CN105516056A - Encrypted file protection system and protection method thereof - Google Patents
Encrypted file protection system and protection method thereof Download PDFInfo
- Publication number
- CN105516056A CN105516056A CN201410493178.4A CN201410493178A CN105516056A CN 105516056 A CN105516056 A CN 105516056A CN 201410493178 A CN201410493178 A CN 201410493178A CN 105516056 A CN105516056 A CN 105516056A
- Authority
- CN
- China
- Prior art keywords
- file
- client
- client device
- server
- agent software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention provides an encrypted file protection system and a protection method, being applied between a client device and a server. When the client device requires to download a file and the server verifies that the client device possesses a download right, the file is encrypted according to a secret key corresponding to the client device, and the client device is commanded to download the file. When the client device wants to open the encrypted file, the information of the client device is transmitted to the server to confirm that the client device is an authorized client which can open the encrypted file. If the client device is an authorized client indeed, the encrypted file is decrypted by means of the secret key possessed by the client device, and the decrypted file is opened according to a usage rule recorded in the server. Therefore, the encrypted file protection system can prevent the file from downloading illegally and copying to an unauthorized client illegally after being downloaded.
Description
Technical field
The present invention relates to a kind of protection system and guard method, especially relate to a kind of protection system and guard method of encrypt file.
Background technology
Due to numerical data, such as file, archives, video-audio data etc. are easy to be transmitted via media such as network, CD or Portable disks by illegal and download, therefore all the time, how effectively to protect important numerical data, real is considerable in the art research and development problem.
In general, important numerical data can be encrypted via key itself, to guarantee the only having holder of key can open the numerical data after encryption.But, along with developing rapidly of science and technology, there is many technology in fact on the market and the 3rd people can be assisted illegally to crack enciphered data, in other words, merely with the protected mode that double secret key numerical data is encrypted, cannot meet the demand of user.
Moreover general company and enterprise are in order to ensure the fail safe of classified papers, and the server being therefore used for storing classified papers usually all can through encryption.But, when those classified papers be supplied to inner employee or the client of outside, after supplier downloads, the classified papers that namely this server cannot be downloaded those carry out management and control and tracking.Thus, the classified papers after those downloads are easily illegally obtained by the 3rd people and use, and cause enterprise to suffer serious infringement.
Summary of the invention
Main purpose of the present invention; be protection system and guard method that a kind of encrypt file is provided; according to the key corresponding to the client device of request download file for file carries out real-time encrypted, can bind together with asking the client device downloaded so as to making encrypt file.
Another main purpose of the present invention; be protection system and guard method that a kind of encrypt file is provided; can when client device wants file opening; whether verification client device is authorized client; and judging whether client device is held correct key and be can be encrypt file and be decrypted, using so as to being illegally copied on other client device after avoiding file download.
In order to realize above-mentioned object, present invention is disclosed a kind of encrypt file guard method, applying to a client device and a server, wherein this client device has a Client Agent software, and this server has a server end management software, comprising:
A) this Client Agent software obtains an encrypt file and carries out local side unlatching;
B) information of this client device is transmitted to this server;
C) this server end management software is according to this information received, and judges whether this client device is the authorized client can opening this encrypt file;
If d) this client device is this authorized client, this Client Agent software judges whether the client key itself held can be this encrypt file and be decrypted;
If this client key that e) this Client Agent software is held can be the deciphering of this encrypt file, to this server end management software, inquiry is proposed further, to confirm the service regeulations whether current breakdown action of this client device meets this encrypt file and be set; And
If f) this breakdown action meets this service regeulations, deciphering this encrypt file is a file, and opens this file according to these service regeulations.
As mentioned above, wherein also comprise a step g: if this client device is not this authorized client, or this client key that this Client Agent software is held cannot be deciphered for this encrypt file, or this breakdown action does not meet this service regeulations, then respond the forbidden message of this breakdown action.
As mentioned above, wherein this information of this client device is the MAC addresses (MediaAccessControlAddress, MACAddress) of this client device, and the authorization code of this Client Agent software.
As mentioned above, wherein in this step f, the application program in this client device is allowed to open this file by this Client Agent software.
As mentioned above, wherein in this step c, this information that this server end management software comparison receives, and the authorization privilege data that this encrypt file presets, judging whether this client device is this authorized client, wherein this encrypt file of this authorization privilege data record one shared object that can be shared and this service regeulations.
As mentioned above, wherein also comprise the following steps: before this step a
A01) to this server end management software, one file application requests is proposed;
A02) this file that will carry out sharing is selected;
A03) this shared object of this file is set;
A04) these service regeulations of this file are set; And
A05) this shared object and this service regeulations are saved as these authorization privilege data of this file.
As mentioned above, wherein also comprise the following steps: before this step a
A11) this Client Agent software proposes the download request of this file to this server end management software;
A12) this server end management software takes out corresponding user's data according to the log-on message of this Client Agent software, and wherein this user's data storing is in this server;
A13) this server end management software obtains these authorization privilege data of this file;
A14) these user's data of comparison and this authorization privilege data, to judge whether this Client Agent software has the download permission of this file;
A15) if this Client Agent software has the download permission of this file, this server end management software obtains this corresponding client key according to these user's data, and wherein this client key is stored in this server;
A16) this client key is used to be encrypted this file, to produce this encrypt file; And
A17) this encrypt file is provided to download for this Client Agent software.
