CN106650492B - Multi-device file protection method and device based on a security catalog - Google Patents


Info

Publication number: CN106650492B
Authority: CN (China)
Legal status: Active
Application number: CN201611152430.0A
Other languages: Chinese (zh)
Other versions: CN106650492A (en
Inventors: 沈熳婷, 俞银燕, 汤帜, 崔晓瑜
Current Assignee: Peking University
Original Assignee: Peking University
Application filed by Peking University
Priority to CN201611152430.0A
Publication of CN106650492A
Application granted
Publication of CN106650492B

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/16 Program or content traceability, e.g. by watermarking
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention discloses an efficient multi-device file protection method and device based on a security catalog, comprising a device management module, a file monitor and a file protection module. Users are verified with a self-defined user ticket, so that user identity can be verified correctly while the user password stays secure. A self-defined new file format encapsulates the original sensitive file in a file of unified format, so that files of any format can be encrypted and protected by the device. Device information is used as part of the device key, which gives users efficient, portable cross-device file protection. The file monitor continuously detects user behaviour in real time and triggers file protection. The invention provides users with secure, transparent protection of sensitive files, automatically detects user behaviour to protect files in real time, and also provides efficient, portable cross-device file protection.

Description

Multi-device file protection method and device based on a security catalog
Technical field
The invention belongs to the field of information technology and relates to digital file content protection technology, in particular to a file protection method and device based on a security catalog that can use and protect file information across devices.
Background
With the rapid development of information technology, the digitization of files has become more and more common, and with it comes the problem of the security of the information stored in files. Large companies and institutions often buy dedicated file protection systems to manage and protect confidential company files; however, because of their high price, deployment requirements and other reasons, such systems are not well suited to protecting personal information. Besides dedicated file protection systems, various file protection tools have also been developed and are increasingly used; however, these widely used tools assume by default that the device on which the tool is installed is the only carrier of the protected information. Managing and protecting files per device rather than per user does not support sharing and protecting files across a user's multiple devices. In fact, as technology develops and user demands rise, mobile devices such as tablets and mobile phones have also become platforms on which users work with their sensitive information. As the number of devices a user owns increases, the existing single-machine file protection tools can no longer meet users' needs. Users who own multiple devices need a file protection device that works per user and applies to all devices of the same user. Existing file protection technology can only protect files on one of the user's devices, can hardly meet the file protection needs of users who own multiple devices, and cannot provide efficient, portable cross-device file protection.
Summary of the invention
To overcome the above deficiencies of the prior art, the invention provides an efficient multi-device file protection method and device based on a security catalog. It provides users with secure, transparent protection of sensitive files, automatically detects user behaviour so that files are protected automatically in real time, and also provides efficient, portable cross-device file protection.
The principle of the invention is as follows. A security catalog is a directory that stores sensitive files and provides automatic protection. The invention designs an efficient multi-device shared file protection method and device based on a security catalog, which overcomes the limitation that existing file protection technology can only protect files on one of the user's devices. It provides users with secure, transparent protection of sensitive files, automatically detects user behaviour and protects files automatically in real time, and also provides efficient, portable cross-device file protection. Meanwhile, to overcome the defect that existing file protection software can only protect files of specific formats, the invention defines a new unified secure file structure that extends the scope of protection, so that files of any format can be packaged and protected according to this structure, and it provides a cross-device file protection mode for users who hold multiple devices, so that they can operate on protected files transparently and conveniently. To guarantee file security, any file in the security catalog is protected dynamically in real time, which prevents leakage of file information caused by the user forgetting to encrypt a file.
The technical solution provided by the invention is:
A multi-device file protection method based on a security catalog: a device management module, a file monitor and a file protection module are created; by defining a new unified secure file structure and creating a security catalog, files of any format can be packaged according to the secure file structure, and multi-device shared file protection is then realized on the basis of the security catalog. The method includes the following steps:
A) The device management module manages multi-device information, including managing the device information table, generating device keys, generating device authentication codes, returning device keys, etc.;
B) The file protection module defines a unified secure file structure and re-encapsulates the original file according to the secure file structure, generating a new file, the secure structure file. Specifically:
B1) Generating the file encryption key
The file encryption key is generated as follows: the file protection module encrypts the file encryption key CEK (Content Encryption Key) with each device key in turn, generating the file encryption key ciphertexts bound to the authorized devices; it generates the key authentication code using the system key; it then generates the file key ciphertext item of the protected file from the number of device keys, the file key ciphertext bound to each device, the corresponding device authentication codes and other information;
B2) Generating the secure structure file
After the file encryption key is received, the content of the sensitive file is encrypted (using a symmetric encryption algorithm), and the file encryption key, the original file name and other information are used as the file header; the whole is encapsulated as the secure file structure;
In the invention, the unified secure file structure includes a file header and file content. The file content is the ciphertext of the encrypted original file. The file header includes the total file length, the file name length, a random salt R used to prevent text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length and the message digest of the file header. The file key ciphertext includes the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code. The total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the number of ciphertext information items bound to the authorized devices (equal to the current total number of authorized devices); the key authentication code is generated by formula and is used to verify the correctness of the file key recovered by the device during file decryption;
C) Sensitive files are stored in the security catalog; authorized users can enter the security catalog and perform file operations;
D) When a user enters the security catalog and performs file operations, the file monitor calls its internal functions to monitor user behaviour in the security catalog in real time; multi-device shared file protection is then carried out on the basis of the security catalog;
D1) When the user performs a file editing operation (for example, opening a protected file), the file monitor detects the user's open operation and requests the file protection module to decrypt the file for the user's use;
D2) After the file protection module receives the file view request sent by the file monitor, it first verifies the integrity of the file to be opened: it obtains the content of the file header, generates the message digest of the current file header content and compares it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header and ensuring that it has not been tampered with. It then regenerates the device decryption key: it reads the salt R recorded in the header of the protected file and sends it to the device management module;
D3) The device management module obtains the hardware information Dev_info of this device and, using the encryption function G_a with the system key K_s and the salt R as parameters, generates the device key of this device, K_D = G_a({Dev_info, R, K_s}); it also generates the one-way hash value of the hardware information Dev_info and sends both to the file protection module;
D4) The file protection module generates the file decryption key and checks its integrity: it reads the file key ciphertext in the file header, traverses all file key ciphertext information items <ECK_i, HD_i>, reads the device authentication code HD_i in each item and compares it, one by one, with the one-way hash value of the local device's hardware information generated by the device management module. If the device authentication code of the file key ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that item corresponds to this device. If no item matches, the device is illegal or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item, obtaining the file content key CEK; the key authentication code computed for the recovered key is then compared with the key authentication code stored in the file key ciphertext, and if they are not equal, decryption fails and the file view process is terminated;
D5) The file protection module restores the protected file: it uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
When the file operation performed by the user is a modification, after the user has modified a sensitive file the digest information of the file changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure and stores it in the security catalog.
The invention also provides a multi-device file protection device based on a security catalog that implements the above multi-device file protection method, including a device management module, a file monitor and a file protection module;
Device management module: the device management module includes a user registration and verification unit, a device management unit and a device key generation unit. User registration and verification implements access control for users requesting access to the security catalog and initialization of the security catalog information. Device management manages all registered devices of a legitimate user, including adding and deleting devices. Considering that the set of devices a user owns can change, the device on which the user creates a protected sensitive file is defined as the source device of that file; a protected sensitive file can be shared from the source device to other devices, and a user device (such as a notebook or tablet) with which the protected file is shared is a shared device. The invention uses a self-defined user ticket to verify user identity; the user ticket is transparent to the user. The device key generation unit uses the system key K_s and the salt R to generate the device key of a device;
File monitor: the file monitor runs continuously as a background process, continuously detects user operations in the security catalog and responds in real time, serving as the bridge between the user and the protected files. Once the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protection module to protect the file. The user does not need to encrypt files manually; all encryption and encapsulation is completed automatically after the user creates or modifies a file;
File protection module: the file protection module is the core module of the device and is responsible for providing security protection for files. When providing protection, the invention does not consider the format of the original file; it extracts the file content, encrypts it and re-packages it into the secure file structure. The secure file structure includes two parts, a file header and file content. The file content is the ciphertext of the encrypted original file. The file header includes the total file length, the file name length, a random salt R used to prevent text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length and the message digest of the file header. The file key ciphertext (see Fig. 4) includes the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information and the key authentication code. The total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the number of ciphertext information items bound to the authorized devices (equal to the current total number of authorized devices); the key authentication code is generated by formula and is used to verify the correctness of the file key recovered by the device during file decryption. A cross-device file protection mode is also provided, so that files can be shared between the security catalogs of legitimate devices. A file protection device of this kind, independent of file format, can meet user needs to the greatest extent instead of being able to encrypt only specific files, which increases the practicality of the invention.
Compared with the prior art, the beneficial effects of the invention are:
The invention provides an efficient multi-device file protection method and device based on a security catalog. It provides users with secure, transparent protection of sensitive files, automatically detects user behaviour so that files are protected automatically in real time, and also provides efficient, portable cross-device file protection. Specifically, the invention has the following advantages:
First, users can operate on files as needed within the scope of their permissions. Any user entering the security catalog is verified with the device's self-defined user ticket rather than directly with the password the user enters, so the user's identity can be verified correctly while the security of the user's password is guaranteed;
Second, for ease of use, and to protect sensitive files comprehensively and in real time, the invention designs a file monitor. The monitor runs as a background daemon and continuously monitors file operations in the security catalog. When the user creates a file in the security catalog, or copies a file into the security catalog from another folder, the file monitor detects this immediately and notifies the file management component to encrypt and protect the file. After the user modifies a sensitive file, the file monitor also detects this and notifies the file management component to re-encrypt the modified file. The file monitor allows user behaviour to be detected continuously and in real time; the user does not need to select particular files to encrypt, which effectively prevents the case where the user carelessly forgets to encrypt a newly created sensitive file;
Third, the invention defines a new file format that encapsulates the original sensitive file in a file of unified format, so that files of any format can be encrypted and protected by the device. Finally, to address the deficiency that existing file protection tools can only protect files on one of the user's devices, the invention also uses device information as part of the device key, providing users with efficient, portable cross-device file protection.
Brief description of the drawings
Fig. 1 is a system structure diagram of the multi-device file protection device provided by the invention.
Fig. 2 is a flow diagram of the multi-device file protection method provided by the invention.
Fig. 3 is a flow diagram of user access control in an embodiment of the invention.
Fig. 4 is a structure diagram of the file key ciphertext contained in the secure file structure of the invention.
Detailed description of the embodiments
The invention is further described below through embodiments with reference to the accompanying drawings, without limiting the scope of the invention in any way.
The invention provides an efficient multi-device file protection method and device based on a security catalog. It provides users with secure, transparent protection of sensitive files, automatically detects user behaviour so that files are protected automatically in real time, and also provides efficient, portable cross-device file protection.
Fig. 1 is a system structure diagram of the multi-device file protection device provided by the invention, which includes a device management module, a file monitor and a file protection module and implements multi-device file protection based on a security catalog.
Fig. 2 is a flow diagram of the multi-device file protection method provided by the invention. In the following embodiment, the user creates a shared security catalog on a device on which the file protection device is installed, and multi-device file protection based on the security catalog is realized on this basis, specifically including the following steps:
1) The user creates a security catalog
The user enters a device on which the file protection device is installed, selects an installation path on that device and applies to the file protection device to create a security catalog.
The security catalog path selected by the user is processed and stored in the device; meanwhile, after receiving the user information, the user management module generates the user's ID and ticket. The user ticket is generated by formula (1):
Wherein password_u is the user password, and ID refers to the user's user name and the user's unique identifier on the device. H() denotes a one-way hash function, which ensures that even if the ticket is leaked, an attacker cannot work backwards from the ticket to the user password or other information.
2) User registration and verification
Before operating on files in the security catalog on any device on which the file protection device is installed, the user first has to enter the account and password for identity verification. The device does not verify the user's account and password directly; the purpose is to verify the legitimacy of the user's identity without disclosing the user password. The detailed process of user authentication is shown in Fig. 2. When a user enters a user name and password to log in, the device management module automatically generates a temporary ticket for the user, decrypts and obtains the user's correct ticket for the security catalog, and compares the two. Only when the two are identical is the user authenticated as legitimate and allowed to enter the security catalog and perform file operations.
3) A legitimate user creates a new file
A legitimate user creates a file in the security catalog using the invention. The file monitor designed in the invention calls its internal functions to monitor user behaviour in the security catalog in real time; when it detects the user's "new file" operation, it immediately notifies the file protection module to protect the file. The file protection module receives the file protection request from the file monitor.
4) The file protection module requests the device keys
The device management module obtains the hardware information of this device, decrypts the device information table and, after checking the integrity of the device information table, obtains the set of triples (device unique identifier, device information digest, device information) of all associated authorized devices. According to the device key generation method K_D = G_a({Dev_info, R, K_s}), it generates the device key of each authorized device.
5) Returning the device keys
The device management module returns the generated device keys and the corresponding device authentication codes to the file protection module.
6) Generating the file encryption key
The file protection module encrypts the CEK with each device key in turn to generate the file key (file encryption key) ciphertext bound to that authorized device, generates the key authentication code using the system key, and then generates the file key ciphertext item of the protected file from the number of device keys, the file key ciphertext bound to each device, the corresponding device authentication codes and other information.
7) Generating the secure structure file
After receiving the file encryption key, the file protection module encrypts the content of the sensitive file with a symmetric encryption algorithm, uses the file encryption key, the original file name and other information as the file header, and encapsulates the whole as the secure file structure.
8) The user opens a protected file
The user opens a protected file to read it. The file monitor detects the user's open operation and notifies the file protection module to decrypt the file for the user's use.
9) Verifying the integrity of the file to be opened
After the file protection module receives the file view request sent by the file monitor, it obtains the content of the file header, generates the message digest of the current file header content and compares it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header and ensuring that it has not been tampered with.
10) Generating the device decryption key
The file protection module reads the salt R recorded in the header of the protected file and sends it to the device management module. The device management module obtains the hardware information Dev_info of this device and uses the system key K_s and the salt R to generate the device decryption key of this device, K_D = G_a({Dev_info, R, K_s}); it also generates the one-way hash value of Dev_info and sends both to the file protection module.
Because symmetric encryption is used, the encryption key and the decryption key are the same key.
11) Generating the file decryption key and checking its integrity
The file protection module reads the file key ciphertext in the file header, traverses all file key ciphertext information items <ECK_i, HD_i>, reads the device authentication code HD_i in each item and compares it, one by one, with the one-way hash value of the local device's hardware information generated by the device management module. If the device authentication code of the ciphertext information item numbered i is identical to the one-way hash value of the current device's hardware information, that item corresponds to this device. If no item matches, the device is illegal or has been deleted, and the file view process is terminated. For the matching file key ciphertext information item, the device key is used to decrypt the file key ciphertext in that item, obtaining the file content key CEK; the key authentication code computed for the recovered key is then compared with the key authentication code stored in the file key ciphertext, and if they are not equal, decryption fails and the file view process is terminated.
12) The file protection module restores the protected file
The file protection module uses the file content key CEK to decrypt the protected file and restores it to the original file for the user's use.
13) The user modifies a file
After the user has modified a sensitive file, the digest information of the file changes; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file. The file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure and stores it in the security catalog.
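Steps 4) to 6) and 10) to 11) above, sketched as an added example that is not code from the patent or its authors: building the per-device file key ciphertext items <ECK_i, HD_i> and recovering the CEK on one device. Assumptions: HMAC-SHA256 is used for G_a and for the key authentication code (the text gives no formula for the latter), SHA-256 for the device authentication code, an XOR pad stands in for the unnamed symmetric cipher, and all keys and device strings are constructed sample values.

```python
import hashlib
import hmac
import secrets


class KeyRecoveryError(Exception):
    """Raised when this device cannot recover a valid CEK."""


def device_key(dev_info: bytes, salt: bytes, ks: bytes) -> bytes:
    # K_D = G_a({Dev_info, R, K_s}); HMAC-SHA256 keyed with K_s is an assumption.
    # Dev_info is length-prefixed so different (Dev_info, R) pairs cannot collide.
    msg = len(dev_info).to_bytes(4, "big") + dev_info + salt
    return hmac.new(ks, msg, hashlib.sha256).digest()


def device_auth_code(dev_info: bytes) -> bytes:
    # HD_i: one-way hash of the device hardware information (SHA-256 assumed).
    return hashlib.sha256(dev_info).digest()


def key_auth_code(ks: bytes, cek: bytes) -> bytes:
    # Key authentication code generated with the system key;
    # HMAC-SHA256(K_s, CEK) is an assumption, not the patent's formula.
    return hmac.new(ks, b"key-auth" + cek, hashlib.sha256).digest()


def _xor_wrap(kd: bytes, salt: bytes, data: bytes) -> bytes:
    # Stand-in for the symmetric cipher: XOR with an HMAC-derived 32-byte pad.
    # The same call wraps and unwraps. Use an authenticated cipher in practice.
    if len(data) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    pad = hmac.new(kd, b"cek-wrap" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def build_key_ciphertext(cek, salt, ks, authorised_devices):
    """Steps 4-6: one <ECK_i, HD_i> item per authorized device, plus the code."""
    items = []
    for dev_info in authorised_devices:
        kd = device_key(dev_info, salt, ks)
        items.append((_xor_wrap(kd, salt, cek), device_auth_code(dev_info)))
    return {"count": len(items), "items": items, "kac": key_auth_code(ks, cek)}


def recover_cek(key_ct, salt, ks, local_dev_info):
    """Steps 10-11: find this device's item, unwrap the CEK, verify it."""
    local_hd = device_auth_code(local_dev_info)
    for eck, hd in key_ct["items"]:
        if hmac.compare_digest(hd, local_hd):
            kd = device_key(local_dev_info, salt, ks)
            cek = _xor_wrap(kd, salt, eck)
            if not hmac.compare_digest(key_auth_code(ks, cek), key_ct["kac"]):
                raise KeyRecoveryError("key authentication code mismatch")
            return cek
    # No HD_i matched: the device was never authorized or has been deleted.
    raise KeyRecoveryError("device not authorised for this file")


if __name__ == "__main__":
    ks = secrets.token_bytes(32)      # system key K_s (constructed)
    salt = secrets.token_bytes(16)    # per-file random salt R
    cek = secrets.token_bytes(32)     # file content key CEK
    laptop = b"laptop|cpu=0001|disk=AAAA"   # constructed hardware strings
    tablet = b"tablet|cpu=0002|disk=BBBB"
    key_ct = build_key_ciphertext(cek, salt, ks, [laptop, tablet])
    print("tablet recovers CEK:", recover_cek(key_ct, salt, ks, tablet) == cek)
    try:
        recover_cek(key_ct, salt, ks, b"phone|cpu=0003|disk=CCCC")
    except KeyRecoveryError as err:
        print("phone rejected:", err)
```

In this sketch K_D depends on the per-file salt R, so each file gets a different wrapping key per device, while HD_i depends only on the hardware information and is therefore identical in every file header for a given device.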
As can be seen from the above embodiment, the invention has the following effects:
Popular file protection software protects files based on specific formats. Files in formats not specified by the software cannot be protected by it. In reality, when small businesses manage sensitive files, the file types are often very numerous and hard to predict; in this case, file protection software cannot provide comprehensive and reliable protection for the enterprise's sensitive files. The file protection device proposed by the invention is independent of file format: whatever the format of the original file, it is encrypted and encapsulated in a unified format, which overcomes the defect that existing file encryption software can only encrypt files of specific formats;
Large companies generally use expensive dedicated systems to protect the security of file information. For personal users who also need file protection, however, a local, device-based file system is a more suitable choice. In recent years, data encryption technologies for computer file systems have continued to develop and improve; among them, the Encrypting File System (EFS) has received wide attention for its ease of use and security. EFS is based on the user accounts and rights management of the operating system, is integrated with the file system and is fully transparent to the user. EFS treats devices as independent of each other; even if the same administrator password is used on different devices, confidential files cannot be shared securely between devices. In particular, EFS encryption can only be used on Windows partitions in NTFS format. Moreover, when a sensitive file is copied from a folder with the encryption attribute into a non-encrypted folder, the file is decrypted automatically, which means that transferring a sensitive file between different devices causes the file to be decrypted automatically and exposed. EFS therefore cannot meet users' needs for managing and protecting sensitive files across devices. The invention makes up for exactly this defect: where existing file protection tools can only protect files on one of the user's devices, the invention can also provide users with efficient, portable cross-device file protection.
It should be noted that the purpose of disclosing the embodiments is to help further understanding of the invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention should not be limited to the content disclosed in the embodiments, and the scope of protection claimed by the invention is defined by the claims.

Claims (10)

1. A multi-device file protection method based on a security catalog, in which a device management module, a file monitor and a file protection module are created, and a unified secure file structure and a security catalog are defined, so that a file of any format can be packaged according to the secure file structure, and multi-device shared file protection is then realized on the basis of the security catalog; comprising the following steps:
A) managing multi-device information through the device management module, including managing the device information table, generating device keys, generating device authentication codes, and returning device keys;
B) through the file protection module, defining a unified secure file structure and re-encapsulating the original file according to that structure, the newly generated file being a secure structure file; specifically comprising B1)~B2):
B1) generating the file encryption key: the file protection module encrypts the file content key CEK with each device key in turn, generating a file key ciphertext item bound to the corresponding authorized device, and generates a key authentication code using the system key, thereby generating the file key ciphertext of the protected file, whose content includes the number of device keys, the file key ciphertext bound to each device, and the corresponding device authentication code;
B2) generating the secure structure file: after receiving the file key, the file protection module encrypts the content information of the sensitive file and, using the file key and the original file name information as the file header, encapsulates the result into the secure file structure; the secure file structure comprises a file header and file content; the file content is the ciphertext of the encrypted original file; the file header comprises the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header; the file key ciphertext comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information, and the key authentication code; the total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is generated by a formula and is used to verify the correctness of the file key recovered by the device during file decryption;
C) storing sensitive files in the security catalog, which authorized users can enter to perform file operations;
D) when a user enters the security catalog to perform file operations, monitoring user behavior in the security catalog in real time by calling the internal functions of the file monitor; then, on the basis of the security catalog, performing multi-device shared file protection; comprising D1)~D5):
D1) when the user performs a file editing operation, the file monitor detects the user operation and sends the file protection module a request to decrypt the file for the user's use;
D2) after receiving the file operation request sent by the file monitor, the file protection module first verifies the integrity of the file requested to be opened; generation of the device decryption key is then handed to the device management module;
D3) the device management module obtains the hardware information Dev_info of the device and, using the system key K_s and the random salt R, generates the device key K_D = G_a({Dev_info, R, K_s}) of the device, where G_a is an encryption function; it also generates the one-way hash value of the hardware information Dev_info, and sends both to the file protection module;
D4) the file protection module generates the file decryption key and checks its integrity: it first identifies whether the information in a file key ciphertext item matches the current device; for the matching file key ciphertext information item, it obtains the file content key CEK and verifies it;
D5) the file protection module restores the protected file: it decrypts the protected file using the file content key CEK and restores it to the original file for the user's use.
2. The multi-device file protection method of claim 1, characterized in that a custom user ticket that is transparent to the user is used to authenticate and authorize the user's identity; the user ticket is generated by formula (1):
where password_u is the user password; ID is the user's user name and unique identifier; H() is a one-way hash function.
3. The multi-device file protection method of claim 1, characterized in that generating the device key in step A) is specifically: the device management module obtains the device hardware information of the device, decrypts the device information table and, after checking the integrity of the device information table, obtains the set of triples of device unique identifier, device information digest and device information for all associated authorized devices, and generates the device key of each authorized device, where K_s is the system key, R is the random salt, and G_a is an encryption function.
4. The multi-device file protection method of claim 1, characterized in that step B2) encrypts the content information of the sensitive file using a symmetric encryption algorithm.
5. The multi-device file protection method of claim 1, characterized in that, in step D), when the file operation performed by the user is modifying a file, the digest information of the file changes after the user modifies a sensitive file; the file monitor detects the user's modification and notifies the file protection module to re-encrypt and re-encapsulate the file; the file protection module generates a new file encryption key, re-encrypts the content of the original file, packages it into a new secure file structure, and stores it in the security catalog.
6. The multi-device file protection method of claim 1, characterized in that, in step D2), after the file protection module receives the file operation request sent by the folder monitor, it verifies the integrity of the file requested to be opened, specifically by obtaining the file header content, generating the message digest of the current file header content, and comparing it with the file header digest stored in the file header, thereby verifying the integrity of the information stored in the file header.
7. The multi-device file protection method of claim 1, characterized in that generating the device decryption key in step D2) is specifically: the file protection module reads the random salt R recorded in the header of the protected file and sends it to the device management module; the device management module obtains the hardware information Dev_info of the device and, using the system key K_s and the random salt R, generates the device decryption key K_D = G_a({Dev_info, R, K_s}) of the device, while also generating the one-way hash value of Dev_info, and sends them to the file protection module.
8. The multi-device file protection method of claim 1, characterized in that, in step D4), the file protection module generating the file decryption key and checking its integrity specifically comprises: reading the file key ciphertext in the file header, traversing all file key ciphertext information items <ECK_i, HD_i>, reading the device authentication code HD_i in each item, and comparing it one by one with the one-way hash value of the local device hardware information generated by the device management module; when the device authentication code of the ciphertext information item numbered i is identical to the one-way hash value of the hardware information of the current device, that ciphertext information item corresponds to the device; when no item matches, the file operation process is terminated; for the matching file key ciphertext information item, the file key ciphertext in that item is decrypted using the device key to obtain the file content key CEK, and the result is checked against the key authentication code stored in the file key ciphertext; if they are not equal, decryption fails and the file operation process is terminated.
9. A multi-device file protection device based on a security catalog, comprising a device management module, a file monitor and a file protection module, for providing cross-device file protection so that files are shared between the security catalogs of legitimate devices; characterized in that:
the device management module comprises a user registration and authentication unit, a device management unit and a device key generation unit; the user registration and authentication unit implements access control for users requesting access to the security catalog and the initialization of security catalog information; the device management unit manages all registered devices of a legitimate user; the device key generation unit generates device keys;
the file monitor is a process running in the background that continuously detects user operations in the security catalog and responds in real time; as soon as the user performs an operation in the security catalog that affects file security, the file monitor detects it in real time and notifies the file protection module to protect the file;
the file protection module provides security protection for files; it first extracts the file content to be protected and encrypts it, then re-packages it into the secure file structure; after receiving the file request sent by the file monitor, the file protection module first verifies the integrity of the requested file; the device decryption key is then generated, and the file decryption key is generated from the device key of the device and checked for integrity; finally the protected file is decrypted and restored to the original file for the user's use.
10. The multi-device file protection device of claim 9, characterized in that the secure file structure comprises two parts, a file header and file content; the file content is the ciphertext of the encrypted original file, and the file header comprises the total file length, the file name length, a random salt R for preventing text guessing attacks, the file key ciphertext, the message authentication code of the original file, the original file length, and the message digest of the file header; the file key ciphertext comprises the total ciphertext length, the total number of ciphertext information items, the file key ciphertext information, and the key authentication code; the total ciphertext length records the total length of the file key ciphertext; the total number of ciphertext information items records the total number of ciphertext information items bound to the authorized devices; the key authentication code is generated by a formula and is used to verify the correctness of the file key recovered by the device during file decryption.
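The header check and per-device key recovery of claims 6 to 8, as an added Python sketch that is not code from the patent. HMAC-SHA256 stands in for the unnamed function G_a and for the key authentication code (whose formula is not given in this text), an XOR pad stands in for a real key-wrap cipher, and all function names and sample values are assumptions.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the patent).
KS = b"system-key-K_s".ljust(32, b"\0")            # system key K_s
SALT = b"per-file-salt-R!"                         # random salt R from the file header
DEVICES = [b"laptop|SN-0001", b"phone|IMEI-0002"]  # hardware info Dev_info

def device_key(dev_info, salt, ks):
    # Stand-in for K_D = G_a({Dev_info, R, K_s}); the patent does not name G_a.
    return hmac.new(ks, b"devkey" + salt + dev_info, hashlib.sha256).digest()

def device_code(dev_info):
    # HD_i: one-way hash of the device hardware information.
    return hashlib.sha256(dev_info).digest()

def xor_wrap(kd, key32):
    # Toy wrap of a 32-byte CEK (self-inverse); use a real key-wrap cipher in practice.
    pad = hmac.new(kd, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key32, pad))

def key_auth_code(ks, cek):
    # Assumed form: the patent only says it is generated with the system key.
    return hmac.new(ks, b"kac" + cek, hashlib.sha256).digest()

def build_key_ciphertext(cek, devices, salt, ks):
    # B1: one <ECK_i, HD_i> item per authorized device, plus the key authentication code.
    items = [(xor_wrap(device_key(d, salt, ks), cek), device_code(d)) for d in devices]
    return {"salt": salt, "items": items, "kac": key_auth_code(ks, cek)}

def header_digest(hdr):
    # Message digest over the header fields modelled here (claim 6).
    h = hashlib.sha256(hdr["salt"])
    for eck, hd in hdr["items"]:
        h.update(eck + hd)
    h.update(hdr["kac"])
    return h.digest()

def recover_cek(hdr, stored_digest, local_dev_info, ks):
    # D2 / claim 6: verify the header before trusting anything in it.
    if not hmac.compare_digest(header_digest(hdr), stored_digest):
        raise ValueError("file header digest mismatch")
    local = device_code(local_dev_info)
    for eck, hd in hdr["items"]:  # D4 / claim 8: find this device's item
        if hmac.compare_digest(hd, local):
            cek = xor_wrap(device_key(local_dev_info, hdr["salt"], ks), eck)
            if not hmac.compare_digest(key_auth_code(ks, cek), hdr["kac"]):
                raise ValueError("key authentication code mismatch")
            return cek
    raise PermissionError("no key ciphertext item matches this device")

if __name__ == "__main__":
    cek = hashlib.sha256(b"constructed content key").digest()
    hdr = build_key_ciphertext(cek, DEVICES, SALT, KS)
    print(recover_cek(hdr, header_digest(hdr), DEVICES[1], KS) == cek)
```

A plain digest over the header can be recomputed by anyone able to rewrite the file, so in this sketch it is the keyed key authentication code that rejects an altered ECK_i.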
CN201611152430.0A 2016-12-14 2016-12-14 A kind of multiple device file guard method and device based on security catalog Active CN106650492B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611152430.0A CN106650492B (en) 2016-12-14 2016-12-14 A kind of multiple device file guard method and device based on security catalog

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611152430.0A CN106650492B (en) 2016-12-14 2016-12-14 A kind of multiple device file guard method and device based on security catalog

Publications (2)

Publication Number Publication Date
CN106650492A CN106650492A (en) 2017-05-10
CN106650492B true CN106650492B (en) 2019-06-07

Family

ID=58822519

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611152430.0A Active CN106650492B (en) 2016-12-14 2016-12-14 A kind of multiple device file guard method and device based on security catalog

Country Status (1)

Country Link
CN (1) CN106650492B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110362984B (en) * 2019-06-28 2021-04-30 北京思源理想控股集团有限公司 Method and device for operating service system by multiple devices
CN111967059A (en) * 2020-08-11 2020-11-20 广东堡塔安全技术有限公司 Website tamper-proofing method and system and computer readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125069A (en) * 2014-07-07 2014-10-29 武汉理工大学 Secure file catalogue file encryption system towards sharing
CN105740725A (en) * 2016-01-29 2016-07-06 北京大学 File protection method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7921284B1 (en) * 2001-12-12 2011-04-05 Gary Mark Kinghorn Method and system for protecting electronic data in enterprise environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
An Efficient Safe Directory Based File Protection Mechanism; Manting Shen, Yinyan Yu, et al.; 《2016 IEEE 40th Annual Computer Software and Applications Conference》; 20160614; pp. 416-422
The UCONABC Usage Control Model; JAEHONG PARK, RAVI SANDHU; 《ACM Transactions on Information and System Security》; 20040229; vol. 7 (no. 1); pp. 128-174

Also Published As

Publication number Publication date
CN106650492A (en) 2017-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant