CN106650492B - Multi-device file protection method and device based on a security catalog - Google Patents
- Publication number: CN106650492B (application CN201611152430.0A)
- Authority: CN (China)
- Prior art keywords: file, key, user, equipment, information
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/16—Program or content traceability, e.g. by watermarking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The invention discloses an efficient multi-device file protection method and device based on a security catalog, comprising a device management module, a file monitor and a file protection module. Users are verified with a custom user ticket, so that user identity can be verified correctly while the user's password is kept secure. A custom new file format encapsulates the original sensitive file in a unified format, so that files of any format can be encrypted and protected by the device. By using device information as part of the device key, the invention gives users efficient and portable cross-device file protection. The file monitor continuously detects user behavior in real time in order to protect files. The invention thus provides users with secure, transparent protection of sensitive files, detects user behavior automatically so that files are protected automatically in real time, and also supports efficient and portable cross-device file protection.
Description
Technical field
The invention belongs to the field of information technology and relates to digital file content protection technology, in particular to a security-catalog-based file protection method and device that can be used across devices and protects file information.
Background
With the rapid development of information technology, the digitization of files has become increasingly common, and with it has come the problem of the security of the information stored in those files. Large companies and institutions often buy dedicated file protection systems to manage and protect confidential company files; however, because of their high price, deployment requirements and other reasons, such systems are not well suited to protecting personal information. Besides dedicated file protection systems, various file protection tools are also increasingly developed and used; however, these widely used tools assume by default that the device on which the tool is currently installed is the only carrier of protected information. This approach, which manages and protects files per device rather than per user, does not let users share and protect files across multiple devices. In fact, as technology develops and user demands rise, mobile devices such as tablets and mobile phones have also become platforms on which users work with their sensitive information. As the number of devices a user owns increases, the existing single-machine file protection tools can no longer meet users' needs. A user who owns multiple devices needs a file protection device that works per user and suits all the devices of the same user. Existing file protection technology can only protect files on one of the user's devices; it struggles to meet the file protection needs of users with multiple devices and cannot provide efficient and portable cross-device file protection.
Summary of the invention
To overcome the above deficiencies of the prior art, the invention provides an efficient multi-device file protection method and device based on a security catalog. It provides users with secure, transparent protection of sensitive files, can automatically detect user behavior so as to protect files automatically in real time, and can also provide efficient and portable cross-device file protection.
The principle of the invention is as follows. A security catalog is a directory that stores sensitive files and provides automatic protection functions. The invention designs an efficient method and device, based on the security catalog, for protecting files shared among multiple devices. It overcomes the deficiency that existing file protection technology can only protect files on one of the user's devices, provides users with secure and transparent protection of sensitive files, automatically detects user behavior and protects files automatically in real time, and additionally provides efficient and portable cross-device file protection. Meanwhile, to overcome the defect that existing file protection software can only protect files of specific formats, the invention defines a new unified secure file structure that extends the scope of protection, so that a file of any format can be packaged according to the structure and protected, and it provides a cross-device file protection mode for users who hold multiple devices, so that they can operate on protected files transparently and conveniently. To guarantee file security, any file in the security catalog is protected dynamically and in real time, which prevents the leakage of file information that occurs when a user forgets to encrypt a file.
The technical solution provided by the invention is as follows:
A multi-device file protection method based on a security catalog creates a device management module, a file monitor and a file protection module. By defining a new unified secure file structure and creating a security catalog, a file of any format can be packaged according to the secure file structure, and protection of files shared among multiple devices is then realized based on the security catalog. The method includes the following steps:
A) Information on multiple devices is managed by the device management module, including managing the device information table, generating device keys, generating device authentication codes, returning device keys, and so on;
B) The file protection module defines the unified secure file structure and re-encapsulates the original file according to it, producing a new file, the secure-structure file. Specifically:
B1) Generate the file encryption key
Specifically: the file protection module encrypts the content encryption key CEK (Content Encryption Key) with each device key in turn, producing a file encryption key ciphertext bound to each authorized device, and uses the system key to generate the key authentication code. Then, from the number of device keys, the file key ciphertext bound to each device, the corresponding device authentication codes and other information, it generates the file key ciphertext item of the protected file;
B2) Generate the secure-structure file
After the file encryption key is received, the content of the sensitive file is encrypted (using a symmetric encryption algorithm), and the file encryption key, the original file name and other information are used as the file header and encapsulated into the secure file structure;
In the invention, the unified secure file structure comprises a file header and file content. The file content is the ciphertext of the encrypted original file. The file header comprises the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header. The file key ciphertext comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code. The total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the number of ciphertext information items bound to the authorized devices (consistent with the current total number of authorized devices); the key authentication code is generated by a formula and is used during file decryption to verify the correctness of the file key recovered by the device;
C) Sensitive files are stored in the security catalog; an authorized user can enter the security catalog and perform file operations;
D) When a user enters the security catalog and performs file operations, the file monitor calls internal functions to monitor user behavior in the security catalog in real time, and protection of files shared among multiple devices is then carried out based on the security catalog;
D1) When the user performs a file editing operation (for example, opening a protected file), the file monitor detects the user's open operation and sends a request to the file protection module to decrypt the file for the user to use;
D2) After the file protection module receives the file view request sent by the file monitor, it first verifies the integrity of the requested file. Specifically: it obtains the content of the file header, generates the message digest of the current file header content, and compares it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header and ensuring that it has not been tampered with. It then regenerates the device decryption key. Specifically: it reads the salt R recorded in the protected file's header and sends it to the device management module;
D3) The device management module obtains the hardware information $Dev_{info}$ of this device and, using the encryption function $G_a$ with the system key $K_s$ and the salt R as parameters, generates the device key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$. It also generates the one-way hash value of the hardware information $Dev_{info}$ and sends both to the file protection module;
D4) The file protection module generates the file decryption key and checks its integrity. Specifically: it reads the file key ciphertext in the file header, traverses all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reads the device authentication code $HD_i$ in each item, and compares it in turn with the one-way hash value of the local device's hardware information generated by the device management module. If the device authentication code of the file key ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information item corresponds to this device. If no item matches, the device is illegitimate or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item, obtaining the file content key CEK, and a check is made against the key authentication code stored in the file key ciphertext; if they are unequal, decryption fails and the file view process is terminated;
D5) The file protection module restores the protected file. Specifically: it decrypts the protected file with the file content key CEK and restores it to the original file for the user to use.
When the file operation the user performs is modifying a file, then after the user has modified a sensitive file the file's digest information changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure, and stores it in the security catalog.
The invention also provides a security-catalog-based multi-device file protection device that implements the above multi-device file protection method, comprising a device management module, a file monitor and a file protection module;
Device management module: the device management module comprises a user registration and verification unit, a device management unit and a device key generation unit. User registration and verification implements access control for users requesting access to the security catalog and initializes the security catalog information. Device management manages all registered devices of a legitimate user, including adding and deleting devices. Considering that the set of devices a user owns can change, the device on which the user creates a protected sensitive file is defined as the source device of that file; the source device can share the protected sensitive file with other devices, and a user device (such as a notebook or tablet) with which the protected file is shared is a shared device. The invention uses a custom user ticket to verify user identity, and the user ticket is transparent to the user. The device key generation unit uses the system key $K_s$ and the salt R to generate the device key of a device;
File monitor: the file monitor is a process that always runs in the background; it continuously detects user operations in the security catalog and responds in real time, acting as the bridge between the user and protected files. Once the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protection module to protect the file. The user does not need to encrypt files manually; all encryption and encapsulation is completed automatically after the user creates or modifies a file;
File protection module: the file protection module is the core module of the device and is responsible for providing security protection for files. In providing the protection service, the invention does not consider the original file's format; it extracts the file content, encrypts it, and repackages it into the secure file structure. The secure file structure comprises two major parts, the file header and the file content. The file content is the ciphertext of the encrypted original file; the file header comprises the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header. The file key ciphertext (see Fig. 4) comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code. The total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the number of ciphertext information items bound to the authorized devices (consistent with the current total number of authorized devices); the key authentication code is generated by a formula and is used during file decryption to verify the correctness of the file key recovered by the device. The module also provides a cross-device file protection mode, so that files can be shared between the security catalogs of legitimate devices. Such a file protection device, being independent of file format, can meet user needs to the greatest extent rather than being able to encrypt only specific files, which increases the practicality of the invention.
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention provides an efficient multi-device file protection method and device based on a security catalog. It provides users with secure, transparent protection of sensitive files, can automatically detect user behavior so as to protect files automatically in real time, and can also provide efficient and portable cross-device file protection. Specifically, the invention has the following advantages:
First, users can operate on files within their permissions as needed. Any user entering the security catalog is verified with the device's custom user ticket rather than directly with the password the user enters, so the user's identity can be verified correctly while the security of the user's password is guaranteed;
Second, considering ease of use while achieving comprehensive real-time protection of sensitive files, the invention designs a file monitor. The monitor runs as a background daemon and always monitors file operations in the security catalog. When the user creates a file in the security catalog, or copies a file into the security catalog from another folder, the file monitor detects it immediately and notifies the file management component to encrypt and protect the file. After the user modifies a sensitive file, the file monitor likewise detects the behavior and notifies the file management component to re-encrypt the modified file. The file monitor allows user behavior to be detected continuously and in real time; the user need not specially select files to encrypt, which effectively prevents the case where the user, through carelessness, forgets to encrypt a newly created sensitive file;
Third, the invention defines a custom new file format that encapsulates the original sensitive file in a unified format, so that files of any format can be encrypted and protected by the device. Finally, to address the deficiency that existing file protection tools can only protect files on one of the user's devices, the invention also uses device information as part of the device key, providing users with efficient and portable cross-device file protection.
Brief description of the drawings
Fig. 1 is a system structure diagram of the multi-device file protection device provided by the invention.
Fig. 2 is a flow diagram of the multi-device file protection method provided by the invention.
Fig. 3 is a flow diagram of user access control in an embodiment of the invention.
Fig. 4 is a structure diagram of the file key ciphertext contained in the secure file structure of the invention.
Detailed description of embodiments
The invention is further described below through embodiments with reference to the accompanying drawings, without limiting the scope of the invention in any way.
The invention provides an efficient multi-device file protection method and device based on a security catalog. It provides users with secure, transparent protection of sensitive files, can automatically detect user behavior so as to protect files automatically in real time, and can also provide efficient and portable cross-device file protection.
Fig. 1 is a system structure diagram of the multi-device file protection device provided by the invention, comprising a device management module, a file monitor and a file protection module, which together realize multi-device file protection based on the security catalog.
Fig. 2 is a flow diagram of the multi-device file protection method provided by the invention. In the following embodiment, the user creates a shared security catalog on a device on which the file protection device is installed, and multi-device file protection based on the security catalog is realized on this basis, specifically including the following steps:
1) The user creates a security catalog
The user logs in to a device on which the file protection device is installed, selects an installation path on the device, and applies to the file protection device to create a security catalog.
The security catalog path the user selects is processed and stored in the device. Meanwhile, after receiving the user information, the user management module generates the user's ID and ticket. The user ticket is generated by formula (1):
where $password_u$ is the user's password, and ID is the user name of the user and the user's unique identifier in the device. H() denotes a one-way hash function, which ensures that even if the ticket is leaked, an attacker cannot work backwards from the ticket to the user's password or other information.
2) User registration and verification
Before operating on files in the security catalog on any device on which the file protection device is installed, the user must first enter the account password for identity verification. The device does not verify the user's account password directly; the aim is to verify the legitimacy of the user's identity without disclosing the user's password. The detailed user verification process is shown in Fig. 2. When a user logs in by entering a user name and password, the device management module automatically generates a temporary ticket for the user, decrypts and obtains the user's correct ticket for the security catalog, and compares the two. Only when the two are exactly the same is the user authenticated as legitimate and allowed to enter the security catalog and perform file operations.
3) A legitimate user creates a new file
A legitimate user creates a file in the security catalog using the invention. The file monitor designed by the invention calls internal functions to monitor user behavior in the security catalog in real time; when it detects this "new file" operation, the file monitor immediately notifies the file protection module to protect the file. The file protection module receives the file monitor's file protection request.
4) The file protection module requests device keys
The device management module obtains the hardware information of this device, decrypts the device information table and, after checking the integrity of the table, obtains the set of triples (unique device identifier, device information digest, device information) for all associated authorized devices. It then generates the device key of each authorized device according to the device key generation method $K_D = G_a(\{Dev_{info}, R, K_s\})$.
5) Return the device keys
The device management module returns the generated device keys and the corresponding device authentication codes to the file protection module.
6) Generate the file encryption key
The file protection module encrypts the CEK with each device key in turn, generating the file key (file encryption key) bound to each authorized device, and generates the key authentication code using the system key. Then, from the number of device keys, the file key ciphertext bound to each device, the corresponding device authentication codes and other information, it generates the file key ciphertext item of the protected file.
7) Generate the secure-structure file
After receiving the file encryption key, the file protection module encrypts the content of the sensitive file with a symmetric encryption algorithm and uses the file encryption key, the original file name and other information as the file header, encapsulating them into a secure file structure.
8) The user opens a protected file
The user opens a protected file to read it. The file monitor detects the user's open operation and notifies the file protection module to decrypt the file for the user to use.
9) Verify the integrity of the opened file
After the file protection module receives the file view request sent by the file monitor, it obtains the content of the file header, generates the message digest of the current file header content, and compares it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header and ensuring that it has not been tampered with.
10) Generate the device decryption key
The file protection module reads the salt R recorded in the protected file's header and sends it to the device management module. The device management module obtains the hardware information $Dev_{info}$ of this device, uses the system key $K_s$ and the salt R to generate the device decryption key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$, generates the one-way hash value of $Dev_{info}$, and sends both to the file protection module.
Because symmetric encryption is used, the encryption key and the decryption key are the same key.
11) Generate the file decryption key and check its integrity
The file protection module reads the file key ciphertext in the file header, traverses all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reads the device authentication code $HD_i$ in each item, and compares it in turn with the one-way hash value of the local device's hardware information generated by the device management module. If the device authentication code of the ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that ciphertext information item corresponds to this device. If no item matches, the device is illegitimate or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item, obtaining the file content key CEK, and a check is made against the key authentication code stored in the file key ciphertext; if they are unequal, decryption fails and the file view process is terminated.
12) The file protection module restores the protected file
The file protection module decrypts the protected file with the file content key CEK and restores it to the original file for the user to use.
13) The user modifies a file
After the user has modified a sensitive file, the file's digest information changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure, and stores it in the security catalog.
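The key wrapping of step 6) and the recovery checks of steps 10) and 11), as an added example that is not part of the patent text. It assumes HMAC-SHA256 for $G_a$ and for the key authentication code (the page does not reproduce that formula), SHA-256 for the device authentication code $HD_i$, and a standard-library XOR pad as a stand-in for the unspecified symmetric cipher; `KeyBlock` and all function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class UnauthorizedDevice(Exception):
    """No <ECK_i, HD_i> item matches the local device (step 11: terminate)."""


class KeyCheckFailed(Exception):
    """The recovered CEK disagrees with the stored key authentication code."""


def device_key(dev_info: bytes, salt: bytes, k_s: bytes) -> bytes:
    # K_D = G_a({Dev_info, R, K_s}); G_a = HMAC-SHA256 keyed with K_s is an assumption.
    # Dev_info is length-prefixed so distinct (Dev_info, R) pairs cannot collide.
    msg = len(dev_info).to_bytes(4, "big") + dev_info + salt
    return hmac.new(k_s, msg, hashlib.sha256).digest()


def device_auth_code(dev_info: bytes) -> bytes:
    # HD_i: one-way hash of the hardware information (SHA-256 is an assumption).
    return hashlib.sha256(dev_info).digest()


def key_auth_code(k_s: bytes, cek: bytes) -> bytes:
    # Assumed form; the page only says it is generated using the system key.
    return hmac.new(k_s, b"key-auth-code" + cek, hashlib.sha256).digest()


def xor_wrap(k_d: bytes, data: bytes) -> bytes:
    # Stand-in for the unspecified symmetric cipher: a PRF-derived one-time pad.
    # Acceptable here only because K_D is unique per file (fresh salt R); a real
    # implementation would use an authenticated key-wrap. Same call unwraps.
    if len(data) != 32:
        raise ValueError("this sketch wraps exactly one 32-byte CEK")
    pad = hmac.new(k_d, b"cek-wrap-pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


@dataclass
class KeyBlock:
    """Header fields used for key recovery: salt R plus the file key ciphertext."""
    salt: bytes
    entries: list          # list of (ECK_i, HD_i), one per authorized device
    key_auth_code: bytes


def build_key_block(cek: bytes, authorized: list, k_s: bytes) -> KeyBlock:
    # Step 6: wrap the CEK once per authorized device under that device's K_D.
    salt = os.urandom(16)
    entries = [(xor_wrap(device_key(d, salt, k_s), cek), device_auth_code(d))
               for d in authorized]
    return KeyBlock(salt, entries, key_auth_code(k_s, cek))


def recover_cek(block: KeyBlock, local_dev_info: bytes, k_s: bytes) -> bytes:
    # Steps 10-11: find the item whose HD_i matches this device, unwrap, verify.
    local_hd = device_auth_code(local_dev_info)
    for eck, hd in block.entries:
        if hmac.compare_digest(hd, local_hd):  # constant-time comparison
            cek = xor_wrap(device_key(local_dev_info, block.salt, k_s), eck)
            if not hmac.compare_digest(key_auth_code(k_s, cek), block.key_auth_code):
                raise KeyCheckFailed("key authentication code mismatch")
            return cek
    raise UnauthorizedDevice("device is not listed in the file key ciphertext")


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    k_s = os.urandom(32)
    cek = os.urandom(32)
    block = build_key_block(cek, [b"laptop-hw-A1", b"tablet-hw-B2"], k_s)
    print(recover_cek(block, b"tablet-hw-B2", k_s) == cek)
```

Both failure paths end the view process without releasing any key material: an unlisted device never reaches the unwrap, and a modified $ECK_i$ yields a CEK that fails the key authentication code check.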
As can be seen from the above embodiment, the invention has the following effects:
Popular file protection software protects files based on specific formats; files in formats the software does not designate cannot be protected with it. In practice, when a small enterprise manages sensitive files, the file types are often very numerous and hard to predict, and in that situation file protection software cannot provide comprehensive, reliable protection for the enterprise's sensitive files. The file protection device proposed by the invention is independent of file format: whatever the format of the original file, it is encrypted and encapsulated into a unified format, which overcomes the defect that existing file encryption software can only encrypt files of specific formats;
Large companies generally use expensive dedicated systems to protect the security of file information. For personal users who have the same need for file protection, however, device-based local file systems are a more suitable choice. In recent years, encryption technologies for protecting data in computer file systems have continued to develop and mature; among them, the Encrypting File System (EFS) has attracted wide attention for its ease of use and security. EFS is based on the operating system's user accounts and rights management, is integrated with the file system, and is fully transparent to the user. EFS treats devices as mutually independent: even if the same administrator password is used on different devices, confidential files cannot be shared securely between them. In particular, EFS encryption can only be used on Windows partitions in NTFS format. Moreover, when a sensitive file is copied from a folder with the encryption attribute into an unencrypted folder, the file is decrypted automatically, which means that transferring sensitive files between devices causes them to be decrypted and exposed automatically. EFS therefore cannot meet the user's need to manage and protect sensitive files across devices. The present invention makes up for this defect: addressing the deficiency that existing file protection tools can only protect files on a single device of the user, the invention also provides the user with efficient, portable cross-device file protection.
It should be noted that the purpose of disclosing the embodiment is to help further understanding of the present invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention should not be limited to what the embodiment discloses; the scope of protection claimed by the invention is the scope defined by the claims.
Claims (10)
1. A multi-device file protection method based on a security catalog, in which a device management module, a file monitor and a file protective module are created, a unified secure file structure is defined and a security catalog is created, so that a file of any format can be packaged according to the secure file structure, and multi-device shared file protection is then realized on the basis of the security catalog; the method includes the following steps:
A) managing the information of multiple devices through the device management module, including managing the device information table, generating device keys, generating device authentication codes and returning device keys;
B) through the file protective module, defining a unified secure file structure and re-encapsulating the original file according to the secure file structure, the newly generated file being a secure structure file; specifically including B1)~B2):
B1) generating the file encryption key: the file protective module traverses the device keys and uses each of them to encrypt the file content key CEK, generating a file key ciphertext item bound to the corresponding authorized device; it generates a key authentication code using the system key, and thereby generates the file key ciphertext item of the protected file, whose content includes the number of device keys, the file key ciphertext bound to each device, and the corresponding device authentication code;
B2) generating the secure structure file: after receiving the file key, the file protective module encrypts the content information of the sensitive file and, using the file key and the original file name information as the file header, encapsulates the result into the secure file structure; the secure file structure includes a file header and file content; the file content is the ciphertext of the encrypted original file; the file header includes the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the initial file length, and the message digest of the file header; the file key ciphertext includes the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code; the total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is generated by a formula and is used to verify the correctness of the file key that the device recovers during file decryption;
C) storing sensitive files in the security catalog; an authorized user can enter the security catalog and perform file operations;
D) when a user enters the security catalog and performs a file operation, monitoring the user's behavior in the security catalog in real time by calling the intrinsic functions of the file monitor; then, on the basis of the security catalog, performing multi-device shared file protection; including D1)~D5):
D1) when the user performs a file editing operation, the file monitor detects the user's operation and sends a request to the file protective module to decrypt the file for the user to use;
D2) after receiving the file operation request sent by the file monitor, the file protective module first verifies the integrity of the file requested to be opened; it then turns to generating the device decryption key, which is delegated to the device management module;
D3) the device management module obtains the hardware information $Dev_{info}$ of the device and uses the system key $K_s$ and the random salt R to generate the device key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$, where $G_a$ is an encryption function; at the same time it generates the one-way hash value of the hardware information $Dev_{info}$, and sends both to the file protective module;
D4) the file protective module generates the file decryption key and checks its integrity: it first identifies whether the information in a file key ciphertext item matches the current device; for the matched file key ciphertext information item, it obtains the file content key CEK and verifies it;
D5) the file protective module restores the protected file: the file protective module uses the file content key CEK to decrypt the protected file and restores it to the original file for the user to use.
2. The multi-device file protection method as described in claim 1, characterized in that a custom user ticket that is transparent to the user is used for authentication and authorization of the user's identity; the user ticket is generated by formula (1):
Wherein $password_u$ is the user password; ID is the user name of the user and the unique identifier of the user; H() is a one-way hash function.
3. The multi-device file protection method as described in claim 1, characterized in that generating the device key in step A) is specifically: the device management module obtains the device hardware information of the device, decrypts the device information table and, after checking the integrity of the device information table, obtains the set of triplets (device unique identifier, device information digest, device information) of all associated authorized devices and generates the device key of each authorized device, where $K_s$ is the system key, R is the random salt, and $G_a$ is an encryption function.
4. The multi-device file protection method as described in claim 1, characterized in that step B2) uses a symmetric encryption algorithm to encrypt the content information of the sensitive file.
5. The multi-device file protection method as described in claim 1, characterized in that, in step D), when the file operation performed by the user is modifying a file, the digest information of the file changes after the user modifies a sensitive file; the file monitor detects the user's modification and notifies the file protective module to re-encrypt and re-encapsulate the file; the file protective module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure and stores it in the security catalog.
6. The multi-device file protection method as described in claim 1, characterized in that, in step D2), after the file protective module receives the file operation request sent by the file monitor, it verifies the integrity of the file requested to be opened, specifically by obtaining the file header content, generating the message digest of the current file header content and comparing it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header.
7. The multi-device file protection method as described in claim 1, characterized in that generating the device decryption key in step D2) is specifically: the file protective module reads the random salt R recorded in the header of the protected file and sends it to the device management module; the device management module obtains the hardware information $Dev_{info}$ of the device and uses the system key $K_s$ and the random salt R to generate the device decryption key of the device, $K_D = G_a(\{Dev_{info}, R, K_s\})$; at the same time it generates the one-way hash value of $Dev_{info}$ and sends it to the file protective module.
8. The multi-device file protection method as described in claim 1, characterized in that, in step D4), the file protective module generating the file decryption key and checking its integrity specifically includes: reading the file key ciphertext in the file header, traversing all file key ciphertext information items $\langle ECK_i, HD_i \rangle$, reading out the device authentication code $HD_i$ in each item, and comparing it one by one with the one-way hash value of the local device's hardware information generated by the device management module; when the device authentication code of the ciphertext information item numbered i is identical to the one-way hash value of the hardware information of the current device, that ciphertext information item corresponds to the device; when no item can be matched, the file operation process is terminated; for the matched file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item, yielding the file content key CEK; the result is then checked against the key authentication code stored in the file key ciphertext, and if they are not equal, decryption fails and the file operation process is terminated.
9. A multi-device file protection device based on a security catalog, including a device management module, a file monitor and a file protective module, for providing cross-device file protection, files being shared between the security catalogs of legitimate devices; characterized in that:
The device management module includes a user registration and authentication unit, a device management unit and a device key generation unit; the user registration and authentication unit implements access control for users requesting access to the security catalog and the initialization of security catalog information; the device management unit manages all registered devices of a legitimate user; the device key generation unit generates device keys;
The file monitor is a process running in the background that continuously detects user operations in the security catalog and responds in real time; once the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protective module to protect the file;
The file protective module provides security protection for files; it first extracts the file content to be protected and encrypts it, then re-packages it into the secure file structure; after receiving a file request sent by the file monitor, the file protective module first verifies the integrity of the requested file; it then turns to generating the device decryption key, generates the file decryption key according to the device key of the device and checks its integrity; finally it decrypts the protected file and restores it to the original file for the user to use.
10. The multi-device file protection device as claimed in claim 9, characterized in that the secure file structure includes two parts, a file header and file content; the file content is the ciphertext of the encrypted original file; the file header includes the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header; the file key ciphertext includes the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code; the total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is generated by a formula and is used to verify the correctness of the file key that the device recovers during file decryption.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611152430.0A CN106650492B (en) | 2016-12-14 | 2016-12-14 | A kind of multiple device file guard method and device based on security catalog |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611152430.0A CN106650492B (en) | 2016-12-14 | 2016-12-14 | A kind of multiple device file guard method and device based on security catalog |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106650492A CN106650492A (en) | 2017-05-10 |
CN106650492B true CN106650492B (en) | 2019-06-07 |
Family
ID=58822519
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611152430.0A Active CN106650492B (en) | 2016-12-14 | 2016-12-14 | A kind of multiple device file guard method and device based on security catalog |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106650492B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN106650492A (en) | 2017-05-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||