As mentioned above; when wherein this server end management software produces this encrypt file; by the information of this client device with ask time of downloading to put into this encrypt file, and this encrypt file guard method also comprises a step h: the time that the information of this client device and request are downloaded with watermark mode Dynamic Announce on this file that is unlocked.
As mentioned above, wherein also comprise the following steps: before this step a
A21) this Client Agent software is installed in this client device;
A22) be connected to this server after this Client Agent software startup to log in first;
A23) log-on message of this Client Agent software is saved as this user's data by this server end management software, and produces this exclusive client key of this Client Agent software according to these user's data;
A24) this this client key of server end management software record, and make this client key produce with these user's data associating; And
A25) this this client key of Client Agent software records.
As mentioned above, wherein also comprise a step I: after step f, this Client Agent software returns an opening information to this server end management software.
In order to achieve the above object, present invention further teaches a kind of encrypt file protection system, comprising:
One Client Agent software, is installed on a client device, comprises:
One authority filtering module, transmits information to one server of this client device, to confirm that this client device is the authorized client being allowed to open this encrypt file when this client device is for opening an encrypt file; And
One file decryption Executive Module, after this client device of confirmation is this authorized client, it is a file that the client key adopting this Client Agent software to hold deciphers this encrypt file, and this file is opened when current breakdown action meets the service regeulations that this file is set, wherein these service regeulations are stored in this server;
One server end management software, is installed on this server be connected by network with this client device, comprises:
Whether one authority filters administration module, links up with this authority filtering module, be this authorized client with this client device of this validation of information by receiving;
One key management module, when this Client Agent software logs in this server first, log-on message according to this Client Agent software makes this exclusive client key, and wherein this client key is recorded in this Client Agent software and this server end management software simultaneously;
One encryption and decryption control module, has a download encrypting module, and in time receiving the download request of this Client Agent software to this file, this client key obtaining this Client Agent software corresponding is encrypted this file, to produce this encrypt file; And
One Data Control hinge, in order to process, integrates and changes the data and instruction that this authority filters administration module, this key management module and this encryption and decryption control module.
As mentioned above, wherein this file is through a server key encryption of this server, this encryption and decryption control module also has a download deciphering module, in time receiving the download request of this Client Agent software to this file, obtain this server key to be decrypted to produce an original document to this file, and make this download encrypting module be encrypted this original document with this client key, to produce this encrypt file.
As mentioned above, wherein this Client Agent software also comprises a client encrypt module, after this client device editor completes an archive files, this client key adopting this Client Agent software to hold is encrypted this archive files, and this archive files after encryption is uploaded to the storage of this server by this client device.
As mentioned above, wherein this encryption and decryption control module also has:
One uploads deciphering module, and after this archive files of reception, this client key obtaining this client device corresponding is decrypted this archive files, to produce original document archives; And
One uploads encrypting module, and the server key obtaining this server default is encrypted these original document archives, to produce this file.
As mentioned above, wherein this server stores use record data, and this this client device of use record data record is to the opening information of this encrypt file.
As mentioned above, wherein this server stores authorization privilege data of this file, these service regeulations of this this file of authorization privilege data record and a shared object, wherein this information of this client device and this shared object of this file are compared, to confirm whether this client device is this authorized client by this authority filtration administration module.
The technique effect that the present invention can reach against existing technologies is, this server, when the request receiving download file, can first confirm whether the client device of the request that sends has the download permission of this file, avoids this file to suffer illegal download whereby.In addition, this server can use the key corresponding with the client device of asking to download be encrypted for this file and produce this encrypt file.Whereby, this encrypt file can be bound together with asking this client device downloaded, the device replication stopping other uses this encrypt file.
Further, when client device will open this encrypt file, need judge whether this client device is the authorized client being allowed to open this encrypt file by this server, and this client device also needs the key by holding in advance to be decrypted this encrypt file.Thus, the possibility that this encrypt file is illegally used can be got rid of further.
In addition, when this file is required shared on that server, also can set the service regeulations of this file on this server.Thus, when this client device opens this encrypt file, also needing these service regeulations in accordance with presetting, this file so can be avoided to suffer unconfined abuse.
