CN104318174A - Document protecting method, document protecting devices and document protecting system - Google Patents
Document protecting method, document protecting devices and document protecting system Download PDFInfo
- Publication number
- CN104318174A CN104318174A CN201410589445.8A CN201410589445A CN104318174A CN 104318174 A CN104318174 A CN 104318174A CN 201410589445 A CN201410589445 A CN 201410589445A CN 104318174 A CN104318174 A CN 104318174A
- Authority
- CN
- China
- Prior art keywords
- document
- equipment
- heartbeat
- document protection
- content
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a document protecting method, document protecting devices and a document protecting system. Each document protecting device comprises a secret key import device, a state verifier and a document controller. Each secret key import device is applicable to importing user authority information into the corresponding state verifier, the user authority information is exported from a document protecting server and contains user identification and relevant valid time ranges, and resident computing devices in the document protecting devices with the user identification are allowed not to be in heartbeat connection with the document protecting server within the valid time ranges; each state verifier is applicable to determining whether contents of documents in the corresponding computing device are allowed to be decrypted or not according to whether the current time is within the corresponding valid time ranges of the document protecting device or not; each document controller is applicable to invoking the corresponding state verifier to determine whether the read contents of the documents are allowed to be decrypted or not when the contents of the documents are read by monitored applications. The document protecting method, the document protecting devices and the document protecting system have the advantage that document encryption and decryption operation can be normally carried out on document protecting clients which temporarily lose contact with the document protecting server.
Description
Technical field
The present invention relates to computing machine and internet arena, be specifically related to a kind of document protection method, equipment and system.
Background technology
Along with the universal of computer technology and network technology and development, abundant network data resource is that the life of people brings great convenience, and also brings many puzzlements simultaneously.Such as, in enterprise, the document that employee is easy to some to relate to corporate secret is sent to outside enterprise, thus causes document to be divulged a secret.Therefore, it is possible to protection document produces to prevent the scheme of document content unofficial biography thereupon.
A kind of scheme of document of protecting of current existence carries out encryption and decryption to document; namely on the computing machine of user, document protection client is installed; document is stored in document memory with encrypted test mode; when allowing user need browsing document content; the document content of encryption read out from document memory and deciphers, thus expressly presenting to user.And when user to have carried out document content revising wait after and when storing, document protection client can be encrypted the document content, and to be stored in document memory.Even if like this document is copied to outside from document memory, the document is also encrypted state, thus the risk preventing document content to leak.
In this scheme, whether user also need not pay close attention to document and be operated as ordinary by encryption and decryption, is called transparent encryption and decryption scheme.This scheme can solve the problem that document content leaks very well.
A problem of this scheme is; the program needs the computing equipment of user can be connected to document protection server; thus the document protection client of installing on the user computing device can be allowed to keep communicating, to determine the authority etc. of document protection client process document with document protection server.But the computing equipment used along with user is more and more lighter.The computing equipment that user is probably used moves to outside company; such as go on business to other places and carry the notebook etc. used in company; now because document protection server disposition is in intra-company; this computing equipment can be caused cannot to be connected to document protection server and to cause document protection client on the computing device to work, and normal file encryption-decryption operation cannot be carried out.
Like this, although this scheme can prevent document content from leaking effectively, user is gone out simultaneously temporarily, also there is too many inconvenience.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a kind of the document protection method, equipment and the system that overcome the problems referred to above or solve the problem at least in part.
According to an aspect of the present invention, provide a kind of document protection equipment, reside in computing equipment, the document proterctive equipment comprises: key imports equipment, the user right information derived from document protection server is suitable for import in state verification device, wherein said user right information comprises user ID and scope effective time that is associated, and described effective time, scope was that the resident computing equipment with the document protection equipment of this user ID can not carry out with document protection server the time range that heartbeat is connected; Whether state verification device, be suitable for according to current time within the effective time of document protection equipment, determines whether to allow to be decrypted the document content in computing equipment; And document control device, be suitable for the operation of the application in monitoring calculation equipment to document, when monitoring application and reading document content, call state verification device to determine whether permission and read document content is decrypted.
Alternatively, document protection equipment according to the present invention also comprises encryption/decryption module, is couple to document control device; When document control device call state verification device determine allow read document content is decrypted time, call encryption/decryption module from computing equipment, obtain the document content of encryption and be decrypted, decryption content is placed in temporary memory space and reads for application; When document control device monitors application memory document content, call encryption/decryption module and the content in temporary memory space is encrypted, and the document of storage encryption.
Alternatively; document protection equipment according to the present invention also comprises Client Agent module; described client-side code modules comprises heartbeat module; described heartbeat module is suitable for carrying out heartbeat with document protection server and communicates; and after each heartbeat confirms, determine that document control device carries out the time of heartbeat communication next time, and notify status validator upgrades the time point that next time carries out heartbeat communication; so that when time point arrives, trigger heartbeat module and again initiate heartbeat communication.
