CN105975877B - A kind of sensitive document secure storage method - Google Patents
A kind of sensitive document secure storage method Download PDFInfo
- Publication number
- CN105975877B CN105975877B CN201610505109.XA CN201610505109A CN105975877B CN 105975877 B CN105975877 B CN 105975877B CN 201610505109 A CN201610505109 A CN 201610505109A CN 105975877 B CN105975877 B CN 105975877B
- Authority
- CN
- China
- Prior art keywords
- file
- user
- access
- data
- data block
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a kind of sensitive document secure storage methods, comprising the following steps: S1, carries out data segmentation to file;The Random Discrete of data block after S2, segmentation;Data block carries out secure storage according to discrete address after S3, segmentation;S4, user access file application authentication.The present invention can be in O&M active procedure, and to effectively being supervised across applications exchange and interface behavior for some important sensitive datas, the circulation for preventing sensitive data unordered is out of control.
Description
Technical field
The present invention relates to information securities, and in particular to a kind of sensitive document secure storage method.
Background technique
It for the storage mode of sensitive document is realized using encipherment protection technology at present, which lacks
Point has: 1) the safeguard protection difficulty of key is big, and the insecurity factor in key transfer process can cause file to be divulged a secret;2) number of files
It is stored according to body itself or the file system memory mechanism for relying on operating system, and the safety of the file system of operating system
Salvo lacks the depth Preservation tactics of complete refinement, and the access entrance of file system and technological means all standards are opened
It puts, security risk is more.
Summary of the invention
In view of the above drawbacks of the prior art and problem, the technical problem to be solved by the present invention is to existing file systems
Access entrance and technological means all standard opens, security risk are more.
In order to achieve the above object, the invention provides the following technical scheme:
A kind of sensitive document secure storage method, comprising the following steps: data segmentation S1, is carried out to file: according to file
Size and configurable data block number are split file data body, form the data block of predetermined quantity, and File header information is made
For first data block, label is carried out to the data block after segmentation, passes through each data block of unique flowing water ID label this document;
The Random Discrete of data block after S2, segmentation: hash calculating is carried out according to hash algorithm to the data block of segmentation, obtains all segmentations
Hash address of the random hash numerical value of data block as the data block creates the hash address of segmentation data block to sensitive document
Table, sequence number including hash address and hereof, hash address table pass through encrypting storing;Data block foundation after S3, segmentation
Discrete address carries out secure storage: in addition to the segmentation data block of first sequence number, encrypting, adds to remaining segmentation data block
Key uses the File header information of this document, according to hash address table, arrives data block storage is divided after the encryption of each sequence
In recording mechanism guided by corresponding hash address;S4, user access file application authentication: the file access Shen submitted to user
Please, authentication module carries out user identity verification first, secondly carries out the time rule verification of user access activity, is finally used
The target file attributes rule verification of family access mentions if the authentication is passed by file data is executed for the access request of the user
Function is taken, file data is obtained by extracting, submits to access user.
In above-mentioned technical proposal, in step s 4, the user identity verification includes verification user account and identity information
Reliable and verification user department and post whether meet authorization rule, the time rule of the user access activity verifies packet
Include the access time section rule for verifying whether current access time meet license, the target file attributes rule school of user's access
Test whether the file size including verification user's access, creation time, essential attribute, document source access in the regular of license
It is interior.
In above-mentioned technical proposal, in step s 4, the file data extracting method is as follows: after authentication verification, being
System returns to hash address subtabulation key;Pass through the key decrypted hash address table of hash address table;Pass through hash address table
Obtain the storage hash address of each sequences segmentation packet of this document;The storage address of first sequence is obtained according to hash address, is obtained
First ray is taken to divide data block, i.e. File header information;The segmentation of the second sequence sequence to the end is successively obtained according to sequence number
Block number evidence, and File header information is used to be decrypted to form original plaintext block data as key;Each sequence block data is pressed
It is merged according to sequence order, forms sensitive document data.
The present invention provides a kind of sensitive document method for secure storing of discrete secure storage.The sensitivity text that this method proposes
Part storage method be by the way that sensitive document is split, is discrete after, encryption storage is carried out again to discrete data slice, to do
To the storage safety of file.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of invention without any creative labor, may be used also for those of ordinary skill in the art
To obtain other drawings based on these drawings.
