CN101923550A - Method for preventing to copy documents illegally in distributed environment - Google Patents

Publication number
CN101923550A
Authority
CN
China
Legal status
Pending
Application number
CN2009101479987A
Other languages
Chinese (zh)
Inventor
马杰
Current Assignee
Individual
Original Assignee
Individual

Abstract

The invention relates to a method for preventing illegal copying of documents in a distributed environment. The method comprises the following three steps: 1) storage units that can restrict the copying of documents and verify the accessing program are used to construct a distributed storage environment; 2) when a document leaves the distributed storage environment, it is processed into a state in which its original content cannot be obtained; and 3) a processed document can be restored to its original state before processing only when two prerequisites are satisfied: the document has returned to the distributed storage environment, and the associated specified conditions are met. With this method, illegal copying of documents inside and outside the distributed storage environment is prevented in two ways: by managing copy operations and by reducing the real value of copying a document.

Description

A method for preventing illegal copying of files in a distributed environment
Technical field
The present invention relates to file storage systems that store file content, manage file information and provide file access in a distributed environment. Specifically, it describes a method for preventing illegal copying of files in a distributed environment. By combining file access control that restricts file copying and checks the accessing program with restricted conversion of the file content state in the distributed environment, it ensures that the physical content of a file is not illegally copied either inside or outside the distributed storage system.
Background art
Files are an important form of storing data, and reproducibility is an inherent feature of files. Copying is a basic service provided by a file management system (file system) and makes files more convenient to use. Through simple copy operations, thousands of copies of the same electronic file can appear. But for manufacturers of information products (audio/video files, application software and electronic documents), the convenience of copying greatly increases the likelihood that their products are pirated.
To reduce the losses that illegal copying causes to information products, the computing field has offered several solutions from the angle of access to file content. For example: for audio/video files, technologies such as DRM restrict playback; for application software, serial numbers and update verification restrict installation and upgrading; for electronic documents, verification measures such as access passwords are added to document access.
These methods effectively suppress illegal access to content after an information product has been copied, but they do not effectively address the threat that illegal copying itself poses to information products, so the risk of improper distribution and use remains. In addition, protection measures designed around the usage characteristics of a particular information product create obstacles to developing and popularizing new applications.
Chinese invention patent 200910008922.6 describes a method for providing a user-defined access control mode in a file system. Such a file system lets the user customize the access control verification procedure associated with each file access operation. First, the file system provides multiple verification methods for access control, including verifying the accessing user, verifying the accessing program and verifying the access environment. Second, each file carries access control configuration information, which records the verification method associated with each access operation and the data the verification requires. Third, for each access operation the file system calls the corresponding verification method according to the access control configuration information, which makes the access control procedure user-definable.
A file system that provides a user-defined access control mode offers a basic platform for protecting file content from the angle of access. In such a file system, by specifying access control verification procedures that meet their needs, information product manufacturers can easily protect the files in their products from illegal operations.
The development of the Internet has made the use and storage of files distributed. A file system that provides a user-defined access control mode can manage copy operations on protected files inside the file system and so avoid illegal copying. However, files need to move in a distributed environment, and the risk that a file is illegally copied while being moved remains unsolved.
Summary of the invention
In a distributed environment, a content protection mechanism built around the physical content of a file, which guarantees that the physical content cannot be illegally copied either at its storage location or while being moved, has the following advantages:
1. The protection mechanism is designed around the physical content of files rather than for a specific application, so it is widely applicable.
2. Protecting the physical content reduces the development complexity of application programs: developers need not be overly concerned with content protection, which improves development efficiency.
In the present invention, the core idea for preventing illegal copying of files in a distributed environment is as follows. First, the environment in which an application program can access a file's content is restricted to storage locations that can restrict file copying and check the accessing program. Second, outside such storage locations, the file's content is in a processed state, so that a program cannot obtain the file's original content. Finally, measures are taken to restrict restoring the processed file content to its original state before processing.
Based on this idea, while a file is being moved outside a storage location that restricts copy operations and checks the accessing program, its content cannot be accessed by application programs. Because the file is in a state that programs cannot access, and restoring the original state is itself restricted, the value of copying the file is greatly reduced, which solves the problem of files being illegally copied while being moved. Specifically, the method for preventing illegal copying of files in a distributed environment comprises the following three aspects:
1. Several memory nodes form a distributed storage system. Each memory node provides a file storage service and supports a file access interface, and can carry out access control work in two respects, restricting file copying and checking the accessing program, according to the file's settings;
2. Before a file leaves the memory node it resides on, it must be converted by a transition operation into a state that application programs cannot access;
3. A file in the inaccessible state can be restored by a reply operation to its original form before the transition operation only when two prerequisites are met: the file is located on some memory node, and the reply check succeeds.
In the above measures, the state inaccessible to application programs, or inaccessible state for short, means that the file content has been processed by means such as encryption, hiding or splitting, so that an application program cannot use the file access interface to directly obtain the file's original content before processing. The transition operation converts a file into the inaccessible state; the reply operation restores a file from the inaccessible state to its original form before the transition.
A memory node is a storage unit that provides a storage service. It contains storage space for recording files and provides file access interfaces around that storage space, for example content access interfaces such as file read and file write, and file management interfaces such as create file, delete file and copy file.
In the access control work of a memory node, restricting file copying means restricting the copy operations associated with a file. The restriction may apply to users, software, the environment and so on, and may even forbid file copying altogether. Checking the accessing program means checking whether the program performing content access has the characteristics specified in the file's settings, to prevent the file content from being illegally stored elsewhere by an unknown program.
The memory node provides the transition operation and the reply operation for files whose illegal copying needs to be restricted. The transition operation may occur while the file is leaving its memory node or before it leaves, but not after it has left. The reply operation may occur while the file is entering a memory node or after it has entered, but not before it enters.
The reply check ensures that a reply operation can succeed only if it meets the reply conditions associated with the file. Reply conditions are restrictions on the reply operation in respects such as the number of completions, the time of occurrence and the execution environment. A restriction on the number of completions limits the total number of successful replies for inaccessible-state files that come from the same transition operation. A restriction on the time of occurrence requires the reply operation to occur within a specified time range. A restriction on the execution environment requires the environment in which the reply operation runs to have specified characteristics in respects such as software, hardware or network, for example the location of the memory node.
The reply conditions associated with a file do not change with the memory node that carries out the reply operation. For the reply check, a new file obtained by copying a file outside the storage system is considered the same file as the one it was copied from.
For work such as access control, the transition operation, the reply operation and the reply check, a file in a memory node carries specific configuration information, which is used to: (1) indicate how the work is to be done; (2) indicate the data required to do the work, or the way to obtain that data.
Based on the above scheme, in a storage system that prevents illegal copying of files, a file only needs to carry suitable configuration information to be protected from illegal copying at the physical access level, while normal use of the file in the distributed environment is preserved. For example:
Specify the following configuration information for a movie file: (1) file copy operations are forbidden and only authorized players may access the content; (2) the specific working procedures of the transition operation and the reply operation; (3) the reply condition that the number of completions of the reply operation is 1.
With the support of the storage system that prevents illegal copying, this movie file has the following characteristics: (1) it cannot be illegally copied inside the storage system; (2) while it is moved between memory nodes, its content is in a state that cannot be played normally; (3) of the movie files moved out of a memory node, the number that return to a playable state is always exactly one. These characteristics achieve the purpose of protecting the movie file's content.
Users who have copyright requirements for electronic file content (software makers, movie distributors, document owners and so on) can, by using a storage system of this type to distribute and publish files, control illegal copying in a distributed environment simply by specifying configuration information, which is more convenient than waiting for application developers to provide various application-layer solutions.
Description of drawings
Fig. 1 is an example of the record format of the access control configuration information.
Fig. 2 is an example of the record format of the configuration information of the transition operation and the reply operation.
Fig. 3 is an example of the record format of the content of the additional setting data structure.
Embodiment
A storage system that implements the method of the present invention for preventing illegal copying of files in a distributed environment must first provide basic storage functions: storing the files that need protection and providing a file access interface. In addition, on top of the basic storage functions, it must prevent illegal copy operations, that is, prevent anyone from illegally obtaining a copy of a file whose original content can be accessed directly through the file access interface. One embodiment of the present invention is described below:
Storage system
In this embodiment, the storage system consists of multiple memory nodes and several reply check servers. A reply check server is a network server that works with the memory nodes to complete transition operations and reply operations; the memory nodes and the reply check servers are connected by a network over which they can access one another.
In this embodiment, memory nodes and reply check servers confirm each other's identity using identification based on digital certificates. The digital certificates are issued by a third-party certificate management system, and the identities the certificates represent fall into two categories: legitimate memory node and legitimate reply check server.
Memory node
In this embodiment, a memory node is built using a file system that provides a user-defined access control mode. It is implemented by using such a file system to provide a file storage service over part of the storage space on a computer.
In this embodiment, the memory node uses the file system's built-in user-defined access control function to restrict copy operations and check the accessing program, as follows:
1. In the file's access control configuration information, select for the copy operation a verification method that meets the copy restriction requirement. For example, to always refuse copying, select a verification method that always returns verification failure as the verification procedure for the copy operation.
2. In the file's access control configuration information, select for the read operation a verification method that meets the program check requirement. For example, if the file may only be opened by the program abc.exe, specify for the read operation a verification method that verifies the characteristics of the abc.exe program.
In this embodiment, a transition operation and a reply operation are added to the file system that provides a user-defined access control mode. The core of the transition operation is encrypting the file content, and the core of the reply operation is decrypting the encrypted file content. Because the core of the transition operation is file encryption, the inaccessible-state file in this embodiment takes the form of an encrypted-state file.
In this embodiment, the encryption and decryption that correspond to the transition operation and the reply operation use a key-pair-based encryption algorithm. The key used for encryption is the encryption key, and the key used for decryption is the decryption key.
In this embodiment, the encryption key used by the transition operation and the decryption key used by the reply operation both come from the reply check server; that is, the key pair is generated by the reply check server. After a memory node obtains an encryption key or a decryption key, it uses the key only to carry out the corresponding operation and does not store it.
In this embodiment, encryption and decryption modules for the different encryption algorithms are added to the file system that provides a user-defined access control mode, to support the transition operation and the reply operation. When a transition operation runs, it calls the encryption module that corresponds to the file's encryption algorithm setting; when a reply operation runs, it calls the corresponding decryption module.
In this embodiment, the data structure that the file system originally used to record access control configuration information is retained, but the content recorded in it is extended. The extended data structure is called the file's additional setting data structure.
In this embodiment, the file's additional setting data structure records three kinds of information: the file's identification information, the access control configuration information, and the configuration information of the transition operation and the reply operation.
In this embodiment, the file's identification information is mainly used in the reply check to identify the reply conditions associated with the file; that is, files with the same file identification all have the same reply conditions.
In this embodiment, the file's identification information has the following form: identification creator category_identification creator mark_file serial number_copy number. For example: C_ABC_011198890_010, P_Tom_011123490_011. Here C and P indicate that the creator of the identification is a company or an individual; ABC and Tom are the creator's company name and personal name respectively; 011198890 and 011123490 are the file serial numbers the creator uses to distinguish files with different content; 010 and 011 are the copy numbers the creator uses to distinguish files with identical content.
In this embodiment, the access control configuration information associated with a file continues to use the recording method of the original access control configuration information of the file system that provides a user-defined access control mode, with two added marks needed to associate access control configuration information with the transition operation and the reply operation. See the following example:
A file contains a company telephone directory owned by company ABC. Company ABC wants the directory not to be copyable and requires a software tool named DocReader.exe to be used to read its content. In addition, company ABC wants transition operations and reply operations on the directory file to pass network authentication.
The access control configuration information that meets these requirements is shown in Fig. 1. The marks newly added for the transition operation and the reply operation have the following meanings:
Reversion marks the reply operation;
Transform marks the transition operation.
In Fig. 1, the verification method denoted by the verification method tag string static_user_majie_refuseall always returns verification failure and is used to refuse copy operations.
In this embodiment, the configuration information of the transition operation and the reply operation mainly comprises the encryption algorithm used by the operations, the cooperating reply check server, and the reply conditions used by the reply check. It is recorded in the XML markup language. For example, Fig. 2 shows the transition and reply configuration information carried by a file. Its meaning is: (1) the IP address of the reply check server is 202.204.125.66; (2) the RSA encryption algorithm is used; (3) the reply conditions are that the latest date for carrying out the reply operation is December 31, 2009, that the reply operation can succeed only once, and that the IP address of the memory node must belong to China. The marks newly added in Fig. 2 have the following meanings:
Transform and reversion control marks the whole configuration information of the transition operation and the reply operation;
Server marks the IP address of the reply check server;
Algorithm marks the encryption algorithm used by the transition operation and the reply operation;
Condition marks the content of one reply condition;
Type marks the type of a reply condition.
In this embodiment, the content of the file's additional setting data structure is recorded entirely in the XML markup language; the actual record format is shown in Fig. 3. The newly added marks have the following meanings:
File setting marks the whole content of the file's additional setting data structure;
File ID marks the file's identification information.
In this embodiment, a file whose illegal copying is to be controlled must specify its identification information in its additional setting data structure, and must also specify reply conditions in the settings associated with the transition operation and the reply operation.
In this embodiment, the file's additional setting data structure is an extension of the content of the original access control setting data structure in the file system that provides a user-defined access control mode. It therefore also exists as part of the file, and its storage format is the same as that of the original access control setting data structure.
In this embodiment, access operations that originally acted on the access control configuration information in the user-defined access control mode file system become access operations on the information in the file's additional setting data structure. For example, the read operation on the original access control configuration information becomes a read operation on the information in the file's additional setting data structure.
In this embodiment, the way the file system originally recorded the access control requirements associated with operations on the access control configuration information is used to record the access control requirements associated with operations on the information in the file's additional setting data structure. For example, readconfig originally identified the read operation on the access control configuration information; in this embodiment, readconfig identifies the read operation on the content of the file's additional setting data structure.
In this embodiment, when the access control module reads the access control configuration information, it must first locate that information within the file's additional setting data structure and then read its content.
In this embodiment, an encrypted-state file obtained through a transition operation has the following record format:
(1) the first part is the format indicator that marks an encrypted-state file: 3 bytes containing the 3 characters HAM;
(2) the second part is the size of the file's additional setting data structure, recorded as an integer in 4 bytes;
(3) the third part is the content of the file's additional setting data structure; its byte count is given by the size recorded before it;
(4) the fourth part is the size of the encrypted file content, recorded as an integer in 8 bytes;
(5) the fifth part is the encrypted file content; its byte count is given by the size recorded before it;
(6) the sixth part is the identification number of the key pair used for encryption, recorded as an integer in four bytes;
(7) the seventh part is the MD5 of the whole encrypted-state file, occupying 16 bytes.
In this embodiment, the file name of an encrypted-state file is the original file name with the suffix .ham appended. For example, the file hello.dvd is named hello.dvd.ham after encryption.
In this embodiment, if the file on which a reply operation is carried out has the suffix .ham, the suffix is removed from the restored file's name once the reply operation completes. For example, a file named hello.dvd.ham is named hello.dvd after a successful reply.
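A writer and a strict reader for the seven-part encrypted-state layout and the .ham naming rule described above, as an added example that is not part of the patent. The big-endian byte order, the choice to compute the MD5 over every byte that precedes the digest, and the names `pack_ham`, `parse_ham`, `ham_name` and `restored_name` are assumptions; the ciphertext is treated as opaque bytes.

```python
import hashlib
import struct
from dataclasses import dataclass

MAGIC = b"HAM"   # part 1: 3-byte format indicator
MD5_LEN = 16     # part 7: size of the trailing MD5
SUFFIX = ".ham"


class HamFormatError(ValueError):
    """The buffer is not a well-formed encrypted-state file."""


@dataclass(frozen=True)
class HamFile:
    settings: bytes     # part 3: additional setting data structure (XML)
    ciphertext: bytes   # part 5: encrypted file content, opaque here
    key_pair_id: int    # part 6: identification number of the key pair


def pack_ham(settings: bytes, ciphertext: bytes, key_pair_id: int) -> bytes:
    """Serialize parts 1-6, then append the MD5 of those bytes (assumed scope)."""
    body = b"".join([
        MAGIC,
        struct.pack(">I", len(settings)), settings,      # parts 2 and 3
        struct.pack(">Q", len(ciphertext)), ciphertext,  # parts 4 and 5
        struct.pack(">I", key_pair_id),                  # part 6
    ])
    return body + hashlib.md5(body).digest()


def parse_ham(buf: bytes) -> HamFile:
    """Parse and validate; every length field is checked before it is used."""
    pos = 0

    def take(n: int, what: str) -> bytes:
        nonlocal pos
        if n > len(buf) - pos:   # a hostile size field cannot cause an over-read
            raise HamFormatError(f"truncated while reading {what}")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    if take(len(MAGIC), "format indicator") != MAGIC:
        raise HamFormatError("missing HAM format indicator")
    (settings_len,) = struct.unpack(">I", take(4, "settings size"))
    settings = take(settings_len, "settings")
    (content_len,) = struct.unpack(">Q", take(8, "content size"))
    ciphertext = take(content_len, "encrypted content")
    (key_pair_id,) = struct.unpack(">I", take(4, "key pair id"))
    digest = take(MD5_LEN, "MD5")
    if pos != len(buf):
        raise HamFormatError("trailing bytes after MD5")
    # MD5 only detects accidental corruption; it is not a tamper-proof seal.
    if hashlib.md5(buf[:-MD5_LEN]).digest() != digest:
        raise HamFormatError("MD5 mismatch")
    return HamFile(settings, ciphertext, key_pair_id)


def ham_name(original_name: str) -> str:
    """hello.dvd -> hello.dvd.ham"""
    return original_name + SUFFIX


def restored_name(encrypted_name: str) -> str:
    """hello.dvd.ham -> hello.dvd; other suffixes are rejected."""
    if not encrypted_name.endswith(SUFFIX) or encrypted_name == SUFFIX:
        raise HamFormatError("not an encrypted-state file name")
    return encrypted_name[:-len(SUFFIX)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent figures.
    blob = pack_ham(b"<settings/>", b"\x01\x02\x03\x04", 7)
    print(parse_ham(blob), restored_name(ham_name("hello.dvd")))
```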
In this embodiment, the additional setting data structure carried by the original file is recorded inside the encrypted-state file; the encrypted-state file itself is not given the additional setting data structure associated with the original file.
In this embodiment, when the reply operation restores the file content, it also restores the additional setting data structure carried in the encrypted-state file.
In this embodiment, after a transition operation or reply operation succeeds, that is, after the encrypted-state file or the original file has been obtained, the file on which the operation was carried out is deleted.
In this embodiment, move and copy operations on a file whose additional setting data structure requires restricting illegal copying are handled as follows: (1) when the target of a move operation is outside the memory node, the move operation first carries out a transition operation on the file to obtain an encrypted-state file and then moves the encrypted-state file out of the memory node; (2) when the target of a copy operation is outside the memory node, the copy operation first creates a copy of the file inside the memory node, then carries out a transition operation on the copy to obtain an encrypted-state file, and finally moves that encrypted-state file out of the memory node.
In this embodiment, after a file that a transition operation has put into the encrypted state is copied or moved into a memory node, the user manually invokes the reply operation to restore the file content to the original-content state that application programs can access directly.
In this embodiment, a file that a transition operation has already put into the encrypted state is not put through a transition operation again. Before carrying out a transition operation, the file system checks the file's format; a file in the encrypted-state file format does not undergo another transition operation.
In this embodiment, if the file read module finds that the file being read is in the encrypted-state file format, it does not continue reading and reports an error to the application that called the file read module.
In this embodiment, if a file whose illegal copying needs to be restricted does not specify a reply check server or does not specify an encryption algorithm in its additional setting data structure, the memory node uses the default reply check server or the default encryption algorithm. The default reply check server and the default encryption algorithm are recorded in the memory node's configuration information.
In this embodiment, the default reply check server and the default encryption algorithm recorded on all memory nodes are the same.
In this embodiment, if, when carrying out a transition operation, the memory node cannot support the encryption algorithm specified in the file's additional setting data structure or cannot reach the reply check server specified there, the transition operation on that file fails.
In this embodiment, if, when carrying out a reply operation, the memory node cannot support the encryption algorithm specified in the additional setting data structure contained in the encrypted-state file or cannot reach the reply check server specified there, the reply operation on that file fails.
In this embodiment, a memory node can provide environment information such as its current software, hardware and network, as required by the reply check server.
Reply check server
In this embodiment, the reply check server can record the following information: (1) file identification information; (2) the encryption algorithm used by the file's transition operation and reply operation; (3) the reply conditions associated with the file; (4) the identification information of the encrypted-state file; (5) the key pair corresponding to the encrypted-state file and the key pair identification number; (6) other information that supports the reply check.
In this embodiment, the identification information of a file in the encrypted state comprises the file size, the MD5 and the file content at several positions. The file content at several positions involves three things: the position information, the file content at each position and the size of the file content at each position.
In this embodiment, other information that supports the reply check means other data needed during reply condition judgment. For example, when a reply condition limits the maximum number of times the reply operation can succeed for a file, the number of reply operations the file has successfully executed so far must be recorded.
In this embodiment, the reply check server contains a functional module responsible for generating key pairs, which ensures that the encryption algorithm on each memory node can work correctly. A key pair is generated each time a transition operation requests an encryption key from the reply check server.
In this embodiment, if the reply check server's key generation module cannot support the encryption algorithm used by the file's transition operation and reply operation, the reply check server refuses to provide an encryption key to the memory node, that is, it refuses to let the memory node continue the transition operation.
In this embodiment, each time the reply check server generates a key pair, it assigns that key pair a key pair identification number. The key pair identification number has the following properties: (1) it is data of integer type; (2) the key pair identification numbers associated with different transition operations on the same file cannot be identical, where "the same file" means files with the same file identification information.
In this embodiment, when a transition operation is performed on a file, the reply check server requires the memory node requesting the encryption key to provide the file identification information, the encryption algorithm used by the transition operation and reply operation, and the reply conditions associated with the file, all of which are located in the file's additional settings data structure, and records them.
In this embodiment, if the reply check server cannot support a reply condition specified in the additional settings data structure carried by the file undergoing the transition operation, it can refuse the memory node's request to execute the transition operation.
In this embodiment, the reply conditions supported by the reply check server fall into the following three categories:
1. Limit the maximum number of times the reply operation can be successfully executed on encrypted-state files that come from the same transition operation;
2. Limit the time range within which the reply operation can be successfully executed on the encrypted-state file, that is, a reply operation whose execution time is outside the specified time range is refused;
3. Require that the memory node on which the file undergoes the reply operation has specified characteristics in terms of software, hardware or network, for example the IP address of the memory node.
In this embodiment, encrypted-state files from the same transition operation are uniquely determined by the file identification information and the key pair identification number: files whose file identification information and key pair identification number are both the same are considered to be encrypted-state files that come from the same transition operation.
Transition operation, reply operation and reply check
In this embodiment, the main steps of a file transition operation are:
1. Perform the access control check for the transition operation;
2. Obtain the reply check server and the encryption algorithm from the file's additional settings data structure;
3. Request an encryption key and a key pair identification number from the reply check server;
4. Call the encryption module to encrypt the file content, generate the encrypted-state file and delete the original file;
5. Submit the identification information of the encrypted-state file to the reply check server.
In this embodiment, the main steps of a file reply operation are:
1. Perform the access control check for the reply operation;
2. Verify the integrity of the file;
3. Obtain the reply check server and the encryption algorithm from the additional settings data structure contained in the encrypted-state file;
4. Request a decryption key from the reply check server;
5. Call the decryption module to decrypt the file content and generate the original file, and delete the encrypted-state file.
In this embodiment, the main steps for requesting an encryption key and a key pair identification number from the reply check server during a transition operation are:
1. The memory node establishes a connection with the reply check server;
2. The memory node and the reply check server confirm each other's identity using digital certificate technology;
3. The memory node submits to the reply check server the file identification information of the file undergoing the transition operation;
4. The reply check server generates a key pair and a key pair identification number;
5. The reply check server returns the encryption key and the key pair identification number to the memory node.
In this embodiment, the encrypted-state file identification information submitted to the reply check server during a transition operation mainly comprises the file size, the MD5 and the file content at several positions. The main steps of the submission are:
1. The memory node submits the file size and MD5 of the encrypted-state file to the reply check server;
2. The reply check server records the file size and MD5 of the encrypted-state file;
3. The reply check server randomly selects several positions that do not exceed the file size and specifies the size of the data at each position;
4. The reply check server informs the memory node of the chosen positions and the associated data sizes;
5. The memory node extracts file content of the corresponding size at the corresponding positions of the encrypted-state file and returns it to the reply check server;
6. The reply check server records the selected positions, the chosen sizes and the corresponding file content.
In this embodiment, the main steps for requesting a decryption key from the reply check server during a reply operation are:
1. The memory node establishes a connection with the reply check server;
2. The memory node and the reply check server confirm each other's identity using digital certificate technology;
3. The memory node provides the reply check server with the file identification information and the key pair identification number of the file undergoing the reply operation;
4. The reply check server uses the recorded encrypted-state file identification information to confirm that the memory node holds the encrypted-state file;
5. The reply check server performs reply condition judgment;
6. The reply check server returns the decryption key.
In this embodiment, when a decryption key is requested from the reply check server during a reply operation, the reply check server uses the recorded encrypted-state file identification information to confirm that the memory node holds the encrypted-state file, as follows:
1. The memory node provides the file size and MD5 to the reply check server;
2. The reply check server matches the received file size and MD5 against the recorded file size and MD5;
3. The reply check server returns to the memory node the chosen positions and corresponding sizes that it recorded during the transition operation;
4. The memory node extracts content of the given size from the corresponding positions of the encrypted-state file and returns the content to the reply check server;
5. The reply check server matches the received content against the recorded content.
In this embodiment, during a transition operation or a reply operation, the network connection between the memory node and the reply check server, once established, lasts until the operation completes or the reply check server refuses the operation.
In this embodiment, the reply check server implements a corresponding judgment flow for each reply condition it supports. When judging reply conditions, the reply check server calls the corresponding judgment flow according to the category recorded in each reply condition.
In this embodiment, when the reply check server judges reply conditions, it judges each recorded reply condition separately. When all reply conditions hold, the reply check server approves execution of the reply operation.
In this embodiment, the data used by the judgment flow of a reply condition comes from two sources: (1) the data recorded in the reply condition that characterizes when the condition holds; (2) data that the reply check server maintains to support reply condition judgment, or data that it requests from the memory node.
In this embodiment, the data that the reply check server maintains to support reply condition judgment includes the current number of successfully completed reply operations. This count is the number of times the reply operation has been successfully executed on encrypted-state files that come from the same transition operation, where encrypted-state files that come from the same transition operation are those with the same file identification information and the same key pair identification number. The count is mainly used when a reply condition limits the maximum number of successful reply operations for a file. After the reply check server finishes sending the decryption key to the memory node, the count is increased by 1.
In this embodiment, the data that the reply check server requests from the memory node to support reply condition judgment includes information about the memory node's software, hardware or network environment, and is mainly used when a reply condition restricts the execution environment of the reply operation. When the reply condition is of the execution-environment type, the reply check server requests the corresponding information from the memory node when reply condition judgment begins. Reply condition judgment continues only after the memory node provides the corresponding information. If the memory node cannot provide it, the reply check fails and the reply operation is refused.
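The possession check and the reply condition judgment described above can be modelled as follows. This is an added example, not code from the patent: the class, method and field names are hypothetical, the key is a random placeholder rather than a generated key pair, and the certificate-based mutual authentication and the encryption itself are left out.

```python
import hashlib
import os
import secrets

class ReplyCheckServer:
    """Toy model of the records and checks described above (names are hypothetical)."""

    def __init__(self):
        self.records = {}   # (file_id, key_pair_id) -> record for one transition
        self.next_id = {}   # file_id -> next key pair identification number

    def issue_encryption_key(self, file_id, conditions):
        # Integer id that never repeats for the same file identification info.
        pair_id = self.next_id.get(file_id, 0)
        self.next_id[file_id] = pair_id + 1
        key = os.urandom(32)  # placeholder; stands in for a generated key pair
        self.records[(file_id, pair_id)] = {"key": key, "cond": conditions, "replies": 0}
        return key, pair_id

    def pick_positions(self, file_id, pair_id, size, md5, count=3, length=8):
        # Record size and MD5, then choose random (offset, length) samples in range.
        rec = self.records[(file_id, pair_id)]
        rec["size"], rec["md5"] = size, md5
        length = min(length, size)
        rec["positions"] = [(secrets.randbelow(size - length + 1), length)
                            for _ in range(count)]
        return rec["positions"]

    def record_samples(self, file_id, pair_id, samples):
        self.records[(file_id, pair_id)]["samples"] = list(samples)

    def request_decryption_key(self, file_id, pair_id, size, md5, read_at, env, now):
        rec = self.records.get((file_id, pair_id))
        # Possession check: size and MD5 first, then the recorded positions.
        if rec is None or (size, md5) != (rec.get("size"), rec.get("md5")):
            return None
        if [read_at(o, n) for o, n in rec.get("positions", [])] != rec.get("samples"):
            return None
        # Reply condition judgment: every recorded condition must hold.
        cond = rec["cond"]
        if "max_replies" in cond and rec["replies"] >= cond["max_replies"]:
            return None
        if "window" in cond and not cond["window"][0] <= now <= cond["window"][1]:
            return None
        if any(env.get(k) != v for k, v in cond.get("environment", {}).items()):
            return None
        rec["replies"] += 1  # counted once the decryption key has been handed out
        return rec["key"]

def transition(server, file_id, blob, conditions):
    """Memory-node side: register an encrypted-state blob with the server."""
    _key, pair_id = server.issue_encryption_key(file_id, conditions)
    positions = server.pick_positions(file_id, pair_id, len(blob),
                                      hashlib.md5(blob).hexdigest())  # MD5 as on the page
    server.record_samples(file_id, pair_id, [blob[o:o + n] for o, n in positions])
    return pair_id

def demo():
    blob = bytes(range(256)) * 4  # constructed stand-in for encrypted-state content
    srv = ReplyCheckServer()
    pid = transition(srv, "file-A", blob, {"max_replies": 1, "window": (100, 200)})
    args = ("file-A", pid, len(blob), hashlib.md5(blob).hexdigest())
    ask = lambda now: srv.request_decryption_key(*args, lambda o, n: blob[o:o + n], {}, now)
    return ask(300) is None, ask(150) is not None, ask(150) is None
```

In `demo()`, the request outside the time window is refused without consuming the reply count, the next request succeeds, and the third is refused because the maximum number of replies has been reached.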
In this embodiment, when the memory node carries out a transition operation or a reply operation, if the reply check server it contacts according to the file's settings cannot use digital certificate technology to prove its identity as a legitimate reply check server, the corresponding transition operation or reply operation fails.
In this embodiment, when the reply check server responds to an access, if the accessing memory node cannot use digital certificate technology to prove its identity as a legitimate memory node, the reply check server refuses to complete the subsequent reply check or to provide an encryption key.
In addition, although one embodiment of the invention is disclosed above, the invention is not limited to the specific form disclosed. Those skilled in the art will understand, after studying this application, that equivalents obtained without departing from the content, scope and spirit of the invention also fall within the scope of the invention.

Claims (10)

1. A method for preventing illegal copying of files in a distributed environment, comprising the following steps:
(1) several memory nodes that can provide a file storage service and support a file access interface form a distributed storage system;
(2) before a file leaves the memory node where it resides, the file must be converted into a specific format;
(3) only when two preconditions are satisfied, namely that the file is located on any memory node and that the reply check succeeds, can a file in the specific format be changed back to its original format.
2. The specific format as described in claim 1, characterized in that: an application cannot use the file access interface to obtain the original content the file had before conversion.
3. The memory node as described in claim 1, characterized in that: the memory node can restrict copy operations associated with a file according to the file's settings.
4. The memory node as described in claim 1, characterized in that: the memory node can check the program that accesses the file content according to the file's settings.
5. The reply check as described in claim 1, characterized in that: the reply check is the action of confirming whether the reply conditions associated with the file hold; if they hold, the reply check succeeds, and if they do not hold, the reply check fails.
6. The reply check as described in claim 1, characterized in that: a new file obtained by performing a copy operation on a file outside the distributed storage system is considered, during the reply check, to be the same file as the file that was copied.
7. The reply condition as described in claim 5, characterized in that: the reply conditions of a file are the same throughout the whole distributed storage system.
8. The reply condition as described in claim 5, characterized in that: there is a limit on the number of times a change back to the original format may be requested.
9. The reply condition as described in claim 5, characterized in that: the time at which the change back to the original format is requested must fall within a specified range.
10. The reply condition as described in claim 5, characterized in that: the environment in which the change back to the original format is requested has specified characteristics in terms of software, hardware or network.
CN2009101479987A 2009-06-15 2009-06-15 Method for preventing to copy documents illegally in distributed environment Pending CN101923550A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101479987A CN101923550A (en) 2009-06-15 2009-06-15 Method for preventing to copy documents illegally in distributed environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101479987A CN101923550A (en) 2009-06-15 2009-06-15 Method for preventing to copy documents illegally in distributed environment

Publications (1)

Publication Number Publication Date
CN101923550A true CN101923550A (en) 2010-12-22

Family

ID=43338492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101479987A Pending CN101923550A (en) 2009-06-15 2009-06-15 Method for preventing to copy documents illegally in distributed environment

Country Status (1)

Country Link
CN (1) CN101923550A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108491504A (en) * 2011-06-23 2018-09-04 慧与发展有限责任合伙企业 Method and device for decentralized configuration management
CN108491504B (en) * 2011-06-23 2021-08-24 慧与发展有限责任合伙企业 Method and apparatus for distributed configuration management

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20101222