Alternatively, document protection equipment according to the present invention also comprises rule management, is couple to document control device, and safeguards the document function rule of various application; Document control device, when monitoring the operation of applying document, obtains the document function rule of application, and determines whether this application can carry out the document operation from described rule management.
Alternatively; in document protection equipment according to the present invention; Client Agent module is also suitable for communicating with document protection server, and is couple to described document control device, is sent to document protection server with the document function record monitored by described document control device.
According to a further aspect in the invention, provide a kind of document protection method, be suitable for running in computing equipment, the document guard method comprises: import in computing equipment by the user right information derived from document protection server, wherein said user right information comprises user ID and scope effective time that is associated, and described effective time, scope was that the resident computing equipment with the document protection equipment of this user ID can not carry out with document protection server the time range that heartbeat is connected; And the application in monitoring calculation equipment is to the operation of document, when monitoring application and reading document content, according to current time whether within the effective time of document protection equipment, determine whether to allow to be decrypted the document content in computing equipment.
Alternatively, document protection method according to the present invention also comprises: when determining to allow to be decrypted read document content, from computing equipment, obtain the document content of encryption and be decrypted, decryption content being placed in temporary memory space and reading for application; When monitoring application memory document content, the content in temporary memory space is encrypted, and the document of storage encryption.
Alternatively; document protection method according to the present invention also comprises: carry out heartbeat with document protection server and communicate; and after each heartbeat confirms; determine that next time carries out the time of heartbeat communication; and upgrade the time point that next time carries out heartbeat communication; so that when time point arrives, again initiate heartbeat communication.
Alternatively, document protection method according to the present invention also comprises: when monitoring the operation of applying document, obtains the document function rule of application, and determines whether this application can carry out the document operation.
Alternatively, document protection method according to the present invention also comprises: communicate with document protection server, so that the document function monitored record is sent to document protection server.
According to another aspect of the invention, provide a kind of file protection system, comprise document protection server, described document protection server comprises key equipment leading out, and being suitable for derives user right information; And one or more computing equipment, be connected with described document protection server communication, and in computing equipment resident with good grounds document protection equipment of the present invention
In document protection scheme according to the present invention; computing equipment lose with document protection server be temporarily connected time; can import in computing equipment by the user right information derived from document protection server, this user right information comprises scope effective time of the document protection equipment resided in computing equipment.When monitoring application and reading document content; according to current time whether within the effective time of document protection equipment; determine whether to allow to be decrypted the document content in computing equipment, thus the document protection client temporarily losing connection with document protection server can be allowed normally to carry out the document protection work such as encryption and decryption.
Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to technological means of the present invention can be better understood, and can be implemented according to the content of instructions, and can become apparent, below especially exemplified by the specific embodiment of the present invention to allow above and other objects of the present invention, feature and advantage.
Accompanying drawing explanation
By reading hereafter detailed description of the preferred embodiment, various other advantage and benefit will become cheer and bright for those of ordinary skill in the art.Accompanying drawing only for illustrating the object of preferred implementation, and does not think limitation of the present invention.And in whole accompanying drawing, represent identical parts by identical reference symbol.In the accompanying drawings:
Fig. 1 shows the structural representation of file protection system according to an embodiment of the invention;
Fig. 2 shows the structural representation of document protection equipment according to an embodiment of the invention;
Fig. 3 shows the schematic flow sheet of document protection method according to an embodiment of the invention;
Fig. 4 shows in the embodiment of the present invention surface chart creating offline authorization file; And
Fig. 5 is arranged as the block diagram realized according to the Example Computing Device 900 of document protection method of the present invention.
Embodiment
Below with reference to accompanying drawings exemplary embodiment of the present disclosure is described in more detail.Although show exemplary embodiment of the present disclosure in accompanying drawing, however should be appreciated that can realize the disclosure in a variety of manners and not should limit by the embodiment set forth here.On the contrary, provide these embodiments to be in order to more thoroughly the disclosure can be understood, and complete for the scope of the present disclosure can be conveyed to those skilled in the art.
Fig. 1 shows the structural representation of file protection system 100 according to an embodiment of the invention.As shown in Figure 1, file protection system 100 comprises document protection server 110 and one or more computing equipment 120 communicated to connect by network and document protection server 110.All resident in each computing equipment 120 have document protection equipment 200 (also can be described as document protection client).Computing equipment 120 can be any equipment that can process electronic data in this area, includes but not limited to desktop computer, notebook computer, personal digital assistant, intelligent mobile terminal and panel computer etc.Usually run modern operating system in computing equipment 120, utilize the hardware resource that operating system is come in Management Calculation equipment 120.In general, modern operating system can be divided into user's space layer and inner nuclear layer.According to one embodiment of the present invention, document protection equipment 200 not only runs at user's space layer, and its some parts run in the inner nuclear layer of operating system.
Document protection equipment 200 communicates with document protection server 110, thus the particular document can guaranteeing in computing equipment 120 can not the miscellaneous equipment outside computing equipment 120 be checked, amendment etc.According to an embodiment, the computing equipment not being provided with document protection equipment 200 can not opening document.In addition, document protection server 110 can also comprise log memory 112.In each computing equipment 120 document proterctive equipment 200 monitor, each application all can be sent to document protection server 110 to the operation note of document and be stored in log memory 112.Like this, when finding that certain document is leaked, can define according to the operation note stored in log memory 112 may be which computing equipment 120 there occurs and leaks.Can determine that document is by the risk leaked by carrying out statistical study to the operation note stored in log memory 112 in addition.
Document protection server 110 can also comprise authentication parts 114, is suitable for carrying out authentication to the user at each computing equipment place, thus guarantees that the user only having certification to pass through just can use computing equipment 120 to carry out document function.
Document protection server 110 can also comprise rule memory 116, wherein stores different user and uses the various rule that should be used for carrying out document function.Such as general user, word word processing can be used should to be used for browsing and revising word document, but can not printed document.And for general financial staff, then Excel Form Handle can be utilized should to be used for opening, browsing financial documentation, but exploitation document can not be browsed.And for the Chief Financial Officer of company, for financial documentation, there is whole authority.The rule that document protection server 110 can store in update rule storer 116 as required, and send to corresponding document protection equipment 200, so that document protection equipment 200 can determine the authority etc. of document function according to this rule.
In addition, the list of application that document is protected that in file protection system, each document protection equipment 200 is supported in rule memory 116, can also be stored, and the form etc. of supporting documentation protection.
Document protection server 110 also comprises key equipment leading out 118; this key equipment leading out 118 can derive the authority information be associated with certain user from document protection server 110; these information comprise user ID, and resident have the computing equipment of the document protection equipment of this mark can not carry out with document protection server the time limit etc. that heartbeat communicates.
Fig. 4 shows in the embodiment of the present invention surface chart creating offline authorization file.With reference to Fig. 4, offline authorization file (i.e. user right information) can be created on document protection server 110, comprise Start Date, start time, Close Date, end time, import password, confirm password.After document protection server 120 creates offline authorization file; by key equipment leading out 118, this offline authorization file can be derived; and interim and document protection server 110 can be imported to lose in the computing equipment 120 of connection; thus make the document protection equipment 200 that temporarily loses with document protection server 110 in the computing equipment 120 of connection, utilize this offline authorization file to carry out normal encryption and decryption operation to document.
The example data structure of the user right information derived is as follows:
In superincumbent exemplary construction, szSrvID is the mark of document protection server 110, for determining that this offline authorization file is for communicating with the heartbeat which document protection server 110 carries out.SzTermID is the mark of computing equipment 120.According to one embodiment of the present invention, the user ID in offline authorization file can be the unique identification of computing equipment 120.Like this, specific computing equipment 120 is only had just can to import this offline authorization file.Such as when computing equipment 120 is mobile terminal, this user ID can be the IMEI of mobile terminal.Because computing equipment 120 distributes to special user usually.By using the unique identification of computing equipment 120 as the user ID in offline authorization file, can prevent other user to be imported to by the offline authorization file distributing to him in the computing equipment 120 being not yet assigned to him and thus the encrypted document obtained in this computing equipment 120, thus further enhance the security of computing equipment.
According to another embodiment of the invention, szTermID can also be the unique identification of certain user.Because the document protection equipment resided in computing equipment 120 has the user ID be associated, the document protection equipment only with respective user mark just can import this offline authorization file.This is suitable for the situation that computing equipment 120 may be used by multiple user.
Below the concrete formation of document protection equipment 200 and principle of work are described in detail.Fig. 2 shows the structural representation of document protection equipment 200 according to an embodiment of the invention.As shown in Figure 2, document protection equipment 200 comprises key importing equipment 250, state verification device 260 and document control device 220.
When document protection equipment 200 is interim and document protection server 110 loses connection; such as; carrying residently has the user of the computing equipment 120 of the document proterctive equipment 200 to go on business; or; the network failure of this computing equipment 120, then can import equipment 250 by key and the user right information derived from document protection server 110 (or being called offline authorization file) is imported to state verification device 260.