Fig. 1 is that user of the invention accesses file application authorizing procedure figure;
Fig. 2 is the functional structure chart that sensitive document security management and control of the invention realizes example.
Specific embodiment
Below in conjunction with attached drawing of the invention, technical solution of the present invention is clearly and completely described, it is clear that institute
The embodiment of description is only a part of the embodiment of the present invention, instead of all the embodiments.Based on the embodiments of the present invention,
Every other embodiment obtained by those of ordinary skill in the art without making creative efforts, belongs to this hair
The range of bright protection.
As a kind of sensitive document secure storage method shown in embodiment the following steps are included:
S1, data segmentation is carried out to file: file data body is carried out according to file size and configurable data block number
Segmentation, forms the data block of predetermined quantity, File header information marks the data block after segmentation as first data block
Label, pass through each data block of unique flowing water ID label this document;
The Random Discrete of data block after S2, segmentation: hash calculating is carried out according to hash algorithm to the data block of segmentation, is obtained
Hash address of the random hash numerical value of all segmentation data blocks as the data block, creates segmentation data block to sensitive document
Hash address table, sequence number including hash address and hereof, hash address table pass through encrypting storing;
Data block carries out secure storage according to discrete address after S3, segmentation: in addition to the segmentation data block of first sequence number,
Remaining segmentation data block is encrypted, encryption key uses the File header information of this document, according to hash address table, by each sequence
Divide in recording mechanism guided by data block storage to corresponding hash address after the encryption of column;
S4, user access file application authentication: the file access application submitted to user, authentication module carry out user first
Secondly proof of identity carries out the time rule verification of user access activity, finally carry out the target file attributes rule of user's access
It then verifies, if the authentication is passed, file data abstraction function will be executed for the access request of the user, obtain file by extracting
Data submit to access user.
In step s 4, user identity verification includes that the Ministry of Revenue is used in the reliable and verification of verification user account and identity information
Whether door and post meet authorization rule, and the time rule verification of user access activity includes whether verifying current access time
Meet the access time section rule of license, the target file attributes rule verification of user's access includes the file of verification user's access
Whether size, creation time, essential attribute, document source are in the rule access of license.
As shown in Figure 1, in step s 4, file data extracting method is as follows: after authentication verification, system returns to hash
The encryption key of address table;Pass through the key decrypted hash address table of hash address table;This document is obtained by hash address table
The storage hash address of each sequences segmentation packet;The storage address of first sequence is obtained according to hash address, obtains First ray
Divide data block, i.e. File header information;The segmentation block number evidence that the second sequence sequence to the end is successively obtained according to sequence number, is used in combination
File header information is decrypted to form original plaintext block data as key;By each sequence block data according to sequence order into
Row merges, and forms sensitive document data.
The sensitive document security management and control application example that the present invention realizes is implemented as follows Fig. 2:
File interface module receives the file for needing to be included in security management and control, and the file of file is obtained by file interface module
Attribute information and file volume data.
File attribute information, including filename, file type, file size, creation time, the owner, by file identification
Information management function module realizes management.
File identification information in file identification information management accesses portal opening by file identification, visits for user
Ask access, user checks the essential attribute of which file and file by the access portal, and can initiate by the portal
File content checks application.
File data segmentation module and file data memory module provide the number of files realized according to the method for the present invention respectively
The function of discrete encryption storage is carried out according to the storage address of discrete address table according to segmentation and to the database of segmentation.
File data storage center realizes that the All Files data to segmentation storage are managed collectively, one including data
The maintenance of cause property, the security maintenance of data, the functions such as extraction access authentication of data.
File hash table administrative center is responsible for managing the hash address table of each file, and hash address table carries out asymmetric encryption
Storage, for encryption key by file hash table management center module dynamic creation, it is discrete close that the encryption key of creation submits to file
Key management module is managed collectively.
The file hash table encryption key of file hash table administrative center creation it is unified by Hash table keys management module into
Row management, key management module carry out abstract meter by the secret algorithm of inside modules to the hash table encryption key of file
It calculates, the summary data being calculated is submitted into the key that file hash table administrative center encrypts as hash table.And it creates simultaneously
The decruption key with encryption key pairing is built, decruption key is split storage in key management module.It generates and works as user couple
The data volume of some file checks that application obtains after the authentication is passed, and file hash table key management module can be by the hash of this document
Table decruption key passes to safely file extraction module and carries out file data extraction.
