CN105975877B - A kind of sensitive document secure storage method - Google Patents


Publication number: CN105975877B
Authority: CN (China)
Prior art keywords: file, user, access, data, data block
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610505109.XA
Other languages: Chinese (zh)
Other versions: CN105975877A (en)
Inventors: 王富强, 李昕, 叶雄
Current Assignee: Chongqing City Branch Co Of China Joint Network Communication Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Chongqing City Branch Co Of China Joint Network Communication Co Ltd
Priority date: 2016-07-01 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2016-07-01
Publication date: 2019-06-21
Application filed by Chongqing City Branch Co Of China Joint Network Communication Co Ltd
Priority to CN201610505109.XA
Publication of CN105975877A
Application granted
Publication of CN105975877B
Expired - Fee Related

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209: Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a secure storage method for sensitive files, comprising the following steps: S1, splitting the file data; S2, randomly dispersing the split data blocks; S3, securely storing the split data blocks at their dispersed addresses; S4, authenticating user applications to access the file. During operation and maintenance activities, the invention allows effective supervision of cross-application exchange and interface behaviour involving important sensitive data, preventing the disorderly, uncontrolled circulation of sensitive data.

Description

A kind of sensitive document secure storage method
Technical field
The present invention relates to information security, and in particular to a secure storage method for sensitive files.
Background art
At present, sensitive files are stored using encryption protection technology. The drawbacks of this technology are: 1) keys are difficult to protect, and insecurity in the key transfer process can cause files to leak; 2) the file data body itself is still stored by relying on the file system storage mechanism of the operating system, whose security protections lack a complete, fine-grained defense-in-depth strategy, and whose access entry points and technical means are all standard and open, so there are many security risks.
Summary of the invention
In view of the above defects and problems of the prior art, the technical problem to be solved by the present invention is that the access entry points and technical means of existing file systems are all standard and open, with many security risks.
In order to achieve the above object, the present invention provides the following technical solution:
A secure storage method for sensitive files, comprising the following steps:
S1, splitting the file data: the file data body is split according to the file size and a configurable number of data blocks to form a predetermined number of data blocks, with the file header information as the first data block; the data blocks are labeled after splitting, each data block of the file being marked with a unique serial ID;
S2, randomly dispersing the split data blocks: a hash is computed over each split data block according to a hash algorithm, and the resulting random hash value of each block is used as that block's hash address; a hash address table of the split data blocks is created for the sensitive file, containing each block's hash address and its sequence number within the file; the hash address table is stored encrypted;
S3, securely storing the split data blocks at their dispersed addresses: except for the split data block with the first sequence number, the remaining split data blocks are encrypted, with the file header information of the file as the encryption key; according to the hash address table, the encrypted split data block of each sequence number is stored in the record pointed to by its corresponding hash address;
S4, authenticating user file access applications: for a file access application submitted by a user, the authentication module first verifies the user's identity, then checks the time rules for the user's access behaviour, and finally checks the attribute rules of the target file being accessed; if authentication passes, the file data extraction function is executed for the user's access request, and the file data obtained by extraction is delivered to the accessing user.
In the above technical solution, in step S4, the user identity verification includes verifying that the user account and identity information are reliable and verifying whether the user's department and post comply with the authorization rules; the time rule check of the user's access behaviour includes verifying whether the current access time falls within a permitted access time period; and the target file attribute rule check includes verifying whether the size, creation time, basic attributes and source of the file being accessed fall within the permitted access rules.
In the above technical solution, in step S4, the file data extraction method is as follows: after authentication passes, the system returns the encryption key of the hash address table; the hash address table is decrypted with that key; the storage hash address of each split block of the file is obtained from the hash address table; the storage address of the first sequence number is obtained from the hash addresses, and the first split data block, i.e. the file header information, is fetched; the split blocks from the second sequence number through the last are fetched in order of sequence number and decrypted using the file header information as the key, yielding the original plaintext blocks; the blocks are merged in sequence order to form the sensitive file data.
The present invention provides a secure storage method for sensitive files based on dispersed secure storage. The storage method proposed splits and disperses the sensitive file and then encrypts and stores the dispersed data fragments, thereby securing the storage of the file.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the authentication of a user's file access application according to the present invention;
Fig. 2 is a functional structure diagram of an implementation example of sensitive file security management and control according to the present invention.
Detailed description of the embodiments
The technical solution of the present invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
A secure storage method for sensitive files, shown as an embodiment, comprises the following steps:
S1, splitting the file data: the file data body is split according to the file size and a configurable number of data blocks to form a predetermined number of data blocks, with the file header information as the first data block; the data blocks are labeled after splitting, each data block of the file being marked with a unique serial ID;
S2, randomly dispersing the split data blocks: a hash is computed over each split data block according to a hash algorithm, and the resulting random hash value of each block is used as that block's hash address; a hash address table of the split data blocks is created for the sensitive file, containing each block's hash address and its sequence number within the file; the hash address table is stored encrypted;
S3, securely storing the split data blocks at their dispersed addresses: except for the split data block with the first sequence number, the remaining split data blocks are encrypted, with the file header information of the file as the encryption key; according to the hash address table, the encrypted split data block of each sequence number is stored in the record pointed to by its corresponding hash address;
S4, authenticating user file access applications: for a file access application submitted by a user, the authentication module first verifies the user's identity, then checks the time rules for the user's access behaviour, and finally checks the attribute rules of the target file being accessed; if authentication passes, the file data extraction function is executed for the user's access request, and the file data obtained by extraction is delivered to the accessing user.
In step S4, the user identity verification includes verifying that the user account and identity information are reliable and verifying whether the user's department and post comply with the authorization rules; the time rule check of the user's access behaviour includes verifying whether the current access time falls within a permitted access time period; and the target file attribute rule check includes verifying whether the size, creation time, basic attributes and source of the file being accessed fall within the permitted access rules.
As shown in Fig. 1, in step S4, the file data extraction method is as follows: after authentication passes, the system returns the encryption key of the hash address table; the hash address table is decrypted with that key; the storage hash address of each split block of the file is obtained from the hash address table; the storage address of the first sequence number is obtained from the hash addresses, and the first split data block, i.e. the file header information, is fetched; the split blocks from the second sequence number through the last are fetched in order of sequence number and decrypted using the file header information as the key, yielding the original plaintext blocks; the blocks are merged in sequence order to form the sensitive file data.
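The S1-S3 storage path and the S4 extraction path described above, as an added sketch that is not code from the patent. Assumptions: the "file header information" is the first 16 bytes of the file, the hash address mixes in a random salt, the record store is a Python dict, and an HMAC-SHA256 encrypt-then-MAC construction stands in for the cipher the patent leaves unspecified; all function names are hypothetical.

```python
import hashlib
import hmac
import json
import os

HEADER_LEN = 16  # assumption: the "file header information" is the first 16 bytes
# Constructed sample input: a 16-byte header followed by a 600-byte body.
SAMPLE = b"%PDF-1.7 sample\n" + b"constructed sensitive payload " * 20


def _subkeys(key):
    """Derive separate encryption and MAC keys from one secret."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag before decrypting; reject tampered or wrong-key input."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor_stream(enc_key, nonce, ct)


def store_file(data, n_blocks, table_key, store):
    """S1-S3: split, assign hash addresses, store; returns the sealed address table."""
    if n_blocks < 1:
        raise ValueError("n_blocks must be at least 1")
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    size = max(1, -(-len(body) // n_blocks))        # ceiling division
    blocks = [header] + [body[i:i + size] for i in range(0, len(body), size)]
    block_key = hashlib.sha256(header).digest()     # S3: key comes from the header
    table = []
    for seq, block in enumerate(blocks, start=1):   # S1: sequence numbers from 1
        # S2: hash address of the block; the random salt is an assumption
        salt = os.urandom(16)
        addr = hashlib.sha256(salt + seq.to_bytes(4, "big") + block).hexdigest()
        # S3: block 1 (the header) is stored as-is, all others encrypted
        store[addr] = block if seq == 1 else seal(block_key, block)
        table.append({"seq": seq, "addr": addr})
    return seal(table_key, json.dumps(table).encode())


def extract_file(sealed_table, table_key, store):
    """Extraction after S4 authentication: decrypt table, fetch, decrypt, merge."""
    table = json.loads(unseal(table_key, sealed_table))
    table.sort(key=lambda row: row["seq"])
    header = store[table[0]["addr"]]                # first block = file header
    block_key = hashlib.sha256(header).digest()
    parts = [header] + [unseal(block_key, store[row["addr"]]) for row in table[1:]]
    return b"".join(parts)


if __name__ == "__main__":
    records = {}
    key = os.urandom(32)
    sealed = store_file(SAMPLE, 4, key, records)
    print(len(records), "records; round trip ok:",
          extract_file(sealed, key, records) == SAMPLE)
```

Block 1 is stored unencrypted and is the only key material for the other blocks, so in this scheme the confidentiality of the file rests on keeping the hash address table and its key secret.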
An application example of sensitive file security management and control implemented by the present invention is shown in Fig. 2 and works as follows:
The file interface module receives files that need to be brought under security management and control, and obtains each file's attribute information and file data body.
File attribute information, including file name, file type, file size, creation time and owner, is managed by the file identification information management function module.
The file identification information held by file identification information management is exposed through the file identification access portal for users to view. Through the portal a user can see which files exist and their basic attributes, and can initiate an application to view a file's content.
The file data splitting module and the file data storage module respectively provide, according to the method of the present invention, the splitting of file data and the dispersed encrypted storage of the split data blocks at the storage addresses in the dispersed address table.
The file data storage center manages all split and stored file data in a unified way, including functions such as data consistency maintenance, data security maintenance and authentication of data extraction access.
The file hash table management center is responsible for managing the hash address table of each file. The hash address table is stored under asymmetric encryption; the encryption key is created dynamically by the file hash table management center module, and the created encryption key is submitted to the file dispersal key management module for unified management.
The file hash table encryption keys created by the file hash table management center are managed in a unified way by the hash table key management module. Using a secret algorithm internal to the module, the key management module computes a digest of the file's hash table encryption key and submits the resulting digest to the file hash table management center as the key for encrypting the hash table. At the same time it creates the decryption key paired with the encryption key; the decryption key is split and stored within the key management module. When a user's application to view the data body of a file passes authentication, the file hash table key management module securely passes the file's hash table decryption key to the file extraction module for file data extraction.
To view the data of a sensitive file, a user must first initiate a data application through the file identification access portal. The application is submitted to the file access authentication module, which authenticates the legitimacy of the user's access according to the user file authorization rules configured in the file authorization management module, including verification of the legitimacy of the user's identity, review of the permissions of the user's department and post, and verification of the authorization rules for the user's access time period and for the basic attribute information of the file being accessed.
A file data application that passes authentication is submitted to the file data extraction module, which carries out the corresponding file data extraction. The data extraction module first obtains the file's hash table key and decrypts the hash table to obtain the file's hash table, then obtains the file header information according to the hash table, then extracts the split data blocks according to the hash table and decrypts them, and finally assembles the file data in data block sequence order to restore the complete file data.
Before being returned to the accessing user, the assembled complete file data must undergo file security control, including the file's validity period, the access and operation permissions of the file, the network circulation permissions of the file, and so on. The permission configuration for security management and control is set by the file security management and control policy management module, and the file security management and control module performs security management and control according to the control policies predefined in the file security control policy module.
The present invention provides a secure storage method for sensitive files based on dispersed secure storage. The storage method proposed splits and disperses the sensitive file and then encrypts and stores the dispersed data fragments, thereby securing the storage of the file; the access method proposed performs identity verification and permission authentication on the visitor, obtains the file's dispersed index sequence through a secret access channel, extracts and restores the fragments according to the dispersed sequence, and delivers the assembled data to the visitor to read. The secure storage method for sensitive files proposed by the present invention has the following features:
The secure storage method for sensitive files proposed by the present invention provides sensitive files with a file view identification information management method that is independent of the storage path. It is implemented as follows:
A file view identification information management function is provided for sensitive files, giving each file basic information management of its file view identification, including file name, attributes, size, creation time, creator and file source information.
File view identification information is exposed externally for viewing through the file identification directory portal. The directory portal provides logical directories that can be freely created and combined, to achieve logical combination management of files.
File view identification information, including the file logical directories, contains no storage address of the file data body at all. Neither the storage address nor the access mode of the file data can be obtained from the file identification information, including the file logical directory information.
The secure storage method for sensitive files proposed by the present invention has a file data storage and access method that is decoupled from the file view identification information and the logical directory information. Specifically, by viewing identification information a user can see a file's basic attributes but cannot directly obtain the file's data content; only by submitting a data content viewing application, and after authentication, can the system obtain the file's data content through dedicated extraction.
Compared with current file encryption methods, the method for secure storage of sensitive data files proposed by the present invention has the following advantages:
1. Viewing of file identification information and management of logical directories are completely separated from the storage location of file data and the retrieval of file data, making access to sensitive file data more secure and the access process more controllable.
2. File data is stored encrypted after hash dispersal, rather than being stored and managed according to the operating system's standard file system model, making the storage of sensitive data more secret and secure.
3. With the sensitive file storage method proposed by the present invention, file data of sensitive files can be obtained only through the file access tools associated with the present invention. All access to sensitive files can therefore be managed effectively and all access paths other than those tools are blocked, and on this basis the security control measures for the sensitive file access process and the file circulation control measures can be further extended and improved.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (3)

1. A secure storage method for sensitive files, characterized by comprising the following steps:
S1, splitting the file data: the file data body is split according to the file size and a configurable number of data blocks to form a predetermined number of data blocks, with the file header information as the first data block; the data blocks are labeled after splitting, each data block of the file being marked with a natural-number sequence number starting from 1;
S2, randomly dispersing the split data blocks: a hash is computed over each split data block according to a hash algorithm, and the resulting random hash value of each block is used as that block's hash address; a hash address table of the split data blocks is created for the sensitive file, containing each block's hash address and its natural-number sequence number within the file; the hash address table is stored encrypted;
S3, securely storing the split data blocks at their dispersed addresses: except for the split data block with the first sequence number, the remaining split data blocks are encrypted, with the file header information of the file as the encryption key; according to the hash address table, each encrypted split data block is stored, following the correspondence between natural-number sequence number and hash address established in S2, in the record pointed to by its corresponding hash address;
S4, authenticating user file access applications: for a file access application submitted by a user, the authentication module first verifies the user's identity, the user identity verification including verifying the user's account, password, department, post grade and post nature; next the time rule check of the user's access behaviour is performed, which means verifying whether the user's access period complies with the management policy; finally the attribute rule check of the target file being accessed is performed, which means verifying whether the user complies with the management policy for accessing the file and whether the user's post grade or nature entitles the user to view that class of file; if authentication passes, the file data extraction function is executed for the user's access request, and the file data obtained by extraction is delivered to the accessing user.
2. The secure storage method for sensitive files according to claim 1, characterized in that, in step S4, the user identity verification includes verifying that the user account and identity information are reliable and verifying whether the user's department and post comply with the authorization rules; the time rule check of the user's access behaviour includes verifying whether the current access time falls within a permitted access time period; and the target file attribute rule check includes verifying whether the size, creation time, basic attributes and source of the file being accessed fall within the permitted access rules.
3. The secure storage method for sensitive files according to claim 1, characterized in that, in step S4, the file data extraction method is as follows: after authentication passes, the system returns the encryption key of the hash address table; the hash address table is decrypted with that key; the storage hash address of each split block of the file is obtained from the hash address table; the storage address of the first sequence number is obtained from the hash addresses, and the first split data block, i.e. the file header information, is fetched; the split blocks from the second sequence number through the last are fetched in order of sequence number and decrypted using the file header information as the key, yielding the original plaintext blocks; the blocks are merged in sequence order to form the sensitive file data.
CN201610505109.XA 2016-07-01 2016-07-01 A kind of sensitive document secure storage method Expired - Fee Related CN105975877B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610505109.XA CN105975877B (en) 2016-07-01 2016-07-01 A kind of sensitive document secure storage method

Publications (2)

Publication Number Publication Date
CN105975877A (en) 2016-09-28
CN105975877B (en) 2019-06-21

Family

ID=56953526

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610505109.XA Expired - Fee Related CN105975877B (en) 2016-07-01 2016-07-01 A kind of sensitive document secure storage method

Country Status (1)

Country Link
CN (1) CN105975877B (en)

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190621

Termination date: 20200701