Described user right information comprises user ID and scope effective time that is associated, and described effective time, scope was that the resident computing equipment with the document protection equipment of this user ID can not carry out with document protection server the time range that heartbeat communicates.Namely in this time range; computing equipment 120 does not need to carry out heartbeat with document protection server 110 and communicates; just can start document protection equipment 200 and carry out the document protection operations such as normal encryption and decryption, wherein said user ID can be the hardware ID of computing equipment.For the offline authorization file created shown in Fig. 4, its, scope was that " 2014-07-0111:33 " is to " 2014-08-3111:33 " effective time.
In addition, key imports equipment 250 and can also verify the content of the user right information imported, such as carry out password authentification and hardware ID coupling, after determining to mate with oneself, again scope effective time wherein stored is read out, and scope effective time being updated to state verification device 260 is arranged.The exemplary codes realizing this function is as follows:
Document control device 220 is suitable for the operation of the application in monitoring calculation equipment to document.When document content is read in document control device 220 application monitored in computing equipment 120, call state verification device 260 and determine whether to allow to be decrypted read document content.
In one implementation, document control device 220 runs in user's space layer and application layer, and adopts application layer API HOOK (being commonly called as hook) technology.When various application operates document, the operation requests such as document control device 220 utilizes API HOOK can intercept and capture in advance at the system API place of application layer to comprise document to open, revises, copies, shears, pastes, screenshotss, printing, thus process accordingly.
Whether state verification device 260 can according to current time within the effective time of document protection equipment, determine whether to allow to be decrypted the document content in computing equipment, if current time is within the effective time of document protection equipment, then allow to be decrypted the document content in computing equipment; If current time is not within the effective time of document protection equipment, then do not allow to be decrypted the document content in computing equipment.The exemplary codes realizing this function is as follows:
According to one embodiment of the present invention, when computing equipment 120 adopts Windows, state verification device 260 can by effective time (such as, carry out the time of heartbeat communication next time) be stored in the registration table of system, thus encryption/decryption module 230 can be facilitated to obtain effective time.
In one implementation; described user right information also comprises the cumulative time be associated with user ID, and this cumulative time represents that the computing equipment having imported this user right information can start the maximum time that document protection equipment carries out document protection operation by off-line.Correspondingly; state verification device 260 is when determining that current time is within the effective time of document protection equipment; also need the off-line judging document protection equipment further whether to be less than or equal to this cumulative time start-up time; if; then allow to be decrypted the document content in computing equipment; otherwise, do not allow to be decrypted the document content in computing equipment.
According to one embodiment of present invention, document protection equipment 200 can also comprise encryption/decryption module 230, is couple to document control device 220.When document control device 220 call state verification device 260 determine allow read document content is decrypted time, call encryption/decryption module 230 from computing equipment 120, obtain the document content of encryption and be decrypted, decryption content is placed in temporary memory space (such as internal memory) and reads for application.When document control device 220 monitors application memory document content, call encryption/decryption module 230 and the content in temporary memory space is encrypted, and the document of storage encryption (being such as stored into hard disk).
The encryption and decryption operation of encryption/decryption module 230 is sightless for upper layer application, or perhaps transparent.When be applied in open or edit specified documents time, encryption/decryption module 230, by being automatically encrypted unencrypted document, is deciphered automatically to the document encrypted.Document stores with encrypted test mode on the permanent storage of computing equipment 120, and when various operation is carried out in application, exists in temporary memory space with clear-text way.Once the document leaves the environment of file protection system, these documents cannot be opened because application cannot obtain the service of deciphering automatically, thus play the effect of protection document content.Encryption/decryption module 230 can adopt any encryption and decryption technology of this area to carry out the operation of document encryption and decryption, and does not depart from protection scope of the present invention.
According to one embodiment of present invention, document protection equipment 200 can also comprise rule management 210, is couple to document control device 220, and the document function rule of maintenance support list of application that document is protected and application.Such as, some application can only opening document and can not editing.Document control device 220, when monitoring the operation of applying document, obtains the document function rule of application, and determines whether this application can carry out the document operation from described rule management 210.Wherein, this list of application of the document proterctive equipment and document function rule; can when the document proterctive equipment can communicate with document protection server 110; from document protection server 110; obtain in the rule memory 116 of especially document protection server 110, and be updated to described rule management 210.
In order to communicate with document protection server 110, document protection equipment 200 can also comprise Client Agent module 240.Client Agent module 240 is couple to document control device 220 and communicates with document protection server 110; to obtain the document function rule of up-to-date list of application and application from document protection server 110; and the document function record that document control device 220 can be monitored is sent to document protection server 110; such as be stored in log memory 112; thus can follow-up this operation note be analyzed, determine that document is divulged a secret path and may by the document of divulging a secret.
Client Agent module 240 can also comprise authentication parts 242; when computing equipment 120 is online; it is by carrying out alternately with the authentication parts 114 in document protection server 110; thus to document protection equipment 200; especially the user on document protection equipment 200 carries out certification, and only allows the document protection equipment 200 that passes through of certification to start document control device 220 to carry out document function control.
Client Agent module 240 can also comprise heartbeat module 244; described heartbeat module 244 is suitable for carrying out heartbeat with document protection server 110 and communicates; and after each heartbeat confirms; determine that document control device carries out the time of heartbeat communication next time; and notify status validator 260 upgrades the time point that next time carries out heartbeat communication; so that when time point arrives, trigger heartbeat module 244 and again initiate heartbeat communication.
Heartbeat module 244 can communicate with the corresponding module in document protection server in timing; or; heartbeat according to document protection server responds the heartbeat call duration time determined next time, to determine that the document protection client also communicates with document protection server with correct user identity.The exemplary codes realizing heartbeat communication is as follows:
Heartbeat module can after each heartbeat confirms, determine that client carries out the time of heartbeat communication and the effective time of active client next time, and notify status validator upgrades these time points, to work as time point then, trigger heartbeat module and again verify.The exemplary codes realizing this function is as follows:
Document protection equipment 200 according to the present invention computing equipment lose with document protection server be temporarily connected time; can the user right information derived from document protection server be imported in computing equipment; when monitoring application and reading document content; according to current time whether within the effective time of document protection equipment; determine whether to allow to be decrypted the document content in computing equipment, thus the document protection client temporarily losing connection with document protection server can be allowed normally to carry out the document protection work such as encryption and decryption.
Fig. 3 shows the schematic flow sheet of document protection method 300 according to an embodiment of the invention.Document protection method 300 is suitable for performing in the computing equipment 120 described in Fig. 1, is particularly suited for performing in the document protection equipment 200 shown in Fig. 2.
Document protection method 300 starts from step S310.In step S310, the user right information derived from document protection server is imported in computing equipment.When computing equipment is interim and document protection server loses connection; such as; the user carrying this computing equipment goes on business; or; the network failure of this computing equipment, then can import to the user right information derived from document protection server (or being called offline authorization file) in computing equipment.
Scope effective time that user right information comprises user ID and is associated.Effective time, scope was that the resident computing equipment with the document protection equipment of this user ID can not carry out with document protection server the time range that heartbeat communicates; namely in this time range; computing equipment does not need to carry out heartbeat with document protection server and communicates; just can start document protection equipment and carry out the document protection operations such as normal encryption and decryption, wherein said user ID can be the hardware ID of computing equipment.
Can also verify the content of the user right information imported, such as, carry out password authentification and hardware ID coupling, after determining to mate with oneself, then scope effective time wherein stored is read out.
In step s 320; application in monitoring calculation equipment is to the operation of document; when monitoring application and reading document content, according to current time whether within the effective time of document protection equipment, determine whether to allow to be decrypted the document content in computing equipment.Particularly, when determining to allow to be decrypted read document content, from computing equipment, obtaining the document content of encryption and be decrypted, decryption content being placed in temporary memory space and reading for application; When monitoring application memory document content, the content in temporary memory space is encrypted, and the document of storage encryption.
According to one embodiment of present invention; described document protection method 300 also comprises: carry out heartbeat with document protection server and communicate; and after each heartbeat confirms; determine that next time carries out the time of heartbeat communication; and upgrade the time point that next time carries out heartbeat communication; so that when time point arrives, again initiate heartbeat communication.
According to one embodiment of present invention, described document protection method 300 also comprises: when monitoring the operation of applying document, obtains the document function rule of application, and determines whether this application can carry out the document operation.
According to one embodiment of present invention, described document protection method 300 also comprises: communicate with document protection server, so that the document function monitored record is sent to document protection server.
According to document protection method 300 of the present invention; computing equipment lose with document protection server be temporarily connected time; can the user right information derived from document protection server be imported in computing equipment; when monitoring application and reading document content; according to current time whether within the effective time of document protection equipment; determine whether to allow to be decrypted the document content in computing equipment, thus the document protection client temporarily losing connection with document protection server can be allowed normally to carry out the document protection work such as encryption and decryption.
Fig. 5 is arranged as the block diagram realized according to the Example Computing Device 900 of document protection method of the present invention.This computing equipment 900 may be used for realizing according to computing equipment 120 of the present invention equally.
In basic configuration 902, computing equipment 900 typically comprises system storage 906 and one or more processor 904.Memory bus 908 may be used for the communication between processor 904 and system storage 906.
Depend on the configuration of expectation, processor 904 can be the process of any type, includes but not limited to: microprocessor (μ P), microcontroller (μ C), digital information processor (DSP) or their any combination.Processor 904 can comprise the high-speed cache of one or more rank of such as on-chip cache 910 and second level cache 912 and so on, processor core 914 and register 916.The processor core 914 of example can comprise arithmetic and logical unit (ALU), floating-point unit (FPU), digital signal processing core (DSP core) or their any combination.The Memory Controller 918 of example can use together with processor 904, or in some implementations, Memory Controller 918 can be an interior section of processor 904.