User is accessed portal and checked to the data of sensitive document by file identification to need to initiate data application, data first
File access authentication module is submitted in application, and access authentication module is awarded according to the user file configured in file authorizing management module
Power rule authenticate to user's access legitimacy, including user identity legitimacy verifies, the power of user department and post
Limit is examined, the authorization rule verification of user's access time section and access file essential attribute information.
By the file data application of authentication, file data extraction module will be submitted to and carry out corresponding file data extraction
It realizes.The Hash table keys that data extraction module obtains this document first carry out hash table decryption, obtain the hash table of this document,
File header information is obtained according to hash table again, then extracts segmentation database from hash table and is decrypted, then according to data block
Sequence order carries out file data assembling reduction and obtains complete file data.
Complete file data after assembling need to carry out file security control, including text before returning to access user
The validity period of part, the access of file and operating right, the network circulation permission of file etc..The authority configuration of security management and control is by file
Security management and control policy management module is configured, and file security manages module according to predetermined in file security control policy module
Control strategy carries out security management and control.
The present invention provides a kind of sensitive document method for secure storing of discrete secure storage.The sensitivity text that this method proposes
Part storage method be by the way that sensitive document is split, is discrete after, encryption storage is carried out again to discrete data slice, to do
To the storage safety of file;The sensitive document access method that this method proposes is by carrying out proof of identity and permission to visitor
After authentication, the discrete index sequence of file is obtained by the access tunnel of secret, and carry out fragment extraction according to discrete series and go back
Original, then visitor's reading is given after carrying out data assembling.Sensitive document method for secure storing proposed by the present invention has following spy
Sign:
Sensitive document method for secure storing proposed by the present invention, have to sensitive document be supplied to one and store path without
The Fileview identification information management method of pass.Concrete implementation method is as follows:
One Fileview identification information management function is supplied to sensitive document, provides Fileview mark for each file
The basic information management of knowledge, including filename, attribute, size, creation time, founder, file source information.
Fileview identification information externally passes through the offer of file identification catalogue portal and checks access, and catalogue portal provides can be certainly
By creating and combined logical directories, to realize the logical combination management to file.
Fileview identification information includes Documents Logical catalogue, does not all include the storage address of file data body.Number of files
According to storage address and access mode all can not include by file identification information Documents Logical directory information obtain.
Sensitive document method for secure storing proposed by the present invention has a disengaging Fileview identification information and logic mesh
The file data of record information stores and accesses method.It specifically shows as, user is by checking that identification information checks the base of file
This attribute can not directly obtain file data content, only check that application could be existed by system by data content of presenting a paper
Special extract obtains the data content of this document after authentication.
The method proposed by the present invention that secure storage is carried out to sensitive data file, compared to current file encrypting method,
It has the advantages that:
1, the identification information of file check with logical directories management, obtained with the storage location and file data of file data
It is kept completely separate, so that the access of sensitive document data is safer, access process is more controllable.
2, the storage of file data be by Hash it is discrete after encryption storage, rather than according to the normative document of operating system
System model carries out file data storage and management, so that the storage mode of sensitive data more secret safety.
3, the sensitive document storage method proposed through the invention, so that sensitive document can only relevant text through the invention
Part access tool carries out file data acquisition and prevents to own so as to effectively manage the access behavior of all pairs of sensitive documents
Other non-access approach by the relevant file access tool of the present invention are complete so as to further expand on this basis
The safety control measures and file of sensitive document access process spread control measure.
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any
Those familiar with the art in the technical scope disclosed by the present invention, can easily think of the change or the replacement, and should all contain
Lid is within protection scope of the present invention.Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (3)
1. a kind of sensitive document method for secure storing, which comprises the following steps:
S1, data segmentation is carried out to file: file data body is split according to file size and configurable data block number,
The data block of predetermined quantity is formed, File header information carries out label as first data block, to the data block after segmentation, passes through
Each data block of natural numerical order row number label this document since 1;
The Random Discrete of data block after S2, segmentation: hash calculating is carried out according to hash algorithm to the data block of segmentation, is owned
Divide hash address of the random hash numerical value of data block as the data block, the hash of segmentation data block is created to sensitive document
Address table, natural numerical order row number including hash address and hereof, hash address table pass through encrypting storing;
Data block carries out secure storage according to discrete address after S3, segmentation: in addition to the segmentation data block of first sequence number, to it
Remaining segmentation data block is encrypted, and encryption key will be encrypted according to hash address table using the File header information of this document
Divide data block and is stored with hash address corresponding relationship to record guided by corresponding hash address by natural numerical order row number in S2
In;
S4, user access file application authentication: the file access application submitted to user, authentication module carry out user identity first
Verification, the user identity verification include account, password, affiliated function, post grade, the post property of verification user, secondly
The time rule verification of user access activity is carried out, the time rule verification of the user access activity, which refers to, verifies the user's
Whether access-hours meet the regulation of management strategy, finally carry out the target file attributes rule verification of user's access, the use
The target file attributes rule verification of family access, which refers to, verifies whether the user meets access this document management strategy regulation, user
Whether post grade or property have the right to check the class file, if the authentication is passed, will execute file for the access request of the user
Data extraction function obtains file data by extracting, submits to access user.
2. a kind of sensitive document method for secure storing according to claim 1, which is characterized in that in step s 4, described
Whether reliable and verification user department and post of the user identity verification including verification user account and identity information, which meet, is awarded
Power rule, the time rule verification of the user access activity include the access for verification current access time whether meeting license
Period rule, user access target file attributes rule verification include verification user access file size, creation time,
Whether essential attribute, document source are in the rule access of license.
3. a kind of sensitive document method for secure storing according to claim 1, which is characterized in that in step s 4, described
File data extracting method is as follows: after authentication verification, system returns to hash address subtabulation key;Pass through hash address
The key decrypted hash address table of table;The storage hash address of each sequences segmentation packet of this document is obtained by hash address table;According to
The storage address of first sequence is obtained according to hash address, First ray is obtained and divides data block, i.e. File header information;According to sequence
Row number successively obtains the segmentation block number evidence of the second sequence sequence to the end, and File header information is used to be decrypted to be formed as key
Original plaintext block data;Each sequence block data is merged according to sequence order, forms sensitive document data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610505109.XA CN105975877B (en) | 2016-07-01 | 2016-07-01 | A kind of sensitive document secure storage method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610505109.XA CN105975877B (en) | 2016-07-01 | 2016-07-01 | A kind of sensitive document secure storage method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105975877A CN105975877A (en) | 2016-09-28 |
CN105975877B true CN105975877B (en) | 2019-06-21 |
Family
ID=56953526
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610505109.XA Expired - Fee Related CN105975877B (en) | 2016-07-01 | 2016-07-01 | A kind of sensitive document secure storage method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105975877B (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106789950B (en) * | 2016-11-30 | 2020-04-10 | Oppo广东移动通信有限公司 | Information protection method, device and terminal |
CN107122678A (en) * | 2017-04-28 | 2017-09-01 | 上海与德科技有限公司 | Protect the method and device of product parameters |
CN107729766B (en) * | 2017-09-30 | 2020-02-07 | 中国联合网络通信集团有限公司 | Data storage method, data reading method and system thereof |
CN107908980B (en) * | 2017-10-10 | 2021-11-23 | 芯海科技(深圳)股份有限公司 | Method for realizing encryption protection of memory data |
CN108777685B (en) * | 2018-06-05 | 2020-06-23 | 京东数字科技控股有限公司 | Method and apparatus for processing information |
CN109271800A (en) * | 2018-09-19 | 2019-01-25 | 中国银联股份有限公司 | A kind of document handling method and device |
CN109450633B (en) * | 2018-09-25 | 2022-10-21 | 平安科技(深圳)有限公司 | Information encryption transmission method and device, electronic equipment and storage medium |
CN109815710A (en) * | 2018-12-14 | 2019-05-28 | 开放智能机器(上海)有限公司 | A kind of guard method of intelligent algorithm model file |
CN110287716B (en) * | 2019-06-25 | 2021-09-14 | 北京邮电大学 | Data storage method and device |
CN111709040A (en) * | 2020-06-04 | 2020-09-25 | 江苏智先生信息科技有限公司 | Sensitive data oriented secure discrete storage method |
CN111950027A (en) * | 2020-08-21 | 2020-11-17 | 安徽高山科技有限公司 | File sharing method based on block chain intelligent contracts |
CN112016110B (en) * | 2020-09-01 | 2023-02-28 | 三星电子(中国)研发中心 | Method, device, equipment and storage medium for storing data |
CN112214778A (en) * | 2020-10-21 | 2021-01-12 | 上海英方软件股份有限公司 | Method and system for realizing discrete encryption of local file through virtual file |
CN113486374A (en) * | 2021-07-14 | 2021-10-08 | 郑州轻工业大学 | Computer data storage and reading method and system based on cloud computing |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103279694A (en) * | 2013-05-31 | 2013-09-04 | 华为技术有限公司 | Loading method, protecting method, loading device and protecting device for file system |
CN103455764A (en) * | 2013-08-27 | 2013-12-18 | 无锡华御信息技术有限公司 | File segmentation and merging technology-based file encryption and decryption systems |
CN103607393A (en) * | 2013-11-21 | 2014-02-26 | 浪潮电子信息产业股份有限公司 | Data safety protection method based on data partitioning |
CN104615954A (en) * | 2014-06-30 | 2015-05-13 | 腾讯科技(深圳)有限公司 | Password storage method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
BRPI0618725A2 (en) * | 2005-11-18 | 2011-09-06 | Rick L Orsini | secure data analyzer method and system |
-
2016
- 2016-07-01 CN CN201610505109.XA patent/CN105975877B/en not_active Expired - Fee Related
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103279694A (en) * | 2013-05-31 | 2013-09-04 | 华为技术有限公司 | Loading method, protecting method, loading device and protecting device for file system |
CN103455764A (en) * | 2013-08-27 | 2013-12-18 | 无锡华御信息技术有限公司 | File segmentation and merging technology-based file encryption and decryption systems |
CN103607393A (en) * | 2013-11-21 | 2014-02-26 | 浪潮电子信息产业股份有限公司 | Data safety protection method based on data partitioning |
CN104615954A (en) * | 2014-06-30 | 2015-05-13 | 腾讯科技(深圳)有限公司 | Password storage method and device |
Also Published As
Publication number | Publication date |
---|---|
CN105975877A (en) | 2016-09-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105975877B (en) | A kind of sensitive document secure storage method | |
KR102255287B1 (en) | Physical identity management system using One-time-password on Blockchain | |
CN101710380B (en) | Electronic document safety protection method | |
DK2272021T3 (en) | SECURE DATACACHE | |
EP3547203A1 (en) | Method and system for managing access to personal data by means of an intelligent contract | |
ES2835780T3 (en) | Procedure to issue a virtual version of a document | |
EP2110975A1 (en) | Method and system for digital signatures | |
CN106055993A (en) | Encryption storage system for block chains and method for applying encryption storage system | |
Liu et al. | Enabling secure and privacy preserving identity management via smart contract | |
CN106776904A (en) | The fuzzy query encryption method of dynamic authentication is supported in a kind of insincere cloud computing environment | |
CN104216907A (en) | Method, device and system for providing database access control | |
CN102084313A (en) | Systems and method for data security | |
US8700909B2 (en) | Revocation of a biometric reference template | |
AU2018256929B2 (en) | Systems and methods for identity atomization and usage | |
CN101321063A (en) | System user access management system and method based on digital certificate technique | |
CN113344222A (en) | Safe and credible federal learning mechanism based on block chain | |
CN111460420A (en) | Method, device and medium for using electronic seal based on block chain | |
CN101655893B (en) | Manufacture method of intelligent blog lock, Blog access control method and system thereof | |
CN108574578A (en) | A kind of black box data protection system and method | |
CN110430207A (en) | A kind of smart grid multi-point remote inter-network interaction collaboration authentication method | |
Singhal | Security analysis of aadhaar authentication process and way forward | |
CN111815821B (en) | IC card security algorithm applied to intelligent door lock | |
CN111523141B (en) | Personal privacy protection-based identity identification and verification system | |
CN110445756B (en) | Method for realizing searchable encryption audit logs in cloud storage | |
JP2005165738A (en) | Electronic content management system, electronic content management method, and its program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20190621 Termination date: 20200701 |