Accompanying drawing explanation
Fig. 1 is the system architecture diagram of the first specific embodiment of the present invention;
Fig. 2 is the system block diagrams of the first specific embodiment of the present invention;
Fig. 3 is the Client Agent software schematic diagram of the first specific embodiment of the present invention;
Fig. 4 is the server end management software schematic diagram of the first specific embodiment of the present invention;
Fig. 5 is the register flow path figure of the first specific embodiment of the present invention;
Fig. 6 is the file-sharing application flow chart of the first specific embodiment of the present invention;
Fig. 7 is that the encrypt file of the first specific embodiment of the present invention downloads flow chart;
Fig. 8 is that the encrypt file of the second specific embodiment of the present invention downloads flow chart;
Fig. 9 is that the encrypt file of the first specific embodiment of the present invention opens flow chart;
Reference numeral
1: server 10: server end management software
101: Data Control hinge 102: authority filters administration module
103: key management module 104: encryption and decryption control module
1041: download encrypting module 1042: download decryption module
1043: upload deciphering module 1044: upload encrypting module
11: file 12: user's data
13: client key 14: authorization privilege data
15: use record data 16: encryption
2: client device 20: Client Agent software
201: authority filtering module 202: file decryption Executive Module
203: client encrypt module 21: internal client equipment
22: external client equipment 3: network system
31: coded communication pipeline S10 ~ S18: registration step
S20 ~ S28: procedure to apply S30 ~ S42, S50 ~ S56: download step
S60 ~ S76: open step
Embodiment
A now just preferred embodiment of the present invention, coordinates accompanying drawing to be described in detail as follows.
With reference to Fig. 1 and Fig. 2, be respectively system architecture diagram and the system block diagrams of the first specific embodiment of the present invention.Present invention is disclosed a kind of protection system and guard method of encrypt file, this system and the method mainly apply between a server 1 and a client device 2.And as shown in Figure 1, this client device 2 of indication in this case, comprises one or more internal client equipment 21 being connected this server 1 by internal network, and by one or more external client equipment 22 of this server 1 of Internet connection.Specifically, if this server 1 is the management server of an enterprises, then this internal client equipment 2 can be considered as the equipment that this enterprises employee uses, and this external client equipment 2 be considered as the client of this enterprise external or the equipment of supplier's use.As seen from Figure 1, this numerous client device 2 can be comprised in fact in this system, for convenience of description, after this client device 2 with separate unit in specification is illustrated.
Above-mentioned internal network and internet are referred to as a network system 3 by Fig. 2, and this client device 2 is mainly undertaken online by the coded communication pipeline 31 in this network system 3 with this server 1.But, how in this network system 3, to set up this coded communication pipeline 31, belong to the usual knowledge of the art, therefore do not repeat at this.
In the present embodiment, a Client Agent software 20 can be installed in this client device 2, and installation one server end management software 10 can be had in this server 1.This server 1 is online to when a user operates this client device 2, and for uploading the file 11 stored in this server 1, download, share, open, edit, the action such as deletion time, mainly by this Client Agent software 20 and the communication of this server end management software 10, complete above-mentioned action with assisting user.
This server 1 mainly can have a database (not shown), this file 11 a or many parts is stored in this database, those files 11 can be after user edits on this client device 2 and are uploaded in this server 1, also the online editing program (not shown) direct editing that can be user provides via this server 1 forms, but is not limited.
In the present embodiment, when this client device 2, this Client Agent software 20 be installed and after initiating switchup, namely logged in this server 1 by this Client Agent software 20.Such as, and after this Client Agent software 20 completes login, by the log-on message of this Client Agent software 20 in this server 1, an authorization code saves as user's data 12, wherein these user's data 12 correspond to this Client Agent software 20.
It is worth mentioning that, after this Client Agent software 20 logs in first, namely this server end management software 10 according to these user's data 12 (that is, above-mentioned log-on message) of this Client Agent software 20 correspondence, produces the client key 13 that this Client Agent software 20 is exclusive.This client key 13 is stored in this server 1, and simultaneously by this Client Agent software 20 records.When this client device downloads those files 11 by the request of this Client Agent software 20 on 2nd afterwards, this server end management software 10 can use this client key 13 of this Client Agent software 20 correspondence to be encrypted those files 11, and produces an encrypt file 16 that can supply to download.And after this client device 2 has successfully downloaded this encrypt file 16, this client key 13 by this Client Agent software 20 record is decrypted.
In the present embodiment, a Document Editing person or a system operator can propose a file application requests to this server 1, specifically, ask this server 1 to allow those files 11 to be shared, and set the mode be shared.Which which for example, set those files 11 can be shared and to platform client device carry out downloading, can be downloaded/open, can be unlocked several times, whether can be edited, whether can be printed in time.Further, those settings above-mentioned can be recorded as authorization privilege data 14 of those files 11 by this server end management software 10.When this this client device 2 has downloaded one of them of those files 11, only when the operation of this client device 2 meets these authorization privilege data 14 of this article part 11 correspondence, this file 11 just can be unlocked, and this file 11 only can perform the operation meeting these authorization privilege data 14 after being unlocked.
With reference to Fig. 3, it is the Client Agent software schematic diagram of the first specific embodiment of the present invention.As shown in Figure 3, this Client Agent software 20 mainly can divide into authority filtering module 201, file decryption Executive Module 202 and a client encrypt module 203.When this client device 2 has downloaded this encrypt file 16, and when being opened by this Client Agent software 20, need be linked up by this authority filtering module 201 and this server end management software 10, to confirm that whether this client device 2 is can the authorized client of this encrypt file 16 of legal unlatching.For example, this authority filtering module 201 can transmit the information of this client device 2 to this server 1, to carry out confirming (will be described in detail later).If this client device 2 is authorized client really, then this client key 13 recorded with this Client Agent software 20 by this file decryption Executive Module 202 is decrypted for this encrypt file 16, to be reduced to this file 11.Further, this file decryption Executive Module 202 opens this file 11 after successful decryption.
It is worth mentioning that, if this client device 2 is the equipment of enterprises, then this Client Agent software 20 restriction of file protect policy (Policy) that can specify by enterprise further.For example, enterprise can specify that archive files (such as Word file, Excel file, PowerPoint file, pdf document etc.) that inner all devices is edited is uploaded to this server 1, again to guarantee the confidentiality of file after all must encrypting.In this embodiment, if user's Document Editing software operated in this client device 2 carries out the editor of archive files, then after this archive files editor completes, this Client Agent software 20 can automatically by this client encrypt module 203 for this archive files is encrypted (this client key 13 specifically, adopting this Client Agent software 20 to record is encrypted).Further, this archive files after encryption is uploaded to this server 1 again, to save as one of them of those files 11.
In the present embodiment, the application software of this Client Agent software 20 mainly similar driver, the resident bottom being executed in this client device 2, and can link up with every application program of installing in this client device 2.In above-described embodiment, this Client Agent software 20 by linking up, the action that allows or forbid those application programs to carry out this file (such as open, edit, automatically encrypt, upload, print, forwarding etc.).But, above are only preferred embodiments of the present invention, should as limit.
With reference to Fig. 4, it is the server end management software schematic diagram of the first specific embodiment of the present invention.As shown in Figure 4, this server end management software 10 mainly can be divided into Data Control hinge 101, authority and filter administration module 102, key management module 103 and an encryption and decryption control module 104.This Data Control hinge 101 is the software kernels of this server end management software 10, in order to process, integrates and change the data and instruction that this authority filters administration module 102, this key management module 103 and this encryption and decryption control module 104.
This authority filter administration module 102 when proving program and this authority filtering module 201 link up, to confirm that whether this client device 2 will opening this encrypt file 16 is for authorized client.This key management module 103, when this Client Agent software 20 logs in first, according to this client key 13 that this corresponding user's data 12 dynamic making is exclusive, and manages made these client key 13 all.
This encryption and decryption control module 104 mainly comprises a download encrypting module 1041 and and downloads deciphering module 1042.When this client device 2 is for downloading this file 11, this corresponding client key 13 is taken out according to these user's data 12 by this download encrypting module 1041, and use this client key 13 to be encrypted this file 11, after producing this encrypt file 16, download for this client device 2.
It is worth mentioning that, in the present embodiment, this server 1 first carries out replication actions to this file 11 that the request of this client device 2 is downloaded, then is encrypted this multiple files 11.In other words, even if through encryption and download action, still possess this original file 11 in this server 1.
Different and determine according to the file protect policy of enterprise, in this server 1, those files 11 of storage may be the original documents of not encrypted, also may be through the encrypted file of a server key.If it is encrypted that those files 11 have passed through this server key, then this server end management software 10 will produce this encrypt file 16 above-mentioned for before the download of this client device 2, first need obtain this server key by this download decryption module 1042, and use this server key to be decrypted this file 11, after the original document obtaining this file 11, carry out above-mentioned copying to original document again, encryption acts, so just can produce this encrypt file 16 downloaded for this client device 2.
Separately, also can comprise in this encryption and decryption control module 104 and upload deciphering module 1043 and and upload encrypting module 1044.As described in the text, when this client device 2 has been edited an archive files and uploaded, because of the relation of the file protect policy of enterprise, may upload again after first encrypting with this client key 13.In this embodiment, after this server 1 receives this archive files that this client device 2 uploads, first uploaded deciphering module 1043 and taken out this corresponding client key 13 by this according to these user's data 12 of correspondence, and use this client key 13 to be decrypted this archive files uploaded, to produce original document archives.Then, then uploaded encrypting module 1044 taken out this server key by this, and after these original document archives being encrypted with this server key, save as one of them of those files 11 above-mentioned.By above-mentioned module, can reach and make no matter this file 11 is on this client device 2, on this server 1 or in transmitting procedure, the protection all can encrypted.
With reference to Fig. 5, be the register flow path figure of the first specific embodiment of the present invention.To effectively use guard method of the present invention, and add this protection system, first, user need install this Client Agent software 20 (step S10) in this client device 2.Then, after this Client Agent software 20 initiating switchup, this server 1 can be online to carry out logging in (step S12).In the present embodiment, the log-on message of this Client Agent software 20 when this Client Agent software 20 logs in, can be recorded as these user's data 12 of this Client Agent software 20 by this server 1.
After this Client Agent software 20 completes login first, this server end management software 10 is according to these user's data 12 of this Client Agent software 20, dynamic making is specific to this client key 13 (step S14) of this Client Agent software 20, and makes this client key 13 produce with these user's data 12 associating.After this step S14, this server end management software 10 can store this client key 13 (step S16), and makes this client key 13 produce with these user's data 12 associating.Meanwhile, this server end management software 10 provides this client key 13 to this Client Agent software 20, records this client key 13 (step S18) to make this Client Agent software 20.