Depend on the configuration of expectation, system storage 906 can be the storer of any type, includes but not limited to: volatile memory (such as RAM), nonvolatile memory (such as ROM, flash memory etc.) or their any combination.System storage 906 can comprise operating system 920, one or more application 922 and routine data 924.Application 922 can comprise the document protection equipment 926 being configured to realize document protection method.Routine data 924 can comprise and can be used for user right information 928 as described here.In some embodiments, application 922 can be arranged as and utilize routine data 924 to operate on an operating system.
Computing equipment 900 can also comprise the interface bus 940 communicated contributed to from various interfacing equipment (such as, output device 942, Peripheral Interface 944 and communication facilities 946) to basic configuration 902 via bus/interface controller 930.The output device 942 of example comprises Graphics Processing Unit 948 and audio treatment unit 950.They can be configured to contribute to communicating with the various external units of such as display or loudspeaker and so on via one or more A/V port 952.Example Peripheral Interface 944 can comprise serial interface controller 954 and parallel interface controller 956, they can be configured to the external unit contributed to via one or more I/O port 958 and such as input equipment (such as, keyboard, mouse, pen, voice-input device, touch input device) or other peripheral hardwares (such as printer, scanner etc.) and so on and communicate.The communication facilities 946 of example can comprise network controller 960, and it can be arranged to is convenient to via one or more communication port 964 and the communication of one or more other computing equipments 962 by network communication link.
Network communication link can be an example of communication media.Communication media can be presented as computer-readable instruction, data structure, program module in the modulated data signal of such as carrier wave or other transmission mechanisms and so on usually, and can comprise any information delivery media." modulated data signal " can be such signal, the change of one or more or it of its data centralization can the mode of coded message in the signal be carried out.As nonrestrictive example, communication media can comprise the wire medium of such as cable network or private line network and so on, and such as sound, radio frequency (RF), microwave, infrared (IR) or other wireless medium are at interior various wireless mediums.Term computer-readable medium used herein can comprise both storage medium and communication media.
Computing equipment 900 can be implemented as a part for small size portable (or mobile) electronic equipment, and these electronic equipments can be such as cell phone, personal digital assistant (PDA), personal media player equipment, wireless network browsing apparatus, individual helmet, application specific equipment or the mixing apparatus that can comprise any function above.Computing equipment 900 can also be embodied as the personal computer comprising desktop computer and notebook computer configuration.
Intrinsic not relevant to any certain computer, virtual system or miscellaneous equipment with display at this algorithm provided.Various general-purpose system also can with use based on together with this teaching.According to description above, the structure constructed required by this type systematic is apparent.In addition, the present invention is not also for any certain programmed language.It should be understood that and various programming language can be utilized to realize content of the present invention described here, and the description done language-specific is above to disclose preferred forms of the present invention.
Similarly, be to be understood that, in order to simplify the disclosure and to help to understand in each inventive aspect one or more, in the description above to exemplary embodiment of the present invention, each feature of the present invention is grouped together in single embodiment, figure or the description to it sometimes.But, the method for the disclosure should be construed to the following intention of reflection: namely the present invention for required protection requires feature more more than the feature clearly recorded in each claim.Or rather, as claims below reflect, all features of disclosed single embodiment before inventive aspect is to be less than.Therefore, the claims following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.
Those skilled in the art are appreciated that and adaptively can change the module in the equipment in embodiment and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and multiple submodule or subelement or sub-component can be put them in addition.Except at least some in such feature and/or process or unit be mutually repel except, any combination can be adopted to combine all processes of all features disclosed in this instructions (comprising adjoint claim, summary and accompanying drawing) and so disclosed any method or equipment or unit.Unless expressly stated otherwise, each feature disclosed in this instructions (comprising adjoint claim, summary and accompanying drawing) can by providing identical, alternative features that is equivalent or similar object replaces.
In addition, those skilled in the art can understand, although embodiments more described herein to comprise in other embodiment some included feature instead of further feature, the combination of the feature of different embodiment means and to be within scope of the present invention and to form different embodiments.Such as, in the following claims, the one of any of embodiment required for protection can use with arbitrary array mode.
All parts embodiment of the present invention with hardware implementing, or can realize with the software module run on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that the some or all functions that microprocessor or digital signal processor (DSP) can be used in practice to realize according to the some or all parts in the document protection equipment of the embodiment of the present invention.The present invention can also be embodied as part or all equipment for performing method as described herein or device program (such as, computer program and computer program).Realizing program of the present invention and can store on a computer-readable medium like this, or the form of one or more signal can be had.Such signal can be downloaded from internet website and obtain, or provides on carrier signal, or provides with any other form.
The present invention will be described instead of limit the invention to it should be noted above-described embodiment, and those skilled in the art can design alternative embodiment when not departing from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and does not arrange element in the claims or step.Word "a" or "an" before being positioned at element is not got rid of and be there is multiple such element.The present invention can by means of including the hardware of some different elements and realizing by means of the computing machine of suitably programming.In the unit claim listing some devices, several in these devices can be carry out imbody by same hardware branch.Word first, second and third-class use do not represent any order.Can be title by these word explanations.
Claims (10)
1. a document protection equipment, resides in computing equipment, and the document proterctive equipment comprises:
Key imports equipment, the user right information derived from document protection server is suitable for import in state verification device, wherein said user right information comprises user ID and scope effective time that is associated, and described effective time, scope was that the resident computing equipment with the document protection equipment of this user ID can not carry out with document protection server the time range that heartbeat communicates;
Whether state verification device, be suitable for according to current time within the effective time of document protection equipment, determines whether to allow to be decrypted the document content in computing equipment; And
Document control device, is suitable for the operation of the application in monitoring calculation equipment to document, when monitoring application and reading document content, calls state verification device to determine whether permission and is decrypted read document content.
2. document protection equipment as claimed in claim 1, also comprises encryption/decryption module, is couple to document control device; And
When document control device call state verification device determine allow read document content is decrypted time, call encryption/decryption module from computing equipment, obtain the document content of encryption and be decrypted, decryption content is placed in temporary memory space and reads for application; When document control device monitors application memory document content, call encryption/decryption module and the content in temporary memory space is encrypted, and the document of storage encryption.
3. document protection equipment as claimed in claim 1 or 2; also comprise Client Agent module; described client-side code modules comprises heartbeat module; described heartbeat module is suitable for carrying out heartbeat with document protection server and communicates; and after each heartbeat confirms, determine that document control device carries out the time of heartbeat communication next time, and notify status validator upgrades the time point that next time carries out heartbeat communication; so that when time point arrives, trigger heartbeat module and again initiate heartbeat communication.
4. document protection equipment as claimed in claim 3, also comprises rule management, is couple to document control device, and safeguards the document function rule of various application; And
Document control device, when monitoring the operation of applying document, obtains the document function rule of application, and determines whether this application can carry out the document operation from described rule management.
5. document protection equipment as claimed in claim 4; wherein; Client Agent module is also suitable for communicating with document protection server, and is couple to described document control device, is sent to document protection server with the document function record monitored by described document control device.
6. a document protection method, be suitable for running in computing equipment, the document guard method comprises:
The user right information derived from document protection server is imported in computing equipment, wherein said user right information comprises user ID and scope effective time that is associated, and described effective time, scope was that the resident computing equipment with the document protection equipment of this user ID can not carry out with document protection server the time range that heartbeat communicates; And
Whether the application in monitoring calculation equipment, to the operation of document, when monitoring application and reading document content, according to current time within the effective time of document protection equipment, determines whether to allow to be decrypted the document content in computing equipment.
7. document protection method as claimed in claim 6, also comprises:
When determining to allow to be decrypted read document content, from computing equipment, obtaining the document content of encryption and be decrypted, decryption content being placed in temporary memory space and reading for application;
When monitoring application memory document content, the content in temporary memory space is encrypted, and the document of storage encryption.
8. document protection method as claimed in claims 6 or 7; also comprise: carry out heartbeat with document protection server and communicate; and after each heartbeat confirms; determine that next time carries out the time of heartbeat communication; and upgrade the time point that next time carries out heartbeat communication; so that when time point arrives, again initiate heartbeat communication.
9. document protection method as claimed in claim 8, also comprises: when monitoring the operation of applying document, obtains the document function rule of application, and determines whether this application can carry out the document operation.
10. a file protection system, comprises
Document protection server, described document protection server comprises key equipment leading out, and being suitable for derives user right information; And
One or more computing equipment, is connected with described document protection server communication, and resident just like the document protection equipment according to any one of claim 1 to 5 in computing equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410589445.8A CN104318174A (en) | 2014-10-28 | 2014-10-28 | Document protecting method, document protecting devices and document protecting system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410589445.8A CN104318174A (en) | 2014-10-28 | 2014-10-28 | Document protecting method, document protecting devices and document protecting system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104318174A true CN104318174A (en) | 2015-01-28 |
Family
ID=52373405
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410589445.8A Pending CN104318174A (en) | 2014-10-28 | 2014-10-28 | Document protecting method, document protecting devices and document protecting system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104318174A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105868416A (en) * | 2016-05-26 | 2016-08-17 | 湖南洋达信息科技有限公司 | On-line file design management system and method |
| CN107122678A (en) * | 2017-04-28 | 2017-09-01 | 上海与德科技有限公司 | Protect the method and device of product parameters |
| CN108268796A (en) * | 2017-01-04 | 2018-07-10 | 珠海金山办公软件有限公司 | A kind of outline management method and device based on offline cryptogram |
| CN108280353A (en) * | 2017-01-05 | 2018-07-13 | 珠海金山办公软件有限公司 | A kind of judgment method and device of security document operation |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090089591A1 (en) * | 2007-09-27 | 2009-04-02 | Protegrity Corporation | Data security in a disconnected environment |
| CN102156844A (en) * | 2011-04-22 | 2011-08-17 | 南京邮电大学 | Implementation method of electronic document on-line/off-line safety management system |
| CN102831360A (en) * | 2012-08-06 | 2012-12-19 | 江苏敏捷科技股份有限公司 | Personal electronic document safety management system and management method thereof |
| CN103310131A (en) * | 2012-03-13 | 2013-09-18 | 纬创资通股份有限公司 | Method and system for protecting software authorization |
| US20130247222A1 (en) * | 2011-09-16 | 2013-09-19 | Justin Maksim | Systems and Methods for Preventing Access to Stored Electronic Data |
-
2014
- 2014-10-28 CN CN201410589445.8A patent/CN104318174A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090089591A1 (en) * | 2007-09-27 | 2009-04-02 | Protegrity Corporation | Data security in a disconnected environment |
| CN102156844A (en) * | 2011-04-22 | 2011-08-17 | 南京邮电大学 | Implementation method of electronic document on-line/off-line safety management system |
| US20130247222A1 (en) * | 2011-09-16 | 2013-09-19 | Justin Maksim | Systems and Methods for Preventing Access to Stored Electronic Data |
| CN103310131A (en) * | 2012-03-13 | 2013-09-18 | 纬创资通股份有限公司 | Method and system for protecting software authorization |
| CN102831360A (en) * | 2012-08-06 | 2012-12-19 | 江苏敏捷科技股份有限公司 | Personal electronic document safety management system and management method thereof |
Non-Patent Citations (1)
| Title |
|---|
| 李雪飞: ""文档安全系统的设计与实现"", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105868416A (en) * | 2016-05-26 | 2016-08-17 | 湖南洋达信息科技有限公司 | On-line file design management system and method |
| CN108268796A (en) * | 2017-01-04 | 2018-07-10 | 珠海金山办公软件有限公司 | A kind of outline management method and device based on offline cryptogram |
| CN108280353A (en) * | 2017-01-05 | 2018-07-13 | 珠海金山办公软件有限公司 | A kind of judgment method and device of security document operation |
| CN107122678A (en) * | 2017-04-28 | 2017-09-01 | 上海与德科技有限公司 | Protect the method and device of product parameters |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11895096B2 (en) | Systems and methods for transparent SaaS data encryption and tokenization | |
| CN109587101B (en) | Digital certificate management method, device and storage medium | |
| CN107533608A (en) | Credible renewal | |
| CN104361294B (en) | A kind of document protection method, equipment and system | |
| WO2018142143A2 (en) | Terminal for conducting electronic transactions | |
| US10970421B2 (en) | Virus immune computer system and method | |
| US11132438B2 (en) | Virus immune computer system and method | |
| CN107409129A (en) | Use the mandate in accesses control list and the distributed system of group | |
| CN102945337A (en) | On-line self-help management method and system of Subversion user password | |
| CN104318174A (en) | Document protecting method, document protecting devices and document protecting system | |
| US10664588B1 (en) | Virus immune computer system and method | |
| CN104348838A (en) | Document management system and method | |
| US20220353092A1 (en) | System and Method for Secure Internet Communications | |
| CN103036852A (en) | Method and device for achieving network login | |
| CN103763370B (en) | A kind of method, system and device for changing mobile terminal workspace screen-lock password | |
| US10592697B1 (en) | Virus immune computer system and method | |
| CN104408376A (en) | File protection method, equipment and system | |
| CN104361265A (en) | Document protection method, device and system | |
| Kang et al. | A strengthening plan for enterprise information security based on cloud computing | |
| CN107967430B (en) | A kind of document protection method, equipment and system | |
| CN103955652A (en) | File encryption method and device based on Andriod equipment authentication | |
| Cabianca | Ensuring Data Protection | |
| CN116319082A (en) | Processing method, system, equipment and medium of configuration data based on block chain | |
| CN114861200A (en) | Data processing method, device, equipment and storage medium | |
| Luo et al. | Toward mobile smart data file protection box |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20150128 |
|
| RJ01 | Rejection of invention patent application after publication |