CN103530570B - A kind of electronic document safety management system and method - Google Patents
- Publication number: CN103530570B
- Application number: CN201310439495.3A
- Authority: CN (China)
- Prior art keywords: file, module, encryption, document, decryption
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/106—Enforcing content protection by specific content processing
- G06F21/1063—Personalisation
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
- G06F2221/2149—Restricted operating environment
Abstract
An electronic document security management system and method, comprising a driver-layer transparent encryption/decryption module, an application-layer security control and transparent encryption/decryption module, an intelligent file and process feature recognition module, a file outgoing offline control module, a document screen watermark and print watermark control module, a security policy management module, and a key management module. The core technology of the system is driver management on the client: the driver runs in the kernel mode of the Windows operating system and serves the system's calls to the file system through the I/O manager. The system's data encryption platform takes over the file system of the entire Windows operating system and provides the file system with transparent data encryption and decryption services. By improving electronic document security precautions and introducing a transparent encryption/decryption method, the invention achieves high offline security for electronic documents together with user friendliness.
Description
[technical field]
The present invention relates to the technical field of digital content security, and specifically to an electronic document security management system and method.
[background technology]
The rapid development of modern technology has brought many fundamental changes to every aspect of social life. With the development of computer technology and office automation technology, electronic documents have emerged. An electronic document is a file or archive that is generated in digital devices and environments, stored in digital form on carriers such as magnetic tape, magnetic disk and optical disc, read and processed by digital devices such as computers, and transmissible over a communication network. The appearance of electronic documents has moved files and archives from the "tangible" toward the "intangible", bringing vigor and vitality to archival work while also posing new challenges to it. Among these, the security and confidentiality of electronic documents is a new problem facing archivists.
The management of electronic documents is an interdisciplinary subject combining computer science and archival science. Archive managers, in addition to basic knowledge such as archival expertise, must have knowledge of modern communications, computer applications, network technology and equipment maintenance. The establishment of electronic documents has broken the isolated pattern of archive offices. The related links form an organic whole on the network, so document staff must cooperate so that electronic documents are tightly controlled and managed throughout their life cycle and information is securely protected. They must also use the network as a broad information platform to draw on the latest results at home and abroad, continually practice and innovate, improve research capability, and design more reasonable, more scientific and more secure electronic archive systems.
Confidentiality and security in the use of electronic archives are very important. Once electronic files have been deposited and converted into electronic archives, they must not, without exception, be made available for public use. Their use must strictly follow the file confidentiality regulations: permission control is applied to electronic archive users and tiered retrieval and access rights are set. This prevents unauthorized access to the electronic archive system by unrelated persons and prevents leakage of and damage to information during use. At the same time, the electronic document management system should effectively track and monitor the whole process of use and automatically keep the relevant records as a basis for verifying utilization work. The system should also have strong fault tolerance, to avoid irreparable loss caused by faulty operation.
Authentication is the operation by which the communicating parties examine and confirm each other's identity before substantive data transmission; it is a line of defence against illegal intruders. Access control technology controls the permissions with which users access a computer information system. It ensures the security of classified information while making it convenient for general users to share information resources, and is another line of defence against intruders stealing classified information. Encryption technology ensures that the content of classified electronic files is not disclosed and is an important method of guaranteeing the confidentiality of electronic files. Its purpose is to disguise classified information by some digital method so that an illegal intruder cannot understand its real meaning.
In short, the security and confidentiality of electronic documents involves many factors, and places further requirements on management and technology, software and hardware, and other aspects. Archivists should continually sum up experience and lessons in working practice, so that electronic document management gradually becomes scientific, institutionalized and unified, operates in an efficient and secure environment, and serves the public.
Chinese invention patent 200910083158.9 discloses an electronic document security system and method which, by setting up an electronic document security system, achieves security verification, permission control, logging and document distribution. However, the electronic documents are not transparently encrypted and decrypted, so their content is exposed to security vulnerabilities such as copying and tampering.
Chinese invention patent 201110217836.3 discloses an electronic document security management system; Chinese invention patent 20121004114.6 discloses a secure electronic document distribution method based on a multilevel security protection mechanism; Chinese invention patent 201210411606.5 discloses an electronic document access control method based on security level identification; and Chinese invention patent 201210299203.6 discloses a multiple encryption and hierarchical management method for electronic documents. These technologies achieve security authentication, permission control and asymmetric encryption/decryption of electronic documents. However, the encryption/decryption process is not transparent: the user has to encrypt and decrypt documents manually, which is inconvenient.
Chinese invention patent 201210154777.4 discloses a fully online document separation and restoration system and method, which achieves security authentication, permission control and asymmetric encryption/decryption of electronic documents. However, the encryption/decryption process is not transparent and depends on a "separate storage area", and the security of that "separate storage area" becomes the weak link in the security of the electronic documents as a whole.
In summary, whichever of these methods the prior art adopts on its own, each has its own defects, and none satisfies both electronic document security and ease of user operation.
In view of this, the inventors studied the defects of the prior art in depth, which led to the present invention.
[summary of the invention]
The technical problem to be solved by the present invention is to provide an electronic document security management system and method that, by improving electronic document security precautions and introducing a transparent encryption/decryption method, achieves high offline security for electronic documents together with user friendliness.
The present invention is implemented as follows:
An electronic document security management system, characterized in that it comprises a driver-layer transparent encryption/decryption module, an application-layer security control and transparent encryption/decryption module, an intelligent file and process feature recognition module, a file outgoing offline control module, a document screen watermark and print watermark control module, a security policy management module, and a key management module;
The driver-layer transparent encryption/decryption module: the network-layer driver evaluates the encryption target addresses issued by policy; when the user accesses an application system, the driver judges whether to encrypt; the browser is monitored on the client, and encryption begins as soon as a file is saved-as or downloaded; files follow the strategy of encrypting only as much as is written to disk and decrypting only as much as is read from disk; when a document is submitted from the local machine and uploaded to the application system server, the client makes the judgement, monitors the upload, decrypts the file and uploads it to the server, so that the server stores plaintext;
The application-layer security control and transparent encryption/decryption module: uses Windows application programming interface (API) interception to intercept and monitor file operations; it can intercept copy, save and delete operations, and at the same time intercepts or allows different operations according to different requirements, applying security control and transparent encryption/decryption according to document security level and user permission; using dynamic DLL replacement, the system replaces and modifies low-level operating system dynamic link libraries to intercept all file read and write operations, and applies security control and transparent encryption/decryption according to document security level and user permission; using operation message interception, it applies security control and transparent encryption/decryption to operations, including save, modify, copy, cut, paste, print and screenshot, according to document security level and user permission;
The intelligent file and process feature recognition module: identifies the file type from the file content in the operating system kernel, and thereby determines whether the file is an encrypted file; adds file identity information to each encrypted file, recording file attribute information; the operating system kernel identifies controlled processes;
The file outgoing offline control module: places no restriction on the type of outgoing document and supports outgoing management for all applications; for documents with a high security level, it controls on which computers an outgoing document may be used, for how long, and how many times; for documents with a low security level, it uses only a username and password for control; editing, copying and save-as of outgoing documents are controlled, and external users can optionally be required to connect to the server for mandatory identity authentication when accessing an encrypted document, so that a user's read permission can be revoked at any time;
The document screen watermark and print watermark control module: while a document is open for browsing or editing, the system automatically adds watermark information to the screen or the printed content; the watermark information includes user information and time information, and is used to trace the person responsible for illegal diffusion when document content is illegally spread outside by photographing the opened document or by printing it;
The security policy management module: is responsible for unified management and issuing of the policies for user-accessed target addresses, document security levels, user permissions, user operation control and watermark control; the other modules apply the corresponding security control and transparent encryption/decryption according to the issued security policy;
The key management module: is responsible for life-cycle management of symmetric and asymmetric keys, covering generation, secure distribution, secure storage and secure destruction, and provides the keys needed by the encryption/decryption modules.
An electronic document security management method, comprising three steps: downloading a file, using the file offline, and uploading the file;
Downloading a file specifically comprises the following steps:
Step 101: start;
Step 102: the driver-layer transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 103: the driver layer detects that the user is accessing a controlled target and performing a download or save-as operation;
Step 104: the driver layer makes a judgement according to the security policy information, the security level of the file being operated on, and the user's permissions;
Step 105: determine whether to encrypt automatically; if yes, go to step 106; if no, go to step 107;
Step 106: call the driver-layer transparent encryption/decryption module to encrypt the downloaded file, and save the ciphertext;
Step 107: save the plaintext;
Using the file offline specifically comprises the following steps:
Step 201: start;
Step 202: the application-layer security control and transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 203: the application-layer security control and transparent encryption/decryption module uses interception or replacement techniques to monitor application-layer save, modify, copy, cut, paste, print and screenshot operations on controlled files;
Step 204: judge whether the operation is legitimate according to policy, security level, permissions and legitimate-process identification;
Step 205: determine whether it is legitimate; if yes, go to step 206; if no, go to step 212;
Step 206: determine whether the content is ciphertext; if yes, go to step 207; if no, go to step 208;
Step 207: call the application-layer security control and transparent encryption/decryption module to decrypt;
Step 208: send the decrypted plaintext content to the corresponding legitimate process to carry out the legitimate operation;
Step 209: if the operation involves screen display, apply screen watermark control; if it involves printing, apply print watermark control;
Step 210: during the operation, plaintext content in the memory cache is, when triggered, automatically encrypted by the driver-layer transparent encryption/decryption module, and is decrypted by the driver layer when a legitimate process needs to read it;
Step 211: when the file is closed or the operation completes, the application layer encrypts the file content and saves the resulting ciphertext in the corresponding ciphertext file;
Step 212: cancel the user operation;
Uploading the file specifically comprises the following steps:
Step 301: start;
Step 302: the driver-layer transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 303: the driver layer detects that the user is accessing a controlled target address and performing an upload operation;
Step 304: determine whether the content is ciphertext; if yes, go to step 305; if no, go to step 306;
Step 305: call the driver-layer transparent encryption/decryption module to decrypt the ciphertext;
Step 306: upload the plaintext to the server over a secure channel.
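The three flows above reduce to a small set of decisions, sketched here as an added example that is not part of the patent. The level names, host names, the `Policy` and `Request` types, and the rule that an upload to an uncontrolled address is passed through without decryption are assumptions; the numbers in the returned strings refer to the steps listed above.

```python
import hashlib
from dataclasses import dataclass, field

LEVELS = ["public", "internal", "secret"]   # constructed security levels, low to high
OPERATIONS = {"save", "modify", "copy", "cut", "paste", "print", "screenshot"}


def image_id(image: bytes) -> str:
    """Identify a process by the hash of its image, not by its file name."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Policy:
    clearance: dict                 # user -> highest level the user may open
    rights: dict                    # user -> set of operations the user may perform
    trusted: set                    # image_id() values of legitimate processes
    controlled_hosts: set = field(default_factory=set)


@dataclass
class Request:
    user: str
    operation: str
    level: str
    ciphertext: bool
    image: bytes                    # bytes of the requesting process image
    image_name: str = ""            # recorded for logging, never used for the decision
    on_screen: bool = True
    when: str = "2013-09-24T10:00:00"   # constructed timestamp


def is_legal(p: Policy, r: Request) -> bool:
    """Steps 204-205: policy, level, permission and legitimate-process checks."""
    if r.operation not in OPERATIONS or r.level not in LEVELS:
        return False
    cleared = p.clearance.get(r.user)
    if cleared is None or LEVELS.index(r.level) > LEVELS.index(cleared):
        return False
    if r.operation not in p.rights.get(r.user, set()):
        return False
    return image_id(r.image) in p.trusted


def offline_use(p: Policy, r: Request) -> list:
    """Steps 203-212: returns the actions taken for one intercepted operation."""
    if not is_legal(p, r):
        return ["212:cancel"]
    steps = ["207:decrypt"] if r.ciphertext else []
    steps.append("208:deliver-plaintext")
    mark = f"{r.user} {r.when}"     # watermark carries user and time information
    if r.on_screen:
        steps.append(f"209:screen-watermark[{mark}]")
    if r.operation == "print":
        steps.append(f"209:print-watermark[{mark}]")
    return steps + ["210:cache-encrypted", "211:encrypt-on-close"]


def download(p: Policy, host: str) -> str:
    """Steps 103-107, assuming every file from a controlled target is encrypted."""
    return "106:save-ciphertext" if host in p.controlled_hosts else "107:save-plaintext"


def upload(p: Policy, host: str, ciphertext: bool) -> list:
    """Steps 303-306; only a controlled target address triggers decryption."""
    if host not in p.controlled_hosts:
        return ["pass-through"]     # assumption: ciphertext leaves as ciphertext
    steps = ["305:decrypt"] if ciphertext else []
    return steps + ["306:upload-plaintext-over-secure-channel"]
```

The `pass-through` branch is the case that keeps protected content encrypted when a file is sent anywhere other than the controlled server.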
The advantages of the present invention are as follows. It provides an electronic document security policy and implementation method based on transparent encryption/decryption. The whole process of offline document use, from download through offline use to upload, is controlled: from the driver layer's automatic encryption/decryption of files and the memory cache, to the application layer's control of each kind of offline operation and its timely automatic encryption/decryption of file content. This ensures security control of offline documents at each stage of download, use and upload. Illegal operations can obtain only encrypted ciphertext, which avoids leakage of the plaintext content of protected electronic files, while legitimate operations by legitimate users obtain the plaintext through the automatic decryption process. The transparency of this process means that security control does not affect the user's operating habits or experience, which preserves the friendliness and efficiency of the security control. The invention greatly improves the offline security of electronic documents while preserving user friendliness and efficiency. Every link of electronic document security control is governed comprehensively by document security level and user permission. The transparent encryption/decryption process both improves security, avoiding the security holes of manual encryption and decryption, and improves user friendliness and operating efficiency.
[accompanying drawing explanation]
The invention is further described below in conjunction with the embodiments.
Fig. 1 is a schematic diagram of the system principle of the present invention.
Fig. 2 is a flow diagram of downloading a file in the present invention.
Fig. 3 is a flow diagram of offline file use in the present invention.
Fig. 4 is a flow diagram of uploading a file in the present invention.
[detailed description of the invention]
The present invention is an electronic document security management system and method. The core technology of the system is driver management on the client: the driver runs in the kernel mode of the Windows operating system and serves the system's calls to the file system through the I/O manager. The system's data encryption platform takes over the file system of the entire Windows operating system and provides the file system with transparent data encryption and decryption services.
When an application that needs to be controlled is running, the driver monitors that program's I/O operations. When the application writes a file, the system encrypts the data automatically and then hands it to the lower-level device driver to perform the actual disk write.
When a read is detected, the driver first identifies whether the file is an encrypted file; if it is, the data read into memory is decrypted automatically during the read. From the application's point of view, nothing appears to have happened, and none of the user's usage habits are affected.
Because only as much data is encrypted as is written and only as much is decrypted as is read, the encryption and decryption work has essentially no effect on system performance or file read/write speed.
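The "encrypt only what is written, decrypt only what is read" strategy described above depends on a cipher that can be positioned at any byte offset, and on recognising a protected file from its content. The following is an added illustration, not code from the patent: the `EDOC1` header, the `TransparentFile` class and the HMAC-SHA256 counter keystream are assumptions standing in for the driver-layer cipher and file format, which the patent does not specify.

```python
import hashlib
import hmac
import io
import os
import struct

MAGIC = b"EDOC1"                     # hypothetical marker; the patent defines no file format
BLOCK = 32                           # HMAC-SHA256 digest size, used as keystream block size
HEADER = struct.Struct(">5s16sH")    # magic, per-file nonce, length of the owner field


def keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Keystream for bytes [offset, offset+length) only; other ranges are never computed."""
    first, last = offset // BLOCK, (offset + length - 1) // BLOCK
    blocks = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range(first, last + 1)
    )
    start = offset - first * BLOCK
    return blocks[start:start + length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def is_protected(blob: bytes) -> bool:
    """Decide from file content, never from the file name or extension."""
    return len(blob) >= HEADER.size and blob[:len(MAGIC)] == MAGIC


class TransparentFile:
    """Stands in for the driver-layer filter: callers use plaintext offsets only."""

    def __init__(self, raw: io.BytesIO, key: bytes):
        self.raw, self.key = raw, key
        raw.seek(0)
        fixed = raw.read(HEADER.size)
        if not is_protected(fixed):
            raise ValueError("not a protected file")
        _, self.nonce, owner_len = HEADER.unpack(fixed)
        self.owner = raw.read(owner_len).decode("utf-8")   # file identity information
        self.data_start = HEADER.size + owner_len
        self.processed = 0           # bytes actually encrypted or decrypted

    @classmethod
    def create(cls, raw: io.BytesIO, key: bytes, owner: str) -> "TransparentFile":
        name = owner.encode("utf-8")
        raw.seek(0)
        raw.truncate()
        raw.write(HEADER.pack(MAGIC, os.urandom(16), len(name)) + name)
        return cls(raw, key)

    def size(self) -> int:
        return self.raw.seek(0, io.SEEK_END) - self.data_start

    def write(self, offset: int, data: bytes) -> None:
        if offset > self.size():
            raise ValueError("sparse write would leave an unencrypted gap")
        self.raw.seek(self.data_start + offset)
        self.raw.write(xor(data, keystream(self.key, self.nonce, offset, len(data))))
        self.processed += len(data)

    def read(self, offset: int, length: int) -> bytes:
        self.raw.seek(self.data_start + offset)
        chunk = self.raw.read(length)
        self.processed += len(chunk)
        return xor(chunk, keystream(self.key, self.nonce, offset, len(chunk)))


def demo() -> dict:
    key = bytes(range(32))           # constructed key; real keys come from key management
    disk = io.BytesIO()              # constructed stand-in for the file on disk
    doc = b"CONFIDENTIAL: Q3 grid maintenance plan. " * 50   # constructed document
    f = TransparentFile.create(disk, key, owner="alice")
    f.write(0, doc)
    f.processed = 0
    middle = f.read(1000, 16)        # decrypts 16 bytes, not the whole file
    touched = f.processed
    f.write(14, b"Q4")               # in-place edit encrypts 2 bytes
    return {
        "middle_ok": middle == doc[1000:1016],
        "touched": touched,
        "edited": f.read(0, 20),
        "leak": b"CONFIDENTIAL" in disk.getvalue(),
        "detected": is_protected(disk.getvalue()),
        "wrong_key": TransparentFile(disk, b"\x00" * 32).read(0, 12),
    }
```

Overwriting a range, as `write(14, ...)` does, reuses the keystream at that offset, and nothing here detects ciphertext tampering. Designs built on this strategy normally use a sector-tweaked mode such as AES-XTS or authenticated per-chunk encryption instead.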
The system of the present invention consists of a driver-layer transparent encryption/decryption module, an application-layer security control and transparent encryption/decryption module, an intelligent file and process feature recognition module, a file outgoing offline control module, a document screen watermark and print watermark control module, a security policy management module, and a key management module, as shown in Fig. 1. Each module is described in detail below:
1. Driver-layer transparent encryption/decryption module:
Transparent encryption/decryption of document data encrypts the file itself, which effectively protects the file in storage, transmission, use and other links. Driver-layer encryption is used, with the application system as the basis for identification: the network-layer driver evaluates the encryption target addresses issued by policy; when a user accesses an application system, the driver makes the judgement and loads the encryption module; the browser is monitored on the client, and encryption begins as soon as a file is saved-as or downloaded, which effectively protects files as they land on disk. On top of transparent encryption/decryption, the system encrypts only as much of a file as is written to disk and decrypts only as much as is read from disk. A file does not have to be fully decrypted before it can be operated on, which reduces system resource usage, preserves user efficiency in the collaborative office system, improves encryption/decryption performance and file read/write speed, and minimizes any perceptible change in using documents from the original application system.
When a document is submitted from the local machine and uploaded to the application system server, the client makes the judgement, monitors the upload, decrypts the file and uploads it to the server, so that the server stores plaintext. Application functions such as full-text search and data backup are therefore unaffected, which preserves the reliability of the system.
2. Application-layer security control and transparent encryption/decryption module:
Windows application programming interface (API) interception is used to intercept and monitor file operations. Copy, save, delete and similar operations can be intercepted, and different operations must also be intercepted or allowed according to different requirements, with security control and transparent encryption/decryption applied according to document security level and user permission.
Using dynamic DLL replacement, the system replaces and modifies low-level operating system dynamic link libraries in order to intercept all file read and write operations, and applies security control and transparent encryption/decryption according to document security level and user permission.
Using operation message interception, security control and transparent encryption/decryption are applied to operations (save, modify, copy, cut, paste, print, screenshot, etc.) according to document security level and user permission.
3. Key management module:
The purpose of an information security system is to ensure that the data in the system can be accessed only by authorized people, while unauthorized people cannot access it. Protecting data is not only about keeping it correct and long-lived; more importantly, people who should not see the data must be unable to see it. In this process, both user identity authentication and information content encryption require encryption algorithms.
To solve the problems of transmitting information in the open and of key management, and to allow communicating parties on an insecure medium to exchange information and securely agree on a key, an asymmetric encryption algorithm requires two keys: a public key and a private key. The public key and the private key form a pair: if data is encrypted with the public key, only the corresponding private key can decrypt it; if data is encrypted with the private key, only the corresponding public key can decrypt it. Because encryption and decryption use two different keys, this kind of algorithm is called an asymmetric encryption algorithm, and it is used for user identity authentication. An algorithm that uses the same key for encryption and decryption is called a symmetric encryption algorithm, and it is used to encrypt information content.
The receiving party holds its own private key, so even if others intercept the encrypted session during file access, they cannot decrypt it; this guarantees the security of the session key and therefore of the transmitted file. Two encryption/decryption processes take place during document transmission: encryption/decryption of the file itself, and encryption/decryption of the session key. These are implemented with symmetric and asymmetric encryption/decryption respectively. The archive encryption protection in this project uses encryption algorithms approved by the state cryptography administration office, meeting the security requirements of the state and of State Grid Corporation of China.
The key management module is responsible for life-cycle management of symmetric and asymmetric keys, including generation, secure distribution, secure storage and secure destruction, and provides the keys needed by the encryption/decryption modules.
4. Intelligent file and process feature recognition module:
The file type is identified in the operating system kernel from the file content rather than the file extension, and this determines whether the file is an encrypted file. File identity information is added to each encrypted file, recording file attribute information such as the owner and creation date. The operating system kernel identifies controlled processes without relying only on the application name, so a process is correctly identified however its application name is modified.
5. File outgoing offline control module:
The type of outgoing document is not restricted, and outgoing management is supported for all applications. For documents with a high security level, the module can control on which computer an outgoing document may be used, for how long, and how many times; documents with a low security level can be controlled by username and password only. Editing, copying and save-as of outgoing documents are controlled, and enforcing these controls does not affect normal use of the client's own files. Optionally, external users can be required to connect to the server for mandatory identity authentication when accessing an encrypted document, so that a user's read permission can be revoked at any time.
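One way to express the outgoing-document checks described for this module, as an added example that is not code from the patent. The class and field names, the "high"/"low" labels and the `server_grant` parameter are assumptions, as is checking credentials at both levels.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

@dataclass(frozen=True)
class OutgoingPolicy:
    level: str                             # "high" or "low" (labels assumed)
    username: str
    salt: bytes
    password_hash: bytes
    machines: frozenset = frozenset()      # high only: machine IDs allowed to open
    expires_at: Optional[datetime] = None  # high only: end of the usage period
    max_opens: int = 0                     # high only: permitted number of opens
    require_online: bool = False           # force authentication against the server

@dataclass
class LocalState:
    opens: int = 0                         # successful opens on this machine

def authorize_open(policy, state, machine_id, now, username, password,
                   server_grant=None):
    """Return (allowed, reason). server_grant is the server's answer:
    True = still permitted, False = revoked, None = server unreachable."""
    if policy.require_online:
        if server_grant is None:
            return False, "server authentication required"
        if server_grant is False:
            return False, "read permission revoked"
    # Assumption: credentials are checked at both levels; the page only says
    # that low-level documents are controlled by username and password alone.
    supplied = hash_password(password, policy.salt)
    if username != policy.username or not hmac.compare_digest(
            supplied, policy.password_hash):
        return False, "bad credentials"
    if policy.level == "high":
        if machine_id not in policy.machines:
            return False, "machine not authorized"
        if policy.expires_at is None or now >= policy.expires_at:
            return False, "usage period expired"
        if state.opens >= policy.max_opens:
            return False, "open count exhausted"
    state.opens += 1                       # count only successful opens
    return True, "ok"

def make_policy(level, username, password, **limits):
    """Build a policy with a fresh random salt for the password hash."""
    salt = os.urandom(16)
    return OutgoingPolicy(level, username, salt,
                          hash_password(password, salt), **limits)

if __name__ == "__main__":
    # Constructed sample: one authorized machine, two opens, one-week window.
    policy = make_policy("high", "partner", "s3cret",
                         machines=frozenset({"PC-01"}),
                         expires_at=datetime(2013, 10, 1), max_opens=2)
    state = LocalState()
    now = datetime(2013, 9, 24, 12, 0)
    for machine in ("PC-01", "PC-02", "PC-01", "PC-01"):
        print(machine, authorize_open(policy, state, machine, now,
                                      "partner", "s3cret"))
```

The open counter and the clock live on the recipient's machine, so in practice they need tamper protection or the server-side check.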
6. Document screen watermark and print watermark control module:
While a document is open for browsing or editing, the system automatically adds watermark information to the screen or to printed content. The watermark information includes user information, time information and so on. If a user photographs the screen or prints the document after opening it and the content is illegally spread outside, the watermark serves as the basis for tracing the person responsible.
7. Security policy management module:
The security policy management module centrally manages and issues security policies such as the target addresses users access, document security levels, user rights, user operation controls and watermark control policies. The other modules carry out the corresponding security control and transparent encryption/decryption according to the issued security policy.
The usage flow is described in detail below:
Offline security control of electronic documents is divided into several stages: file download, offline file use, file upload and file outgoing. The system enforces security control at every stage so that no security risk is left behind. The outgoing stage is optional and relatively independent of the other stages; a system may omit it, so it is not described further.
When an electronic file is downloaded from the server to the client, the driver layer encrypts it automatically during the download, so what the user obtains directly is only ciphertext. This process is transparent to the user and mandatory.
In the offline-use stage, the ciphertext is decrypted automatically only for a legitimate user working through this system. If the file is copied elsewhere outside this system, if the user lacks sufficient rights, or if a user who has rights to view and modify the file copies the plaintext content and pastes it elsewhere without authorization, the plaintext content cannot be seen. This is enforced by double protection: application-layer security control with automatic encryption/decryption, and automatic encryption/decryption in the driver layer. Files handled by a legitimate process of a legitimate user are decrypted automatically by this system, and the legitimate user is not aware that automatic encryption/decryption is taking place; that is, automatic encryption/decryption and security control are transparent to legitimate users. During offline use, if the security policy enables watermark control, watermark content is added on the display and on printed pages. The watermark content includes user identity information, so it serves as a clue and as evidence for tracing the leaker when a printed paper document or a screenshot is leaked.
In the upload stage, the electronic file is decrypted automatically after driver-layer security verification and uploaded to the server. This is likewise transparent to legitimate users, and the operation is identical to an ordinary upload.
See Fig. 2 to Fig. 4 for the detailed flow.
Downloading a file specifically includes the following steps:
Step 101: start;
Step 102: the driver-layer transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 103: the driver layer detects that the user is accessing a controlled target and performing a download or save-as operation;
Step 104: the driver layer makes a judgment based on the security policy information, the security level of the file being operated on, and the user's rights;
Step 105: determine whether to encrypt automatically; if yes, go to step 106; if no, go to step 107;
Step 106: call the driver-layer transparent encryption/decryption module to encrypt the downloaded file, and save the ciphertext;
Step 107: save the plaintext;
File off-line uses, and specifically includes following steps:
Step 201: start;
Step 202: application layer security controls and transparent encryption/decryption module initializes, from security policy manager
Module acquisition strategy, obtains key from key management module;
Step 203: application layer security controls and transparent encryption/decryption module is by intercepting or replacement technology monitoring
Application layer to the preservation of controlled file, revise, replicate, clip and paste, paste, print, screenshotss operation;
Step 204: judge whether valid operation according to strategy, level of confidentiality, authority, legitimate processes identification;
Step 205: it is legal to determine whether, is, proceeds to step 206, no, proceeds to step 212;
Step 206: determine whether ciphertext, is to proceed to step 207, no, proceeds to step 208;
Step 207: call application layer security control and the deciphering of transparent encryption/decryption module;
Step 208: after deciphering, clear content send corresponding legitimate processes to carry out valid operation;
Step 209: operating process has screen to show, carries out screen watermark control, has printing then to carry out beating
Print watermark controls;
Step 210: in operating process, by triggering, the clear content in memory cache drives that layer is transparent adds
Deciphering module is encrypted automatically, by driving layer to decipher when legitimate processes need to read;
Step 211: when pass closed file or operation complete, by application layer encryption file content, after encrypting
Ciphertext content be saved in correspondence cryptograph files in;
Step 212: cancel user operation;
Uploading a file specifically includes the following steps:
Step 301: start;
Step 302: the driver-layer transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 303: the driver layer detects that the user is accessing a controlled target address and performing an upload operation;
Step 304: determine whether the content is ciphertext; if yes, go to step 305; if no, go to step 306;
Step 305: call the driver-layer transparent encryption/decryption module to decrypt the ciphertext;
Step 306: upload the plaintext to the server over a secure channel.
The present invention provides an electronic document security policy and implementation method based on transparent encryption/decryption technology. It controls the whole process of an offline document, from download through offline use to upload: automatic encryption/decryption of files at the driver layer, control of every kind of operation at the application layer, and timely automatic encryption/decryption of memory-cache content during offline use. This ensures security control of offline documents at each of the download, use and upload stages. An illegal operation can obtain only encrypted ciphertext, which prevents leakage of the plaintext content of protected electronic files, while the legitimate operations of legitimate users obtain the plaintext through automatic decryption. Because the process is transparent, security control does not affect users' operating habits or experience, which preserves the friendliness and efficiency of the security control. The invention can greatly improve the offline security of electronic documents while keeping the system friendly and efficient to use. Every link in electronic document security control is governed comprehensively by document security level and user rights. Transparent encryption/decryption both improves security, avoiding the security holes of manual encryption and decryption, and improves user-friendliness and operating efficiency.
Claims (2)
1. An electronic document security management system, characterized in that it comprises a driver-layer transparent encryption/decryption module, an application-layer security control and transparent encryption/decryption module, an intelligent file and process feature recognition module, a file outgoing offline control module, a document screen watermark and print watermark control module, a security policy management module, and a key management module;
The driver-layer transparent encryption/decryption module: the network-layer driver determines the target addresses for encryption issued by the policy; when the user accesses an application system, the driver judges whether to encrypt; the browser is monitored on the client, and encryption starts as soon as a file is saved-as or downloaded; files follow an encryption/decryption policy of encrypting exactly as much as is written to disk and decrypting exactly as much as is read from disk; when a document is submitted from the local machine for upload to the application system server, the client makes the judgment, decrypts the file and monitors its upload to the server, ensuring that the server stores plaintext;
The application-layer security control and transparent encryption/decryption module: uses Windows application programming interface (API) interception technology to intercept and monitor file operations, and can intercept copy, save and delete operations, intercepting or letting through different operations according to different requirements, while applying security control and transparent encryption/decryption according to document security level and user rights; uses dynamic DLL replacement, in which the system intercepts all file read and write operations by replacing and modifying low-level operating system dynamic link libraries, and applies security control and transparent encryption/decryption according to document security level and user rights; and uses operation information interception technology to apply security control and transparent encryption/decryption, according to document security level and user rights, to operations including save, modify, copy, cut, paste, print and screenshot;
The intelligent file and process feature recognition module: identifies the file type in the operating system kernel from the file content, and from that determines whether the file is an encrypted file; adds file identity information to every encrypted file, recording file attribute information; and has the operating system kernel identify controlled processes;
The file outgoing offline control module: does not restrict the type of outgoing document and supports outgoing management for all applications; for documents with a high security level, controls on which computer an outgoing document may be used, for how long, and how many times; for documents with a low security level, uses only username and password for control; controls editing, copying and save-as of outgoing documents; and can optionally require external users to connect to the server for mandatory identity authentication when accessing an encrypted document, so that a user's read permission can be revoked at any time;
The document screen watermark and print watermark control module: while a document is open for browsing or editing, the system automatically adds watermark information to the screen or to printed content; the watermark information includes user information and time information, and serves as the basis for tracing the person responsible when content is illegally spread outside;
The security policy management module: centrally manages and issues the target addresses users access, document security levels, user rights, user operation controls and watermark control policies; the other modules carry out the corresponding security control and transparent encryption/decryption according to the issued security policy;
The key management module: is responsible for lifecycle management of symmetric and asymmetric keys, namely generation, secure distribution, secure storage and secure destruction, and provides the keys required by the encryption/decryption modules.
2. An electronic document security management method, characterized in that it comprises three steps: downloading a file, offline use of the file, and uploading a file;
Downloading a file specifically includes the following steps:
Step 101: start;
Step 102: the driver-layer transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 103: the driver layer detects that the user is accessing a controlled target and performing a download or save-as operation;
Step 104: the driver layer makes a judgment based on the security policy information, the security level of the file being operated on, and the user's rights;
Step 105: determine whether to encrypt automatically; if yes, go to step 106; if no, go to step 107;
Step 106: call the driver-layer transparent encryption/decryption module to encrypt the downloaded file, and save the ciphertext;
Step 107: save the plaintext;
Offline use of the file specifically includes the following steps:
Step 201: start;
Step 202: the application-layer security control and transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 203: the application-layer security control and transparent encryption/decryption module uses interception or replacement technology to monitor application-layer save, modify, copy, cut, paste, print and screenshot operations on controlled files;
Step 204: judge whether the operation is legitimate according to the security policy information, the security level of the file being operated on, the user's rights and legitimate-process identification;
Step 205: determine whether the operation is legitimate; if yes, go to step 206; if no, go to step 212;
Step 206: determine whether the content is ciphertext; if yes, go to step 207; if no, go to step 208;
Step 207: call the application-layer security control and transparent encryption/decryption module to decrypt;
Step 208: after decryption, pass the plaintext content to the corresponding legitimate process to carry out the legitimate operation;
Step 209: if the operation involves screen display, apply screen watermark control; if it involves printing, apply print watermark control;
Step 210: during the operation, plaintext content in the memory cache is automatically encrypted, when triggered, by the driver-layer transparent encryption/decryption module, and is decrypted by the driver layer when a legitimate process needs to read it;
Step 211: when the file is closed or the operation completes, the application layer encrypts the file content and saves the encrypted content to the corresponding ciphertext file;
Step 212: cancel the user operation;
Uploading a file specifically includes the following steps:
Step 301: start;
Step 302: the driver-layer transparent encryption/decryption module initializes, obtaining the policy from the security policy management module and the key from the key management module;
Step 303: the driver layer detects that the user is accessing a controlled target address and performing an upload operation;
Step 304: determine whether the content is ciphertext; if yes, go to step 305; if no, go to step 306;
Step 305: call the driver-layer transparent encryption/decryption module to decrypt the ciphertext;
Step 306: upload the plaintext to the server over a secure channel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310439495.3A CN103530570B (en) | 2013-09-24 | 2013-09-24 | A kind of electronic document safety management system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103530570A (en) | 2014-01-22 |
CN103530570B (en) | 2016-08-17 |
Family
ID=49932572
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310439495.3A Active CN103530570B (en) | 2013-09-24 | 2013-09-24 | A kind of electronic document safety management system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103530570B (en) |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
CB03 | Change of inventor or designer information | Inventor after: Ni Shilong, Su Jiangwen, Chen Qian, Yan Lifei. Inventor before: Ni Shilong, Su Jiangwen, You Pengnan |
COR | Change of bibliographic data | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |