CN101938497B - Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof - Google Patents

Publication number
CN101938497B
Authority
CN
China
Prior art keywords
key
user
file
sets
documentation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2010102921101A
Other languages
Chinese (zh)
Other versions
CN101938497A (en)
Inventor
陈剑勇
陈宝楷
纪震
储颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen University
Original Assignee
Shenzhen University

Abstract

The invention relates to a multi-level security file structure, and to a user terminal, service terminal, system and method for file access control and key management based on it. The structure comprises a plurality of security levels for distinguishing files of different security levels, and each security level comprises a plurality of non-overlapping file sets. Each file set comprises a root node and a left child node and a right child node based on that root node: the left child node is the member set that can access the file set, the right child node is the files in the file set, and the root node stores the working key that the member set uses to access the files. Besides its own files, the right child node of a file set at a higher security level also contains the file sets of the security level one level below it. The structure is used to manage user access rights in a differentiated way and, together with the control of user access rights, realizes multi-level protection management of computer files. In addition, soft and hard key life cycles are introduced so that new keys effectively replace old keys, which makes the use of keys secure.

Description

Multi-level security document group setting method, and file access control and key management user terminal, service terminal, system and method based on it
Technical field
The present invention relates to computer file systems and, more particularly, to a method for setting up multi-level security document groups in a computer file system, and to a user terminal, service terminal, system and method for file access control and key management based on it.
Background technology
A traditional computer file system does not support access-right control, does not store files encrypted, and does not treat important files differently from ordinary ones, so files can be copied and distributed at will, which is bad for the security of file content.
Some computer file systems support file encryption but cannot guarantee the security of the encryption key. The security of the file encryption key is critical to file security: once the encryption key is obtained illegitimately, file protection is endangered.
For example, the invention patent with publication number CN 1567255A discloses a storage and access control method for a secure file system. It applies digital signature and encryption technology to the file system: files are digitally signed and their originality is verified to prevent tampering, and stored files are encrypted with different cryptographic algorithms and cipher strengths according to the security level required for storage, to prevent files from being stolen and information from leaking.
However, this prior art has the following shortcomings: 1. it does not differentiate and control user access rights, so flexible management of document classification is not possible; 2. it does not solve the problem of updating file encryption keys, so it cannot fully satisfy the security requirements of encrypted file protection.
Summary of the invention
The technical problem to be solved by the present invention is to provide a multi-level security document group setting method, and a user terminal, service terminal, system and method for file access control and key management based on it.
The technical solution adopted by the present invention to solve this problem is:
A multi-level security document group setting method is constructed, comprising the following steps:
A plurality of security levels are set for distinguishing documents of different security levels, and a plurality of non-overlapping document groups are set within each security level;
Each document group is set to comprise a root node, and a left child node and a right child node based on that root node;
The left child node is set to be the member group that can access the document group, the right child node is set to be the documents in the document group, and the root node stores the working key that the member group uses to access the documents;
The right child node of a document group at a higher security level is set to contain, besides its own documents, the document groups of the security level one level below it, and the members of a higher-level document group hold by default the working keys of the lower-level document groups.
In the multi-level security document group setting method of the present invention, each document group is identified by a number K_im, where i is the security level of the documents in the group and m is the sequence number of the group within that security level; each document group uses its own number as its root node; i and m are natural numbers.
In the multi-level security document group setting method of the present invention, each document contained in the right child node is set to comprise file content and a file trailer (end-of-file block), wherein:
The file trailer comprises a file encryption flag, a file access authority flag and a key version number;
The file access authority flag is composed of the file's security level and the information of the document group it belongs to.
In the multi-level security document group setting method of the present invention, the working key is set to comprise: a file access control authority flag, a key version number, a key control flag, key material, a random number, a soft key life cycle and a hard key life cycle;
The hard key life cycle is the key lifetime set by the computer system; the soft key life cycle is the time at which the key becomes invalid for other reasons before the hard key life cycle ends.
The present invention also provides a file access control and key management user terminal based on the foregoing multi-level security document group setting method, comprising:
A user login server authentication module, used to obtain the user ID, user key and user login time and send them to the service terminal;
A key generation and use module, used to generate working keys and to realize the handover between new and old keys by means of the soft and hard key life cycles and the key control flag;
A document management module, used to store files and to send the file protection range information corresponding to the logged-in user ID to the service terminal.
The present invention also provides a file access control and key management service terminal based on the foregoing multi-level security document group setting method, comprising:
A user authentication module, used to authenticate the user's legitimacy against the user key stored at the service end and, once a legitimate user has passed, to generate from the user key and login time a shared key for communication with the user terminal, used to transmit feedback information;
An authority configuration module, used to carry out changes of user authority and to determine user authority;
A key management module, used to carry out the distribution, update and maintenance of keys;
A document management module, used to divide files into levels and groups and to send the level and group information of the files to the key management module;
A key control module, used to determine the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end.
The present invention also provides a file access control and key management system based on the foregoing multi-level security document group setting method, comprising the foregoing user terminal and a service terminal in communication with that user terminal.
The present invention also provides a file access control and key management method based on the foregoing multi-level security document group setting method, comprising the following steps:
Obtaining the user ID, user key and user login time;
Authenticating the user's legitimacy against the user key stored at the service end and, once a legitimate user has passed, generating from the user key and login time a shared key for communication with the user terminal, used to transmit the feedback information of the service terminal;
According to the file protection range information corresponding to the logged-in user ID, dividing files into levels and groups, and carrying out the distribution, update and maintenance of keys;
Determining the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end;
Generating working keys from the distributed key material.
In the file access control and key management method of the present invention, the step of determining the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end specifically comprises the following steps:
Obtaining the user's default authority;
Filtering out the user's restricted authority;
Filtering out the keys the user does not need to use;
Determining the key material finally distributed to the user.
In the file access control and key management method of the present invention, the key update process comprises the following steps:
Checking whether the hard key life cycle of the key has expired;
If the hard key life cycle has expired, setting the key control flag of the newer version of this key, replacing the old key with it, and removing the old key;
If the hard key life cycle has not expired, checking whether the soft key life cycle has expired;
If the soft key life cycle has expired, obtaining the key identifier of the new version of this key, setting up the new key, setting the key control flag of the old version of this key, and updating the key information of the tree structure;
If the soft key life cycle has not expired, ending the check.
By using the multi-level security document group setting method, the present invention encrypts and stores files by level. A user with sufficient authority can read and write files normally, so file sharing among legitimate users is not affected while the security requirements of the files are met.
Based on the multi-level security document group setting method of the present invention, user access rights are managed in a differentiated way; together with the control of user access rights, a user's access rights can be set flexibly, giving fine-grained management of document classification. Every user entering the file protection area is authenticated and only legitimate users can enter it, which prevents unauthorized access and forbids any operation on protected files by illegitimate users. Multi-level protection management of computer files is thereby realized.
At the same time, to address the security risk of key leakage, the present invention updates keys periodically or when necessary, so that keys are used securely and the security of encrypted file protection is ensured.
Description of drawings
The invention is further described below with reference to the drawings and embodiments. In the drawings:
Fig. 1 is a structure diagram of the multi-level security document groups of a preferred embodiment of the present invention;
Fig. 2 is the key management graph of a preferred embodiment of the present invention;
Fig. 3 is a flow chart of document group key update in a preferred embodiment of the present invention;
Fig. 4 is the key control flow of a preferred embodiment of the present invention;
Fig. 5 is a schematic diagram of key distribution and user authority change in a preferred embodiment of the present invention;
Fig. 6 is a functional module structure diagram of the file access control and key management system of a preferred embodiment of the present invention;
Fig. 7 is a diagram of the information interaction between the functional modules of the file access control and key management system of a preferred embodiment of the present invention.
Embodiment
The multi-level security document group structure produced by the setting method of this embodiment of the invention is shown in Fig. 1. The embodiment comprises the following steps: a plurality of security levels are set for distinguishing documents of different security levels, and a plurality of non-overlapping document groups are set within each security level; each document group is set to comprise a root node, and a left child node and a right child node based on that root node. The left child node is set to be the member group that can access the document group, the right child node is set to be the documents in the document group, and the root node stores the working key that the member group uses to access the documents. The right child node of a document group at a higher security level is set to contain, besides its own documents, the document groups of the security level one level below it, and the members of a higher-level document group hold by default the working keys of the lower-level document groups.
In this embodiment, preferably, each document group is identified by a number K_im, where i is the security level of the documents in the group and m is the sequence number of the group within that security level; each document group uses its own number as its root node. Here i and m are natural numbers.
In this embodiment, preferably, each document contained in the right child node is set to comprise file content and a file trailer (end-of-file block). As shown in Table 1 below, the file trailer comprises a file encryption flag, a file access authority flag and a key version number. The file access authority flag is composed of the file's security level and the information of the document group it belongs to.
Table 1 file structure
[Table 1 is an image in the original publication and is not reproduced here.]
As shown in Table 2 below, the working key in the embodiments above is set to comprise: a file access control authority flag, a key version number, a key control flag, key material, a random number, a soft key life cycle and a hard key life cycle. The hard key life cycle is the key lifetime set by the computer system; the soft key life cycle is the time at which the key becomes invalid for other reasons before the hard key life cycle ends.
Table 2 key structure
[Table 2 is an image in the original publication and is not reproduced here.]
The formation of the multi-level security document group structure in the embodiment above is described in detail below with reference to Fig. 1:
Documents are first divided into several grades by security level. Here three classes P_i (1≤i≤3) are assumed, corresponding to three security levels: sensitive, confidential and top secret. Within each security level, documents can then be divided, according to the actual needs of the enterprise, into non-overlapping document groups K_im (where i shows which security level the documents belong to and m indicates which document group within that level).
Each document group has a different working key, which is used to encrypt and decrypt the files of the group. A document group generates a tree of this form: the document group ID is the root node, the left child node M is the member group that can access the document group, and the right child node D is the documents in the document group, as shown in Fig. 1. Through the root node of the document group, the members of the member group are thus associated with the files of the group; in other words, the members of the member group can operate on the files belonging to the document group by means of the document group's key.
The right child node of a document group with a higher protection level contains, besides its own documents, the document groups whose protection level is one level below it. Proceeding in this way from top to bottom, these tree-shaped document groups form a key management graph that maps members, keys and documents to one another, as shown in Fig. 2, which assumes that each document group has two members and two files.
In the key management graph of Fig. 2, consider the tree structure of a single document group. Through the relationship between layers, a member at a higher protection level holds by default the working key of its own document group and the working keys of the document groups at lower protection levels. For example, the members under K_im hold the working key of document group m in security level i, and also hold all working keys of security levels lower than i. Because the document groups do not overlap and the members that can access each document group do not overlap either, the distribution of members' working keys, the update of document group keys, and the key updates caused by members joining or leaving a member group can all be managed according to the key management graph of Fig. 2.
The present invention also provides a file access control and key management method based on the multi-level security document group setting method above, comprising the following steps:
Obtaining the user ID, user key and user login time;
Authenticating the user's legitimacy against the user key stored at the service end and, once a legitimate user has passed, generating from the user key and login time a shared key for communication with the user terminal, used to transmit the feedback information of the service terminal;
According to the file protection range information corresponding to the logged-in user ID, dividing files into levels and groups, and carrying out the distribution, update and maintenance of keys;
Determining the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end;
Generating working keys from the distributed key material.
In the embodiment above, the step of determining the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end is the key control step. Its flow chart is shown in Fig. 4 and comprises the following steps: obtaining the user's default authority; filtering out the user's restricted authority; filtering out the keys the user does not need to use; determining the key material finally distributed to the user.
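The key control flow above, applied to the key management graph, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the sample groups and the reading of "files protected at the user end" as a set of document names held on the terminal are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class DocGroup:
    level: int                                   # security level i (higher = more protected)
    seq: int                                     # sequence number m within the level
    members: set = field(default_factory=set)    # left child node M
    documents: set = field(default_factory=set)  # right child node D (own documents)

    @property
    def gid(self):
        return f"K{self.level}{self.seq}"        # root node number K_im


class KeyGraph:
    """Key management graph mapping members, working keys and documents."""

    def __init__(self, groups):
        self.groups = {}
        self._home = {}        # member   -> id of the one group it belongs to
        self._doc_group = {}   # document -> id of the one group it belongs to
        for g in groups:
            if g.gid in self.groups:
                raise ValueError(f"duplicate group {g.gid}")
            # Groups must not overlap, neither in members nor in documents.
            for items, seen, kind in ((g.members, self._home, "member"),
                                      (g.documents, self._doc_group, "document")):
                for item in items:
                    if item in seen:
                        raise ValueError(f"{kind} {item!r} is in {seen[item]} and {g.gid}")
                    seen[item] = g.gid
            self.groups[g.gid] = g

    def default_keys(self, user):
        """Own group's key plus every key of a lower security level."""
        if user not in self._home:
            return set()                         # unknown user: nothing by default
        home = self.groups[self._home[user]]
        lower = {gid for gid, g in self.groups.items() if g.level < home.level}
        return {home.gid} | lower

    def keys_to_distribute(self, user, restricted=frozenset(), terminal_docs=None):
        keys = self.default_keys(user)           # 1. obtain default authority
        keys -= set(restricted)                  # 2. filter restricted authority
        if terminal_docs is not None:            # 3. filter keys the user does not need
            needed = {self._doc_group[d] for d in terminal_docs if d in self._doc_group}
            keys &= needed
        return keys                              # 4. key material finally distributed


# Constructed sample graph: two sensitive groups, one confidential, one top secret.
SAMPLE = KeyGraph([
    DocGroup(1, 1, {"alice", "bob"}, {"d1", "d2"}),
    DocGroup(1, 2, {"carol"}, {"d3"}),
    DocGroup(2, 1, {"dave"}, {"d4"}),
    DocGroup(3, 1, {"erin"}, {"d5"}),
])

if __name__ == "__main__":
    print(sorted(SAMPLE.default_keys("dave")))
    print(sorted(SAMPLE.keys_to_distribute("erin", {"K12"}, {"d5", "d1", "d3"})))
```

Step 3 is what keeps a high-level member's terminal from holding every lower-level key at once: only keys for groups whose files are actually present on that terminal are sent.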
In the embodiment above, the flow chart of the document group key update process is shown in Fig. 3 and comprises the following steps: checking whether the hard key life cycle of the key has expired; if it has expired, setting the key control flag of the newer version of this key, replacing the old key with it, removing the old key, updating the key information of the tree structure, and ending the update; if the hard key life cycle has not expired, checking whether the soft key life cycle has expired; if the soft key life cycle has expired, obtaining the key identifier of the new version of this key, setting up the new key, setting the key control flag of the old version of this key, updating the key information of the tree structure, and ending the update; if the soft key life cycle has not expired, ending the check.
In a document group key update, the version number of the new key is set from the version number of the old key: the last bit of the old key's version number is inverted to give the new key's version number. The purpose is to distinguish the new key from the old one, and the new key can then easily be located from the old key's (file access control authority flag + key version number). The material and life cycles of the new key are then set, and the old/new key control flag of the new key is set to 11 to distinguish it from the old key, while the old/new key control flag of the old key is set to 10, indicating that old and new keys exist at the same time. In the key management graph structure, this is stored in the node information of the document group. When the server distributes keys to a user it only needs to read the key information on the relevant document group node, and when new and old keys exist at the same time, both versions are sent to the user. When the server finds that the hard life cycle of the old key has passed, it replaces the old key with the new key, that is, it removes the old key's information from the document group node and sets the old/new key control flag of the new key to 00.
When reading a file requires a key, the user's access rights are matched first. If they are legitimate, the user's working key list is searched for the identifier that matches (file access authority flag + key version number) in the file header, the content of that working key is taken out, and the file content is decrypted. After a write operation completes and the file is saved to disk, the file content must be encrypted. First, the file's old/new key control flag is used to judge whether the file's encryption key should be updated; a flag of 10 means that the file's encryption key is in the old-to-new handover stage. In that case the last bit of the key version number in the file header is inverted first, the user's working key list is then searched for the identifier that matches (file access authority flag + key version number), and that key is taken out and used to encrypt and save the file.
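The update check of Fig. 3 and the key selection on read and write can be traced with a small state model. This is an added example, not code from the patent: all names are assumptions, times are plain numbers, the cipher itself is left out, and creating the new key on the spot when a check first runs after the hard life cycle has already expired is an assumption the text does not cover.

```python
import os
from dataclasses import dataclass

# Old/new key control flag values given in the text.
FLAG_SOLE, FLAG_OLD, FLAG_NEW = "00", "10", "11"


def flip_last_bit(version):
    """New key version number = old version number with its last bit inverted."""
    return version ^ 1


@dataclass
class WorkingKey:
    authority: str      # file access control authority flag (level + group), e.g. "K21"
    version: int        # key version number
    flag: str           # old/new key control flag
    material: bytes     # key material
    soft_expiry: float  # end of the soft key life cycle
    hard_expiry: float  # end of the hard key life cycle

    @property
    def key_id(self):
        return (self.authority, self.version)


class GroupNode:
    """Root node of one document group; holds one or two key versions."""

    def __init__(self, authority, now, soft, hard):
        self.authority, self.soft, self.hard = authority, soft, hard
        first = self._make(0, FLAG_SOLE, now)
        self.keys = {first.version: first}

    def _make(self, version, flag, now):
        return WorkingKey(self.authority, version, flag, os.urandom(32),
                          now + self.soft, now + self.hard)

    def check(self, now):
        """One pass of the update check; returns what happened."""
        old = next(k for k in self.keys.values() if k.flag != FLAG_NEW)
        new_version = flip_last_bit(old.version)
        if now >= old.hard_expiry:
            # Hard life cycle over: the new key replaces the old one, flag -> 00.
            new = self.keys.get(new_version) or self._make(new_version, FLAG_NEW, now)
            new.flag = FLAG_SOLE
            self.keys = {new.version: new}
            return "replaced"
        if now >= old.soft_expiry and old.flag == FLAG_SOLE:
            # Soft life cycle over: create the new key; both versions coexist.
            old.flag = FLAG_OLD
            self.keys[new_version] = self._make(new_version, FLAG_NEW, now)
            return "rolled"
        return "unchanged"

    def distribute(self):
        """Key list sent to a user; both versions while they coexist."""
        return {k.key_id: k for k in self.keys.values()}


def key_for_read(header, keyring):
    """Find the key matching (authority flag + key version) in the file header."""
    return keyring.get((header["authority"], header["version"]))


def key_for_write(header, keyring):
    """Pick the key for saving; move the file to the new key during handover."""
    key = key_for_read(header, keyring)
    if key is None:
        raise PermissionError("no working key matches this file")
    if key.flag == FLAG_OLD:
        header = dict(header, version=flip_last_bit(header["version"]))
        key = keyring[(header["authority"], header["version"])]
    return header, key


if __name__ == "__main__":
    node = GroupNode("K21", now=0, soft=100, hard=200)   # constructed sample values
    print(node.check(120), sorted(node.distribute()))
    print(key_for_write({"authority": "K21", "version": 0}, node.distribute())[0])
    print(node.check(200), sorted(node.distribute()))
```

A file only moves to the new key when it is written during the coexistence window; a file left untouched until the old key is removed still carries the retired version number in its header and no longer matches any distributed key.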
It should be understood that the correspondence between users, keys and files described by the key management graph of the present invention (Fig. 2) is a logical relationship. Drawing it as a graph makes the management of user authority and keys more intuitive to understand and implement, but there are many other ways of representing this logical relationship, so the invention is not limited to what is shown in the drawing.
The present invention also provides a file access control and key management user terminal based on the multi-level security document group setting method above. It is in communication with the service terminal and comprises a user login server authentication module, a key generation and use module, and a document management module. The user login server authentication module is used to obtain the user ID, user key and user login time and send them to the service terminal. The key generation and use module is used to generate working keys and to realize the handover between new and old keys by means of the soft and hard key life cycles and the key control flag. The document management module is used to store files and to send the file protection range information corresponding to the logged-in user ID to the service terminal.
The present invention also provides a file access control and key management service terminal based on the multi-level security document group setting method above, comprising a user authentication module, an authority configuration module, a key management module, a document management module and a key control module. The user authentication module is used to authenticate the user's legitimacy against the user key stored at the service end and, once a legitimate user has passed, to generate from the user key and login time a shared key for communication with the user terminal, used to transmit the feedback information of the service terminal. The authority configuration module is used to carry out changes of user authority and to determine user authority. The key management module is used to carry out the distribution, update and maintenance of keys. The document management module is used to divide files into levels and groups and to send the level and group information of the files to the key management module. The key control module is used to determine the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end.
The present invention also provides a file access control and key management system based on the multi-level security document group setting method described in the embodiments above. As shown in Fig. 6, it comprises the user terminal and the service terminal of the embodiments above; the information interaction between the user terminal and the service terminal is shown in Fig. 7. The user login server authentication module of the user terminal provides the server end with information such as the user ID, user key and login time and waits for the server's feedback. The key generation and use module is mainly responsible for generating file working keys and coordinating new and old keys: file working keys are generated only when the user enters the file protection area, and when the user leaves the file protection area this module destroys all working keys, so that keys are used securely. The seamless handover between new and old keys is realized through the soft and hard key life cycles, the key control flag and so on, without the user taking part. The document management module is responsible for the range of files protected on the user terminal; the server end controls the key material it distributes according to the information this module provides on the files held at the user end.
The user authentication module of the service terminal is responsible for user login authentication. It uses the user key stored at the server end to authenticate the user's legitimacy; after a legitimate user passes authentication, this module uses the user's key and login time to generate a shared key for communication with the user terminal, used to transmit the feedback information of the server end. The authority configuration module is responsible for changes of user authority and for determining user authority. The key management module is the most important: the secure use of keys is realized by it, and it is responsible for work such as the distribution, update and maintenance of keys. The document management module is mainly responsible for dividing files into levels and groups and then passes this information to the key management module. The function of the key control module is to control which needed key material the server distributes to the user; it determines the key material distributed to the user by jointly considering the user authority configuration, the user's restricted authority and the information on the files protected at the user end.
In the system of this embodiment, as shown in Fig. 5, when keys are distributed and user authority is changed, the communication between the user terminal and the server end and the internal processing tasks each side must complete are as follows:
At the user terminal: the user logs in and authenticates, and the login time is sent to the server along with the login as a random number, while this login time T is also kept at the user end. The user uses their own login key and the login time to produce the user key, decrypts the key material returned by the server's key management/key control module, and generates the working keys of the files.
At the server end: the server determines the user's authority from the user's ID in the key management graph and, together with the key control module, determines which keys should be distributed to the user. The server uses the user's login key to generate the user key, encrypts the key material to be distributed and sends it to the user. When an employee leaves the enterprise, the keys the employee used at work must be updated: the employee's ID and the authority policy management determine which document groups' keys need updating, and the update operation is similar to a document group key update. When a new employee joins the enterprise, the employee only needs to be added to the document group they belong to. When an employee is transferred between departments of the enterprise and their authority changes, the employee's ID in the key management graph and the authority policy management determine which document groups' keys need updating.
By using the multi-level security document group setting method, the present invention encrypts and stores files by level. A user with sufficient authority can read and write files normally, so file sharing among legitimate users is not affected while the security requirements of the files are met.
Based on the multi-level security document group setting method of the present invention, user access rights are managed in a differentiated way; together with the control of user access rights, a user's access rights can be set flexibly, giving fine-grained management of document classification. Every user entering the file protection area is authenticated and only legitimate users can enter it, which prevents unauthorized access and forbids any operation on protected files by illegitimate users. Multi-level protection management of computer files is thereby realized.
At the same time, to address the security risk of key leakage, the present invention updates keys periodically or when necessary, so that keys are used securely and the security of encrypted file protection is ensured.
It should be understood that those of ordinary skill in the art can make improvements or variations in light of the above description, and all such improvements and variations fall within the scope of protection of the claims of the present invention.

Claims (10)

1. A method for setting up multilevel security file sets, characterized in that it comprises the following steps:
Setting a plurality of security levels for distinguishing files of different security levels, each security level being provided with a plurality of file sets that do not overlap one another;
Setting each file set to comprise a root node, and a left child node and a right child node based on this root node;
Wherein the left child node is set to the member set that can access the file set, the right child node is set to the files in the file set, and the root node stores the working key with which the member set accesses the files;
The right child node of a file set of a higher security level is set to comprise, in addition to its own files, the file sets whose security level is one level lower, and the members of the file set of the higher security level hold the working keys of the file sets of lower security level by default;
The working key is set to further comprise a file access control authority identifier and a key version number, and the file set is also used for key updating: the key version number of the new working key is set from the key version number of the old working key, the last bit of the old working key's key version number being inverted to obtain the key version number of the new working key, and the new key is obtained from the file access control authority identifier of the old working key and the key version number of the new working key.
2. The method for setting up multilevel security file sets according to claim 1, characterized in that each file set is identified by a number K_im, where i denotes the security level to which the files in the file set belong and m denotes the sequence number of the file set within that security level; each file set uses its own number as its root node; and i and m are natural numbers.
3. The method for setting up multilevel security file sets according to claim 1, characterized in that a file contained in the right child node is set to comprise file content and a file tail; wherein,
The file tail comprises: a file encryption identifier, a file access authority identifier, and a key version number;
The file access authority identifier consists of the file security level and the information of the file set to which the file belongs.
4. The method for setting up multilevel security file sets according to claim 1, characterized in that the working key is set to further comprise: a key control symbol, key material, a random number, a key soft life cycle and a key hard life cycle;
Wherein the key hard life cycle is the key lifetime set by the computer system, and the key soft life cycle is the key expiry time caused by other reasons before the key hard life cycle ends.
5. A file access control and key management user terminal based on the method for setting up multilevel security file sets of claim 1, characterized in that it comprises:
A user login server authentication module, configured to obtain the user ID, the user key and the user's login time, and to send them to the service terminal;
A key generation and use module, configured to generate the working key and to realize the replacement of old keys by new keys by means of the key soft and hard life cycles and the key control symbol;
A file management module, configured to store files and to send the file protection range information corresponding to the logged-in user ID to the service terminal.
6. A file access control and key management service terminal based on the method for setting up multilevel security file sets of claim 1, characterized in that it comprises:
A user authentication module, configured to authenticate the legitimacy of the user according to the user key stored at the service end and, after a legitimate user passes, to generate from the user key and the login time a shared key for communication with the user terminal, used for transmitting feedback information;
An authority configuration module, configured to carry out changes to user authority and to determine user authority;
A key management module, configured to carry out the distribution, updating and maintenance of keys;
A file management module, configured to divide files into levels and sets, and to send the level and set information of the files to the key management module;
A key control module, configured to determine the key material to be distributed to the user by jointly considering the user authority configuration, the user's restricted rights and the information on the files protected at the user side.
7. A file access control and key management system based on the method for setting up multilevel security file sets of claim 1, characterized in that it comprises the user terminal of claim 5 and the service terminal of claim 6 communicatively connected to the user terminal.
8. A file access control and key management method based on the method for setting up multilevel security file sets of claim 1, characterized in that it comprises the following steps:
Obtaining the user ID, the user key and the user's login time;
Authenticating the legitimacy of the user according to the user key stored at the service end and, after a legitimate user passes, generating from the user key and the login time a shared key for communication with the user terminal, in order to transmit the feedback information of the service terminal;
According to the file protection range information corresponding to the logged-in user ID, dividing files into levels and sets, and carrying out the distribution, updating and maintenance of keys;
Determining the key material to be distributed to the user by jointly considering the user authority configuration, the user's restricted rights and the information on the files protected at the user side;
Generating the working key from the distributed key material.
9. The file access control and key management method according to claim 8, characterized in that the step of determining the key material to be distributed to the user by jointly considering the user authority configuration, the user's restricted rights and the information on the files protected at the user side specifically comprises the following steps:
Obtaining the user's default authority;
Filtering out the user's restricted rights;
Filtering out the keys the user does not need to use;
Determining the key material finally distributed to the user.
10. The file access control and key management method according to claim 8, characterized in that the process of carrying out the key update comprises the following steps:
Checking whether the key hard life cycle of the key has expired;
If the key hard life cycle has expired, setting the key control symbol of the newer-version key of this key, replacing the old key, and removing the old key;
If the key hard life cycle has not expired, further judging whether the key soft life cycle has expired;
If the key soft life cycle has expired, obtaining the new-version key identifier of this key, setting the new key, setting the key control symbol of the old-version key of this key, and updating the key information of the tree structure;
If the key soft life cycle has not expired, ending the check.
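The following Python sketch is an added illustration, not code from the patent: it walks one file set's root node through the claim 10 lifetime check, using the claim 1 rule that the new version number is the old one with its last bit inverted. The HMAC-SHA256 derivation, the key control values, the lifetimes and all names are assumptions made for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

ACTIVE, RETIRING = "active", "retiring"   # assumed key control symbol values

@dataclass
class WorkingKey:
    access_id: str      # file access control authority identifier, e.g. "K21"
    version: int        # key version number
    nonce: bytes        # random number carried in the working key
    key: bytes
    control: str        # key control symbol
    soft_expiry: float  # end of the key soft life cycle
    hard_expiry: float  # end of the key hard life cycle

@dataclass
class RootNode:         # root node of one file set
    current: WorkingKey
    previous: Optional[WorkingKey] = None

def make_key(material, access_id, version, now, soft_ttl, hard_ttl):
    # Assumed derivation: HMAC-SHA256(key material, access id | version | nonce).
    nonce = os.urandom(16)
    msg = f"{access_id}|{version}|".encode() + nonce
    key = hmac.new(material, msg, hashlib.sha256).digest()
    return WorkingKey(access_id, version, nonce, key, ACTIVE, now + soft_ttl, now + hard_ttl)

def successor(old, material, now, soft_ttl, hard_ttl):
    # Claim 1: new version number = old version number with its last bit inverted.
    return make_key(material, old.access_id, old.version ^ 1, now, soft_ttl, hard_ttl)

def check(node, material, now, soft_ttl=100.0, hard_ttl=200.0):
    """Claim 10 lifetime check for one file set; returns the action taken."""
    if node.previous and now >= node.previous.hard_expiry:
        node.previous = None                      # retiring key reached hard expiry
    cur = node.current
    if now >= cur.hard_expiry:                    # hard expiry: replace and remove
        node.current, node.previous = successor(cur, material, now, soft_ttl, hard_ttl), None
        return "replaced"
    if now >= cur.soft_expiry:                    # soft expiry: old and new overlap
        cur.control = RETIRING
        node.previous, node.current = cur, successor(cur, material, now, soft_ttl, hard_ttl)
        return "rotated"
    return "ok"

def key_for(node, version):
    """Pick the key matching the version number stored in a file's tail."""
    for k in (node.current, node.previous):
        if k is not None and k.version == version:
            return k
    return None
```

Because the version number only alternates between two values, a root node never needs more than two keys at once, and the fresh random number keeps a reused version number from reproducing an earlier key.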
CN2010102921101A 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof Expired - Fee Related CN101938497B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102921101A CN101938497B (en) 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010102921101A CN101938497B (en) 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof

Publications (2)

Publication Number Publication Date
CN101938497A CN101938497A (en) 2011-01-05
CN101938497B true CN101938497B (en) 2013-01-30

Family

ID=43391626

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102921101A Expired - Fee Related CN101938497B (en) 2010-09-26 2010-09-26 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof

Country Status (1)

Country Link
CN (1) CN101938497B (en)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102271332B (en) * 2011-07-18 2017-09-12 中兴通讯股份有限公司 End message time slot scrambling and device
CN102938762B (en) * 2012-10-26 2015-09-09 深圳出入境检验检疫局信息中心 A kind of file safety management system based on mobile terminal
CN104517062A (en) * 2013-09-26 2015-04-15 中兴通讯股份有限公司 Method and device for sub authority document management based on document object model
CN103746798B (en) * 2013-12-12 2017-12-26 中国科学院深圳先进技术研究院 A kind of data access control method and system
CN104182503A (en) * 2014-08-18 2014-12-03 上海众恒信息产业股份有限公司 Cloud platform data access safety isolation method
CN105389364B (en) * 2015-11-06 2020-02-04 中国科学院自动化研究所 Digital cultural relic safety sharing system
CN105426776A (en) * 2015-11-13 2016-03-23 浪潮软件集团有限公司 Electronic document management device and method
CN105930742A (en) * 2016-04-18 2016-09-07 Ubiix有限公司 Enterprise archive monitoring, transmitting and retransmitting method and device and applied communication equipment
CN106603509B (en) * 2016-11-29 2020-07-07 中科曙光信息技术无锡有限公司 Enterprise document management method
CN107368749B (en) * 2017-05-16 2020-09-15 阿里巴巴集团控股有限公司 File processing method, device, equipment and computer storage medium
CN108427889A (en) * 2018-01-10 2018-08-21 链家网(北京)科技有限公司 Document handling method and device
CN110493168A (en) * 2018-07-19 2019-11-22 江苏恒宝智能系统技术有限公司 Medical curative effect based on asymmetric encryption techniques monitors sharing method
CN109284426B (en) * 2018-08-23 2021-02-19 中信天津金融科技服务有限公司 Multi-data document classification system based on permission level
CN109408464A (en) * 2018-10-10 2019-03-01 广州力挚网络科技有限公司 A kind of graded access method and apparatus
CN109614792B (en) * 2018-11-29 2022-02-08 中国电子科技集团公司第三十研究所 Hierarchical file key management method
CN109635905B (en) * 2018-12-06 2022-09-02 南京中孚信息技术有限公司 Two-dimensional code generation method, device and system
CN109743292A (en) * 2018-12-12 2019-05-10 杭州安恒信息技术股份有限公司 A kind of method and system of shared data cascade protection
CN111259435A (en) * 2020-01-09 2020-06-09 平安科技(深圳)有限公司 Contract encryption and decryption method and device and computer readable storage medium
CN111782911A (en) * 2020-07-24 2020-10-16 三一重能有限公司 Document management method and system and electronic equipment
CN111984590A (en) * 2020-09-01 2020-11-24 冠群信息技术(南京)有限公司 System and method for identifying, filing and storing paper documents
CN112214656B (en) * 2020-09-15 2022-08-19 湖南汽车工程职业学院 Scientific research document management system convenient for searching safety
CN116108423B (en) * 2023-04-12 2023-06-20 福昕鲲鹏(北京)信息科技有限公司 Rights management method and device for open format document OFD

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859086A (en) * 2005-12-31 2006-11-08 华为技术有限公司 Content grading access control system and method
CN101047978A (en) * 2006-03-27 2007-10-03 华为技术有限公司 Method for updating key in user's set
CN101442404A (en) * 2008-12-30 2009-05-27 北京中企开源信息技术有限公司 Multilevel management system and method for license
CN101605137A (en) * 2009-07-10 2009-12-16 中国科学技术大学 Safe distribution file system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7606801B2 (en) * 2005-06-07 2009-10-20 Varonis Inc. Automatic management of storage access control

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859086A (en) * 2005-12-31 2006-11-08 华为技术有限公司 Content grading access control system and method
CN101047978A (en) * 2006-03-27 2007-10-03 华为技术有限公司 Method for updating key in user's set
CN101442404A (en) * 2008-12-30 2009-05-27 北京中企开源信息技术有限公司 Multilevel management system and method for license
CN101605137A (en) * 2009-07-10 2009-12-16 中国科学技术大学 Safe distribution file system



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130130

Termination date: 20180926