CN108093078B - Safe document circulation method - Google Patents


Info

Publication number
CN108093078B
Authority
CN
China
Prior art keywords
client
link
document
server
sends
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711498605.8A
Other languages
Chinese (zh)
Other versions
CN108093078A (en)
Inventor
魏园
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Changyu Technology Co ltd
Original Assignee
Beijing Changyu Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for the secure circulation of documents, comprising the following steps: a first client sends a transmission request to a server, the request containing the relevant parameters of the document to be transmitted; the first client obtains a first link from the server and sends the first link to a second client; the second client accesses the first link and sends a receiving request to the server; the server audits the receiving request and, if the request passes the audit, sends the document to the second client; if it does not pass, the server refuses to let the second client download the document. All files to be transmitted are uploaded to the server for centralized management and storage, and every file transfer must be monitored and audited by the server, so a large share of leak incidents can be avoided; even if a leak occurs, the leak path can be found quickly so that responsibility can be investigated and losses recovered.

Description

Safe document circulation method
Technical Field
The invention belongs to the technical field of network information security, and particularly relates to a safe document circulation method.
Background
The widespread use of computers and networks has made producing, storing, obtaining, sharing and transmitting information more convenient, but it has also increased the risk that important information inside an organization is disclosed. The related art mostly relies on firewalls, intrusion detection or private networks, which can effectively keep outsiders from gaining unauthorized access but cannot stop insiders from sending sensitive files to other people by e-mail or on removable storage media. In recent years in particular, the capacity of USB flash drives and portable hard disks has grown rapidly and notebook computers have become more common, which makes leak prevention more important and urgent.
However, traditional document security solutions emphasize the network boundary and to some extent neglect the security of the internal network. A Gartner investigation showed that over 85% of security threats come from within the organization, and that 30-40% of the losses caused by the various security holes result from leaked electronic files. Although some organizations have drawn up strict security management rules, the lack of effective technical means prevents security policies from being enforced, so security events such as leaks of confidential information, hacking and the spread of worms and viruses occur frequently and pose new challenges for intranet security.
Intranet security is data security. Documents are the main carrier of network information, and a large amount of confidential information is stored and transmitted as electronic documents; protecting documents well therefore protects the intranet to a certain extent. The secure storage and transmission of electronic documents is thus of great significance to building information security.
Documents inside an organization usually circulate by e-mail, instant messaging, USB flash drive, file sharing and similar means; all of these carry a hidden risk of data leakage, and none of them allows the circulation of a document to be audited. Establishing a complete document protection system in the intranet that directly monitors and audits document transmission is one of the best solutions for preventing document leaks.
Disclosure of Invention
In view of the above, the present invention aims to overcome the deficiencies of the prior art by providing a method for the secure circulation of documents.
To achieve this purpose, the invention adopts the following technical solution:
A method for the secure circulation of documents comprises the following steps:
S1: a first client sends a transmission request to a server, the request containing the relevant parameters of the document to be transmitted;
S2: the first client obtains a first link from the server and sends the first link to a second client;
S3: the second client accesses the first link and sends a receiving request to the server;
S4: the server audits the receiving request; if the request passes the audit, the server sends the document to the second client; if it does not pass, the server refuses to let the second client download the document.
The method is applied to a communication network comprising at least one server and a plurality of clients.
Before step S1, the method further includes the following step:
the client uploads the document to the server and, at the same time, uploads the device ID of the client on which the document resides.
In step S1, the relevant parameters include the identification sequence of the document to be transmitted and the device ID of the first client.
The identification sequence is a string of data used to verify document consistency, equivalent to a "digital fingerprint"; it may be an MD5 value, a SHA-1 value, a hash value, etc.
Obtaining the first link from the server specifically includes:
the server generates the first link from the relevant parameters, the parameters of the first link comprising the identification sequence of the document and the time at which the link was generated; the first link points to a port on the local machine;
the server records an entry in a database, the fields of which comprise the first link, a valid start time, a valid end time, the device ID of the first client and the identification sequence of the document;
the server returns the first link to the first client.
Note that the first link does not point to the server; it is a link that accesses the local address 127.0.0.1.
The second client's access to the first link specifically includes:
the second client redirects the first link to generate a new, second link for downloading the document; the second link points to the server;
the second client sends the second link to the server.
The parameters of the second link comprise the identification sequence of the document, the generation time of the second link, the first link, and the device ID and security parameters of the second client; the security parameters comprise Token information that proves the identity of the client.
Step S4 specifically includes:
comparing the parameters of the first link with the information in the database and determining whether the first link has expired, that is, determining whether the generation time of the second link is earlier than the valid end time of the first link;
checking whether the second client has permission to access the document;
if the first link has not expired and the second client has permission, the audit is passed and the second client is allowed to download the document; in all other cases the audit fails and the second client is refused the download.
After step S4, the method further includes:
when the audit fails, the server returns the audit result to the second client.
After step S4, the method further includes:
the server records the relevant information of each download request, the recorded content comprising the device ID of the second client, the identification sequence of the document requested for download, the download result and the download time.
With this technical solution, all files to be transmitted are uploaded to the server for centralized management and storage, and every file transfer is monitored and audited by the server, so a large share of leak incidents can be avoided; even if a leak occurs, the leak path can be found quickly so that responsibility can be investigated and losses recovered. In addition, by analyzing a large amount of behavior data, the invention can reveal security management loopholes to administrators so that the security management mechanism can be continuously improved.
The solution is not limited to an intranet or LAN; it is feasible wherever the client software described in the present invention is installed.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow diagram of a method for the secure circulation of documents in accordance with the present invention;
FIG. 2 is a system architecture diagram of a local area network;
FIG. 3 is a flow chart of one embodiment of the present invention;
FIG. 4 is a schematic diagram of the system structure according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions are described in detail below. The described embodiments are merely examples of the invention and do not restrict its full scope. All other embodiments that a person skilled in the art can derive from the examples given here without inventive effort fall within the scope of the present invention.
As shown in FIG. 1, the present invention provides a method for the secure circulation of documents, comprising the following steps:
S1: a first client sends a transmission request to a server, the request containing the relevant parameters of the document to be transmitted;
S2: the first client obtains a first link from the server and sends the first link to a second client;
S3: the second client accesses the first link and sends a receiving request to the server;
S4: the server audits the receiving request; if the request passes the audit, the server sends the document to the second client; if it does not pass, the server refuses to let the second client download the document.
The method of the invention is applied to a communication network comprising at least one server and a plurality of clients. The system is deployed as shown in FIG. 2; the whole system is divided into two parts, the server and the client.
Specifically, before step S1, the method further includes the following step:
the client uploads the document to the server and, at the same time, uploads the device ID of the client on which the document resides.
In step S1, the relevant parameters include the identification sequence of the document to be transmitted and the device ID of the first client.
The identification sequence is a string of data used to verify document consistency, equivalent to a "digital fingerprint"; it may be an MD5 value, a SHA-1 value, a hash value, etc.
Obtaining the first link from the server specifically includes:
the server generates the first link from the relevant parameters, the parameters of the first link comprising the identification sequence of the document and the time at which the link was generated; the first link points to a port on the local machine;
the server records an entry in a database, the fields of which comprise the first link, a valid start time, a valid end time, the device ID of the first client and the identification sequence of the document;
the server returns the first link to the first client.
Note that the first link does not point to the server; it is a link that accesses the local address 127.0.0.1.
The second client's access to the first link specifically includes:
the second client redirects the first link to generate a new, second link for downloading the document; the second link points to the server;
the second client sends the second link to the server.
The parameters of the second link comprise the identification sequence of the document, the generation time of the second link, the first link, and the device ID and security parameters of the second client; the security parameters comprise Token information that proves the identity of the client.
Step S4 specifically includes:
comparing the parameters of the first link with the information in the database and determining whether the first link has expired, that is, determining whether the generation time of the second link is earlier than the valid end time of the first link;
checking whether the second client has permission to access the document;
if the first link has not expired and the second client has permission, the audit is passed and the second client is allowed to download the document; in all other cases the audit fails and the second client is refused the download.
After step S4, the method further includes:
when the audit fails, the server returns the audit result to the second client.
After step S4, the method further includes:
the server records the relevant information of each download request, the recorded content comprising the device ID of the second client, the identification sequence of the document requested for download, the download result and the download time.
To explain the patent in more detail, an expanded description is given below with reference to a specific embodiment.
As shown in FIG. 3, the embodiment mainly describes the process in which client A (the first client) sends a document to client B (the second client).
The method of the invention can audit the circulation of a document, where the circulation record covers the sender of the document, the receiver of the document, the sending time, the receiving time, the document MD5, the sending device and the receiving device.
First, client A needs to obtain from the server a link to send. Client A sends the server a request whose parameters include the MD5 value of the document to be transferred and the device ID; the server generates a link containing the MD5 value of the document and the current time and returns it to client A, and the server database records an entry containing the link, the valid start time of the link, the valid end time of the link, the device ID of client A, the user ID, and the MD5 value of the document.
Then, client A sends the link it obtained to client B by e-mail, instant messaging software, or similar means. When the employee at client B clicks the link, it accesses a local port; the service listening on that port parses the link, generates a new request and sends it to the server. The parameters of the new request include the MD5 value of the document, the current time, the link from client A, the device ID of client B, the user ID, and so on.
Finally, after receiving the new request, the server determines whether the link has expired and, if it has, refuses the download; it then determines whether client B has permission to access the document. If so, it delivers the document to client B and writes an audit record of the request; if not, it writes an audit record of the request.
The technical architecture of the invention is shown in FIG. 4, where the numbers 1 to 6 marked on the black lines are the interface numbers between modules; the working principle is described below in the order of the interface numbers.
Interface 1 uploads a file from the client to the server, together with the device ID of the machine on which the file resides and the employee ID. Uploading files to the server for centralized management and storage is the basis of the invention. The file types that are uploaded can be configured as needed.
Interface 2 lets the client obtain the first link for a given file from the document access module of the server. The information the client needs to upload includes but is not limited to the MD5 value of the document, the device ID of the client and the user ID; the server generates a link from the MD5 value of the document and returns the link to the client.
When the server generates a link it also stores the information related to the link; the stored fields comprise the link, the valid start time of the link, the valid end time of the link, the ID of the sender and the device ID of the sender.
Interface 3 asks the redirection module to pass the new second link to the document download module. After receiving the first link of the document, the client cannot use the first link directly; the redirection module must process it to generate a new, second link for downloading the document, and the information carried by that link includes but is not limited to the employee ID and the device ID of the document receiver.
In the present invention, the first link needs to be redirected for the following reasons:
1. the first link cannot be used directly; the download must be performed on a terminal on which the client is installed;
2. if the first link were clicked directly, it could not carry the downloader's information, and it would not be known which users or terminals downloaded the document;
3. to solve the above problems, the present invention provides a redirection method so that the second link contains the information of the requesting party.
The specific redirection method is as follows:
first, the client program listens on a port of the local machine, such as 9999; the first link sends a request to local port 9999;
then, after the request reaches the client program, the client program adds the client's information, such as the device ID, to form a new request, and the client program sends the new request to the server to obtain the document.
Interface 4 is mainly used by the document download module of the client to send the redirected second link to the document access module of the server; the document access module checks the validity period of the second link and also determines whether the client is allowed access. There are two possible results: if the download is allowed, the result returned is the document itself; if the download is not allowed, the result returned is a download-refused message.
Interface 5 lets the document access module obtain the permissions of the requested document from the document permission module and determine whether the client is allowed to download the file.
Interface 6 is mainly used by the document access module of the server to send the information about each download of a document to the access audit module; the access information includes but is not limited to: the ID of the downloading client, the employee ID, the MD5 of the downloaded document, the download result (success or failure) and the download time.
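The S1-S4 exchange and the redirection step described above, as an added Python example that is not part of the patent text. The names, the server URL, the 600-second validity window, the HMAC-based Token, the in-memory dictionaries standing in for the database and permission module, and SHA-256 as the identification sequence are all assumptions; the example also checks the server's own clock in addition to the second link's generation time, because that timestamp is supplied by the client.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

SERVER_KEY = secrets.token_bytes(32)   # assumption: server secret used to mint client Tokens
LINK_TTL = 600                         # assumption: first link is valid for 600 seconds
LOCAL_PORT = 9999                      # local port the client program listens on (from the text)
SERVER_URL = "https://docserver.example/download"  # hypothetical server endpoint


def issue_token(device_id):
    """Assumed Token scheme: HMAC of the device ID under the server key."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.docs = {}       # identification sequence -> document bytes
        self.acl = {}        # identification sequence -> device IDs allowed to download
        self.links = {}      # first link -> database record
        self.audit_log = []  # one entry per download request

    def upload(self, data, device_id, allowed):
        """Before S1: store the document; SHA-256 stands in for the MD5 fingerprint."""
        fp = hashlib.sha256(data).hexdigest()
        self.docs[fp] = data
        self.acl[fp] = set(allowed) | {device_id}
        return fp

    def create_first_link(self, fp, device_id, now):
        """S1/S2: issue a loopback link and record its validity window."""
        if fp not in self.docs:
            raise KeyError("unknown document")
        link = f"http://127.0.0.1:{LOCAL_PORT}/get?" + urlencode({"doc": fp, "t": now})
        self.links[link] = {"valid_start": now, "valid_end": now + LINK_TTL,
                            "sender": device_id, "doc": fp}
        return link

    def handle_second_link(self, second_link, now):
        """S4: audit the request, log it, return (result, document or None)."""
        q = {k: v[0] for k, v in parse_qs(urlparse(second_link).query).items()}
        result, body = self._audit(q, now)
        self.audit_log.append({"device": q.get("device"), "doc": q.get("doc"),
                               "result": result, "time": now})
        return result, body

    def _audit(self, q, now):
        rec = self.links.get(q.get("first", ""))
        if rec is None or rec["doc"] != q.get("doc"):
            return "unknown-link", None
        try:
            generated = int(q.get("t", ""))
        except ValueError:
            return "bad-request", None
        # Rule from the text: the second link must be generated before valid_end.
        # Added hardening: the server clock (`now`) must also be inside the window.
        in_window = rec["valid_start"] <= generated < rec["valid_end"]
        if not in_window or now >= rec["valid_end"]:
            return "expired", None
        device = q.get("device", "")
        if not hmac.compare_digest(q.get("token", "").encode(), issue_token(device).encode()):
            return "bad-token", None
        if device not in self.acl[rec["doc"]]:
            return "no-permission", None
        return "ok", self.docs[rec["doc"]]


def redirect(first_link, device_id, token, now):
    """S3: what the local listener does with a clicked first link."""
    u = urlparse(first_link)
    if u.hostname != "127.0.0.1" or u.port != LOCAL_PORT:
        raise ValueError("first link must target the local client port")
    doc = parse_qs(u.query)["doc"][0]
    return SERVER_URL + "?" + urlencode({"doc": doc, "t": now, "first": first_link,
                                         "device": device_id, "token": token})


def demo():
    """Constructed scenario: A shares with B; C is not on the permission list."""
    srv = Server()
    fp = srv.upload(b"constructed sample document", "dev-A", allowed={"dev-B"})
    link = srv.create_first_link(fp, "dev-A", now=1000)
    results = [
        srv.handle_second_link(redirect(link, "dev-B", issue_token("dev-B"), 1100), 1101)[0],
        srv.handle_second_link(redirect(link, "dev-C", issue_token("dev-C"), 1100), 1101)[0],
        srv.handle_second_link(redirect(link, "dev-B", "forged", 1100), 1101)[0],
        srv.handle_second_link(redirect(link, "dev-B", issue_token("dev-B"), 1100), 5000)[0],
    ]
    return results, srv.audit_log


if __name__ == "__main__":
    print(demo()[0])
```

Every request, allowed or refused, leaves an audit entry with the requesting device, the document fingerprint, the result and the time, which is the record the access audit module relies on.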
The above describes only specific embodiments of the present invention, but the scope of protection is not limited to them; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed here falls within the scope of protection of the invention. The scope of protection of the present invention is therefore defined by the appended claims.

Claims (8)

1. A method for the secure circulation of documents, characterized by comprising the following steps:
S1: a first client sends a transmission request to a server, the request containing the relevant parameters of the document to be transmitted;
S2: the first client obtains a first link from the server and sends the first link to a second client;
S3: the second client accesses the first link and sends a receiving request to the server;
S4: the server audits the receiving request; if the request passes the audit, the server sends the document to the second client; if it does not pass, the server refuses to let the second client download the document;
wherein,
obtaining the first link from the server by the first client specifically includes:
the server generates the first link from the relevant parameters, the parameters of the first link comprising the identification sequence of the document and the time at which the link was generated; the first link points to a local loopback address;
the server records an entry in a database, the fields of which comprise the first link, a valid start time, a valid end time, the device ID of the first client and the identification sequence of the document;
the server returns the first link to the first client;
accessing the first link by the second client specifically includes:
the second client redirects the first link to generate a new, second link for downloading the document; the second link points to the server;
the second client sends the second link to the server.
2. The method for the secure circulation of documents according to claim 1, wherein the method is applied to a communication network comprising at least one server and a plurality of clients.
3. The method for the secure circulation of documents according to claim 2, further comprising, before step S1, the following step:
the client uploads the document to the server and, at the same time, uploads the device ID of the client on which the document resides.
4. The method for the secure circulation of documents according to claim 1, wherein in step S1 the relevant parameters include the identification sequence of the document to be transmitted and the device ID of the first client.
5. The method for the secure circulation of documents according to claim 1, wherein the parameters of the second link comprise the identification sequence of the document, the generation time of the second link, the first link, and the device ID and security parameters of the second client; the security parameters comprise Token information that proves the identity of the client.
6. The method for the secure circulation of documents according to claim 5, wherein step S4 specifically includes:
comparing the parameters of the first link with the information in the database and determining whether the first link has expired, that is, determining whether the generation time of the second link is earlier than the valid end time of the first link;
checking whether the second client has permission to access the document;
if the first link has not expired and the second client has permission, the audit is passed and the second client is allowed to download the document; in all other cases the audit fails and the second client is refused the download.
7. The method for the secure circulation of documents according to claim 1, wherein after step S4 the method further comprises:
when the audit fails, the server returns the audit result to the second client.
8. The method for the secure circulation of documents according to claim 1, wherein after step S4 the method further comprises:
the server records the relevant information of each download request, the recorded content comprising the device ID of the second client, the identification sequence of the document requested for download, the download result and the download time.
CN201711498605.8A 2017-12-29 2017-12-29 Safe document circulation method Active CN108093078B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711498605.8A CN108093078B (en) 2017-12-29 2017-12-29 Safe document circulation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711498605.8A CN108093078B (en) 2017-12-29 2017-12-29 Safe document circulation method

Publications (2)

Publication Number Publication Date
CN108093078A CN108093078A (en) 2018-05-29
CN108093078B CN108093078B (en) 2020-10-16

Family

ID=62181306

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711498605.8A Active CN108093078B (en) 2017-12-29 2017-12-29 Safe document circulation method

Country Status (1)

Country Link
CN (1) CN108093078B (en)


Also Published As

Publication number Publication date
CN108093078A (en) 2018-05-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant