CN108494734A - A secure mobile office method based on an SDK - Google Patents


Info

Publication number
CN108494734A
Authority
CN
China
Prior art keywords
app
byoa
sdk
key
enterprise
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810148496.5A
Other languages
Chinese (zh)
Other versions
CN108494734B (en
Inventor
吕秋云
俞祥祥
王秋华
祁伊祯
欧阳萧琴
詹佳程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Qiangua Information Technology Co ltd
Original Assignee
Hangzhou Dianzi University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dianzi University
Priority to CN201810148496.5A
Publication of CN108494734A
Application granted
Publication of CN108494734B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12: Applying verification of the received information
    • H04L63/123: Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The invention discloses an SDK-based secure mobile office method. By embedding an SDK in the App, the invention lets users freely use third-party Apps to edit enterprise files securely. The overall S-BYOA architecture and operational flow are described first, followed by its three main functions: the S-BYOA file transfer flow, S-BYOA detection of malicious remote backup of enterprise files, and S-BYOA prevention of malicious local saving of enterprise files. The invention protects the most common activity, enterprise file editing, and proposes an SDK-based enterprise file editing scheme: without changing the enterprise's existing file system, a third-party App obtains enterprise files securely, leakage of enterprise files during editing is prevented, and malicious saving of files by the App is prevented, achieving secure mobile office.

Description

A secure mobile office method based on an SDK
Technical field
The invention belongs to the technical field of BYOA (Bring Your Own Apps) mobile office, and specifically relates to an SDK-based secure mobile office method in which any App can edit enterprise files.
Technical background
In 2014, Earley first proposed the concept of Bring Your Own Apps (BYOA): enterprise employees can browse and edit enterprise files with any application they personally prefer; enterprise data is kept from leaking while the user's personal privacy is protected, realizing secure mobile office. Existing BYOA implementations mainly take two forms. (1) Establishing a BYOA App store that analyzes and manages App security centrally. This method can prevent attacks by malicious Apps, but its analysis is static code analysis; on a dynamic runtime system (such as iOS), a malicious App that invokes malicious code through a script at run time can bypass the judgment of the static analysis. (2) Improving the App sandbox structure by dividing the sandbox into three parts: navigation, storage, and settings. A malicious App cannot find the local files of a specified App, which effectively protects local enterprise data. However, this method does not encrypt the sandbox data, so when the device is lost or stolen an attacker can obtain the data on the device through data backup. In addition, experimental results show that modifying the sandbox structure increases the App crash rate.
Summary of the invention
In view of the deficiencies of the prior art, the object of the invention is to provide an SDK-based secure mobile office method.
BYOA mobile office includes enterprise file editing, employee communication, file sharing, employee benefits, and so on. By embedding an SDK in the App, the invention lets users freely use third-party Apps to edit enterprise files securely.
To achieve the above object, the invention is realized through the following technical solution:
The invention is premised on building the S-BYOA architecture, which includes:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee authentication and for generating, managing, and distributing user keys.
(2) S-BYOA-App: the mobile secure office App installed on the user terminal, responsible for securely storing part of the keys, secure browsing of enterprise files, and detection of malicious saving.
(3) S-BYOA-SDK: the secure mobile office SDK embedded in the third-party App, referred to below as the SDK for convenience; it cooperates with S-BYOA-App to implement enterprise file monitoring and secure transmission, and detection and deletion of maliciously saved files.
(4) Third-Party-App: a third-party App that integrates the SDK and can edit enterprise files.
(5) Third-party App server: the server that provides the third-party App's own original services; it is unrelated to enterprise files and is referred to below as the App server.
(6) S-BYOA-Server: the secure mobile office server, which works with S-BYOA-SDK to detect malicious remote backup of files by the third-party App and notifies the enterprise so that it can respond promptly.
The operational flow is as follows: the user selects the enterprise file to be edited in S-BYOA-App and chooses to edit it with a third-party App. The third-party App obtains the enterprise file from the enterprise server through S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing. The S-BYOA server detects in real time whether the third-party App maliciously leaks enterprise file content while editing the enterprise file; if so, it intercepts the traffic and notifies the enterprise; if not, it forwards the normal network data. After the enterprise file has been edited, S-BYOA-App uses S-BYOA-SDK to check whether the third-party App's sandbox has maliciously saved the enterprise file. While the App edits an enterprise file, the App's network requests are directed to the BS.
An SDK-based secure mobile office method, comprising the following steps:
Step 1. File transfer in S-BYOA: the transmitted file is encrypted with AES, and file integrity is verified with a hash algorithm. The implementation is as follows:
1-1. The employee logs in to the enterprise authentication system through S-BYOA-App; S-BYOA requests the PHE user key generation parameters from E-Server and generates the employee's corresponding pk and sk. When the employee initiates a request to edit file F, S-BYOA-App sends the F_id of file F and the employee's UserId to E-Server;
1-2. E-Server generates the download link url of file F; to prevent the enterprise file from being requested repeatedly with malicious intent, the link can be requested only once. E-Server then randomly generates a key key for AES encryption and encrypts it with the server's PHE encryption key pk to obtain $key_s$ (formula 1), then applies a hash algorithm to key, $key_s$ and url to obtain $H_{control}$ (formula 2). Finally, E-Server sends $key_s$, url and $H_{control}$ to S-BYOA-App;
$$key_s = \mathrm{PHE}_{pk}(key) \tag{1}$$
$$H_{control} = H(url, key, key_s) \tag{2}$$
1-3. After S-BYOA-App receives the data returned by E-Server, it decrypts with the employee's sk to obtain key (formula 3), then applies the hash algorithm to key, $key_s$ and url again to verify whether the data was tampered with in transit;
$$key = \mathrm{PHE}_{sk}(key_s) \tag{3}$$
1-4. S-BYOA-App uses {Third-Party-App://key+url} to launch the target Third-Party-App and pass key and url to the SDK;
1-5. The SDK sends E-Server a request to download file F according to url, attaching the Token obtained when the SDK started. After receiving the request, E-Server first verifies that the SDK started normally, then encrypts file F with the key generated in step 1-2 to obtain $F_S$ (formula 4), applies the hash algorithm to file F to obtain $H_F$ (formula 5), and finally sends $F_S$ and $H_F$ to the SDK;
$$F_S = \mathrm{AES}_{key}(F) \tag{4}$$
$$H_F = H(F) \tag{5}$$
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to obtain file F, and hashes the decrypted file F again to determine whether the file was tampered with in transit. If tampering is found, the SDK jumps to S-BYOA-App through the URL Scheme mechanism, informs the user that the file is damaged, and requests the file again;
1-7. After file editing is complete, the upload process is similar to acquisition: the SDK randomly generates a key to encrypt the file and sends the encrypted file to E-Server. After the transfer completes, the SDK deletes the enterprise file in Third-Party-App and sends key to S-BYOA-App through the URL Scheme mechanism {S-BYOA-App://key}. S-BYOA-App encrypts key with the server's public key $E_{pk}$ and then sends the encrypted key to E-Server;
Step 2. S-BYOA detects malicious remote backup of enterprise files
Using runtime characteristics of the mobile system, the SDK directs the App's network traffic during enterprise file editing to the S-BYOA server, which detects whether a leak is occurring; if there is a leak it notifies the enterprise, otherwise it forwards the data;
2-1. Through NSURLProtocol, the SDK rewrites the host address of all of the App's network requests to the address of S-BYOA-Server and attaches the employee userId and enterprise id, realizing network traffic monitoring;
2-2. S-BYOA-Server judges whether malicious remote backup exists according to whether the network request packets that Third-Party-App sends to its server contain non-control information of Third-Party-App; if they contain non-control information, malicious remote backup exists;
2-3. If malicious remote backup exists, the userId and enterprise id are used to locate the corresponding enterprise and employee;
Step 3. S-BYOA prevents malicious local saving of enterprise files
To counter the threat of an App maliciously saving enterprise files locally, the SDK monitors and manages the sandbox; when the user exits after editing is complete, the user is notified to delete the enterprise files in Third-Party-App. The implementation is as follows:
3-1. Sandbox file view: S-BYOA-App sends a file view request to Third-Party-App through {Third-Party-App://search}; the SDK traverses all file information in the App's sandbox, splices the file names into a string, and calls back to the S-BYOA-App interface through {S-BYOA-App://file name string}, passing the file name string to S-BYOA-App. After receiving it, S-BYOA-App splits the file name string and displays it to the user;
3-2. Delete: S-BYOA-App sends a delete request to Third-Party-App through {Third-Party-App://delete/file names}; Third-Party-App receives the delete request and splits the file name string to obtain the names of the files to delete; the SDK calls the delete interface to delete the specified files, and after the deletion calls back {S-BYOA-App://success or error} to return the deletion result to S-BYOA-App.
The beneficial effects of the invention are as follows:
The invention studies and analyzes the most prominent security problems in existing Bring Your Own Apps (BYOA) methods and proposes an SDK-based secure mobile office method. By embedding an SDK in the App, the invention lets users freely use third-party Apps to edit enterprise files securely. The enterprise can realize secure mobile office without modifying its existing file system and without maintaining an App whitelist, so S-BYOA has low deployment and maintenance costs.
The secure mobile office proposed by the invention mainly protects enterprise files, covering three stages: the App obtaining, editing, and locally saving enterprise files. The main functions include:
(1) The App obtains enterprise files securely
(2) Detecting whether the App maliciously backs up enterprise files remotely
(3) Detecting whether the App maliciously saves enterprise files locally
The invention protects the most common activity, enterprise file editing, and proposes an SDK-based enterprise file editing scheme: without changing the enterprise's existing file system, a third-party App obtains enterprise files securely, leakage of enterprise files during editing is prevented, and malicious saving of files by the App is prevented, achieving secure mobile office.
Description of the drawings
Fig. 1: S-BYOA architecture diagram;
Fig. 2: enterprise file transfer flow;
Fig. 3: App network traffic security monitoring flow chart;
Fig. 4: App sandbox view and delete flow;
Detailed description
To make the technical means, creative features, objectives, and effects of the invention easy to understand, the invention is further described below with reference to the drawings.
The S-BYOA architecture is shown in Fig. 1. The overall architecture consists of the enterprise server Enterprise Server (E-Server), the S-BYOA server (S-BYOA-Server), the secure mobile office auxiliary App (S-BYOA-App), any third-party App (Third-Party-App), S-BYOA-SDK (SDK), and the third-party App server. The function of each part is as follows:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee authentication and for generating, managing, and distributing user keys.
(2) S-BYOA-App: the mobile secure office App installed on the user terminal, responsible for securely storing part of the keys, secure browsing of enterprise files, and detection of malicious saving.
(3) S-BYOA-SDK: the secure mobile office SDK embedded in the third-party App, referred to below as the SDK for convenience; it cooperates with S-BYOA-App to implement enterprise file monitoring and secure transmission, and detection and deletion of maliciously saved files.
(4) Third-Party-App: a third-party App that integrates the SDK and can edit enterprise files.
(5) Third-party App server: the server that provides the third-party App's own original services; it is unrelated to enterprise files and is referred to below as the App server.
(6) S-BYOA-Server: the secure mobile office server, which works with S-BYOA-SDK to detect malicious remote backup of files by the third-party App and notifies the enterprise so that it can respond promptly.
The operational flow of this architecture:
1. The user selects the enterprise file to be edited in S-BYOA-App and chooses to edit it with a third-party App. 2. The third-party App obtains the enterprise file from the enterprise server through S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing. 3. The S-BYOA server detects in real time whether the third-party App maliciously leaks enterprise file content while editing the enterprise file; if so, it intercepts the traffic and notifies the enterprise (process 4); if not, it forwards the normal network data (process 5). 6. After the enterprise file has been edited, S-BYOA-App uses S-BYOA-SDK to check whether the third-party App's sandbox has maliciously saved the enterprise file. While the App edits an enterprise file, the App's network requests are directed to the BS.
Step 1. File transfer flow in S-BYOA
As shown in Fig. 2, to ensure that enterprise files travel securely from E-Server to the App, the invention encrypts the transmitted file with AES and verifies file integrity with a hash algorithm.
1-1. The employee logs in to the enterprise authentication system through S-BYOA-App; S-BYOA requests the PHE user key generation parameters from E-Server and generates the employee's corresponding pk and sk. When the employee initiates a request to edit file F, S-BYOA-App sends the F_id of file F and the employee's UserId to E-Server.
1-2. E-Server generates the download link url of file F; to prevent the enterprise file from being requested repeatedly with malicious intent, the link can be requested only once. E-Server then randomly generates a key key for AES encryption and encrypts it with the server's PHE encryption key pk to obtain $key_s$ (formula 1), then applies a hash algorithm to key, $key_s$ and url to obtain $H_{control}$ (formula 2). Finally, E-Server sends $key_s$, url and $H_{control}$ to S-BYOA-App.
$$key_s = \mathrm{PHE}_{pk}(key) \tag{1}$$
$$H_{control} = H(url, key, key_s) \tag{2}$$
1-3. After S-BYOA-App receives the data returned by E-Server, it decrypts with the employee's sk to obtain key (formula 3), then applies the hash algorithm to key, $key_s$ and url again to verify whether the data was tampered with in transit.
$$key = \mathrm{PHE}_{sk}(key_s) \tag{3}$$
1-4. S-BYOA-App uses {Third-Party-App://key+url} to launch the target Third-Party-App and pass key and url to the SDK.
1-5. The SDK sends E-Server a request to download file F according to url, attaching the Token obtained when the SDK started. After receiving the request, E-Server first verifies that the SDK started normally, then encrypts file F with the key generated in step 1-2 to obtain $F_S$ (formula 4), applies the hash algorithm to file F to obtain $H_F$ (formula 5), and finally sends $F_S$ and $H_F$ to the SDK.
$$F_S = \mathrm{AES}_{key}(F) \tag{4}$$
$$H_F = H(F) \tag{5}$$
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to obtain file F, and hashes the decrypted file F again to determine whether the file was tampered with in transit. If tampering is found, the SDK jumps to S-BYOA-App through the URL Scheme mechanism, informs the user that the file is damaged, and requests the file again.
1-7. After file editing is complete, the upload process is similar to acquisition: the SDK randomly generates a key to encrypt the file and sends the encrypted file to E-Server. After the transfer completes, the SDK deletes the enterprise file in Third-Party-App and sends key to S-BYOA-App through the URL Scheme mechanism {S-BYOA-App://key}. S-BYOA-App encrypts key with the server's public key $E_{pk}$ and then sends the encrypted key to E-Server.
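The download exchange of steps 1-2 to 1-6, written out as an added example; it is not code from the patent. Assumptions: H is SHA-256 over length-prefixed fields, PHE and AES are both replaced by one labelled stand-in keystream cipher so the block runs on the Python standard library (so pk equals sk here), and the URL, Token, UserId and file content are constructed.

```python
import hashlib
import hmac
import secrets


def H(*fields: bytes) -> bytes:
    """Hash several fields; each is length-prefixed so that field
    boundaries cannot shift between url, key and key_s."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for both PHE and AES (SHA-256 keystream XOR, its own
    inverse). Chosen only to keep the example dependency-free."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


class EServer:
    def __init__(self, files, employee_keys, sdk_tokens):
        self.files = files                  # F_id -> plaintext bytes
        self.employee_keys = employee_keys  # UserId -> pk (stand-in: pk == sk)
        self.sdk_tokens = sdk_tokens        # Tokens issued when an SDK starts
        self.pending = {}                   # url -> (key, F_id), single use

    def request_edit(self, f_id: str, user_id: str):
        """Step 1-2: return (key_s, url, H_control)."""
        url = "https://e-server.example/dl/" + secrets.token_urlsafe(16)
        key = secrets.token_bytes(32)
        key_s = stand_in_cipher(self.employee_keys[user_id], key)  # formula (1)
        h_control = H(url.encode(), key, key_s)                    # formula (2)
        self.pending[url] = (key, f_id)
        return key_s, url, h_control

    def download(self, url: str, token: str):
        """Step 1-5: return (F_S, H_F); the link can be requested once."""
        if token not in self.sdk_tokens:
            raise PermissionError("SDK Token not recognised")
        if url not in self.pending:
            raise PermissionError("link unknown or already requested")
        key, f_id = self.pending.pop(url)
        f = self.files[f_id]
        return stand_in_cipher(key, f), H(f)               # formulas (4), (5)


def app_recover_key(sk: bytes, key_s: bytes, url: str, h_control: bytes) -> bytes:
    """Step 1-3: recover key and recompute H_control before using it."""
    key = stand_in_cipher(sk, key_s)                       # formula (3)
    if not hmac.compare_digest(H(url.encode(), key, key_s), h_control):
        raise ValueError("H_control mismatch: response altered in transit")
    return key


def sdk_open(key: bytes, f_s: bytes, h_f: bytes) -> bytes:
    """Step 1-6: decrypt F_S and compare the hash of the result with H_F."""
    f = stand_in_cipher(key, f_s)
    if not hmac.compare_digest(H(f), h_f):
        raise ValueError("H_F mismatch: file altered in transit")
    return f


def run_exchange():
    """Run steps 1-1 to 1-5 once on constructed sample data."""
    sk = secrets.token_bytes(32)
    server = EServer({"F-001": b"Q3 budget draft (constructed sample)"},
                     {"user-42": sk}, {"tok-1"})
    key_s, url, h_control = server.request_edit("F-001", "user-42")
    key = app_recover_key(sk, key_s, url, h_control)
    f_s, h_f = server.download(url, "tok-1")
    return server, sk, (key_s, url, h_control), key, (f_s, h_f)
```

Because key never travels in the clear, a party that alters url or $key_s$ in transit cannot recompute a matching $H_{control}$; the length prefixes keep the three hashed fields from being re-divided without changing the digest.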
Step 2. S-BYOA detects malicious remote backup of enterprise files
As shown in Fig. 3, using runtime characteristics of the mobile system, the SDK directs the App's network traffic during enterprise file editing to the S-BYOA server, which detects whether a leak is occurring; if there is a leak it notifies the enterprise, otherwise it forwards the data. The App here refers to any App capable of editing files, in the state of editing an enterprise file.
2-1. Through NSURLProtocol, the SDK rewrites the host address of all of the App's network requests to the address of S-BYOA-Server and attaches the employee userId and enterprise id, realizing network traffic monitoring.
2-2. S-BYOA-Server judges whether malicious remote backup exists according to whether the network request packets that Third-Party-App sends to its server contain non-control information of Third-Party-App (such as large data uploads, or file and picture uploads); if they contain non-control information, malicious remote backup exists.
2-3. If malicious remote backup exists, the userId and enterprise id are used to locate the corresponding enterprise and employee.
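One way the check in steps 2-2 and 2-3 could look on S-BYOA-Server, as an added example that is not code from the patent. The size threshold, the list of upload content types and the `X-SBYOA-User` / `X-SBYOA-Enterprise` header names are assumptions; the description says only that userId and enterprise id are attached and names large data uploads and file or picture uploads as non-control information. The sample requests are constructed.

```python
from dataclasses import dataclass

# Assumptions for this example, not values from the patent.
MAX_CONTROL_BODY = 16 * 1024
UPLOAD_TYPES = ("multipart/form-data", "application/octet-stream", "image/")
USER_HDR, ENT_HDR = "x-sbyoa-user", "x-sbyoa-enterprise"


@dataclass
class Verdict:
    action: str         # "forward" (control traffic) or "notify" (step 2-3)
    reason: str
    user_id: str        # used in step 2-3 to locate the employee
    enterprise_id: str  # used in step 2-3 to locate the enterprise


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect(raw: bytes) -> Verdict:
    """Step 2-2: decide whether a redirected request carries non-control data."""
    _method, _target, headers, body = parse_request(raw)
    user, ent = headers.get(USER_HDR, ""), headers.get(ENT_HDR, "")

    def verdict(action, reason):
        return Verdict(action, reason, user, ent)

    ctype = headers.get("content-type", "").lower()
    if ctype.startswith(UPLOAD_TYPES):
        return verdict("notify", "upload content type: " + ctype.split(";")[0])
    # A chunked body declares no size, so it cannot be bounded up front.
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return verdict("notify", "body size not declared")
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return verdict("notify", "malformed Content-Length")
    if max(declared, len(body)) > MAX_CONTROL_BODY:
        return verdict("notify", "body exceeds control-traffic size")
    return verdict("forward", "control traffic")


def _req(method, path, headers, body=b""):
    """Build one constructed sample request as the SDK would redirect it."""
    head = [f"{method} {path} HTTP/1.1", "Host: s-byoa-server.example",
            "X-SBYOA-User: user-42", "X-SBYOA-Enterprise: ent-7"] + headers
    return "\r\n".join(head).encode() + b"\r\n\r\n" + body


SAMPLES = [  # constructed sample traffic
    _req("GET", "/api/config", []),
    _req("POST", "/api/heartbeat",
         ["Content-Type: application/json", "Content-Length: 15"],
         b'{"alive": true}'),
    _req("POST", "/upload",
         ["Content-Type: multipart/form-data; boundary=x",
          "Content-Length: 2048"], b"--x"),
    _req("POST", "/api/log",
         ["Content-Type: text/plain", "Content-Length: 200000"],
         b"A" * 200000),
]


def run_samples():
    return [inspect(r) for r in SAMPLES]
```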
Step 3. S-BYOA prevents malicious local saving of enterprise files
As shown in Fig. 4, to counter the threat of an App maliciously saving enterprise files locally, the SDK monitors and manages the sandbox; when the user exits after editing is complete, the user is notified to delete the enterprise files in Third-Party-App. The detailed process is shown in Fig. 4:
3-1. Sandbox file view: S-BYOA-App sends a file view request to Third-Party-App through {Third-Party-App://search}; the SDK traverses all file information in the App's sandbox, splices the file names into a string, and calls back to the S-BYOA-App interface through {S-BYOA-App://file name string}, passing the file name string to S-BYOA-App. After receiving it, S-BYOA-App splits the file name string and displays it to the user. The App here refers to any App capable of editing files.
The file names are spliced into a string as follows:
A special character is used as the identifying marker to splice the file names, for example: filenameA*filenameB*filenameC, where the file names are spliced with "*".
The file name string is split as follows: the special character used when splicing serves as the identifying marker for splitting the file names, for example: filenameA*filenameB*filenameC is split on "*".
3-2. Delete: S-BYOA-App sends a delete request to Third-Party-App through {Third-Party-App://delete/file names}; Third-Party-App receives the delete request and splits the file name string to obtain the names of the files to delete; the SDK calls the delete interface to delete the specified files, and after the deletion calls back {S-BYOA-App://success or error} to return the deletion result to S-BYOA-App.
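The splice/split convention and the delete request of steps 3-1 and 3-2, as an added example that is not code from the patent. It shows the described "*" splicing next to a variant that percent-encodes each name first, so a file name that itself contains "*" survives the round trip, and a delete handler that only removes regular files directly inside the sandbox directory. The flat sandbox layout, the percent-encoding and the function names are assumptions; the files are constructed in a temporary directory.

```python
import os
import tempfile
from urllib.parse import quote, unquote, urlsplit

DELIM = "*"  # the special character the description uses as its example


def splice_naive(names):
    """Splicing as described: join the raw names with the delimiter."""
    return DELIM.join(names)


def split_naive(joined):
    return joined.split(DELIM)


def splice(names):
    """Percent-encode each name first, so neither the delimiter nor '/'
    can appear inside an encoded name and splitting is unambiguous."""
    return DELIM.join(quote(n, safe="") for n in names)


def split(joined):
    return [unquote(part) for part in joined.split(DELIM)] if joined else []


def handle_delete(url, sandbox):
    """SDK side of step 3-2: delete only regular files that are direct
    children of the sandbox directory; report success or error per name."""
    parts = urlsplit(url)
    if parts.scheme != "third-party-app" or parts.netloc != "delete":
        raise ValueError("not a delete request")
    root = os.path.realpath(sandbox)
    results = {}
    for name in split(parts.path[1:]):
        # realpath resolves '..' and symlinks before the containment check.
        target = os.path.realpath(os.path.join(root, name))
        ok = os.path.dirname(target) == root and os.path.isfile(target)
        if ok:
            os.remove(target)
        results[name] = "success" if ok else "error"
    return results


def demo():
    """Constructed scenario: two sandbox files and one file outside it."""
    with tempfile.TemporaryDirectory() as base:
        sandbox = os.path.join(base, "sandbox")
        os.mkdir(sandbox)
        for n in ["report*final.docx", "notes.txt"]:
            open(os.path.join(sandbox, n), "w").close()
        outside = os.path.join(base, "outside.txt")
        open(outside, "w").close()

        listing = sorted(os.listdir(sandbox))
        naive = split_naive(splice_naive(listing))   # name is cut in two
        encoded = split(splice(listing))             # round trip is exact

        url = "Third-Party-App://delete/" + splice(
            ["report*final.docx", "../outside.txt"])
        results = handle_delete(url, sandbox)
        return (naive, encoded, results,
                sorted(os.listdir(sandbox)), os.path.exists(outside))
```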
S-BYOA parameter lookup tables.

Claims (3)

1. An SDK-based secure mobile office method, characterized by comprising the following steps:
Step 1. File transfer in S-BYOA: the transmitted file is encrypted with AES, and file integrity is verified with a hash algorithm. The implementation is as follows:
1-1. The employee logs in to the enterprise authentication system through S-BYOA-App; S-BYOA requests the PHE user key generation parameters from E-Server and generates the employee's corresponding pk and sk. When the employee initiates a request to edit file F, S-BYOA-App sends the F_id of file F and the employee's UserId to E-Server;
1-2. E-Server generates the download link url of file F; to prevent the enterprise file from being requested repeatedly with malicious intent, the link can be requested only once. E-Server then randomly generates a key key for AES encryption and encrypts it with the server's PHE encryption key pk to obtain $key_s$ (formula 1), then applies a hash algorithm to key, $key_s$ and url to obtain $H_{control}$ (formula 2). Finally, E-Server sends $key_s$, url and $H_{control}$ to S-BYOA-App;
$$key_s = \mathrm{PHE}_{pk}(key) \tag{1}$$
$$H_{control} = H(url, key, key_s) \tag{2}$$
1-3. After S-BYOA-App receives the data returned by E-Server, it decrypts with the employee's sk to obtain key (formula 3), then applies the hash algorithm to key, $key_s$ and url again to verify whether the data was tampered with in transit;
$$key = \mathrm{PHE}_{sk}(key_s) \tag{3}$$
1-4. S-BYOA-App uses {Third-Party-App://key+url} to launch the target Third-Party-App and pass key and url to the SDK;
1-5. The SDK sends E-Server a request to download file F according to url, attaching the Token obtained when the SDK started. After receiving the request, E-Server first verifies that the SDK started normally, then encrypts file F with the key generated in step 1-2 to obtain $F_S$ (formula 4), applies the hash algorithm to file F to obtain $H_F$ (formula 5), and finally sends $F_S$ and $H_F$ to the SDK;
$$F_S = \mathrm{AES}_{key}(F) \tag{4}$$
$$H_F = H(F) \tag{5}$$
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to obtain file F, and hashes the decrypted file F again to determine whether the file was tampered with in transit. If tampering is found, the SDK jumps to S-BYOA-App through the URL Scheme mechanism, informs the user that the file is damaged, and requests the file again;
1-7. After file editing is complete, the upload process is similar to acquisition: the SDK randomly generates a key to encrypt the file and sends the encrypted file to E-Server. After the transfer completes, the SDK deletes the enterprise file in Third-Party-App and sends key to S-BYOA-App through the URL Scheme mechanism {S-BYOA-App://key}. S-BYOA-App encrypts key with the server's public key $E_{pk}$ and then sends the encrypted key to E-Server;
Step 2. S-BYOA detects malicious remote backup of enterprise files
Using the SDK together with the runtime features of the mobile system, the App's network traffic while an enterprise file is being edited is directed to the S-BYOA server, which detects whether any leakage occurs; if there is leakage, the S-BYOA server notifies the enterprise, otherwise it forwards the data;
2-1. Through NSURLProtocol, the SDK changes the host address of all of the App's network requests to the address of S-BYOA-Server and attaches the employee userId and the enterprise id, which implements network traffic monitoring;
2-2. S-BYOA-Server judges whether malicious remote backup is taking place according to whether the network request packets that Third-Party-App sends to its server contain non-control information of Third-Party-App; if they contain non-control information, malicious remote backup exists;
2-3. If malicious remote backup exists, the corresponding enterprise and employee are located using the userId and the enterprise id;
Step 3. S-BYOA prevents malicious local saving of enterprise files
To prevent the threat of the App maliciously saving enterprise files locally, the SDK monitors and manages the sandbox, and when editing is completed and the App exits, the user is notified to delete the enterprise files in Third-Party-App. This is implemented as follows:
3-1. Sandbox file viewing: S-BYOA-App initiates a file view request to Third-Party-App through {Third-Party-App://search}; the SDK traverses the information of all files in that App's sandbox, splices the file names into a string, and then calls back to the S-BYOA-App interface through {S-BYOA-App://filename string}, passing the filename string to S-BYOA-App; after receiving it, S-BYOA-App splits the filename string and shows it to the user;
3-2. Deletion: S-BYOA-App initiates a deletion request to Third-Party-App through {Third-Party-App://delete/filenames}; Third-Party-App receives the deletion request and splits the filename string to obtain the names of the files to be deleted; the SDK calls the delete interface to delete the specified files, and then calls back {S-BYOA-App://success or error} to return the result of the deletion to S-BYOA-App.
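One way the Third-Party-App side of steps 3-1 and 3-2 can handle the two request URLs while keeping deletion confined to its own sandbox, as an added example in Python rather than the patent's or any SDK's own code. The `,` separator, the percent-encoding of each file name, the all-or-nothing delete policy and the function names are assumptions; the claims only give the URL forms.

```python
import tempfile
from pathlib import Path
from urllib.parse import quote, unquote, urlsplit

SEP = ","                    # assumed separator; the claims do not name one
CALLBACK = "S-BYOA-App://"   # callback scheme used in steps 3-1 and 3-2

def handle_request(url: str, sandbox: Path) -> str:
    """Third-Party-App side: serve a search/delete URL, return the callback URL."""
    root = sandbox.resolve()
    parts = urlsplit(url)
    if parts.scheme != "third-party-app":      # urlsplit lower-cases the scheme
        return CALLBACK + "error"
    if parts.netloc == "search":               # step 3-1: list the sandbox
        names = sorted(p.relative_to(root).as_posix()
                       for p in root.rglob("*") if p.is_file())
        # Encode each name so a "," or "/" inside it is not read as structure.
        return CALLBACK + SEP.join(quote(n, safe="") for n in names)
    if parts.netloc == "delete":               # step 3-2: delete named files
        targets = [(root / unquote(raw)).resolve()
                   for raw in parts.path[1:].split(SEP)]
        # All or nothing: each name must resolve to a file inside the sandbox,
        # which rejects "../", absolute paths and symlinks pointing outside.
        if not all(root in t.parents and t.is_file() for t in targets):
            return CALLBACK + "error"
        for t in targets:
            t.unlink()
        return CALLBACK + "success"
    return CALLBACK + "error"

def parse_listing(callback_url: str) -> list:
    """S-BYOA-App side: split the filename string for display (step 3-1)."""
    payload = callback_url[len(CALLBACK):]
    return [unquote(raw) for raw in payload.split(SEP)] if payload else []

def demo() -> dict:  # exercises both steps against a constructed sandbox
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "sandbox"
        sandbox.mkdir()
        (sandbox / "report,v2.docx").write_text("constructed enterprise file")
        (sandbox / "notes.txt").write_text("constructed")
        outside = Path(tmp) / "outside.txt"
        outside.write_text("constructed file outside the sandbox")
        listed = parse_listing(handle_request("Third-Party-App://search", sandbox))
        escape = handle_request("Third-Party-App://delete/..%2Foutside.txt", sandbox)
        ok = handle_request("Third-Party-App://delete/report%2Cv2.docx", sandbox)
        left = parse_listing(handle_request("Third-Party-App://search", sandbox))
        return {"listed": listed, "escape": escape, "ok": ok, "left": left,
                "outside_kept": outside.exists()}
```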
2. The safe mobile office method based on SDK according to claim 1, characterized in that the method is based on the S-BYOA framework, which comprises the enterprise server Enterprise Server (E-Server), the S-BYOA server (S-BYOA-Server), the safe mobile office auxiliary App (S-BYOA-App), an arbitrary third-party App (Third-Party-App), S-BYOA-SDK (SDK), and the third-party App server:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee authentication and for generating, managing and distributing user keys;
(2) S-BYOA-App: the mobile secure office App installed on the user terminal, responsible for securely storing part of the key, secure browsing of enterprise files, and malicious-save detection;
(3) S-BYOA-SDK: the safe mobile office SDK embedded in the third-party App, which cooperates with S-BYOA-App to implement enterprise file monitoring and secure transmission, and malicious-save detection and deletion;
(4) Third-Party-App: a third-party App that integrates the SDK and can edit enterprise files;
(5) Third-party App server: the server that provides the third-party App's original services;
(6) S-BYOA-Server: the safe mobile office server, which together with S-BYOA-SDK detects malicious remote backup of files by the third-party App and notifies the enterprise so that it can respond in time.
3. The safe mobile office method based on SDK according to claim 2, characterized in that the S-BYOA framework operates as follows:
The user selects the enterprise file to be edited in S-BYOA-App and chooses to edit it with a third-party App; the third-party App obtains the enterprise file from the enterprise server through S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing; while the third-party App edits the enterprise file, the S-BYOA server detects in real time whether enterprise file content is being maliciously leaked; if so, it intercepts the traffic and notifies the enterprise, and if not, it forwards the normal network data; after the enterprise file has been edited, S-BYOA-App checks through S-BYOA-SDK whether the third-party App's sandbox has maliciously saved the enterprise file; when the App edits an enterprise file, it is responsible for directing the App's network requests to be sent to BS.
CN201810148496.5A 2018-02-13 2018-02-13 Safe mobile office method based on SDK Active CN108494734B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810148496.5A CN108494734B (en) 2018-02-13 2018-02-13 Safe mobile office method based on SDK

Publications (2)

Publication Number Publication Date
CN108494734A true CN108494734A (en) 2018-09-04
CN108494734B CN108494734B (en) 2020-11-17

Family

ID=63340594

Country Status (1)

Country Link
CN (1) CN108494734B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230907

Address after: Room 2002, Zone A, Huazhou Business Center, No. 1038 Jiangnan Avenue, Changhe Street, Binjiang District, Hangzhou City, Zhejiang Province, 310051

Patentee after: Zhejiang Qiangua Information Technology Co.,Ltd.

Address before: 310018 No. 2 street, Xiasha Higher Education Zone, Hangzhou, Zhejiang

Patentee before: HANGZHOU DIANZI University
