Summary of the invention
The technical problem addressed by this invention is to provide an information security protection system for mobile electronic devices that lets employees work overtime normally, whether inside the intranet or away from it, while also, under defined conditions, allowing them to use the notebook computer for private matters or entertainment.
The invention further provides an information security protection method for mobile electronic devices with the same goal: employees can work overtime normally inside or outside the intranet and, under defined conditions, can still use the notebook computer for private matters or entertainment.
To solve the above technical problem, the invention adopts the following technical scheme:
An information security protection system for mobile electronic devices, the system comprising a management center, an encryption and authentication unit installed in the mobile electronic device, and an authentication tool that is connected to the mobile electronic device when in use;
the authentication tool holds the user's identity information and usage-rights information;
the management center sets the usage rights of each user's authentication tool and writes those rights into the corresponding authentication tool;
the encryption and authentication unit comprises:
- a file encryption module, which performs file encryption operations and applies encryption protection to designated files;
- a file decryption module, which automatically decrypts files into memory in the background without changing the encrypted state of the file on disk;
- an internal authentication module, which sends requests to, and obtains commands from, the management center or the authentication tool, and allows a user who holds usage rights to use encrypted files; a user without usage rights cannot use encrypted files but can still use unencrypted files.
In a preferred version of the invention, when the mobile electronic device is connected to the management center, the management center controls the encryption and authentication unit of the device;
when the mobile electronic device is not connected to the management center, the information security protection system checks whether a valid authentication tool is connected; if so, the authentication tool controls the encryption and authentication unit of the device and the corresponding user is allowed to use encrypted files; if not, encrypted files cannot be used, but unencrypted files can.
In a preferred version of the invention, the encryption and authentication unit further comprises a logger module, which records the user's file operations on the mobile electronic device, including create, copy, move, rename and delete operations.
In a preferred version of the invention, the management center comprises:
a user management module, which applies different settings to users or user groups so that, through centralized management, the administrator can formulate differentiated policies in real time;
a user identification module, which collects user information online, verifies the user's identity and issues policy information to the designated user;
an authentication tool management module, which sets authentication tool usage rights for the user, the rights including usage time and decryption, and which can export the settings as a target file;
a log query and management module, which queries and manages the administrator's system settings and user management operations, authorization operations, and the user's file operations on the mobile electronic device.
In a preferred version of the invention, the user authentication tool comprises:
an identification module, which matches the user name embedded inside the tool against the name of the encryption and authentication unit client, establishing a one-to-one correspondence;
a permission control module, which controls use of the client according to the usage period and permission settings written inside the tool.
An information security protection method for the above information security protection system, the method comprising the following steps:
the file encryption and decryption step: the file encryption module performs file encryption operations and applies encryption protection to designated files; the file decryption module automatically decrypts files into memory in the background without changing the encrypted state of the file on disk;
the permission setting step: the management center sets the usage rights of each user's authentication tool and writes those rights into the corresponding authentication tool;
when the mobile electronic device is connected to the management center, the management center controls the encryption and authentication unit of the device;
when the mobile electronic device is not connected to the management center, the information security protection system checks whether a valid authentication tool is connected; if so, the authentication tool controls the encryption and authentication unit of the device and the corresponding user is allowed to use encrypted files; if not, encrypted files cannot be used, but unencrypted files can.
In a preferred version of the invention, when the mobile electronic device is inside the designated LAN and connected to the management center, only forced encryption is possible: the designated confidential files that the user handles in the designated LAN must be force-encrypted. The management center is located on a server. The steps are as follows:
the mobile electronic device joins the designated LAN by legitimate means, ensuring normal communication with the server;
the encryption and authentication unit of the mobile electronic device sends verification information to the management center and is verified by the server;
if the mobile electronic device passes verification, it can use the encrypted files in the designated LAN normally; if verification fails, it cannot use the encrypted files in the designated LAN;
the user operates normally; files are encrypted when saved, and at the same time a log of the user's file operations in the designated LAN is kept.
In a preferred version of the invention, the administrator logs into the console of the management center to authorize users who need authorization. The specific steps are as follows:
the administrator logs into the management center; the system verifies the administrator's identity and the operating scope of the administrator's authority;
the administrator selects the user who needs authorization and sets the user's usage time and operating rights;
the system checks whether the user is currently using an authentication tool; if the authentication tool has not expired, the settings are exported as a target file; if the authentication tool has expired, or the user is not using one, the administrator is prompted to insert an authentication tool and the settings are written into it;
the administrator sends the target file or the authentication tool to the user of the mobile electronic device, and a detailed record of the authorization is kept.
In a preferred version of the invention, when the user takes the mobile electronic device out of the office, the system determines the user's intended task and opens the corresponding permissions. The specific steps are as follows:
the user turns on the mobile electronic device and opens the encryption software (encryption and authentication unit) client program normally;
the client checks whether a usable authentication tool is connected to the mobile electronic device and, if so, reads its information; if not, the user is not allowed to use encrypted files, and the files the user works on are guaranteed not to be placed under encryption protection;
the client judges from the authentication tool information it has read whether the usage period and permissions are within the allowed range; if so, the user reads and operates confidential files normally; if not, the user is prompted to apply to the administrator for renewed authorization, and the client enters the mode in which encrypted files cannot be used;
after entering the mode in which encrypted files can be used, the program records the user's file operations normally and applies encryption protection to files.
The beneficial effect of the invention is that the proposed information security protection system and method for mobile electronic devices let employees work overtime normally inside or outside the intranet and, under defined conditions, still use the notebook computer for private matters or entertainment. When the user's period for using the encryption software outside the office exceeds its predetermined period, the invention also provides a solution for renewed authorization.
Embodiment
The preferred embodiments of the invention are described in detail below with reference to the accompanying drawings.
Embodiment one
Referring to Fig. 1, the invention discloses an information security protection system for mobile electronic devices, the system comprising a management center, an encryption and authentication unit installed in the mobile electronic device, and an authentication tool that is connected to the mobile electronic device when in use. The mobile electronic device may be a notebook computer, or an electronic device such as a mobile phone or PDA.
When the mobile electronic device is connected to the management center, the management center controls the encryption and authentication unit of the device.
When the mobile electronic device is not connected to the management center, the information security protection system checks whether a valid authentication tool is connected; if so, the authentication tool controls the encryption and authentication unit of the device and the corresponding user is allowed to use encrypted files; if not, encrypted files cannot be used, but unencrypted files can.
The composition of each module of the invention is introduced below.
[authentication tool]
The authentication tool holds the user's identity information and usage-rights information. In the present embodiment, the user authentication tool comprises:
an identification module, which matches the user name embedded inside the tool against the name of the client, establishing a one-to-one correspondence;
a permission control module, which controls use of the client according to the usage period and permission settings written inside the tool.
[management center]
The management center sets the usage rights of each user's authentication tool and writes those rights into the corresponding authentication tool.
In the present embodiment, the management center comprises:
a user management module, which applies different settings to users or user groups so that, through centralized management, the administrator can formulate differentiated policies in real time;
a user identification module, which collects user information online, verifies the user's identity and issues policy information to the designated user;
an authentication tool management module, which sets authentication tool usage rights for the user, the rights including usage time and decryption, and which can export the settings as a target file;
a log query and management module, which queries and manages the administrator's system settings and user management operations, authorization operations, and the user's file operations on the mobile electronic device.
[encryption and authentication unit]
The encryption and authentication unit comprises:
- a file encryption module, which performs file encryption operations and applies encryption protection to designated files;
- a file decryption module, which automatically decrypts files into memory in the background without changing the encrypted state of the file on disk;
- an internal authentication module, which sends requests to, and obtains commands from, the management center or the authentication tool, and allows a user who holds usage rights to use encrypted files; a user without usage rights cannot use encrypted files but can still use unencrypted files;
- a logger module, which records the user's file operations on the mobile electronic device, including create, copy, move, rename and delete operations.
The information security protection system for mobile electronic devices of the invention has been introduced above. Together with the above system, the invention also discloses an information security protection method for the above information security protection system, the method comprising the following steps:
- the file encryption and decryption step: the file encryption module performs file encryption operations and applies encryption protection to designated files; the file decryption module automatically decrypts files into memory in the background without changing the encrypted state of the file on disk;
- the permission setting step: the management center sets the usage rights of each user's authentication tool and writes those rights into the corresponding authentication tool;
- when the mobile electronic device is connected to the management center, the management center controls the encryption and authentication unit of the device;
- when the mobile electronic device is not connected to the management center, the information security protection system checks whether a valid authentication tool is connected; if so, the authentication tool controls the encryption and authentication unit of the device and the corresponding user is allowed to use encrypted files; if not, encrypted files cannot be used, but unencrypted files can.
When the mobile electronic device is inside the designated LAN and connected to the management center, only forced encryption is possible: the designated confidential files that the user handles in the designated LAN must be force-encrypted. The management center is located on a server. The steps are as follows:
- the mobile electronic device joins the designated LAN by legitimate means, ensuring normal communication with the server;
- the encryption and authentication unit of the mobile electronic device sends verification information to the management center and is verified by the server;
- if the mobile electronic device passes verification, it can use the encrypted files in the designated LAN normally; if verification fails, it cannot use the encrypted files in the designated LAN;
- the user operates normally; files are encrypted when saved, and at the same time a log of the user's file operations in the designated LAN is kept.
The method further comprises: the administrator logs into the console of the management center to authorize users who need authorization. The specific steps are as follows:
- the administrator logs into the management center; the system verifies the administrator's identity and the operating scope of the administrator's authority;
- the administrator selects the user who needs authorization and sets the user's usage time and operating rights;
- the system checks whether the user is currently using an authentication tool; if the authentication tool has not expired, the settings are exported as a target file; if the authentication tool has expired, or the user is not using one, the administrator is prompted to insert an authentication tool and the settings are written into it;
- the administrator sends the target file or the authentication tool to the user of the mobile electronic device, and a detailed record of the authorization is kept.
When the user takes the mobile electronic device out of the office, the system determines the user's intended task and opens the corresponding permissions. The specific steps are as follows:
- the user turns on the mobile electronic device and opens the encryption software client program normally;
- the client checks whether a usable authentication tool is connected to the mobile electronic device and, if so, reads its information; if not, the user is not allowed to use encrypted files, and the files the user works on are guaranteed not to be placed under encryption protection;
- the client judges from the authentication tool information it has read whether the usage period and permissions are within the allowed range; if so, the user reads and operates confidential files normally; if not, the user is prompted to apply to the administrator for renewed authorization, and the client enters the mode in which encrypted files cannot be used;
- after entering the mode in which encrypted files can be used, the program records the user's file operations normally and applies encryption protection to files.
In summary, the information security protection system and method for mobile electronic devices proposed by the invention let employees work overtime normally inside or outside the intranet and, under defined conditions, still use the notebook computer for private matters or entertainment. When the user's period for using the encryption software outside the office exceeds its predetermined period, the invention also provides a solution for renewed authorization.
Embodiment two
Inside the company, employees cannot handle private matters or use the notebook for entertainment; only forced encryption is possible. Files handled inside the company that involve the company's core trade secrets must be force-encrypted, which prevents an employee from leaking core documents by deliberate disclosure. The steps are as follows:
1) the employee connects to the company intranet by legitimate means and confirms that the server can be reached normally (for example by ping);
2) the client on the notebook computer sends verification information, such as username and password, to the management center and is verified by the server;
3) if the notebook computer passes verification, it can use the enterprise's encrypted files normally; if verification fails, it cannot use the company's protected files;
4) the employee operates normally; files are encrypted when saved, and at the same time a log of the employee's file operations inside the company is kept.
The administrator can log into the console to authorize an authentication tool (EKEY) for personnel who need to work overtime. The specific steps are as follows:
1) the administrator logs into the control center; the system verifies the administrator's identity and the operating scope of the administrator's authority;
2) the administrator selects the user who needs to use the EKEY outside the office and sets the user's usage time and operating rights;
3) the system checks whether the user is currently using an EKEY whose time has not expired; if the EKEY has not expired, the settings are exported as a target file; if the EKEY has expired, or the user is not using an EKEY, the administrator is prompted to insert an EKEY and the settings are written into it;
4) the administrator sends the target file or the EKEY to the notebook computer user, and a detailed record of the authorization is kept.
When the user takes the notebook computer out of the office, the system determines the user's intended task and opens the corresponding permissions. The specific steps are as follows:
1) the user turns on the computer and opens the encryption software client program normally;
2) the client checks whether a usable EKEY is connected to the notebook computer and, if so, reads its information; if not, the client enters entertainment mode: the user is not allowed to use encrypted files, and the files the user works on are guaranteed not to be placed under encryption protection;
3) the client judges from the EKEY information it has read whether the usage period and permissions are within the allowed range; if so, the user reads and operates protected files normally; if not, the user is prompted to apply to the administrator for renewed authorization, and the client enters entertainment mode;
4) after entering work mode, the program records the user's file operations normally and applies encryption protection to files.
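The client decision steps above (and the administrator's EKEY authorization steps before them) as an added example, not code from the patent. The class and function names are assumptions; the patent names the modules and steps but specifies no API, file format or timestamps, and whether operations are logged when verification fails inside the LAN is assumed here.

```python
"""Client-side mode decision and administrator EKEY authorization.

Added example, not the patent's own code. Ekey, Policy, check_ekey,
decide_policy and authorize are assumed names: the patent names the
modules and steps but specifies no API, file format or timestamps."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Ekey:
    """Contents of the user identity tool: identity plus usage rights."""
    user_name: str
    client_name: str        # must correspond to the installed client
    valid_until: datetime   # usage period written by the management center
    rights: frozenset       # e.g. frozenset({"decrypt"})


@dataclass
class Policy:
    """What the client enforces once the mode has been decided."""
    encrypted_files_usable: bool  # protected files may be opened
    force_encrypt: bool           # files are encrypted when saved
    log_operations: bool          # create/copy/move/rename/delete recorded
    reason: str


def check_ekey(ekey, user, client, now):
    """Identification and permission-control modules of the EKEY.
    Returns None when the tool is valid, else the reason it is rejected."""
    if ekey.user_name != user or ekey.client_name != client:
        return "EKEY does not correspond to this user and client"
    if now > ekey.valid_until:
        return "EKEY usage period expired; administrator must re-authorize"
    if "decrypt" not in ekey.rights:
        return "EKEY carries no decryption right"
    return None


def decide_policy(in_lan, centre_verified, ekey, user, client, now):
    """Decision steps of the client program, in the order the patent gives."""
    if in_lan:
        # Inside the LAN only forced encryption is possible; whether
        # protected files open depends on the management center's check.
        if centre_verified:
            return Policy(True, True, True, "verified by management center")
        return Policy(False, True, False, "center rejected client")  # log: assumed off
    if ekey is None:  # outside the LAN the authentication tool decides
        return Policy(False, False, False, "no authentication tool connected")
    problem = check_ekey(ekey, user, client, now)
    if problem is not None:  # entertainment mode: unencrypted files only
        return Policy(False, False, False, problem)
    return Policy(True, True, True, "EKEY within its period and rights")


def authorize(current, user, client, now, period, rights):
    """Administrator step: settings go to a target file when the user's EKEY
    is still valid, otherwise they are written into a newly inserted EKEY."""
    new = Ekey(user, client, now + period, rights)
    if current is not None and current.user_name == user \
            and now <= current.valid_until:
        return ("target_file", new)
    return ("write_to_ekey", new)


def demo():
    """Constructed scenarios: sample user, client name and dates."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = Ekey("alice", "client-A", now + timedelta(days=7), frozenset({"decrypt"}))
    later = now + timedelta(days=8)  # one day past the EKEY period
    month = timedelta(days=30)
    return {
        "offline_valid": decide_policy(False, False, key, "alice", "client-A", now),
        "offline_wrong_user": decide_policy(False, False, key, "bob", "client-A", now),
        "offline_expired": decide_policy(False, False, key, "alice", "client-A", later),
        "offline_no_key": decide_policy(False, False, None, "alice", "client-A", now),
        "lan_unverified": decide_policy(True, False, None, "alice", "client-A", now),
        "renew_valid": authorize(key, "alice", "client-A", now, month, key.rights)[0],
        "renew_expired": authorize(key, "alice", "client-A", later, month, key.rights)[0],
    }
```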
Together with the method, the invention also discloses the information security protection system for mobile electronic devices. The system comprises the encryption software program, the management center, and the user identity identification tool (that is, the authentication tool). Each component is disclosed below.
The encryption software program comprises:
I. File encryption module: once the encryption software is installed, the computer performs file encryption operations and protects the company's core documents;
II. File decryption module: automatically decrypts files into memory in the background, without affecting the user's work and without changing the encrypted state of the file on disk;
III. Internal authentication module: sends requests to the management center or other authentication tools (EKEY and the like) and obtains commands from the management center;
IV. Logger module: records the user's file operations on this computer (create, copy, move, rename, delete and similar operations).
The management center comprises:
I. User management module: applies different settings to users or groups so that, through centralized management, the administrator can formulate differentiated policies in real time;
II. User identification module: collects user information online, verifies the user's identity and issues policy information to the designated user;
III. EKEY management module: sets EKEY usage rights for the user, such as time and decryption, and can export the settings as a target file;
IV. Log query and management module: queries and manages the administrator's system settings and user management operations, the administrator's EKEY authorization operations, the user's file operations on the client notebook computer, and so on.
The user identity identification tool comprises:
I. Identification module: matches the user name embedded inside the tool against the name of the client, establishing a one-to-one correspondence;
II. Permission control module: controls use of the client according to the usage period and permission settings written inside the tool.
The description and application of the invention given here are illustrative and are not intended to limit the scope of the invention to the embodiments described above. Variations and changes of the disclosed embodiments are possible, and the replacement of the embodiments' various parts with equivalents is known to those of ordinary skill in the art. Those skilled in the art will note that, without departing from the spirit or essential characteristics of the invention, the invention may be realized in other forms, structures, arrangements and proportions, and with other components, materials and parts. Other variations and changes may be made to the disclosed embodiments without departing from the scope and spirit of the invention.