By upper step S10 to step S18, this Client Agent software 20, namely can to log in this server 1 after initiating switchup in installation.And after login completes, in this server 1 and this Client Agent software 20, all store this exclusive client key 13 of this Client Agent software 20.
With reference to Fig. 6, it is the file-sharing application flow chart of the first specific embodiment of the present invention.As described in the text, download to this file 11 arbitrary in this server 1 be shared to miscellaneous equipment, then user's (as Document Editing person or system operator) can propose above-mentioned this file application requests (step S20) to this server end management software 10.In this file application requests, this file 11 (step S22) that this user mainly needs to select will carry out sharing, this client device 2 (step S24) of setting shared object and set the service regeulations (step S26) of this file 11.Further, after this user completes the setting of above-mentioned steps S20 to step S26, above-mentioned setup parameter is saved as these authorization privilege data 14 (step S28) of this file 11 by this server end management software 10.Above-mentioned this step S20 to step S26 does not have the ordinal relation in execution, therefore is not limited with above-mentioned.
More specifically, select this file 11 that will carry out sharing in this step S22, be the file that this user wishes to allow this client device 2 of shared object download.This shared object set in this step S24, is this user and wishes that this file 11 can be downloaded and the authorized client of opening.In this step S24, this user can set the MAC addresses (MediaAccessControlAddress of this shared object, MACAddress), or these user's data 12 of this Client Agent software 20 installed in this shared object, but be not limited.Whether whether these service regeulations set in this step S26, are this user and wish that this file 11 can by the action operated after being downloaded, such as, the time that can be unlocked, number of times, can be edited, can be printed.But the above is all only preferred embodiments of the present invention, should as limit.
With reference to Fig. 7, for the encrypt file of the first specific embodiment of the present invention downloads flow chart.When this client device 2 will ask to download this file 11, mainly connect by the browser (Browser) on this client device 2 and log in this server 1, and downloading this file 11 (step S30) to the request of this server end management software 10.Then, this server end management software 10 is according to the log-on message (herein means the information of this Client Agent software 20) of this client device 2, in this server 1, take out these corresponding user's data 12, and take out these authorization privilege data 14 (step S32) of this file 11 simultaneously.After this step S32, these user's data 12 are compared with these authorization privilege data 14 by this server end management software 10, to judge whether this client device 2 (that is, this Client Agent software 20) has the download permission (step S34) of this file 11.If this client device 2 does not have the download permission of this file 11, then this server end management software 20 refuses the download request (step S36) of this client device 2 for this file 11.
If this client device 2 has the download permission of this file 11 really, then this server end management software 20 is according to these user's data 12, by taking out this corresponding client key 13 (step S38) in this server 1, and use this client key 13 to be encrypted this file 11, to produce this encrypt file 16 (step S40).After this step S40, this server end management software 20 allows this client device 2 to download this encrypt file 16 (step S42).The download action of indication in this step S42, can be this client device 2 and automatically downloads, or show the download link of this encrypt file 16, to make user click download, be not limited.
It is worth mentioning that, as described in the text, if this file 11 itself carried out encryption by this server key, then before this step S40, this server end management software 20 can first obtain this server key, and after first this file 11 being decrypted to obtain original document with this server key, then perform this step S40.
In aforesaid embodiment, the proving program of the download request of this file 11 and the download permission of this client device 2 is all mainly performed by this Client Agent software 20.But the file of enterprises may need to be supplied to external client or supplier downloads, and the equipment of client or supplier may not install this Client Agent software 20.This protection system of the present invention and this guard method can be applicable to said circumstances simultaneously, are described in detail as follows.
With reference to Fig. 8, for the encrypt file of the second specific embodiment of the present invention downloads flow chart.If this shared object aforesaid be this external client equipment 22 (namely, this Client Agent software 20 is not installed), then this user needs first to propose this file application requests above-mentioned to this server end management software 10 equally, and select this file 11 that will share, set this shared object and this service regeulations (step S50) of this file 11 simultaneously.In the present embodiment, this user need provide an e-mail box of this shared object simultaneously, obtains this encrypt file 16 (will be described in detail later) in order to this shared object.
After this step S50, this server end management software 10 makes one group of specific key (step S52) according to those setup parameters, and uses this specific key to be encrypted for this file 11, to produce this encrypt file 16 (step S54).Finally, this encrypt file 16 is supplied to this shared object (step S56) with this specific key by this server end management software 10 simultaneously.In this step S56, this server end management software 10 mainly can produce the download link of this encrypt file 16, and sends this e-mail box to this shared object together with this specific key, but is not limited.
With reference to Fig. 9, for the encrypt file of the first specific embodiment of the present invention opens flow chart.This client device 2 can carry out local side unlatching (step S60) after obtaining this encrypt file 16 by aforementioned manner.In the present invention, this client device 2 mainly directly opens this encrypt file 16 by this Client Agent software 20, or open this encrypt file 16 by the application program (not shown) of installing in this client device 2, and this application program, by the management of this Client Agent software 20, is not limited.
When this client device 2 will open this encrypt file 16, this Client Agent software 20 obtains the information of this client device 2, and is sent to this server 1 (step S62).In the present embodiment, the information spinner of this client device 2 will be able to be such as the MACAddress of this client device 2, and the authorization code of this Client Agent software 20, but is not limited.
After this server 1 receives the information of this client device 2, judge whether this client device 2 is the authorized client (step S64) being allowed to open this encrypt file 16 by this server end management software 10, that is, judge whether this client device 2 is this shared object that this encrypt file 16 is set.
Specifically, these corresponding with this encrypt file 16 for the information of this client device 2 authorization privilege data 14 can be compared by this server end management software 10, to judge whether this client device 2 is this authorized client.If this server end management software 10 thinks that this client device 2 is not legal authorized client after judging, then this server end management software 10 responds the forbidden message of this breakdown action to this Client Agent software 20 (step S66).After this step S66, this Client Agent software 20 responds this encrypt file 16 of user and cannot be unlocked, or forbids the breakdown action that this application program in this client device 2 performs this encrypt file 16.
If this client device 2 is authorized client really, then then verify whether this client key 13 can be this encrypt file 16 and be decrypted (step S68) by this Client Agent software 20.Specifically, namely this Client Agent software 20 hold this client key 13 after above-mentioned logging program, and this encrypt file 16 adopts this client key 13 being specific to this Client Agent software 20 to be encrypted, if this client device 2 therefore downloading this encrypt file 16 is identical with this client device 2 opening this encrypt file 16, then this encrypt file 16 can be properly decrypt, and vice versa.
But, if this Client Agent software 20 does not have this client key 13, or the client key that tool is held cannot be decrypted this encrypt file 16, then perform this step S66, respond this encrypt file 16 of user by this Client Agent software 20 cannot be unlocked, or forbid the breakdown action that this application program in this client device 2 performs this encrypt file 16.
If this encrypt file 16 can be reduced to this file 11 by this Client Agent software 20 successful decryption, then this Client Agent software 20 proposes inquiry, to confirm whether current breakdown action meets these service regeulations (step S70) of this file 11 to this server 1 further.In this step S70, this server 1 receives the inquiry of this Client Agent software 20 by this server end management software 10, and inquire about these authorization privilege data 14 of this file 11 correspondence, judge these service regeulations whether current breakdown action meets this file 11 and be set whereby.Such as, the opening time whether correct, opening times whether arrive the upper limit etc., but be not limited.When this Client Agent software 20 receives the response of this server 1, and when confirming that current breakdown action meets the service regeulations of this file 11 really, this file 11 can be unlocked (step S72).In the present embodiment, this step S72 directly opens this file 11 by this Client Agent software 20, or allows this application program in this client device 2 to open this file 11 by this Client Agent software 20.
But, if this server end management software 10 thinks that the breakdown action of this client device 2 does not meet the service regeulations of this file 11 after judging, after performing this step S66, respond this encrypt file 16 of user by this Client Agent software 20 cannot be unlocked, or forbid the breakdown action that this application program in this client device 2 performs this encrypt file 16.
In the present embodiment, must confirm this client device 2 be authorized client, this Client Agent software 20 records this client key 13 can successful decryption and current breakdown action meet three conditions such as the service regeulations of file set up simultaneously time, this encrypt file 16 just can be unlocked.But, the ordinal relation that this step S64 above-mentioned, this step S68 and this step S70 do not perform, and can synchronously be performed.
It is worth mentioning that, when this server end management software 10 produces this encrypt file 16, can simultaneously by the partial information (such as device name) of this client device 2, and the information such as this client device 2 request time of downloading adds in this encrypt file 16 simultaneously.After this client device 2 successfully opens this encrypt file 16, those information above-mentioned will be shown in the mode of dynamic watermark on this file 11 after unlatching (step S74).Finally, after this client device 2 successfully opens this file 11, opening information is back to this server 1 (step S76) by this Client Agent software 20, stores and upgrade use record data 15 to make server 1.By these use record data 15, administrative staff can those files 11 in this server 1 of apparent respectively which time open by any platform client device.Whereby, when enterprise finds that file is illegally used, can judge it is which link is out of joint according to these use record data 15.
The foregoing is only preferred embodiments of the present invention, non-ly therefore namely limit to right of the present invention, therefore the equivalence change of such as using content of the present invention to do, be all in like manner all included within the scope of the present invention.
Claims (16)
1. an encrypt file guard method, applies to a client device and a server, and wherein this client device has a Client Agent software, and this server has a server end management software, it is characterized in that, comprising:
A) this Client Agent software obtains an encrypt file and carries out local side unlatching;
B) information of this client device is transmitted to this server;
C) this server end management software is according to this information received, and judges whether this client device is the authorized client can opening this encrypt file;
If d) this client device is this authorized client, this Client Agent software judges whether the client key itself held can be this encrypt file and be decrypted;
If this client key that e) this Client Agent software is held can be the deciphering of this encrypt file, to this server end management software, inquiry is proposed further, to confirm the service regeulations whether current breakdown action of this client device meets this encrypt file and be set; And
If f) this breakdown action meets this service regeulations, deciphering this encrypt file is a file, and opens this file according to these service regeulations.
2. encrypt file guard method according to claim 1; it is characterized in that; also comprise a step g: if this client device is not this authorized client; or this client key that this Client Agent software is held cannot be deciphered for this encrypt file; or this breakdown action does not meet this service regeulations, then respond the forbidden message of this breakdown action.
3. encrypt file guard method according to claim 1, is characterized in that, this information of this client device is the MAC addresses of this client device, and the authorization code of this Client Agent software.
4. encrypt file guard method according to claim 1, is characterized in that, in this step f, allows the application program in this client device to open this file by this Client Agent software.
5. encrypt file guard method according to claim 1; it is characterized in that; in this step c; this information that this server end management software comparison receives; and the authorization privilege data that this encrypt file presets; judging whether this client device is this authorized client, wherein this encrypt file of this authorization privilege data record one shared object that can be shared and this service regeulations.
6. encrypt file guard method according to claim 5, is characterized in that, also comprises the following steps: before this step a
A01) to this server end management software, one file application requests is proposed;
A02) this file that will carry out sharing is selected;
A03) this shared object of this file is set;
A04) these service regeulations of this file are set; And
A05) this shared object and this service regeulations are saved as these authorization privilege data of this file.
7. encrypt file guard method according to claim 6, is characterized in that, also comprises the following steps: before this step a
A11) this Client Agent software proposes the download request of this file to this server end management software;
A12) this server end management software takes out corresponding user's data according to the log-on message of this Client Agent software, and wherein this user's data storing is in this server;
A13) this server end management software obtains these authorization privilege data of this file;
A14) these user's data of comparison and this authorization privilege data, to judge whether this Client Agent software has the download permission of this file;
A15) if this Client Agent software has the download permission of this file, this server end management software obtains this corresponding client key according to these user's data, and wherein this client key is stored in this server;
A16) this client key is used to be encrypted this file, to produce this encrypt file; And
A17) this encrypt file is provided to download for this Client Agent software.
8. encrypt file guard method according to claim 7; it is characterized in that; when this server end management software produces this encrypt file; by the information of this client device with ask time of downloading to put into this encrypt file, and this encrypt file guard method also comprises a step h: the time that the information of this client device and request are downloaded with watermark mode Dynamic Announce on this file that is unlocked.
9. encrypt file guard method according to claim 7, is characterized in that, also comprises the following steps: before this step a
A21) this Client Agent software is installed in this client device;
A22) be connected to this server after this Client Agent software startup to log in first;
A23) log-on message of this Client Agent software is saved as this user's data by this server end management software, and produces this exclusive client key of this Client Agent software according to these user's data;
A24) this this client key of server end management software record, and make this client key produce with these user's data associating; And
A25) this this client key of Client Agent software records.
10. encrypt file guard method according to claim 1, is characterized in that, also comprises a step I: after step f, and this Client Agent software returns an opening information to this server end management software.
11. 1 kinds of encrypt file protection systems, is characterized in that, comprising:
One Client Agent software, is installed on a client device, comprises:
One authority filtering module, transmits information to one server of this client device, to confirm that this client device is the authorized client being allowed to open this encrypt file when this client device is for opening an encrypt file; And
One file decryption Executive Module, after this client device of confirmation is this authorized client, it is a file that the client key adopting this Client Agent software to hold deciphers this encrypt file, and this file is opened when current breakdown action meets the service regeulations that this file is set, wherein these service regeulations are stored in this server;
One server end management software, is installed on this server be connected by network with this client device, comprises:
Whether one authority filters administration module, links up with this authority filtering module, be this authorized client with this client device of this validation of information by receiving;
One key management module, when this Client Agent software logs in this server first, log-on message according to this Client Agent software makes this exclusive client key, and wherein this client key is recorded in this Client Agent software and this server end management software simultaneously;
One encryption and decryption control module, has a download encrypting module, and in time receiving the download request of this Client Agent software to this file, this client key obtaining this Client Agent software corresponding is encrypted this file, to produce this encrypt file; And
One Data Control hinge, in order to process, integrates and changes the data and instruction that this authority filters administration module, this key management module and this encryption and decryption control module.
12. encrypt file protection systems according to claim 11; it is characterized in that; this file is through a server key encryption of this server; this encryption and decryption control module also has a download deciphering module; in time receiving the download request of this Client Agent software to this file; obtain this server key to be decrypted to produce an original document to this file, and make this download encrypting module be encrypted this original document with this client key, to produce this encrypt file.
13. encrypt file protection systems according to claim 11; it is characterized in that; this Client Agent software also comprises a client encrypt module; after this client device editor completes an archive files; this client key adopting this Client Agent software to hold is encrypted this archive files, and this archive files after encryption is uploaded to the storage of this server by this client device.
14. encrypt file protection systems according to claim 13, is characterized in that, this encryption and decryption control module also has:
One uploads deciphering module, and after this archive files of reception, this client key obtaining this client device corresponding is decrypted this archive files, to produce original document archives; And
One uploads encrypting module, and the server key obtaining this server default is encrypted these original document archives, to produce this file.
15. encrypt file protection systems according to claim 11, is characterized in that, this server stores use record data, and this this client device of use record data record is to the opening information of this encrypt file.
16. encrypt file protection systems according to claim 11; it is characterized in that; this server stores authorization privilege data of this file; these service regeulations of this this file of authorization privilege data record and a shared object; wherein this information of this client device and this shared object of this file are compared, to confirm whether this client device is this authorized client by this authority filtration administration module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410493178.4A CN105516056B (en) | 2014-09-24 | 2014-09-24 | Encrypt file protecting system and its guard method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410493178.4A CN105516056B (en) | 2014-09-24 | 2014-09-24 | Encrypt file protecting system and its guard method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105516056A true CN105516056A (en) | 2016-04-20 |
| CN105516056B CN105516056B (en) | 2018-10-26 |
Family
ID=55723704
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410493178.4A Active CN105516056B (en) | 2014-09-24 | 2014-09-24 | Encrypt file protecting system and its guard method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105516056B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111314781A (en) * | 2018-12-11 | 2020-06-19 | 青岛海尔多媒体有限公司 | Local file encryption method, device, equipment and storage medium |
| CN112565447A (en) * | 2020-12-17 | 2021-03-26 | 南京维拓科技股份有限公司 | Encryption and decryption method and system matched with uploading and downloading in cloud environment and WEB file manager |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20010042046A1 (en) * | 2000-03-01 | 2001-11-15 | Yasuo Fukuda | Data management system, information processing apparatus, authentification management apparatus, method and storage medium |
| CN101174941A (en) * | 2006-11-01 | 2008-05-07 | 北京书生国际信息技术有限公司 | Off-line digital copyright protection method and device for mobile terminal document |
| CN102355463A (en) * | 2011-10-10 | 2012-02-15 | 厦门简帛信息科技有限公司 | Digital document encryption method |
| CN103108245A (en) * | 2011-11-15 | 2013-05-15 | 中国银联股份有限公司 | Smart television payment secret key system and payment method based on smart television |
-
2014
- 2014-09-24 CN CN201410493178.4A patent/CN105516056B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20010042046A1 (en) * | 2000-03-01 | 2001-11-15 | Yasuo Fukuda | Data management system, information processing apparatus, authentification management apparatus, method and storage medium |
| CN101174941A (en) * | 2006-11-01 | 2008-05-07 | 北京书生国际信息技术有限公司 | Off-line digital copyright protection method and device for mobile terminal document |
| CN102355463A (en) * | 2011-10-10 | 2012-02-15 | 厦门简帛信息科技有限公司 | Digital document encryption method |
| CN103108245A (en) * | 2011-11-15 | 2013-05-15 | 中国银联股份有限公司 | Smart television payment secret key system and payment method based on smart television |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111314781A (en) * | 2018-12-11 | 2020-06-19 | 青岛海尔多媒体有限公司 | Local file encryption method, device, equipment and storage medium |
| CN112565447A (en) * | 2020-12-17 | 2021-03-26 | 南京维拓科技股份有限公司 | Encryption and decryption method and system matched with uploading and downloading in cloud environment and WEB file manager |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105516056B (en) | 2018-10-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20210248260A1 (en) | System and method for data management and security for digital manufacturing | |
| US7302570B2 (en) | Apparatus, system, and method for authorized remote access to a target system | |
| US8719582B2 (en) | Access control using identifiers in links | |
| KR100423797B1 (en) | Method of protecting digital information and system thereof | |
| US6289450B1 (en) | Information security architecture for encrypting documents for remote access while maintaining access control | |
| CN100568251C (en) | The guard method of security files under cooperative working environment | |
| US8909925B2 (en) | System to secure electronic content, enforce usage policies and provide configurable functionalities | |
| US7458102B2 (en) | Information security architecture for remote access control using non-bidirectional protocols | |
| TWI479287B (en) | Control system, program delivery device, authentication server, program protection method, program delivery method and program delivery device | |
| CN106533693B (en) | Access method and device of railway vehicle monitoring and overhauling system | |
| KR20050053569A (en) | Document preservation authority endowment method | |
| KR101377352B1 (en) | Digital rights management (drm) method and equipment in small and medium enterprise (sme) and method for providing drm service | |
| TWI499931B (en) | File management system and method | |
| US11544354B2 (en) | System for secure provisioning and enforcement of system-on-chip (SOC) features | |
| CN102138145B (en) | Cryptographically controlling access to documents | |
| CN105516056A (en) | Encrypted file protection system and protection method thereof | |
| US8953795B2 (en) | Forensic decryption tools | |
| KR101315482B1 (en) | Secret information reading service system using by a writer authentication and the control method thereof | |
| TWI509458B (en) | Protection system for encrypted document and protection method for using the same | |
| JP2007200229A (en) | Software management system | |
| CN110741371B (en) | Information processing apparatus, protection processing apparatus, and use terminal | |
| TWI669627B (en) | File protection component and its protection method | |
| KR102638374B1 (en) | Method for saving to distribution data employing image value deciding based in CNN and blockchain driving | |
| KR100380929B1 (en) | Method of protecting digital information and system thereof | |
| KR20080022740A (en) | Management system for personal information transfer and method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |