CN107145793B - A kind of method and device of the file permission management based on file Double buffer - Google Patents
A kind of method and device of the file permission management based on file Double buffer Download PDFInfo
- Publication number
- CN107145793B CN107145793B CN201710226267.6A CN201710226267A CN107145793B CN 107145793 B CN107145793 B CN 107145793B CN 201710226267 A CN201710226267 A CN 201710226267A CN 107145793 B CN107145793 B CN 107145793B
- Authority
- CN
- China
- Prior art keywords
- file
- document
- control block
- temporary
- header
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a kind of method and devices of file permission management based on file Double buffer, this method comprises: intercepting and capturing the opening action of file;File header is read, encrypted document is judged whether it is, if it is issues encryption policy to filter Driver on FSD;Filter Driver on FSD judges to open whether the process of file is crypto process, if it is, matching above-mentioned encryption policy;For the open document creation file control block (FCB), there is this document control block and cached in plain text with ciphertext two;The key and document permission of this document are recorded in the file control block.The invention also discloses a kind of file editing methods based on file Double buffer and file saving method and device.Scheme through the invention can preferably control document malice and divulge a secret;Enable document in the case where controlled, easily checks editor for employee.
Description
Technical field
The present invention relates to computer fields, and in particular to a kind of method of the file permission management based on file Double buffer and
Device.
Background technique
The mode of file permission management at this stage based on file encryption driving are as follows: security firm's file encryption product is to text
The implementation of one realizing one secrete key for one file of shelves, but document permission can only accomplish the same permission of same process, can not accomplish the more permissions of same process.
DLP (Data leakage prevention) the product documentation encryption of safe producer and rights management stream at this stage
Journey is as follows:
1) crypto process opens document;
2) application layer program issues key and right related information to driving;
3) crypto process opens document using key, and does corresponding control according to permission.
Single crypto process can only be opened and edit an encrypted document, if opening multiple documents will lead to document permission
It is chaotic.
The present invention utilizes Twin Cache Architecture in filter Driver on FSD, and the permission for opening multiple documents to same process carries out
Label tracking, and is recorded in self-built caching, solves rights management when same process opens multiple files and cryptography issue.
Summary of the invention
In order to solve the above technical problems, the present invention provides a kind of File Open rights management sides based on file Double buffer
Method, comprising the following steps:
1) intercepts and captures the opening action of file;
2) reads file header, judges whether it is encrypted document, if it is issues encryption policy to filter Driver on FSD;
3) filter Driver on FSD judges to open whether the process of file is crypto process, if it is, matching above-mentioned encryption
Strategy;
4) is the document creation file control block (FCB) opened, and this document control block is made to have plaintext and ciphertext two
A caching;
5) records the key and document permission of this document in the file control block.
In order to solve the above technical problems, the present invention provides a kind of new files methods based on file Double buffer, including
Following steps:
1) judges the type of new files, and is labeled as temporary file or original document to it;
2) is newly-built temporary file or original document creation file control block (FCB), has this document control block bright
Text and ciphertext two cachings;
3) encryption and decryption processing is carried out when is written and read the new files.
Preferably, the new files are saved after step 3):
4.1) judges the type that file saves;
4.2) is renamed if not file and is operated, then jumps to step 4.6), is renamed and is operated if it is file, then
Jump to step 4.3);
4.3) judges whether the file saved is temporary file, if it is jumps to step 4.4), otherwise jumps to step
It is rapid 4.5);
4.4) whether finds the filename of preservation in residence data table, if it is found, then alternate file control block Chinese
The corresponding data of part permission bits, alternate file head jump to step 4.7), otherwise jump to step 4.6);
4.5) filename of renaming is added in residence data table, jumps to step 4.7);
4.6) keeps file header constant;
4.7) terminates.
Preferably, whether the step 4.3) is temporary file by the marker for judgment file.
In order to solve the above technical problems, the present invention provides a kind of File Open rights managements based on file Double buffer
Device, comprising:
File device is obtained, the opening action of file is intercepted and captured;
Judgment means read file header, judge whether it is encrypted document, if it is issue encryption to filter Driver on FSD
Strategy;
Coalignment, filter Driver on FSD judges to open whether the process of file is crypto process, if it is, matching
State encryption policy;
File control block creating device makes this document control block for the open document creation file control block (FCB)
With plaintext and ciphertext two cachings;
Recording device records the key and document permission of this document in the file control block.
In order to solve the above technical problems, the present invention provides a kind of device of new files based on file Double buffer, packet
It includes:
Kind judging device judges the type of new files, and is labeled as temporary file or original document to it;
File control block creating device creates file control block (FCB) for newly-built temporary file or original document, makes this
File control block has to be cached with ciphertext two in plain text;
File read-write device carries out encryption and decryption processing when being written and read to the new files.
It preferably, further include the save set that the new files are saved, which includes:
Judge the device for the type that file saves;
Judge whether it is the device of file renaming operation;
Judge save file whether be temporary file device;
The device of locating file name in residence data table;
The corresponding data of file permission bits in alternate file control block, the device of alternate file head;
The device in residence data table is added in the filename of renaming;
The device for keeping file header constant.
Preferably, it is described judge save file whether be temporary file device by the marker for judgment file whether
For temporary file.
In order to solve the above technical problems, the present invention provides a kind of computer equipments comprising memory and processor, institute
It states memory and is stored with computer instruction, when the processor executes the computer instruction, execute one of above method.
In order to solve the above technical problems, the present invention provides a kind of computer storage medium, the computer storage medium
It is stored with computer program, when loaded and executed, executes one of above method.
Following technical effect is achieved according to the technical solution of the present invention:
(1) document malice can be preferably controlled to divulge a secret;
(2) enable document in the case where controlled, easily check editor for employee.
Detailed description of the invention
Fig. 1 is prior art implementation flow chart
Fig. 2 is File Open flow chart of the present invention
Fig. 3 is Document Editing flow chart of the present invention
Fig. 4 is that file of the present invention saves flow chart
Fig. 5 is a specific embodiment flow chart of the invention
Specific embodiment
The present invention utilizes Twin Cache Architecture in filter Driver on FSD, and the permission for opening multiple documents to same process carries out
Label tracking, and is recorded in self-built caching, solves rights management when same process opens multiple files and cryptography issue.
As shown in Fig. 2, document opening process of the invention is as follows:
(1) it double-clicks and opens document, intercept and capture double click procedure.
(2) document head is read, encrypted document is judged whether it is, if it is issues encryption policy to filter Driver on FSD
(including encryption key and document access authority).
(3) filter Driver on FSD judges to open whether document process is crypto process, if it is matching encryption policy.
(4) it is document creation FCB, is had using the document and cached in plain text with ciphertext two.Wherein, the FCB of the creation
It is actually responsible for managing self-built plaintext caching, caching only has crypto process to be able to access that in plain text for this, rather than crypto process can only
Access is cached by the ciphertext that system voluntarily creates, and ciphertext caching is because when encrypted document is opened by non-encrypted process, and driving is
It is not decrypted to it, therefore system directly reads the encrypted content on disk in caching, so namely ciphertext.Wherein,
File header is located in FCB.
(5) key and document permission of the document, the attributes such as document size are recorded in self-built FCB.
Such as Fig. 3, documents editing process of the invention is as follows:
(1) if document is newly-built document, illustrate that the document is temporary file, during saving documents editing
Ephemeral data.
(2) FCB is created, generates and is cached in plain text with ciphertext two.
(3) to file read-write encryption and decryption processing is carried out when.
Such as Fig. 4, document storing in fact only there are two types of situation, it is a kind of as notepad that, the content of edit-modify is direct
It is operated in original, therefore the data in such case file header are exactly the data in original, authority keys all do not have
There is change, there is no need to change file heads.And second situation, most typical is exactly OFFICE document, such as WORD, when editor it
A temporary file can be created, as: the content of edit-modify is all put into this interim text by file 35dad6.tmp
In part, when we save document, original can be changed to other names by WORD, then temporary file is changed to the name of original
Word, therefore, when original is changed to other names, driving needs the authority information in this original and file header to remember
Firmly, it is put into residence data table, and when temporary file changes back into original, it is matched by inquiring residence data table, by table
The original authority information of middle record writes back in temporary file head, ensures that the succession of file permission in this way.
Document storing process of the invention is as follows:
(1) if there is renaming operate, then illustrate document be with temporary file rename mode save document, if
Non- file renaming operation, keeps file header constant.
(2) judge whether the FCB in the source document of renaming is labeled as temporary file, if it is not, this document head is added
Enter residence data table.Residence data table is to drive the data structure chained list voluntarily safeguarded, for saving the file header of original document
Data.
(3) if it is temporary file, file name is searched in residence data table.
(4) after finding filename, the data of the file permission part in alternate file head.
(5) if do not found, keep file header constant.It include file permission position in file header.
The present invention also provides a kind of devices of File Open rights management based on file Double buffer, comprising:
File device is obtained, the opening action of file is intercepted and captured;
Judgment means read file header, judge whether it is encrypted document, if it is issue encryption to filter Driver on FSD
Strategy;
Coalignment, filter Driver on FSD judges to open whether the process of file is crypto process, if it is, matching
State encryption policy;
File control block creating device makes this document control block for the open document creation file control block (FCB)
With plaintext and ciphertext two cachings;
Recording device records the key and document permission of this document in the file control block.
The present invention also provides a kind of devices of new files based on file Double buffer, comprising:
Kind judging device judges the type of new files, and is labeled as temporary file or original document to it;
File control block creating device creates file control block (FCB) for newly-built temporary file or original document, makes this
File control block has to be cached with ciphertext two in plain text;
File read-write device carries out encryption and decryption processing when being written and read to the new files.
Above-mentioned apparatus, further includes the save set saved to the new files, which includes:
Judge the device for the type that file saves;
Judge whether it is the device of file renaming operation;
Judge save file whether be temporary file device;
The device of locating file name in residence data table;
The corresponding data of file permission bits in alternate file control block, the device of alternate file head;
The device in residence data table is added in the filename of renaming;
The device for keeping file header constant.
It is described to judge whether the file saved whether be the device of temporary file by the marker for judgment file is interim
File.
The present invention also provides a kind of computer equipments comprising memory and processor, the memory are stored with meter
The instruction of calculation machine executes and one of above-mentioned method when the processor executes the computer instruction.
The present invention also provides a kind of computer storage medium, the computer storage medium is stored with computer program,
When loaded and executed, it executes and one of described method.
Such as Fig. 5, a certain specific embodiment of the invention is as follows:
(1) server configures and level of confidentiality strategy of issuing the documents (can have multiple).
(2) terminal receives file level of confidentiality strategy.
(3) when there is user to open document, know according to document leader, issue corresponding file level of confidentiality strategy and driven to file
It is dynamic to carry out document permission and control extension.
Document on all PC of the project demand office requires to encrypt and configure phase when circulating between different departments
Answer permission, after being mounted with this function, this demand of very good solution so that certain departments can only read-only opening document, can not
Editor, can not decrypt, and a process opens the document of multiple and different permissions, is greatly reduced because being mounted with document control
Inconvenience caused by system.
The scheme provided through the invention can preferably control document malice and divulge a secret;Enable document controlled
In the case of, easily editor is checked for employee.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all
Within the spirit and principles in the present invention, made any modification, equivalent replacement and improvement etc. should all be protected in guarantor of the invention
Within the scope of shield.
Claims (10)
1. a kind of File Open right management method based on file Double buffer, comprising the following steps:
1) intercepts and captures the opening action of file;
2) reads file header, judges whether it is encrypted document, if it is issues encryption policy to filter Driver on FSD;
3) filter Driver on FSD judges to open whether the process of file is crypto process, if it is, matching above-mentioned encryption plan
Slightly;
4) is the document creation file control block (FCB) opened, and has this document control block and delays in plain text with ciphertext two
It deposits;
Wherein, caching only has crypto process to be able to access that in plain text, rather than crypto process can only access ciphertext caching;
5) records the key and document permission of this document in the file control block,
The preservation of the file includes the following steps:
If there is renaming operates, then illustrate that document is that the mode renamed with temporary file saves document, if non-file weight
Naming operation keeps file header constant;
Judge whether the FCB in the source document of renaming is labeled as temporary file, if it is not, by the file header of the source document
Residence data table is added;
Residence data table is to drive the data structure chained list voluntarily safeguarded, for saving the file header data of original document;
If it is temporary file, the filename of the source document is searched in residence data table;
After finding filename, the data of the file permission part in alternate file head;
If do not found, keep file header constant, wherein to include file permission position in file header.
2. a kind of new files method based on file Double buffer, comprising the following steps:
1) judges the type of new files, and is labeled as temporary file or original document to it;
2) is newly-built temporary file or original document creation file control block (FCB), make this document control block have in plain text and
Ciphertext two cachings;
Wherein, caching only has crypto process to be able to access that in plain text, rather than crypto process can only access ciphertext caching;
3) encryption and decryption processing is carried out when is written and read the new files,
The preservation of the file includes the following steps:
If there is renaming operates, then illustrate that document is that the mode renamed with temporary file saves document, if non-file weight
Naming operation keeps file header constant;
Judge whether the FCB in the source document of renaming is labeled as temporary file, if it is not, by the file header of the source document
Residence data table is added;
Residence data table is to drive the data structure chained list voluntarily safeguarded, for saving the file header data of original document;
If it is temporary file, the filename of the source document is searched in residence data table;
After finding filename, the data of the file permission part in alternate file head;
If do not found, keep file header constant, wherein to include file permission position in file header.
3. according to the method described in claim 2, being saved after step 3) to the new files:
4.1) judges the type that file saves;
4.2) is renamed if not file and is operated, then jumps to step 4.6), is renamed and is operated if it is file, then jumps
To step 4.3);
4.3) judges whether the file saved is temporary file, if it is jumps to step 4.4), otherwise jumps to step
4.5);
4.4) whether finds the filename of preservation in residence data table, if it is found, then file is weighed in alternate file control block
The corresponding data of limit, alternate file head jump to step 4.7), otherwise jump to step 4.6);
4.5) filename of renaming is added in residence data table, jumps to step 4.7);
4.6) keeps file header constant;
4.7) terminates.
4. according to the method described in claim 3, whether the step 4.3) is temporary file by the marker for judgment file.
5. a kind of device of the File Open rights management based on file Double buffer, comprising:
File device is obtained, the opening action of file is intercepted and captured;
Judgment means read file header, judge whether it is encrypted document, if it is issue encryption plan to filter Driver on FSD
Slightly;
Coalignment, filter Driver on FSD judge to open whether the process of file is crypto process, add if it is, matching is above-mentioned
Close strategy;
File control block creating device has this document control block for the open document creation file control block (FCB)
It is cached in plain text with ciphertext two, the plaintext caching only has crypto process to be able to access that, rather than crypto process can only access ciphertext
Caching;
Recording device records the key and document permission of this document in the file control block;
File save set can be realized following function:
If there is renaming operates, then illustrate that document is that the mode renamed with temporary file saves document, if non-file weight
Naming operation keeps file header constant;
Judge whether the FCB in the source document of renaming is labeled as temporary file, if it is not, by the file header of the source document
Residence data table is added;
Residence data table is to drive the data structure chained list voluntarily safeguarded, for saving the file header data of original document;
If it is temporary file, the filename of the source document is searched in residence data table;
After finding filename, the data of the file permission part in alternate file head;
If do not found, keep file header constant, wherein to include file permission position in file header.
6. a kind of device of the new files based on file Double buffer, comprising:
Kind judging device judges the type of new files, and is labeled as temporary file or original document to it;
File control block creating device creates file control block (FCB) for newly-built temporary file or original document, makes this document
Control block has to be cached with ciphertext two in plain text, and the plaintext caching only has crypto process to be able to access that, rather than crypto process is only
Ciphertext caching can be accessed;
File read-write device carries out encryption and decryption processing when being written and read to the new files;
File save set can be realized following function:
If there is renaming operates, then illustrate that document is that the mode renamed with temporary file saves document, if non-file weight
Naming operation keeps file header constant;
Judge whether the FCB in the source document of renaming is labeled as temporary file, if it is not, by the file header of the source document
Residence data table is added;
Residence data table is to drive the data structure chained list voluntarily safeguarded, for saving the file header data of original document;
If it is temporary file, the filename of the source document is searched in residence data table;
After finding filename, the data of the file permission part in alternate file head;
If do not found, keep file header constant, wherein to include file permission position in file header.
7. device according to claim 6 further includes the save set saved to the new files, preservation dress
It sets and includes:
Judge the device for the type that file saves;
Judge whether it is the device of file renaming operation;
Judge save file whether be temporary file device;
The device of locating file name in residence data table;
The corresponding data of file permission bits in alternate file control block, the device of alternate file head;
The device in residence data table is added in the filename of renaming;
The device for keeping file header constant.
8. device according to claim 7, described to judge whether the file saved is the device of temporary file described in
Whether marker for judgment file is temporary file.
9. a kind of computer equipment comprising memory and processor, the memory are stored with computer instruction, when the place
When managing the device execution computer instruction, the corresponding method of any one of execution and the claim 1-4.
10. a kind of computer storage medium, the computer storage medium is stored with computer program, when the execution computer
When program, execute and any one of the claim 1-4 corresponding method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710226267.6A CN107145793B (en) | 2017-04-08 | 2017-04-08 | A kind of method and device of the file permission management based on file Double buffer |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710226267.6A CN107145793B (en) | 2017-04-08 | 2017-04-08 | A kind of method and device of the file permission management based on file Double buffer |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107145793A CN107145793A (en) | 2017-09-08 |
CN107145793B true CN107145793B (en) | 2019-05-21 |
Family
ID=59774275
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710226267.6A Active CN107145793B (en) | 2017-04-08 | 2017-04-08 | A kind of method and device of the file permission management based on file Double buffer |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107145793B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111259431A (en) * | 2020-02-18 | 2020-06-09 | 上海迅软信息科技有限公司 | Computer software data encryption system and encryption method thereof |
CN113934697B (en) * | 2021-10-21 | 2022-04-08 | 中孚安全技术有限公司 | Method and system for improving IO performance based on kernel file filtering driver |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104123371A (en) * | 2014-07-25 | 2014-10-29 | 上海交通大学 | Transparent Windows kernel file filtering method based on hierarchical file system |
CN105224882A (en) * | 2015-09-23 | 2016-01-06 | 武汉理工大学 | A kind of file encryption system based on bridge file system |
CN105426766A (en) * | 2015-10-27 | 2016-03-23 | 武汉理工大学 | File encryption system based on shadow file |
-
2017
- 2017-04-08 CN CN201710226267.6A patent/CN107145793B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104123371A (en) * | 2014-07-25 | 2014-10-29 | 上海交通大学 | Transparent Windows kernel file filtering method based on hierarchical file system |
CN105224882A (en) * | 2015-09-23 | 2016-01-06 | 武汉理工大学 | A kind of file encryption system based on bridge file system |
CN105426766A (en) * | 2015-10-27 | 2016-03-23 | 武汉理工大学 | File encryption system based on shadow file |
Also Published As
Publication number | Publication date |
---|---|
CN107145793A (en) | 2017-09-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7590868B2 (en) | Method and apparatus for managing encrypted data on a computer readable medium | |
JP4759513B2 (en) | Data object management in dynamic, distributed and collaborative environments | |
CN101729550B (en) | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof | |
US9767322B2 (en) | Data transcription in a data storage device | |
US7155745B1 (en) | Data storage device provided with function for user's access right | |
US7360057B2 (en) | Encryption of data in a range of logical block addresses | |
US7778417B2 (en) | System and method for managing encrypted content using logical partitions | |
US8352751B2 (en) | Encryption program operation management system and program | |
CN108133151B (en) | File encryption device, file processing method and mobile terminal equipment | |
US20060265338A1 (en) | System and method for usage based key management rebinding using logical partitions | |
RU2007147760A (en) | METHOD FOR PROTECTING CONTENT ON THE RECORDING MEDIA AND RECORDING MEDIA STORING THE CONTENT PROTECTED BY THIS METHOD | |
KR950029930A (en) | Method and device for securing file access | |
CN101847184A (en) | Method for encrypting files by adopting encryption sandbox | |
CN103218575A (en) | Host file security monitoring method | |
CN105373744A (en) | Method for encrypting extended file system based on Linux | |
CN107145793B (en) | A kind of method and device of the file permission management based on file Double buffer | |
US8086873B2 (en) | Method for controlling file access on computer systems | |
US9697372B2 (en) | Methods and apparatuses for securing tethered data | |
Chandersekaran et al. | Assured content delivery in the enterprise | |
Foltz et al. | Simplified key management for digital access control of information objects | |
CN107368749A (en) | Document handling method, device, equipment and computer-readable storage medium | |
KR100879212B1 (en) | Method of making duplication file backup | |
US20090220089A1 (en) | Method and apparatus for mapping encrypted and decrypted data via a multiple key management system | |
US7814552B2 (en) | Method and apparatus for an encryption system | |
Liu et al. | A file protection scheme based on the transparent encryption technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |