Background technology
In recent years, with the development and spread of networks, the Internet and local area networks (LAN) have gradually become the main tools of office automation. File transfer over the network is undoubtedly people's primary demand on a network. So-called network file transfer means that files are transmitted between computers over the Internet or a LAN according to certain rules, for example exchanged between client and client, between client and server, or between server and server, in order to share resources.
At present many enterprises, especially group enterprises, are growing in scale and have established branch companies all over the world. To allow file transfer or resource sharing between headquarters and a branch company, or between branch companies, most have set up a LAN inside each branch. To achieve high-speed, high-capacity and highly secure data transfer, most use dedicated-line access, that is, the respective LANs are interconnected over dedicated circuits. Dedicated-line access offers high transmission speed, stable connectivity and encrypted data transmission, and the services it supports include Enterprise Resource Planning (ERP), office automation (OA) data interconnection, and the copying of ERP or OA files.
In existing networks, the exchange between client and client, between client and server or between server and server that realizes resource sharing is based on the default sharing technology of Windows and uses TCP/IP network transmission to share resources. In practice, however, file sharing usually requires the operator to have a certain level of computer knowledge and skill, and during file sharing the movement and event trail of internally shared files cannot be recorded; the sharing and secure transmission of files therefore carry a hidden safety risk and increase management cost.
Therefore, how to provide an effective management means that solves the above problems in the prior art has become an urgent problem for practitioners in the art.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a file security sharing system, a file security sharing server and a client, to solve the problems of hidden safety risks and increased management cost in the prior art.
To achieve the above and other related objects, the invention provides a file security sharing server applied in a network architecture including multiple clients. The file security sharing server at least comprises: an initialization module, which during initialization generates a server ID and the files that clients are permitted to access; a monitoring module, connected to the initialization module, for monitoring information from each client; a log management module, connected to the monitoring module, for recording the operations and the operation log of the server; a client management module, connected to the monitoring module, which after receiving information from a client groups the clients so that clients in the same group can access one another; a statistics management module, connected to the client management module, for compiling the operation records of shared files on each client; and a policy distribution module, connected to the client management module, which encrypts the groups allocated by the client management module to generate a server key, at the same time generates the policy for remote control of the read/write of shared files and of the number of operations, and distributes this policy and the server key to each client.
The file security sharing server of the present invention may further comprise a network management module, connected to the client management module, which after receiving information from a client extracts the client's IP information and MAC address information in order to set the IP of each client remotely.
The file security sharing server of the present invention may further comprise an access management module, connected to the network management module, which according to the IP set by the network management module makes clients mutually accessible or mutually isolated.
The file security sharing server of the present invention may further comprise a sharing management module, connected to the log management module, which remotely controls the opening or closing of each client's share.
In the file security sharing server of the present invention, the information from each client monitored by the monitoring module comprises the client's machine number information, IP address information and MAC address information.
In the file security sharing server of the present invention, the operation record of a shared file comprises at least one of the number of times opened, created-file information and deleted-file information.
The present invention also provides a file security sharing client, applied in a network architecture including a server and connected to at least one other client in the same group in that network architecture. The file security sharing client at least comprises: a sharing acquisition module, which traverses the shared space of the server or of clients in the same group and, when shared files are pre-stored in that shared space, monitors them; a sharing control module, connected to the sharing acquisition module, for selecting monitored shared files; a key initialization module, connected to the sharing control module, which generates a symmetric key according to the client's machine number and user number; a file encryption module, connected to the sharing control module, which encrypts the selected shared files with the symmetric key; a key management module, connected to the key initialization module, which pairs the symmetric key generated by the key initialization module with the machine number and user number and generates association information; a key acquisition module, connected to the key management module, which requests file management according to the association information; a policy acquisition module, connected to the server, which obtains the policy issued by the server for remote control of the read/write of shared files and of the number of operations, together with the server key; a document management module, connected to the key acquisition module, the file sharing module and the policy acquisition module, which according to the association information compares the policy and server key issued by the server with the symmetric key generated by the key initialization module and, when the comparison passes, requests decryption of the shared file; a decryption module, connected to the document management module, which provides read/write operation of the shared file after receiving the decryption request from the document management module; and a logging module, connected to the decryption module, which records the operation records of the decryption module and uploads them to the server.
In the file security sharing client of the present invention, the shared files encrypted by the file encryption module comprise shared files in the server's shared space and shared files in the shared space of clients in the same group.
The present invention further provides a file security sharing system comprising the above file security sharing server and file security sharing client.
As described above, the file security sharing system, file security sharing server and client of the present invention do not require the operator to have particular computer knowledge or skill, and during file sharing the movement and event trail of internally shared files can be recorded. This strengthens the secure transmission and sharing of files and their security management, so that internally shared files can be managed effectively and protected against theft.
Embodiment
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other, different embodiments, and the details in this specification may be modified or changed in various ways from different viewpoints and applications without departing from the spirit of the present invention.
Refer to Fig. 1. It should be noted that the drawing provided in this embodiment illustrates the basic concept of the present invention only schematically: it shows only the components relevant to the present invention, not the number, shape and size of the components in an actual implementation. In actual implementation the form, quantity and proportion of each component may vary arbitrarily, and the component layout may be more complex.
Referring to Fig. 1, the invention provides a file security sharing system composed of a file security sharing server 1 and multiple file security sharing clients 3. The multiple file security sharing clients 3 in the network architecture may be placed in the same group or in different groups. The file security sharing server 1 at least comprises: an initialization module 10, a monitoring module 11, a log management module 12, a client management module 13, a statistics management module 14, a policy distribution module 15, a network management module 16, an access management module 17 and a sharing management module 18.
The initialization module 10 generates a server ID and the files that clients are permitted to access during initialization; that is, authorization initialization consists mainly of the server ID generated when the server is installed, together with the shared files added for client access, after which the server can operate.
The monitoring module 11 is connected to the initialization module 10 and monitors information from each client; the information from each client monitored by the monitoring module 11 comprises the client's machine number information, IP address information and MAC address information.
The log management module 12 is connected to the monitoring module 11 and records the operations and the operation log of the server; the log management module 12 also manages the log of server operations and the server operation log.
The client management module 13 is connected to the monitoring module 11 and, after receiving information from a client, groups the clients so that clients in the same group can access one another; specifically, the client management module 13 groups clients according to the machine number information, IP address information or MAC address information monitored by the monitoring module 11.
The statistics management module 14 is connected to the client management module 13 and compiles the operation records of shared files on each client. In this embodiment the operation record of a shared file comprises one or more of the number of times opened, created-file information and deleted-file information. In actual implementation the statistics management module 14 is connected to the logging module of the file security sharing client 3 and receives the operation records uploaded by that logging module.
The policy distribution module 15 is connected to the client management module 13; it encrypts the groups allocated by the client management module 13 to generate a server key, at the same time generates the policy for remote control of the read/write of shared files and of the number of operations, and distributes this policy and the server key to each client.
The network management module 16 is connected to the client management module 13 and, after receiving information from a client, extracts the client's IP information and MAC address information in order to set each client's IP remotely; that is, it monitors the IP information and MAC address information sent from the client and can change the client's IP remotely, so as to manage the network of each client.
The access management module 17 is connected to the network management module 16 and, according to the IP set by the network management module 16, makes clients mutually accessible or mutually isolated.
The sharing management module 18 is connected to the log management module 12 and remotely controls the opening or closing of each client's share.
The file security sharing client 3 at least comprises: a sharing acquisition module 30, a sharing control module 31, a key initialization module 32, a file encryption module 33, a key management module 34, a key acquisition module 35, a document management module 36, a policy acquisition module 37, a decryption module 38 and a logging module 39.
The sharing acquisition module 30 traverses the shared space of the server or of clients in the same group and, when shared files are pre-stored in that shared space, monitors them; that is, it traverses the computer's shares and watches whether a share is created.
The sharing control module 31 is connected to the sharing acquisition module 30 and selects the monitored shared files; that is, it controls the shared files, which a remote computer can access and read and write normally only with permission.
The key initialization module 32 is connected to the sharing control module 31 and generates a symmetric key, an AES (Advanced Encryption Standard, the advanced encryption standard in cryptography) key, according to the client's machine number and user number.
The file encryption module 33 is connected to the sharing control module 31 and encrypts the selected shared files with the symmetric key; in this embodiment the shared files encrypted by the file encryption module 33 comprise shared files in the server's shared space and shared files in the shared space of clients in the same group.
The key management module 34 is connected to the key initialization module 32; it pairs the symmetric key generated by the key initialization module 32 with the machine number and user number and generates association information.
The key acquisition module 35 is connected to the key management module 34 and requests file management according to the association information.
The policy acquisition module 37 is connected to the server and obtains the policy issued by the server for remote control of the read/write of shared files and of the number of operations, together with the server key.
The document management module 36 is connected to the key acquisition module 35, the file sharing module and the policy acquisition module 37; according to the association information it compares the policy and server key issued by the server with the symmetric key generated by the key initialization module 32 and, when the comparison passes, requests decryption of the shared file.
The decryption module 38 is connected to the document management module 36 and provides read/write operation of the shared file after receiving the decryption request from the document management module 36. The logging module 39 is connected to the decryption module 38, records the operation records of the decryption module 38 and uploads them to the server.
In summary, after client initialization is complete, a resident program (TSR) is started which checks whether an unhooking test is to be performed, then traverses all of the machine's share directories, monitors them, and encrypts them symmetrically using the machine number and the machine's user name. Through key replacement (key management) and policy comparison, read/write operations on shared files are performed and recorded, and the logging module saves the records to the server in real time, providing data to the server's statistics management module 14. File management decides whether sharing is safe by comparing against the server's policy; it resides in memory and accepts the policy information from the server.
The file security sharing system provided by the invention mainly solves the problem that files copied between intranet computers leave no record of file movement and events. With the management system designed in this patent, internally shared files can be managed effectively without a large document management effort and without much computer knowledge. Its main implementation steps are as follows:
First, the server is initialized: it authorizes this computer according to the machine's ID and provides the server's monitoring function. Second, the client is installed internally; the client generates a user name and machine number for each computer and sends them to the server, detects internally shared files, reports them to the server together, and encrypts the files. Then, as long as the server's policy places users in the same group and allows mutual access, a client computer accesses other computers equipped with the client just as it normally would; the user name and machine number generated automatically by the client can of course also be changed on the server before authentication and access. Finally, the server's log function is used to check each person's operation records and the open status of the files shared by the client computers.
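The client-side flow described above (key initialization from machine number and user number, the key management association record, the document management module's comparison against the server-issued read/write and operation-count policy before a decryption request, and the logging module's operation records) is modelled in the following Go program. This is an added example, not code from the patent or any product of its applicant. The patent specifies none of the implementation details, so the HMAC-SHA256 derivation keyed with the server key, AES-256-GCM as the file cipher, the `Policy`, `ClientKey` and `LogEntry` layouts, the `FileManager` type and all sample values are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Policy is the server-issued strategy for a client group (layout assumed; the patent
// names read/write control and an operation count but not their encoding).
type Policy struct {
	Group             string
	CanRead, CanWrite bool
	MaxOps            int
}

// ClientKey is the key-management association record: the symmetric key paired with
// the machine number and user number it was generated from.
type ClientKey struct {
	MachineNo, UserNo string
	Key               []byte // 32 bytes, used as the AES-256 key
}

// DeriveClientKey generates the client key from machine number and user number. Keying
// HMAC-SHA256 with the server key is this example's assumption; the patent says only
// that the key is generated "according to" those two values.
func DeriveClientKey(serverKey []byte, machineNo, userNo string) ClientKey {
	mac := hmac.New(sha256.New, serverKey)
	mac.Write([]byte(machineNo + "\x00" + userNo)) // NUL keeps the pair unambiguous
	return ClientKey{MachineNo: machineNo, UserNo: userNo, Key: mac.Sum(nil)}
}

// newGCM builds the AES-GCM AEAD used for shared-file encryption (mode assumed).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptShared seals a shared file; the random nonce is prepended to the ciphertext.
func EncryptShared(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptShared reverses EncryptShared; a wrong key or a modified file fails the tag check.
func DecryptShared(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// LogEntry is one operation record of the kind the logging module uploads to the server.
type LogEntry struct {
	MachineNo, UserNo, File, Op string
	Allowed                     bool
}

// FileManager plays the document-management role: it checks the requested operation
// against the server policy, enforces the quota, logs every attempt, then decrypts.
type FileManager struct {
	Client ClientKey
	Policy Policy
	ops    int
	Log    []LogEntry
}

// Open requests a read (write=false) or write (write=true) of an encrypted shared file.
func (fm *FileManager) Open(file string, blob []byte, write bool) ([]byte, error) {
	op, allowed := "read", fm.Policy.CanRead
	if write {
		op, allowed = "write", fm.Policy.CanWrite
	}
	if fm.ops >= fm.Policy.MaxOps {
		allowed = false // operation quota from the policy is exhausted
	}
	fm.Log = append(fm.Log, LogEntry{fm.Client.MachineNo, fm.Client.UserNo, file, op, allowed})
	if !allowed {
		return nil, fmt.Errorf("%s of %s refused by policy", op, file)
	}
	fm.ops++
	return DecryptShared(fm.Client.Key, blob)
}
```

With a read-only policy of two operations, a `FileManager` decrypts the file twice, refuses a write and refuses the third read, and every attempt, refused or not, lands in `Log` ready for upload to the statistics management module; a file encrypted for one machine number cannot be opened with the key derived for another, which is what ties the ciphertext to the association record.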
In sum, the file security sharing system, file security sharing server and client of the present invention do not require the operator to have particular computer knowledge or skill, and during file sharing the movement and event trail of internally shared files can be recorded. This strengthens the secure transmission and sharing of files and their security management, so that internally shared files can be managed effectively and protected against theft. The present invention therefore effectively overcomes the various shortcomings of the prior art and has high industrial utility.
The above embodiments merely illustrate the principle of the present invention and its effects and are not intended to limit the present invention. Any person skilled in the art may modify or change the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or changes made by those with ordinary knowledge in the art without departing from the spirit and technical idea disclosed by the present invention shall be covered by the claims of the present invention.