and the rights server module. For this system the invention also provides a dynamic encryption/decryption method that encrypts digital content, enforces access control on it, and opens, reads and writes ciphertext. The method achieves transparent encryption and decryption of digital content through a filter driver at the bottom layer of the operating system and keeps a complete log of every user operation, which improves system security and greatly increases encryption and decryption speed. Compared with existing products of the same kind, the system offers a secure and efficient encryption mode, fine-grained access control, complete log auditing and a convenient, efficient management mode.

Description

Digital content security protection system based on transparent encryption and decryption, and encryption/decryption method

Technical field

[0001] The present invention belongs to the field of information security and specifically relates to a digital content security protection system based on transparent encryption and decryption, and to an encryption/decryption method.

Background

[0002] With the widespread use of computers and the rapid development of the Internet, more and more technical inventions and innovations depend on computer technology, so many core confidential documents are stored on computers in electronic form; in most enterprises the core technical documents themselves are electronic files such as design drawings and program source code. Technical progress has therefore brought new challenges to information security: the spread of networking and the wide use of mobile office equipment, removable storage devices and notebook computers bring efficiency and convenience but also increase the risk of information being eavesdropped on, intercepted or illegally copied. Surveys by research organizations show that large numbers of incidents involving the loss of sensitive enterprise data occur every year, and the losses that leaked electronic documents cause enterprises are severe; where state secrets are involved, the damage is incalculable. To prevent leaks of confidential information, enterprises have adopted a wide variety of file encryption measures, and many file encryption technologies have appeared.

[0003] Encryption technology is divided into static and dynamic encryption. In static encryption the data is not in use while it is being encrypted; once encrypted, the user must first decrypt it statically to obtain the plaintext before it can be used. Dynamic encryption, that is, transparent encryption, means that the system encrypts and decrypts the data automatically while it is in use, without changing the user's habits for accessing files (open, read, write, etc.) and without user intervention. Outwardly, accessing an encrypted file is essentially the same as accessing an unencrypted one, so to an authorized user the encrypted files are "transparent", as if they were not encrypted at all; a user without access rights cannot use the encrypted files even after obtaining them by other, unconventional means. Because transparent encryption does not change the user's habits and secures files without much user intervention, it has been widely adopted in recent years.

[0004] Many transparent encryption security products on the market already protect digital content, but they have a variety of shortcomings and defects:

[0005] 1. Low security. Most products perform encryption and decryption in user mode of the operating system. This approach offers low security and causes the digital content to "land in plaintext" while in use, i.e. plaintext is stored on disk, which easily leads to confidential information being compromised and leaked;

[0006] 2. Low speed. Because encryption and decryption are performed in user mode of the operating system, they are relatively slow, so files are not processed efficiently. For example, the Shanghai Suoyuan (上海索远) Docsecurity system does not use a filter driver and changes the document format, so encrypted files must be handled by a specific application; this is slow and changes the user's habits;

[0007] 3. Insufficiently fine permission control. Although most security products can allow or deny a user's access to protected digital content, they cannot provide more finely divided permission control; such static "all or nothing" security products cannot meet today's dynamic business needs. For example, the Tiejuan (铁巻) electronic document security system introduces filter driver technology but does not support fine-grained permission control and cannot meet users' dynamic needs;

[0008] 4. Lack of monitoring. Most comparable products are simply designed and do not keep a complete record of how the digital content is used.

Summary of the invention

[0009] To overcome the shortcomings and defects of existing encryption products of the same kind, the object of the present invention is to provide a digital content security protection system based on transparent encryption and decryption, together with an encryption/decryption method. The invention implements a filter driver at the bottom layer of the operating system and thereby achieves transparent encryption and decryption of digital content; by combining transparent encryption, access control and digital rights management, it not only improves system security but also greatly increases encryption and decryption speed.

[0010] To accomplish the above task, the invention adopts the following technical solution:

[0011] A digital content security protection system based on transparent encryption and decryption consists of a client and a server. The client includes:

[0012] a transparent encryption/decryption module, which interacts with the communication proxy module, receives the digital content encryption requests that an application sends through the communication proxy module, and encrypts the digital content according to the request; during open, read and write operations it dynamically obtains the required key and rights information from the server through the communication proxy module and dynamically encrypts and decrypts the accessed digital content according to that information;

[0013] an authentication and authorization module, which interacts with the communication proxy module, sends identity authentication requests to the server-side rights server, authenticates the logged-in user according to the identity information the rights server returns, obtains rights information from the rights server, and controls the user according to the identity and rights information; through this module a user can authorize and distribute ciphertext to other users;

[0014] a monitoring module, which interacts with the communication proxy module and records the user's use of the system and operations on digital content; the recorded operation log is sent through the communication proxy module to the server-side rights server and stored in the database so that use of the digital content can be audited and traced;

[0015] an access control module, which interacts with the communication proxy module and, while the user accesses digital content, intercepts the application's open operation on the content and obtains the content's full path from the data structure built by the transparent encryption/decryption module; using the full path it obtains the content ID and the corresponding rights information from the server-side rights server and controls the user's use of the ciphertext according to that rights information;

[0016] a communication proxy module, which provides the communication link between the other client modules and the server modules, sends the various requests and receives the returned results, passes the data needed between client and server, and hides server heterogeneity.

[0017] The server includes:

[0018] a management center, which gives the system administrator a unified interface for managing system users, including adding new users, adding user groups, verifying user identity at registration, and viewing users' operation logs on digital content;

[0019] a rights server, which exchanges information with the client modules through the communication proxy, receives the identity authentication requests, rights information requests and key information requests that the client modules send, fetches the data from the database according to the request, and returns the required information to the client modules;

[0020] a database, which stores client identity information, the rights information and key information of digital content, and user operation logs;

[0021] The management center and the rights server on the server side are each connected to the database; the server and the client are connected through the communication proxy module and the rights server.

[0022] The method by which this system encrypts and protects digital content includes the following steps:

[0023] Step 201: the user selects the digital content to be encrypted through the application, by selecting a single file, several files at once, or an entire folder;

[0024] Step 202: the application sends an encryption request to the communication proxy module;

[0025] Step 203: after receiving the encryption request, the communication proxy module forwards it to the transparent encryption/decryption module;

[0026] Step 204: after receiving the request, the transparent encryption/decryption module stores it in a request list that it maintains itself;

[0027] Step 205: when the application closes, the transparent encryption/decryption module encrypts the digital content the user selected, appends an encryption marker to the tail of the content to distinguish plaintext from ciphertext, and sends the encryption key through the communication proxy module to the rights server for storage;

[0028] Step 206: after encryption, the transparent encryption/decryption module writes the ciphertext to disk.

[0029] The encryption marker consists of the following parts:

[0030] 301: flag, which marks whether the content is protected; occupies 128 bytes;

[0031] 302: content ID, which uniquely identifies a piece of digital content and is composed of three parts: the current time (to the second), the MAC address and a 16-character random sequence; occupies 256 bytes;

[0032] 303: content type, which stores the original type of the digital content; for example, a Word document among the Office documents is defined as MS001 and an Excel document as MS002; occupies 256 bytes;

[0033] 304: encryption algorithm, which stores the type of encryption algorithm used for the content so that the same algorithm is used in subsequent encryption and decryption operations; occupies 256 bytes;

[0034] 305: reserved bytes, which leave room for later extension; occupies 128 bytes.
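The marker layout in 301-305 fixes only the field widths (128, 256, 256, 256 and 128 bytes, 1024 bytes in all) and the fact that the marker sits at the tail of the file. The C code below is an added example, not code from the patent or its authors: it builds and parses such a marker in user mode and performs the step-503 check of whether a file's tail carries the flag. The flag value PROTECTED-CONTENT-V1, the zero-padding of the fields, the sample content ID and the algorithm label are assumptions; the field widths are the patent's.

```c
/* Added example: encoder/decoder for the 1024-byte encryption marker of
 * fields 301-305.  Widths are from the patent; the flag value, the
 * zero-padding and the sample values are assumptions. */
#include <stdint.h>
#include <string.h>

#define MARK_FLAG_LEN 128
#define MARK_ID_LEN   256
#define MARK_TYPE_LEN 256
#define MARK_ALG_LEN  256
#define MARK_RSV_LEN  128
#define MARK_LEN (MARK_FLAG_LEN + MARK_ID_LEN + MARK_TYPE_LEN + MARK_ALG_LEN + MARK_RSV_LEN)

static const char MARK_FLAG[] = "PROTECTED-CONTENT-V1";   /* assumed magic */

struct marker {
    char content_id[MARK_ID_LEN];
    char content_type[MARK_TYPE_LEN];
    char algorithm[MARK_ALG_LEN];
};

/* Copy a C string into a fixed-width, zero-padded field; 0 if it doesn't fit
 * (a NUL must always remain so the field can be read back as a string). */
static int put_field(uint8_t *dst, size_t width, const char *src)
{
    size_t n = strlen(src);
    if (n >= width) return 0;
    memset(dst, 0, width);
    memcpy(dst, src, n);
    return 1;
}

/* Append the marker after `len` bytes of ciphertext in `buf` (capacity `cap`).
 * Returns the new file length, or 0 if there is no room or a field overflows. */
size_t marker_append(uint8_t *buf, size_t len, size_t cap, const struct marker *m)
{
    if (len > cap || cap - len < MARK_LEN) return 0;
    uint8_t *p = buf + len;
    if (!put_field(p, MARK_FLAG_LEN, MARK_FLAG)) return 0;        p += MARK_FLAG_LEN;
    if (!put_field(p, MARK_ID_LEN, m->content_id)) return 0;      p += MARK_ID_LEN;
    if (!put_field(p, MARK_TYPE_LEN, m->content_type)) return 0;  p += MARK_TYPE_LEN;
    if (!put_field(p, MARK_ALG_LEN, m->algorithm)) return 0;      p += MARK_ALG_LEN;
    memset(p, 0, MARK_RSV_LEN);                                    /* 305: reserved */
    return len + MARK_LEN;
}

/* Step 503 check: does the tail of a `len`-byte file carry the flag?
 * Anything shorter than the marker cannot be ciphertext, and the whole
 * 128-byte field is compared so only a correctly padded flag matches. */
int marker_is_protected(const uint8_t *buf, size_t len)
{
    uint8_t expect[MARK_FLAG_LEN] = {0};
    if (len < MARK_LEN) return 0;
    memcpy(expect, MARK_FLAG, sizeof MARK_FLAG - 1);
    return memcmp(buf + len - MARK_LEN, expect, MARK_FLAG_LEN) == 0;
}

/* Extract the fields and the ciphertext length (file length minus marker).
 * Returns 0 if the file is not protected.  Fields from a foreign file are
 * force-terminated so a full 256-byte field cannot overrun on strcmp. */
int marker_parse(const uint8_t *buf, size_t len, struct marker *out, size_t *body_len)
{
    if (!marker_is_protected(buf, len)) return 0;
    const uint8_t *p = buf + len - MARK_LEN + MARK_FLAG_LEN;
    memcpy(out->content_id, p, MARK_ID_LEN);     p += MARK_ID_LEN;
    memcpy(out->content_type, p, MARK_TYPE_LEN); p += MARK_TYPE_LEN;
    memcpy(out->algorithm, p, MARK_ALG_LEN);
    out->content_id[MARK_ID_LEN - 1] = out->content_type[MARK_TYPE_LEN - 1] =
        out->algorithm[MARK_ALG_LEN - 1] = 0;
    *body_len = len - MARK_LEN;
    return 1;
}

/* Round trip on constructed sample data: returns the recovered ciphertext
 * length (16) on success, -1 on any failure. */
int marker_roundtrip_demo(void)
{
    static uint8_t file[4096];
    struct marker m, got;
    size_t n, body;
    memcpy(file, "ciphertext-body!", 16);                    /* constructed ciphertext */
    memset(&m, 0, sizeof m);
    strcpy(m.content_id, "20091201120000-00:11:22:33:44:55-A1B2C3D4E5F6G7H8"); /* constructed */
    strcpy(m.content_type, "MS001");                          /* Word, per 303 */
    strcpy(m.algorithm, "AES-128-CBC");                       /* assumed label */
    n = marker_append(file, 16, sizeof file, &m);
    if (n != 16 + MARK_LEN) return -1;
    if (!marker_is_protected(file, n) || marker_is_protected(file, 16)) return -1;
    if (!marker_parse(file, n, &got, &body)) return -1;
    if (strcmp(got.content_id, m.content_id) || strcmp(got.content_type, "MS001")) return -1;
    if (marker_append(file, 4000, sizeof file, &m) != 0) return -1;   /* no room: must refuse */
    return (int)body;
}
```

Because the marker follows the ciphertext, a filter that reads it must also subtract its 1024 bytes from the file size it reports to applications and keep reads from running into it; the patent does not describe that step, so the example stops at building and recognizing the marker.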

[0035] The method by which this system authorizes and distributes ciphertext includes the following steps:

[0036] Step 401: the user selects the protected content through the application;

[0037] Step 402: the user selects, through the application, the users to be authorized and the rights information, and sends an authorization request to the authentication and authorization module;

[0038] Step 403: the authentication and authorization module receives the authorization request and sends a rights update request to the rights server through the communication proxy module; the update takes either the intersection or the union with the original rights; the rights server updates the user's rights information and returns the result;

[0039] Step 404: the authentication and authorization module receives the returned result, and the protected digital content is distributed to the authorized users by USB drive, email, network share or other means; after receiving the content, the users use it according to the rights granted;

[0040] The dynamic encryption/decryption method of this system performs dynamic encryption and decryption during open, read and write operations on digital content, where:

[0041] Opening digital content includes the following steps:

[0042] Step 501: the user selects, through the application, the protected digital content to be opened;

[0043] Step 502: the application sends an IRP_MJ_CREATE request to the transparent encryption/decryption module;

[0044] Step 503: after intercepting the IRP_MJ_CREATE request, the transparent encryption/decryption module builds an IRP to query whether the tail of the content carries an encryption flag. If it does, the content is ciphertext: the module builds a data structure recording the file's information so that plaintext and ciphertext can be told apart in all subsequent operations on open content, then flushes the system cache and proceeds to step 504. If there is no encryption marker, the content is not ciphertext and processing skips to step 506. The data structure built by the transparent encryption/decryption module contains the following fields:

[0045] 1) ListEntry, a Windows kernel linked-list entry;

[0046] 2) FsContext, which is in fact the pointer to the file control block (FCB) of the content and uniquely identifies it;

[0047] 3) Pid, the ID of the process accessing the content;

[0048] 4) FilePath, which stores the full path of the content;

[0049] Step 504: the transparent encryption/decryption module reads the content ID from the encryption marker of the ciphertext and, using that content ID, obtains the user's rights information and the key information for this ciphertext from the rights server through the communication proxy. It determines from the rights information whether the user is allowed to open the content; if so, it decrypts the content with the corresponding key and proceeds to step 505; otherwise the content is not decrypted and the application tells the user that they have no permission to open it;

[0050] Step 505: the access control module obtains the rights information for the content from the rights server through the communication proxy and enforces fine-grained permission control according to it, including the availability of menus and buttons, clipboard copy and paste, drag-and-drop between programs, OLE data exchange and screen capture;

[0051] Step 506: the digital content is shown to the user.

[0052] Reading ciphertext includes the following steps:

[0053] Step 601: the application sends an IRP_MJ_READ request to the underlying filter driver;

[0054] Step 602: after receiving the IRP_MJ_READ request, the transparent encryption/decryption module checks whether Irp->Flags contains IRP_NOCACHE or IRP_PAGING_IO. If so, it proceeds to step 603; otherwise it does not process the request and instead calls the default pass-through handler PassThroughLowerDriver;

[0055] Step 603: save the Buffer pointer carried by the read IRP and allocate a SwapBuffer of the same size;

[0056] Step 604: replace the original Buffer with the SwapBuffer, set the completion routine ReadProcCompletion, then wait for the result returned by the lower filter driver;

[0057] Step 605: when the completion routine runs, the transparent encryption/decryption module decrypts the data in the SwapBuffer with the key and copies the decrypted data into the original Buffer;

[0058] Step 606: restore the IRP buffer pointers Irp->MdlAddress and Irp->UserBuffer;

[0059] Step 607: the decrypted digital content is shown to the user;

[0060] Writing ciphertext includes the following steps:

[0061] Step 701: the application sends an IRP_MJ_WRITE request;

[0062] Step 702: the transparent encryption/decryption module intercepts the IRP_MJ_WRITE request and checks whether Irp->Flags contains IRP_NOCACHE or IRP_PAGING_IO. If so, it proceeds to step 703; otherwise it calls PassThroughLowerDriver(Irp), does no processing and returns directly;

[0063] Step 703: save the Buffer pointer carried by the write IRP and allocate a SwapBuffer of the same size;

[0064] Step 704: encrypt the data in the Buffer and copy the encrypted data into the SwapBuffer;

[0065] Step 705: replace the original Buffer with the SwapBuffer, set the completion routine (WriteProcCompletion), and wait for the result returned by the underlying filter driver;

[0066] Step 706: when the completion routine runs, restore the IRP buffer pointers Irp->MdlAddress and Irp->UserBuffer;

[0067] Step 707: the system saves the encrypted digital content to the computer's disk.
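Steps 601-607 and 701-707 describe the classic buffer-swap pattern of a legacy file system filter: only IRP_NOCACHE and IRP_PAGING_IO requests move data between the disk image and memory, so those are the only requests the filter decrypts or encrypts, and everything served from the cache manager is passed through unchanged. The C program below is an added example, not the patent's driver code: it models that pattern in user mode with an in-memory array in place of the lower driver, malloc/free in place of kernel pool allocations, and an IRP struct reduced to the fields the filter touches. The flag values, the key and the placeholder keystream are assumptions; the patent does not name its cipher. The keystream depends only on the key and the absolute file offset so that a paging read of one page decrypts without any other page, which is the property the per-IRP design needs, but it is a toy: like any XOR keystream it leaks the XOR of old and new contents when a page is rewritten, and a storage cipher mode such as XTS would be used in practice.

```c
/* Added example: user-mode model of the read (602-606) and write (702-706)
 * paths.  The in-memory "disk", the flag values and the placeholder
 * keystream are assumptions, not the patent's code or cipher. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IRP_NOCACHE   0x01u       /* assumed values for this model */
#define IRP_PAGING_IO 0x02u
#define DISK_SIZE     8192

static uint8_t g_disk[DISK_SIZE];   /* what the lower driver reads and writes */

struct irp {                        /* the IRP fields the filter touches */
    uint8_t *user_buffer;           /* stands in for UserBuffer / MdlAddress */
    size_t   length, offset;        /* byte count and file offset */
    unsigned flags;
};

struct filter_ctx { int is_ciphertext; uint8_t key[16]; };  /* per-file state from step 503 */

/* Placeholder keystream: a function of key and absolute offset only, so any
 * page can be processed on its own.  NOT a secure cipher. */
static uint8_t ks_byte(const uint8_t *key, size_t off)
{
    uint32_t x = (uint32_t)off * 2654435761u ^ (key[off % 16] * 0x9E3779B1u);
    x ^= x >> 13; x *= 0x85EBCA6Bu; x ^= x >> 16;
    return (uint8_t)x;
}
static void xor_ks(uint8_t *dst, const uint8_t *src, size_t n, size_t off, const uint8_t *key)
{
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ ks_byte(key, off + i);
}

/* Lower driver: raw I/O with no crypto; -1 if the request runs off the disk. */
static int lower_io(struct irp *irp, int is_write)
{
    if (irp->offset > DISK_SIZE || irp->length > DISK_SIZE - irp->offset) return -1;
    if (is_write) memcpy(g_disk + irp->offset, irp->user_buffer, irp->length);
    else          memcpy(irp->user_buffer, g_disk + irp->offset, irp->length);
    return 0;
}

/* Steps 602-606: decrypt only non-cached/paging reads of ciphertext. */
int filter_read(struct filter_ctx *ctx, struct irp *irp)
{
    if (!ctx->is_ciphertext || !(irp->flags & (IRP_NOCACHE | IRP_PAGING_IO)))
        return lower_io(irp, 0);                        /* PassThroughLowerDriver */
    uint8_t *orig = irp->user_buffer;                   /* 603: save the pointer */
    uint8_t *swap = malloc(irp->length);
    if (!swap) return -2;
    irp->user_buffer = swap;                            /* 604: swap the buffer */
    int rc = lower_io(irp, 0);
    if (rc == 0)                                        /* 605: ReadProcCompletion */
        xor_ks(orig, swap, irp->length, irp->offset, ctx->key);
    irp->user_buffer = orig;                            /* 606: restore the pointer */
    free(swap);
    return rc;
}

/* Steps 702-706: encrypt into the swap buffer before the lower driver sees it. */
int filter_write(struct filter_ctx *ctx, struct irp *irp)
{
    if (!ctx->is_ciphertext || !(irp->flags & (IRP_NOCACHE | IRP_PAGING_IO)))
        return lower_io(irp, 1);
    uint8_t *orig = irp->user_buffer;                   /* 703 */
    uint8_t *swap = malloc(irp->length);
    if (!swap) return -2;
    xor_ks(swap, orig, irp->length, irp->offset, ctx->key);  /* 704 */
    irp->user_buffer = swap;                            /* 705 */
    int rc = lower_io(irp, 1);
    irp->user_buffer = orig;                            /* 706 */
    free(swap);
    return rc;
}

/* Demo: paging write of one 1 KiB page at offset 4096, then a 100-byte
 * non-cached read starting 300 bytes into it, then the same read with no
 * flags.  Returns 1 if the disk holds ciphertext, the flagged read yields
 * plaintext and the unflagged read yields the raw disk bytes; else 0. */
int filter_demo(void)
{
    struct filter_ctx ctx = { 1, { 0 } };
    uint8_t page[1024], out[100], raw[100];
    memcpy(ctx.key, "0123456789abcdef", 16);           /* constructed key */
    for (size_t i = 0; i < sizeof page; i++) page[i] = (uint8_t)('A' + i % 26);

    struct irp w = { page, sizeof page, 4096, IRP_PAGING_IO };
    if (filter_write(&ctx, &w) != 0 || memcmp(g_disk + 4096, page, 64) == 0) return 0;

    struct irp r = { out, sizeof out, 4096 + 300, IRP_NOCACHE };
    if (filter_read(&ctx, &r) != 0 || memcmp(out, page + 300, sizeof out) != 0) return 0;

    struct irp c = { raw, sizeof raw, 4096 + 300, 0 };  /* cached read: passed through */
    if (filter_read(&ctx, &c) != 0 || memcmp(raw, g_disk + 4096 + 300, sizeof raw) != 0) return 0;
    return 1;
}

/* A read that runs past the end of the disk must fail in the lower driver
 * and still leave the IRP's buffer pointer restored; returns that status (-1). */
int filter_bounds_demo(void)
{
    struct filter_ctx ctx = { 1, { 0 } };
    uint8_t b[16];
    struct irp bad = { b, sizeof b, DISK_SIZE - 8, IRP_NOCACHE };
    int rc = filter_read(&ctx, &bad);
    return bad.user_buffer == b ? rc : -99;
}
```

The pass-through branch is the point of the flag check in steps 602 and 702: cached reads are satisfied from pages the cache manager filled with paging I/O that already went through the decrypting path, so decrypting them again would corrupt them. The bounds demo shows why the completion routine must restore the pointer on the failure path as well, not only after a successful transfer.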

[0068] When several pieces of open digital content include ciphertext, step 503 further includes the following: when a ciphertext is opened, the transparent encryption/decryption module creates a new file node for it, and the kernel list entry (ListEntry) in the data structure links the file nodes of all open ciphertexts into a list so that plaintext and ciphertext among the open content can be told apart; when a ciphertext is closed, its node is removed.

[0069] In step 505, the process by which the access control module obtains the corresponding rights information from the rights server through the communication proxy and enforces fine-grained permission control according to it includes the following steps:

[0070] Step 801: the user opens protected digital content through an application, and the application sends an open request for the content;

[0071] Step 802: the access control module intercepts the application's open request and obtains the full path of the digital content from the data structure built by the transparent encryption/decryption module;

[0072] Step 803: using the full path of the content, the access control module sends a request to the rights server through the communication proxy; the rights server returns the content ID and the corresponding rights information;

[0073] Step 804: the access control module enforces fine-grained permission control according to the rights information obtained, including the availability of menus and buttons, clipboard copy and paste, drag-and-drop between programs, OLE data exchange and screen capture.

[0074] Compared with the prior art, the beneficial effects of the invention are as follows:

[0075] 1. Secure and efficient encryption. Because the invention implements transparent encryption and decryption in a low-level filter driver rather than in the application layer as is traditional, it improves system security and greatly increases encryption and decryption speed. In testing, a 35 MB file took 2 minutes to encrypt and decrypt with a traditional application-layer implementation but only 6 seconds with the filter-driver implementation of the invention.

[0076] 2. Fine-grained permission control. According to the different needs of content owners, the invention uses COM add-ins to control important applications (such as Word, Excel and AutoCAD) and hooking for software that does not support add-in development, so that permissions can be set flexibly to meet growing user needs. Rights can be granted to individuals or groups and include full control, a limited number of reads, a limited number of prints, copy, save-as, edit, expiry date and validity period, which is a major advance over the traditional static "all or nothing" model.
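Step 403 updates a user's rights by taking the intersection or the union with the rights they already hold, and item 2 above lists the rights themselves: full control, a limited number of reads, a limited number of prints, copy, save-as, edit, expiry date and validity period. The C code below is an added example, not the patent's implementation: it encodes that rights record, defines intersection as the stricter and union as the looser value of each field, and performs the step-504 open decision, consuming one read at the moment the open is allowed. The bit-flag encoding, the UNIX-time fields and the convention that a counter of -1 means unlimited are assumptions.

```c
/* Added example: rights record from [0076], step-403 intersection/union,
 * and the step-504 open decision.  Encoding is an assumption. */
#include <stdint.h>

enum {
    R_READ   = 1u << 0,
    R_PRINT  = 1u << 1,
    R_COPY   = 1u << 2,
    R_SAVEAS = 1u << 3,
    R_EDIT   = 1u << 4,
    R_FULL   = 0x1Fu        /* "full control" = every flag set */
};

struct rights {
    unsigned flags;
    int     reads_left;     /* -1 = unlimited */
    int     prints_left;    /* -1 = unlimited */
    int64_t not_before;     /* validity period start (UNIX time), 0 = none */
    int64_t expires;        /* expiry date (UNIX time), 0 = never */
};

static int stricter(int a, int b) { if (a < 0) return b; if (b < 0) return a; return a < b ? a : b; }
static int looser(int a, int b)   { if (a < 0 || b < 0) return -1; return a > b ? a : b; }

/* Intersection: the user keeps only what both grants allow. */
struct rights rights_intersect(struct rights a, struct rights b)
{
    struct rights r;
    r.flags       = a.flags & b.flags;
    r.reads_left  = stricter(a.reads_left, b.reads_left);
    r.prints_left = stricter(a.prints_left, b.prints_left);
    r.not_before  = a.not_before > b.not_before ? a.not_before : b.not_before;
    if (a.expires == 0)      r.expires = b.expires;
    else if (b.expires == 0) r.expires = a.expires;
    else                     r.expires = a.expires < b.expires ? a.expires : b.expires;
    return r;
}

/* Union: the looser value of each field wins. */
struct rights rights_union(struct rights a, struct rights b)
{
    struct rights r;
    r.flags       = a.flags | b.flags;
    r.reads_left  = looser(a.reads_left, b.reads_left);
    r.prints_left = looser(a.prints_left, b.prints_left);
    r.not_before  = a.not_before < b.not_before ? a.not_before : b.not_before;
    r.expires     = (a.expires == 0 || b.expires == 0) ? 0
                  : (a.expires > b.expires ? a.expires : b.expires);
    return r;
}

/* Step 504: may this user open the content now?  Returns 1 and consumes one
 * read if so, 0 otherwise.  Check and decrement are one step so a single
 * remaining read cannot be spent twice. */
int rights_open(struct rights *r, int64_t now)
{
    if (!(r->flags & R_READ)) return 0;
    if (r->not_before && now < r->not_before) return 0;
    if (r->expires && now >= r->expires) return 0;
    if (r->reads_left == 0) return 0;
    if (r->reads_left > 0) r->reads_left--;
    return 1;
}

/* Step 505/804 style decision for one UI action (copy, print, ...). */
int rights_allows(const struct rights *r, unsigned action)
{
    return (r->flags & action) == action;
}

/* Grant 2 reads and attempt 3 opens; returns the number that succeeded (2). */
int rights_open_demo(void)
{
    struct rights r = { R_READ, 2, 0, 0, 0 };
    int ok = 0;
    for (int i = 0; i < 3; i++) ok += rights_open(&r, 100);
    return ok;
}
```

In the patent's design the counters live on the rights server and are fetched at open time, so the same single-step rule (decide and decrement together) belongs on the server side; a client that reads the count, shows the document and writes the decremented value back later lets two concurrent opens both succeed on one remaining read.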

[0077] 3. Complete log auditing. The invention logs in detail every operation a user performs on protected content (open, save, save-as, print, etc.), providing comprehensive log auditing and strong support for after-the-fact investigation and evidence gathering when classified digital content leaks.

[0078] 4. Convenient and efficient management. The management center of the system uses a B/S (browser/server) architecture; web-based management is flexible and convenient and allows the management center to be reached from any host in the deployment environment, giving the administrator a unified interface for configuring and managing the system, verifying user identity at registration, and querying users' detailed operation logs.

Brief description of the drawings

[0079] Figure 1 is a structural diagram of the digital content security protection system of the invention;

[0080] Figure 2 shows the process of encrypting and protecting digital content that requires protection;

[0081] Figure 3 is a structural diagram of the encryption marker;

[0082] Figure 4 shows the process by which a user authorizes and distributes ciphertext;

[0083] Figure 5 is a flowchart of opening digital content;

[0084] Figure 6 is a flowchart of reading ciphertext;

[0085] Figure 7 is a flowchart of writing ciphertext;

[0086] Figure 8 shows the process by which the access control module enforces access control on ciphertext;

[0087] The invention is described in further detail below with reference to the drawings.

Detailed description

[0088] The invention applies to the following operating systems: Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows 2003, Microsoft Windows Vista, etc.; hardware environment: Pentium III CPU and 256 MB of memory or better; application software: Microsoft Office 2000/XP/2003/2007, Adobe Reader, AutoCAD, etc.; applicable development languages: C++, C, C#.

[0089] Referring to Figure 1, a digital content security protection system based on transparent encryption and decryption includes a client and a server, where

[0090] the client includes the following units:

[0091] a transparent encryption/decryption module, which interacts with the communication proxy module, receives the digital content encryption requests that an application sends through the communication proxy module, and encrypts the digital content according to the request; during open, read and write operations it dynamically obtains the required key and rights information from the server through the communication proxy module and dynamically encrypts and decrypts the accessed digital content according to that information;

[0092] an authentication and authorization module, which interacts with the communication proxy module, sends identity authentication requests to the server-side rights server, authenticates the logged-in user according to the identity information the rights server returns, obtains rights information from the rights server, and controls the user according to the identity and rights information; through this module a user can authorize and distribute ciphertext to other users;

[0093] a monitoring module, which interacts with the communication proxy module and records the user's use of the system and operations on digital content; the recorded operation log is sent through the communication proxy module to the server-side rights server and stored in the database so that use of the digital content can be audited and traced;

[0094] An access control module, which interacts with the communication proxy module and, while a user accesses digital content, intercepts the application's open operation on the content and obtains the content's full path from the data structure built by the transparent encryption/decryption module; using that full path it obtains the content ID and the corresponding rights information from the server-side rights server, and controls the user's use of the ciphertext according to the rights information;

[0095] A communication proxy module, which provides the communication connection between the other client modules and the server modules, sends requests and receives the returned responses, carries the data the client and server need, and hides server heterogeneity: if the server changes, only the communication proxy module has to be modified, not the other modules.

[0096] The server provides the system administrator with a convenient, fast, safe and effective management and control center; all client requests are answered through the server-side rights server. The server comprises the following units:

[0097] A management center, which gives the system administrator a unified interface for managing system users, including adding new users, adding user groups, verifying user identity at registration, and viewing users' operation logs on digital content;

[0098] A rights server, which exchanges information with the client modules through the communication proxy, receives the identity authentication requests, rights information requests or key information requests issued by the client modules, fetches data from the database according to the request, and returns the required information to the client modules;

[0099] A database, which stores client identity information, rights information and key information for digital content, and user operation logs;

[0100] The server-side management center and the rights server module each connect to the database; the server and the client exchange information over the connection between the communication proxy module and the rights server module.

[0101] The main interfaces between the above modules are as follows:

[0102] Transparent encryption/decryption - communication proxy interface: used by the transparent encryption/decryption module to send the communication proxy module requests for the rights, keys and other information of a digital content item. Implemented with DeviceIoControl.

[0103] Authentication/authorization - communication proxy interface: used by the authentication and authorization module to send identity authentication messages to the communication proxy module and to obtain file rights information and the like. Implemented with the pipe communication mechanism.

[0104] Monitoring - communication proxy interface: used by the monitoring module to send user operation log information to the communication proxy module; communication is implemented through a COM interface.

[0105] Access control - communication proxy interface: used by the access control module to send requests to the communication proxy module and obtain file rights, client authentication and other information. Communication is implemented through the Windows pipe mechanism.

[0106] Communication proxy - rights server interface: used by the communication proxy module to forward requests from the other client modules, such as requests for file rights information, encryption keys and user operation logs. Communication is carried over an SSL-encrypted channel.

[0107] There is no direct communication between the rights server and the management center; each communicates directly with the server-side database.

[0108] The client connects to the application; communication between the low-level filter driver and the application is implemented with DeviceIoControl.

[0109] In this system, access control for digital content is carried out by the client-side access control module. Important applications (such as Word, Excel and AutoCAD) are controlled by writing COM plug-ins; for software that does not support plug-in development, hook techniques are used to intercept messages. Clipboard copy and paste, drag and drop between programs, OLE data exchange, screenshots and similar channels are all controlled, with two goals. First, data exchange between protected applications and non-classified applications is one-way, in but not out: for example, once a Word document is encrypted, its content cannot be pasted into a non-classified Outlook, or what is pasted comes out as garbage. Second, protected applications can exchange data with each other normally: for example, if Word and Excel are both protected processes, data can be copied from Word and pasted into Excel. Fine-grained access control is achieved in this way. In addition, the COM plug-ins and system hooks have a working-state verification mechanism with the low-level filter driver: once the upper-layer access control and monitoring modules are maliciously modified or damaged, the transparent encryption/decryption service stops automatically.
[0110] Referring to FIG. 2, before any digital content is used it must be encrypted and protected according to its importance. Digital content that does not need protection is plaintext; digital content that needs protection and has been encrypted by the transparent encryption/decryption module is ciphertext. The method by which the digital content security system based on transparent encryption and decryption encrypts and protects digital content comprises the following steps:

[0111] Step 201: the user selects, through an application, the digital content to be encrypted; this may be a single file, several files at once, or an entire folder, and the selection can be made in several ways, such as the right-click menu, drag and drop, or the properties page;

[0112] Step 202: the application sends an encryption request to the communication proxy module;

[0113] Step 203: on receiving the encryption request, the communication proxy module forwards it to the transparent encryption/decryption module;

[0114] Step 204: on receiving the request, the transparent encryption/decryption module stores it in the request list it maintains;

[0115] Step 205: when the application closes, the transparent encryption/decryption module encrypts the digital content the user selected and appends an encryption identifier to the end of the content to distinguish plaintext from ciphertext; at the same time it sends the encryption key through the communication proxy module to the rights server module for storage;

[0116] Step 206: when encryption finishes, the transparent encryption/decryption module writes the ciphertext to disk.

[0117] Referring to FIG. 3, when the transparent encryption/decryption module encrypts a file, the encryption identifier appended to the end of the file consists of the following parts:

[0118] 301: flag, marking whether the content is protected content; 128 bytes;

[0119] 302: content ID, uniquely identifying one item of digital content, made up of three parts: the current time (to the second), the MAC address and a 16-character random sequence; 256 bytes;

[0120] 303: content type, storing the original type of the digital content; for example, a Word document among Office documents is defined as MS001, an Excel document as MS002, and so on; 256 bytes;

[0121] 304: encryption algorithm, storing the type of encryption algorithm used for this content so that the same algorithm is used in subsequent encryption and decryption operations; 256 bytes;

[0122] 305: reserved bytes, leaving room for later extensions; 128 bytes.
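The trailer of fields 301 to 305, written out in C. This is an added example, not code from the patent or its authors: the field order and sizes are the patent's, while the marker string PROTECTED_MARK, the content-ID formatting (timestamp, MAC address in hex and random characters joined by hyphens), the sample MAC address and all other sample values are assumptions made for this example. It also includes the check a filter driver should make on a trailer read back from disk: every field must be NUL-terminated inside its fixed width before it is used as a string, and anything else is treated as plaintext.

```c
/* Added example (not the patent's code): the 1024-byte encryption identifier
 * appended to a ciphertext file, per fields 301-305. Field order and sizes are
 * the patent's; marker string, ID formatting and sample values are assumptions. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TRAILER_FLAG_LEN     128   /* 301: protected-content flag            */
#define TRAILER_ID_LEN       256   /* 302: content ID                        */
#define TRAILER_TYPE_LEN     256   /* 303: original content type, e.g. MS001 */
#define TRAILER_ALGO_LEN     256   /* 304: encryption algorithm type         */
#define TRAILER_RESERVED_LEN 128   /* 305: reserved                          */

struct trailer {                   /* all char arrays: no padding, 1024 bytes */
    char flag[TRAILER_FLAG_LEN];
    char content_id[TRAILER_ID_LEN];
    char content_type[TRAILER_TYPE_LEN];
    char algorithm[TRAILER_ALGO_LEN];
    char reserved[TRAILER_RESERVED_LEN];
};
#define TRAILER_LEN (sizeof(struct trailer))

/* Assumed marker text; the patent only says the flag marks protected content. */
static const char PROTECTED_MARK[] = "PROTECTED-CONTENT-V1";

size_t trailer_len(void) { return TRAILER_LEN; }

/* Content ID (302): time to the second + MAC address + 16 random characters.
 * Separators, the UTC timestamp layout and the hex MAC are this example's choice. */
void make_content_id(char *out, size_t out_len, time_t now,
                     const unsigned char mac[6], const char random16[16])
{
    char stamp[32];
    struct tm *t = gmtime(&now);
    strftime(stamp, sizeof stamp, "%Y%m%d%H%M%S", t);
    snprintf(out, out_len, "%s-%02X%02X%02X%02X%02X%02X-%.16s", stamp,
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5], random16);
}

/* Step 205: append a trailer to a ciphertext buffer of capacity cap.
 * Returns the new length, or 0 if it does not fit. Fields are NUL-padded. */
size_t append_trailer(unsigned char *buf, size_t cap, size_t cipher_len,
                      const char *content_id, const char *content_type,
                      const char *algorithm)
{
    struct trailer tr;
    if (cap < cipher_len + TRAILER_LEN) return 0;
    memset(&tr, 0, sizeof tr);
    /* copying at most len-1 bytes keeps a terminating NUL in every field */
    strncpy(tr.flag, PROTECTED_MARK, sizeof tr.flag - 1);
    strncpy(tr.content_id, content_id, sizeof tr.content_id - 1);
    strncpy(tr.content_type, content_type, sizeof tr.content_type - 1);
    strncpy(tr.algorithm, algorithm, sizeof tr.algorithm - 1);
    memcpy(buf + cipher_len, &tr, sizeof tr);
    return cipher_len + TRAILER_LEN;
}

/* A trailer comes straight from disk; a field is only usable as a string if it
 * is NUL-terminated inside its fixed width. */
static int field_terminated(const char *f, size_t n)
{
    return memchr(f, '\0', n) != NULL;
}

/* Step 503: inspect the tail of the file. Returns 1 and fills *out when a
 * valid trailer is present, 0 for plaintext or a malformed tail. */
int parse_trailer(const unsigned char *buf, size_t len, struct trailer *out)
{
    if (len < TRAILER_LEN) return 0;
    memcpy(out, buf + len - TRAILER_LEN, TRAILER_LEN);
    if (!field_terminated(out->flag, TRAILER_FLAG_LEN) ||
        !field_terminated(out->content_id, TRAILER_ID_LEN) ||
        !field_terminated(out->content_type, TRAILER_TYPE_LEN) ||
        !field_terminated(out->algorithm, TRAILER_ALGO_LEN))
        return 0;
    return strcmp(out->flag, PROTECTED_MARK) == 0;
}

/* Constructed round trip: 64 stand-in ciphertext bytes get a trailer, which is
 * then detected and stripped. Returns the body length (64), or -1 on failure. */
int demo_trailer_roundtrip(void)
{
    unsigned char file[64 + 1024];
    const unsigned char mac[6] = {0x00, 0x1A, 0x2B, 0x3C, 0x4D, 0x5E}; /* constructed */
    char id[TRAILER_ID_LEN];
    struct trailer tr;
    size_t total;

    memset(file, 0xAB, 64);                       /* stand-in for ciphertext bytes */
    /* 1257984000 = 2009-11-12 00:00:00 UTC; the random part is fixed for the demo */
    make_content_id(id, sizeof id, (time_t)1257984000, mac, "0123456789abcdef");
    total = append_trailer(file, sizeof file, 64, id, "MS001", "ALG-EXAMPLE");
    if (total != 64 + TRAILER_LEN) return -1;
    if (!parse_trailer(file, total, &tr)) return -1;
    if (strcmp(tr.content_id, "20091112000000-001A2B3C4D5E-0123456789abcdef")) return -1;
    if (strcmp(tr.content_type, "MS001")) return -1;
    return (int)(total - TRAILER_LEN);            /* body = everything before the trailer */
}

/* A file too short to hold a trailer, and one whose tail has no NUL at all,
 * must both be treated as plaintext. Returns 1 when both are rejected. */
int demo_plaintext_rejected(void)
{
    unsigned char small[16] = "hello";
    unsigned char junk[2048];
    struct trailer tr;
    memset(junk, 'x', sizeof junk);
    return parse_trailer(small, sizeof small, &tr) == 0 &&
           parse_trailer(junk, sizeof junk, &tr) == 0;
}
```

The trailer carries no integrity protection in the patent's description, so parse_trailer only checks well-formedness; anything that decides rights from content_id still has to fetch them from the rights server, as step 504 does.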

[0123] Referring to FIG. 4, a method of authorizing and distributing ciphertext in the digital content security system based on transparent encryption and decryption comprises the following steps:

[0124] Step 401: the user selects protected content through an application;

[0125] Step 402: through the application, the user selects the users to be authorized and the rights to grant, and sends an authorization request to the authentication and authorization module;

[0126] Step 403: the authentication and authorization module receives the authorization request and, through the communication proxy module, sends a rights update request to the server-side rights server, in which the new rights are combined with the existing rights by intersection or union; the rights server updates the user's rights information and returns the result;

[0127] Step 404: the authentication and authorization module receives the returned result, and the protected file is distributed to the authorized users by USB drive, e-mail, network share or similar means; after receiving the file, the users use it according to the rights granted.

[0128] In Windows NT systems, access to digital content and devices begins with IRP_MJ_CREATE at the driver layer and ends with IRP_MJ_CLOSE. To avoid data leakage through the system cache, the cache is flushed in both the IRP_MJ_CREATE and the IRP_MJ_CLOSE handlers. IRP_MJ_READ and IRP_MJ_WRITE correspond to the application's read and write requests, and the data being read or written is carried in the IRP (I/O Request Packet, a fixed-format structure that the I/O manager builds from the request issued by the application). Transparent encryption and decryption is performed during the system's open, read and write operations: the upper-layer application issues the corresponding read or write requests, the transparent encryption/decryption module filters out the application's cached read and write requests and acts only on non-cached ones, and it decides whether a request is non-cached by testing whether the IRP_NOCACHE or IRP_PAGING_IO flag is set on the request.

[0129] The dynamic encryption and decryption method of the digital content security system based on transparent encryption and decryption is carried out during the open, read and write operations on digital content, wherein:

[0130] Referring to FIG. 5, the process of opening digital content comprises the following steps:

[0131] Step 501: the user selects, through an application, the protected digital content to open;

[0132] Step 502: the application sends an IRP_MJ_CREATE request to the transparent encryption/decryption module;

[0133] Step 503: after intercepting the IRP_MJ_CREATE request, the transparent encryption/decryption module builds an IRP to query whether the end of the digital content carries an encryption flag. If it does, the file is ciphertext: the module builds a data structure recording the file's information so that plaintext and ciphertext can be distinguished in all subsequent operations on open digital content, flushes the system cache, and proceeds to step 504. If there is no encryption identifier, the file is not ciphertext and the process jumps to step 506. The data structure built by the transparent encryption/decryption module comprises the following parts:

[0134] 1) ListEntry, a Windows kernel linked-list entry;

[0135] 2) FsContext, actually a pointer to the file control block (FCB) of the digital content, which uniquely identifies it;

[0136] 3) Pid, the ID of the process accessing the digital content;

[0137] 4) FilePath, storing the full path of the digital content;

[0138] Step 504: the transparent encryption/decryption module reads the content ID from the ciphertext's encryption identifier and, using that content ID, obtains the user's rights information and key information for this ciphertext from the rights server through the communication proxy. From the user's rights information it determines whether the user is allowed to open the content; if so, it decrypts the content with the corresponding key and proceeds to step 505; otherwise it does not decrypt, and the application informs the user that they are not permitted to open it;

[0139] Step 505: the access control module obtains the digital content's rights information from the rights server through the communication proxy and enforces fine-grained control according to it, including the availability of menus and buttons, and control of clipboard copy and paste, drag and drop between programs, OLE data exchange, and screenshots;

[0140] Step 506: the digital content is displayed to the user.

[0141] Referring to FIG. 6, a read operation on ciphertext comprises the following steps:

[0142] Step 601: the application sends an IRP_MJ_READ request to the low-level filter driver;

[0143] Step 602: after receiving the IRP_MJ_READ request, the transparent encryption/decryption module checks whether Irp->Flags contains IRP_NOCACHE or IRP_PAGING_IO; if so it proceeds to step 603; otherwise it performs no processing and hands the request down unchanged through the default pass-through function PassThroughLowerDriver;

[0144] Step 603: the Buffer pointer carried by the read IRP is saved, and a SwapBuffer of the same size as Buffer is allocated;

[0145] Step 604: the original Buffer is replaced with the SwapBuffer, the completion routine ReadProcCompletion is set, and the module waits for the result returned by the filter driver below;

[0146] Step 605: the completion routine is activated; the transparent encryption/decryption module decrypts the data in the SwapBuffer with the key and copies the decrypted data into the original Buffer;

[0147] Step 606: the IRP buffer pointers Irp->MdlAddress and Irp->UserBuffer are restored;

[0148] Step 607: the decrypted digital content is displayed to the user.

[0149] Referring to FIG. 7, a write operation on ciphertext comprises the following steps:

[0150] Step 701: the application sends an IRP_MJ_WRITE request;

[0151] Step 702: the transparent encryption/decryption module intercepts the IRP_MJ_WRITE request and checks whether Irp->Flags contains IRP_NOCACHE or IRP_PAGING_IO; if so it proceeds to step 703; otherwise it calls PassThroughLowerDriver(Irp), performs no processing, and returns directly;

[0152] Step 703: the Buffer pointer carried by the write IRP is saved, and a SwapBuffer of the same size is allocated;

[0153] Step 704: the data in Buffer is encrypted and the encrypted data is copied into the SwapBuffer;

[0154] Step 705: the original Buffer is replaced with the SwapBuffer, the completion routine (WriteProcCompletion) is set, and the module waits for the result returned by the filter driver below, such as whether the write succeeded and how many bytes were written;

[0155] Step 706: the completion routine is activated, and the IRP buffer pointers Irp->MdlAddress and Irp->UserBuffer are restored;

[0156] Step 707: the system saves the encrypted digital content to the computer's disk.

[0157] In the read and write processes described above, all encryption and decryption is done in the SwapBuffer: the data buffer carried by the original IRP holds plaintext, while everything read from or written to disk is ciphertext. This both ensures that plaintext data never lands on disk and avoids conflicts with the application's own handling of its data.
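A user-mode model of the read path (steps 601 to 607) and the write path (steps 701 to 707), as an added example that is not the patent's driver code. The IRP and the lower driver are simplified stand-ins, IRP_NOCACHE and IRP_PAGING_IO carry the values the WDK defines for Irp->Flags, and the XOR keystream is a placeholder that only makes the buffer handling visible, not a cipher anyone should use. The key and the sample text are constructed for the example.

```c
/* Added example (not the patent's driver): user-mode model of the SwapBuffer
 * read/write path. IRP and lower driver are stand-ins; the XOR keystream is a
 * placeholder for "the algorithm named in field 304", not a real cipher. */
#include <stdlib.h>
#include <string.h>

#define IRP_NOCACHE   0x00000001u   /* WDK value: non-cached I/O                */
#define IRP_PAGING_IO 0x00000002u   /* WDK value: paging I/O from the cache manager */

struct irp {                 /* stand-in for the kernel IRP                     */
    unsigned flags;          /* Irp->Flags                                      */
    unsigned char *buffer;   /* stand-in for Irp->UserBuffer / Irp->MdlAddress  */
    size_t length;           /* bytes requested                                 */
    size_t offset;           /* file offset of the request                      */
};

struct disk { unsigned char data[256]; };   /* simulated on-disk file */

/* Placeholder keystream keyed by file offset so that partial reads at any
 * offset decrypt correctly; XOR makes encrypt and decrypt the same routine. */
static void xor_keystream(unsigned char *buf, size_t len, size_t offset,
                          const unsigned char *key, size_t key_len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[(offset + i) % key_len];
}

/* The driver below us: moves bytes between irp->buffer and the "disk". */
static int lower_read(struct disk *d, struct irp *irp)
{
    if (irp->offset + irp->length > sizeof d->data) return -1;
    memcpy(irp->buffer, d->data + irp->offset, irp->length);
    return 0;
}
static int lower_write(struct disk *d, struct irp *irp)
{
    if (irp->offset + irp->length > sizeof d->data) return -1;
    memcpy(d->data + irp->offset, irp->buffer, irp->length);
    return 0;
}

/* Steps 602-606: cached requests pass through; non-cached/paging requests are
 * redirected into a SwapBuffer, decrypted in the completion routine, copied
 * back to the caller's buffer, and the IRP pointer is restored. */
int filter_read(struct disk *d, struct irp *irp, const unsigned char *key, size_t key_len)
{
    if (!(irp->flags & (IRP_NOCACHE | IRP_PAGING_IO)))
        return lower_read(d, irp);               /* PassThroughLowerDriver       */
    unsigned char *orig = irp->buffer;           /* step 603: save pointer       */
    unsigned char *swap = malloc(irp->length);
    if (!swap) return -1;
    irp->buffer = swap;                          /* step 604: swap buffer        */
    int rc = lower_read(d, irp);                 /* ciphertext lands in swap     */
    if (rc == 0) {                               /* step 605: ReadProcCompletion */
        xor_keystream(swap, irp->length, irp->offset, key, key_len);
        memcpy(orig, swap, irp->length);
    }
    irp->buffer = orig;                          /* step 606: restore pointer    */
    free(swap);
    return rc;
}

/* Steps 702-706: encrypt a copy into the SwapBuffer before sending the request
 * down, so the application's buffer is untouched and only ciphertext hits disk. */
int filter_write(struct disk *d, struct irp *irp, const unsigned char *key, size_t key_len)
{
    if (!(irp->flags & (IRP_NOCACHE | IRP_PAGING_IO)))
        return lower_write(d, irp);              /* PassThroughLowerDriver       */
    unsigned char *orig = irp->buffer;           /* step 703                     */
    unsigned char *swap = malloc(irp->length);
    if (!swap) return -1;
    memcpy(swap, orig, irp->length);             /* step 704: encrypt the copy   */
    xor_keystream(swap, irp->length, irp->offset, key, key_len);
    irp->buffer = swap;                          /* step 705                     */
    int rc = lower_write(d, irp);
    irp->buffer = orig;                          /* step 706                     */
    free(swap);
    return rc;
}

/* Constructed round trip. Returns 1 if the app buffer is still plaintext after
 * a non-cached write, the disk does not hold the plaintext, and a paging read
 * of 8 bytes at offset 10 comes back decrypted. */
int demo_filter_roundtrip(void)
{
    static const unsigned char key[] = "example-key-not-secret";   /* constructed */
    const size_t klen = sizeof key - 1;
    unsigned char app[] = "plaintext never reaches the disk";    /* 32 bytes     */
    unsigned char app_copy[sizeof app], back[8];
    struct disk d;
    struct irp w = { IRP_NOCACHE, app, sizeof app - 1, 0 };
    struct irp r = { IRP_PAGING_IO, back, 8, 10 };                 /* "never re"   */

    memset(&d, 0, sizeof d);
    memcpy(app_copy, app, sizeof app);
    if (filter_write(&d, &w, key, klen) != 0) return 0;
    if (memcmp(app, app_copy, sizeof app) != 0) return 0;     /* app buffer untouched */
    if (memcmp(d.data, app, sizeof app - 1) == 0) return 0;   /* disk is not plaintext */
    if (filter_read(&d, &r, key, klen) != 0) return 0;
    return memcmp(back, app + 10, 8) == 0;
}

/* A request with neither flag is handed down untouched: in this model that
 * returns the raw disk bytes. Returns 1 when the filter really did nothing. */
int demo_cached_passthrough(void)
{
    static const unsigned char key[] = "example-key-not-secret";
    unsigned char raw[4];
    struct disk d;
    struct irp r = { 0, raw, 4, 0 };
    memset(&d, 0x5A, sizeof d);                  /* constructed disk contents */
    if (filter_read(&d, &r, key, sizeof key - 1) != 0) return 0;
    return memcmp(raw, d.data, 4) == 0;
}
```

In the real kernel a cached read is satisfied by the cache manager, which fills the cache through paging I/O that carries IRP_PAGING_IO and therefore does pass through the decrypt branch; that is why the filter must handle paging I/O but leave cached requests alone, or data would be decrypted twice.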

[0158] Further, when the open digital content includes ciphertext, step 503 also includes the following: when a ciphertext file is opened, the transparent encryption/decryption module creates a new file node for it, and the kernel linked-list entry (ListEntry) in the data structure links the file nodes of all open ciphertext files into a list, so that plaintext and ciphertext among the open content can be told apart; when a ciphertext file is closed, its node is removed.

[0159] Referring to FIG. 8, the process in step 505 by which the access control module obtains the corresponding rights information from the rights server through the communication proxy and enforces fine-grained control according to it comprises the following steps:

[0160] Step 801: the user opens protected digital content through an application, and the application sends an open request for the content;

[0161] Step 802: the access control module intercepts the application's open request and obtains the content's full path from the data structure built by the transparent encryption/decryption module;

[0162] Step 803: using the full path, the access control module sends a request to the rights server through the communication proxy, and the rights server returns the content ID and the corresponding rights information;

[0163] Step 804: the access control module enforces fine-grained control according to the rights information obtained, including the availability of menus and buttons, and control of clipboard copy and paste, drag and drop between programs, OLE data exchange, screenshots and the like.

[0164] To provide both prevention beforehand and tracing afterwards, the client-side monitoring module keeps a detailed operation log of every key operation the user performs (such as open, save, save as and print); all logged operation information can be queried through the server-side management center.
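An added example, not the patent's code, of the rights handling in step 403 (combining newly granted rights with existing ones by intersection or union), the per-operation checks of steps 505 and 804, and the one-way data-exchange rule of paragraph [0109]. The bit assignments, the rule that a grantor cannot delegate rights they do not themselves hold, and the requirement that RIGHT_OPEN accompany every other right are assumptions of this example.

```c
/* Added example (not the patent's code): rights merging (step 403), per-operation
 * checks (steps 505/804) and the one-way clipboard rule of [0109]. Bit values,
 * the grantor cap and the "open is required" rule are assumptions. */

enum right {                          /* one bit per controllable operation */
    RIGHT_OPEN       = 1u << 0,
    RIGHT_SAVE       = 1u << 1,       /* save / save as                     */
    RIGHT_PRINT      = 1u << 2,
    RIGHT_CLIPBOARD  = 1u << 3,       /* copy and paste                     */
    RIGHT_DRAG_OLE   = 1u << 4,       /* drag and drop, OLE data exchange   */
    RIGHT_SCREENSHOT = 1u << 5
};
#define RIGHT_ALL (RIGHT_OPEN | RIGHT_SAVE | RIGHT_PRINT | RIGHT_CLIPBOARD | \
                   RIGHT_DRAG_OLE | RIGHT_SCREENSHOT)

enum merge_mode { MERGE_INTERSECT, MERGE_UNION };

/* Step 403 on the rights server: combine the requested grant with the rights
 * the target user already holds. Intersection can only narrow, union can only
 * widen, and (assumption) the result never exceeds what the grantor holds. */
unsigned update_rights(unsigned existing, unsigned requested, unsigned grantor,
                       enum merge_mode mode)
{
    unsigned merged = (mode == MERGE_INTERSECT) ? (existing & requested)
                                                : (existing | requested);
    return merged & grantor & RIGHT_ALL;
}

/* Steps 504/804: may this single operation proceed? Every other right presumes
 * the content can be opened, so without RIGHT_OPEN nothing is allowed. */
int operation_allowed(unsigned rights, enum right op)
{
    if (!(rights & RIGHT_OPEN)) return 0;
    return (rights & (unsigned)op) == (unsigned)op;
}

/* [0109]: data may flow from a non-protected process into a protected one and
 * between protected processes, never out of a protected process into a
 * non-protected one. A protected source must also hold the clipboard right. */
int clipboard_transfer_allowed(int src_protected, unsigned src_rights, int dst_protected)
{
    if (!src_protected) return 1;        /* e.g. Outlook -> Word: inbound is fine */
    if (!dst_protected) return 0;        /* e.g. Word -> Outlook: blocked        */
    return operation_allowed(src_rights, RIGHT_CLIPBOARD);   /* Word -> Excel   */
}
```

The access control module applies the same decision to menu and button state: an operation whose bit is missing is greyed out rather than intercepted after the fact, and the monitoring module logs the attempt either way.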

Claims (7)

  1. A digital content security system based on transparent encryption and decryption, consisting of a client and a server, characterized in that: the client comprises: a transparent encryption/decryption module, which interacts with the communication proxy module, receives the digital content encryption requests that applications send through the communication proxy module, and encrypts the digital content according to the request; during open, read and write operations it dynamically obtains the required keys and rights information from the server through the communication proxy module, and uses this information to dynamically encrypt and decrypt the digital content being accessed; an authentication and authorization module, which interacts with the communication proxy module, sends identity authentication requests to the server-side rights server, authenticates the logged-in user against the identity information the rights server returns, obtains rights information from the rights server at the same time, and controls the user according to the identity and rights information; a user can use the authentication and authorization module to authorize and distribute ciphertext to other users; a monitoring module, which interacts with the communication proxy module, records the user's use of the system and operations on digital content, and passes the recorded operation log through the communication proxy module to the server-side rights server for storage in the database, so that use of the digital content can be audited and traced; an access control module, which interacts with the communication proxy module and, while a user accesses digital content, intercepts the application's open operation on the content, obtains the content's full path from the data structure built by the transparent encryption/decryption module, uses that full path to obtain the content ID and the corresponding rights information from the server-side rights server, and controls the user's use of the ciphertext according to the rights information; a communication proxy module, which provides the communication connection between the other client modules and the server modules, sends requests and receives the returned responses, carries the data the client and server need, hides server heterogeneity, and supports offline use of the system; the server comprises: a management center, which gives the system administrator a unified interface for managing system users, including adding new users, adding user groups, verifying user identity at registration, and viewing users' operation logs on digital content; a rights server, which exchanges information with the client modules through the communication proxy, receives the identity authentication requests, rights information requests or key information requests issued by the client modules, fetches data from the database according to the request, and returns the required information to the client modules; a database, which stores client identity information, rights information and key information for digital content, and user operation logs; the server-side management center and rights server each connect to the database, and the server and the client are connected through the communication proxy module and the rights server.
  2. A method of encrypting and protecting digital content with the digital content security system based on transparent encryption and decryption of claim 1, characterized in that the method comprises the following steps: step 201: the user selects, through an application, the digital content to be encrypted, which may be a single file, several files at once, or an entire folder; step 202: the application sends an encryption request to the communication proxy module; step 203: on receiving the encryption request, the communication proxy module forwards it to the transparent encryption/decryption module; step 204: on receiving the request, the transparent encryption/decryption module stores it in the request list it maintains; step 205: when the application closes, the transparent encryption/decryption module encrypts the digital content the user selected and appends an encryption identifier to the end of the content to distinguish plaintext from ciphertext, and at the same time sends the encryption key through the communication proxy module to the rights server for storage; step 206: when encryption finishes, the transparent encryption/decryption module writes the ciphertext to disk.
  3. The method of claim 2, characterized in that the encryption identifier consists of the following parts: 301. a flag, marking whether the content is protected content, 128 bytes; 302. a content ID, uniquely identifying one item of digital content and made up of three parts, the current time (to the second), the MAC address and a 16-character random sequence, 256 bytes; 303. a content type, storing the original type of the digital content, for example a Word document among Office documents is defined as MS001 and an Excel document as MS002, 256 bytes; 304. an encryption algorithm, storing the type of encryption algorithm used for this content so that the same algorithm is used in subsequent encryption and decryption operations, 256 bytes; 305. reserved bytes, leaving room for later extensions, 128 bytes.
  4. A method of authorizing and distributing ciphertext with the digital content security system based on transparent encryption and decryption of claim 1, characterized in that it comprises the following steps: step 401: the user selects protected content through an application; step 402: through the application, the user selects the users to be authorized and the rights information, and sends an authorization request to the authentication and authorization module; step 403: the authentication and authorization module receives the authorization request and, through the communication proxy module, sends a rights update request to the server-side rights server, in which the new rights are combined with the existing rights by intersection or union; the rights server updates the user's rights information and returns the result; step 404: the authentication and authorization module receives the returned result, and the protected digital content is distributed to the authorized users by USB drive, e-mail, network share or similar means; after receiving the digital content, the users use it according to the rights granted.
5. A dynamic encryption and decryption method for the digital content safeguard system based on transparent encryption and decryption according to claim 1, characterized in that the dynamic encryption and decryption method is carried out during the open, read and write operations on digital content, wherein:

The process of opening digital content comprises the following steps: Step 501: the user selects, through the application program, the protected digital content to be opened; Step 502: the application program sends an IRP_MJ_CREATE request to the transparent encryption and decryption module; Step 503: after intercepting the IRP_MJ_CREATE request, the transparent encryption and decryption module constructs an IRP to query whether the tail of the digital content carries an encryption flag; if it does, the digital content is ciphertext, so a data structure is constructed to record the information related to this file, so that plaintext and ciphertext can be distinguished in all subsequent operations on opened digital content; the system cache is then flushed and the process jumps to Step 504; if there is no encryption flag, the content is not ciphertext and the process jumps to Step 506; the data structure constructed by the transparent encryption and decryption module comprises the following parts: 1) ListEntry, a Windows kernel linked-list structure; 2) FsContext, which is in fact a pointer to the file control block (FCB) of the digital content and uniquely identifies that digital content; 3) Pid, the ID of the process accessing the digital content; 4) FilePath, which stores the full path of the digital content; Step 504: the transparent encryption and decryption module obtains the content ID from the encryption flag of the ciphertext and, based on that content ID, obtains the user's permission information and key information for the ciphertext from the permission server through the communication proxy; it then judges from the user's permission information whether the user is permitted to open the content; if so, it decrypts the content with the corresponding key and proceeds to Step 505; otherwise the content is not decrypted and the application program informs the user that they have no permission to open it; Step 505: the access control module obtains the permission information for the digital content from the permission server through the communication proxy and enforces fine-grained permission control according to it, including the availability of menus and buttons and the control of clipboard copy and paste, drag-and-drop between programs, OLE data exchange and screen capture; Step 506: the digital content is displayed to the user.

The read operation on ciphertext comprises the following steps: Step 601: the application program sends an IRP_MJ_READ request to the underlying filter driver; Step 602: after the transparent encryption and decryption module intercepts the IRP_MJ_READ request, it checks whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO; if so, Step 603 is executed; otherwise the transparent encryption and decryption module does no processing and instead calls the operating system's default handler, PassThroughLowerDriver; Step 603: the Buffer pointer carried by the read IRP is saved, and a SwapBuffer of the same size as the Buffer is allocated; Step 604: the original Buffer is replaced with the SwapBuffer, the completion routine ReadProcCompletion is set, and the module waits for the result returned by the filter driver's processing; Step 605: when the completion routine is activated, the transparent encryption and decryption module decrypts the data in the SwapBuffer with the key and copies the decrypted data into the original Buffer; Step 606: the IRP buffer pointers Irp->MdlAddress and Irp->UserBuffer are restored; Step 607: the decrypted digital content is displayed to the user.

The write operation on ciphertext comprises the following steps: Step 701: the application program sends an IRP_MJ_WRITE request; Step 702: the transparent encryption and decryption module intercepts the IRP_MJ_WRITE request and checks whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO; if so, Step 703 is executed; otherwise PassThroughLowerDriver(Irp) is called, and the transparent encryption and decryption module does no processing and returns directly; Step 703: the Buffer pointer carried by the write IRP is saved and a SwapBuffer of the same size is allocated; Step 704: the data in the Buffer is encrypted and the encrypted data is copied into the SwapBuffer; Step 705: the original Buffer is replaced with the SwapBuffer, the completion routine (WriteProcCompletion) is set, and the module waits for the result returned by the underlying filter driver's processing; Step 706: when the completion routine is activated, the IRP buffer pointers Irp->MdlAddress and Irp->UserBuffer are restored; Step 707: the system saves the encrypted digital content to the computer's disk.
6. The method according to claim 5, characterized in that, when ciphertext is among multiple opened digital contents, Step 503 further comprises the following step: when a ciphertext is opened, the transparent encryption and decryption module creates a new file node for it, and the kernel linked-list structure (ListEntry) in the data structure chains the file nodes of all opened ciphertexts into a linked list, so as to distinguish plaintext from ciphertext among the opened digital contents; when the ciphertext is closed, its node is deleted.
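The open/read path of claims 5 and 6 (the tail-flag check on create, the per-file context list that is unlinked on close, and the swap-buffer decryption applied only to IRP_NOCACHE/IRP_PAGING_IO reads), as an added user-mode model in C. This is not the patent's driver code; the tail layout, the flag bit values, the function names and the XOR keystream are constructed assumptions.

```c
/* User-mode model of the open/read path in claims 5 and 6. Added example, not the patent's
 * driver: the tail layout, the flag bit values and the XOR keystream are constructed stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IRP_NOCACHE   0x00000001u   /* constructed bit values; the real ones live in ntifs.h */
#define IRP_PAGING_IO 0x00000002u
#define TAIL_MAGIC    "ENC1"        /* constructed 8-byte tail: 4-byte magic + 4-byte content ID */
#define TAIL_LEN      8
typedef struct { uint32_t Flags; uint8_t *UserBuffer; size_t Length; size_t Offset; } Irp;

/* Per-open record, chained like the claimed ListEntry/FsContext/Pid/FilePath structure. */
typedef struct FileCtx {
    struct FileCtx *Next; const void *FsContext; int Pid; char FilePath[64]; uint32_t ContentId;
} FileCtx;
static FileCtx *g_open_ciphertexts;      /* head of the list of currently opened ciphertexts */

/* Step 503: inspect the tail. Ciphertext gets a context node; plaintext gets none (NULL). */
FileCtx *on_create(const void *fscb, int pid, const char *path, const uint8_t *img, size_t len) {
    if (len < TAIL_LEN || memcmp(img + len - TAIL_LEN, TAIL_MAGIC, 4) != 0) return NULL;
    FileCtx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->FsContext = fscb; c->Pid = pid;
    strncpy(c->FilePath, path, sizeof c->FilePath - 1);
    memcpy(&c->ContentId, img + len - 4, 4);   /* step 504 takes the content ID from here */
    c->Next = g_open_ciphertexts; g_open_ciphertexts = c;
    return c;
}

/* Later IRPs consult the list: no node means plaintext, so the IRP passes through. */
FileCtx *find_ctx(const void *fscb) {
    for (FileCtx *c = g_open_ciphertexts; c; c = c->Next) if (c->FsContext == fscb) return c;
    return NULL;
}

/* Claim 6: on close the node is unlinked, so the file is no longer treated as ciphertext. */
void on_close(const void *fscb) {
    for (FileCtx **p = &g_open_ciphertexts; *p; p = &(*p)->Next)
        if ((*p)->FsContext == fscb) { FileCtx *d = *p; *p = d->Next; free(d); return; }
}

/* Toy position-dependent keystream standing in for the real cipher keyed per content ID. */
void xor_bytes(uint8_t *buf, size_t n, size_t off, uint8_t key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= (uint8_t)(key + off + i);
}
/* Steps 602-606. Only non-cached or paging reads are transformed; a cached read is passed
 * through (standard filter-driver rationale, not spelled out in the claim: the cache manager
 * re-issues it as paging I/O, which then reaches this path and is decrypted exactly once).
 * Returns 1 when the data was decrypted into the caller's buffer, 0 when passed through. */
int on_read(Irp *irp, const void *fscb, const uint8_t *disk, uint8_t key) {
    if (!find_ctx(fscb) || !(irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO))) {
        memcpy(irp->UserBuffer, disk + irp->Offset, irp->Length); /* PassThroughLowerDriver */
        return 0;
    }
    uint8_t *saved = irp->UserBuffer;                  /* step 603: keep the original pointer */
    uint8_t *swap = malloc(irp->Length);               /*           and allocate a SwapBuffer  */
    if (!swap) return -1;
    irp->UserBuffer = swap;                            /* step 604: the lower driver fills swap */
    memcpy(swap, disk + irp->Offset, irp->Length);     /*           (modelled here)             */
    xor_bytes(swap, irp->Length, irp->Offset, key);    /* step 605: ReadProcCompletion decrypts */
    memcpy(saved, swap, irp->Length);                  /*           into the caller's buffer    */
    irp->UserBuffer = saved;                           /* step 606: restore the IRP pointer     */
    free(swap);
    return 1;
}
```

The write path (steps 702-706) is the mirror image: encrypt into the SwapBuffer before handing the IRP down, then restore the pointers in WriteProcCompletion.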
7. The method according to claim 5, characterized in that, in Step 505, the process by which the access control module obtains the corresponding permission information from the permission server through the communication proxy and enforces fine-grained permission control according to it comprises the following steps: Step 801: the user opens the protected digital content through the application program, and the application program sends an open request for the content; Step 802: the access control module intercepts the application program's open request and obtains the full path of the digital content from the data structure constructed by the transparent encryption and decryption module; Step 803: based on the full path of the digital content, the access control module sends a request to the permission server through the communication proxy, and the permission server returns the content ID of the digital content and the corresponding permission information; Step 804: the access control module enforces fine-grained permission control according to the obtained permission information, including the availability of menus and buttons and the control of clipboard copy and paste, drag-and-drop between programs, OLE data exchange, screen capture and the like.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910218880 CN101729550B (en) 2009-11-09 2009-11-09 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof

Publications (2)

Publication Number Publication Date
CN101729550A (en) 2010-06-09
CN101729550B (en) 2012-07-25

Family

ID=42449751

Country Status (1)

Country Link
CN (1) CN101729550B (en)

Also Published As

Publication number Publication date Type
CN101729550B (en) 2012-07-25 grant

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
EXPY Termination of patent right or utility model