CN109711181B - File content fine-grained protection method based on trusted format data - Google Patents

Info

Publication number: CN109711181B
Authority: CN (China)
Application number: CN201811606448.2A
Other languages: Chinese (zh)
Other versions: CN109711181A (en)
Inventors: 颜亮, 文刚, 刘栋
Current Assignee: CETC 30 Research Institute
Original Assignee: CETC 30 Research Institute
Legal status: Active
Prior art keywords: trusted, user, key, authority, data
Abstract

The invention relates to the technical field of file protection and discloses a fine-grained file content protection method based on trusted format data. The method comprises the following steps: encrypted document content is converted into a trusted data format, which is encapsulated and then embedded as a whole into the OpenXML document structure, while the original content is replaced with meaningless content; access authority is set for the encrypted content in the trusted data format, and a user accesses that content according to the user's own authority. The data file sender can manually or automatically set the reading authority of each part of the shared document according to the industry specification; the data file receiver can, according to the receiver's own authority and with the cooperation of the authority system, recover the encryption keys in the file, and cannot view encrypted content that the receiver's authority does not match; by controlling and setting the authority of the shared file, the data file sender ensures effective sharing of information while limiting the diffusion of sensitive content.

Description

File content fine-grained protection method based on trusted format data
Technical Field
The invention relates to the technical field of file protection, in particular to a file content fine-grained protection method based on trusted format data.
Background
At present, most file protection schemes encrypt the file as a whole: a receiver who does not know the decryption key cannot obtain any information from the file, while a receiver who knows the key obtains all of it. Existing file encryption schemes operate simply at the level of the whole file, cannot provide classified protection for the content within a file, and are not conducive to information exchange and sharing.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the above problems, a fine-grained file content protection method based on trusted format data is provided.
The technical scheme adopted by the invention is as follows: a fine-grained file content protection method based on trusted format data comprises the following steps:
encrypted document content is converted into a trusted data format, which is encapsulated and then embedded as a whole into the OpenXML document structure, while the original content is replaced with meaningless content;
access authority is set for the encrypted content in the trusted data format, and a user accesses the encrypted content in the trusted data format according to the user's own authority.
Further, the trusted data format is generated by:
step 1, a user logs in, and the program verifies the user's identity and obtains the user's signature private key;
step 2, the user edits the Office document, selects the paragraphs or text to be protected, and a symmetric key is generated;
step 3, the selected text is encrypted with a symmetric algorithm using the symmetric key generated in step 2, and the resulting ciphertext is stored in the payload of the trusted data node;
step 4, the original data in the Office document is replaced with meaningless prompt information;
step 5, the authority information is stored in the assertion according to the access mode of the key;
step 6, the trusted data is signed with the private key of the current user.
Further, in step 2,
if the selected paragraph or text is protected in password mode, the user inputs a protection password; a digest is computed over the password, and the digest value is used as the key of the symmetric algorithm to encrypt the data.
Further, in step 2,
if the selected paragraph or text is protected according to user authority, a symmetric algorithm key is randomly generated, the key is encrypted with the encryption public key of a user who has decryption authority, and the key ciphertext is added to the trusted data node.
Further, in step 2,
if the selected paragraph or text is protected by a remote key, the key generation interface of the remote key is called, and a key access address is obtained and added to the trusted data node.
Further, the access process for the encrypted content in the trusted data format is as follows:
(A) the accessing user logs in, the user's identity is verified, and the user's signature private key is obtained;
(B) the document containing the trusted data format is opened, and the integrity and trustworthiness of the trusted data are verified;
(C) the text content to be decrypted and viewed is selected, the encryption mode of that text is verified, and the accessing user decrypts it according to the corresponding encryption mode.
Further, in (A),
if the document is protected in password mode, the accessing user inputs the password, a digest of the input password is computed to obtain the symmetric key, and decryption is carried out.
Further, in (A),
if user identity authority protection is used, whether the current user has the authority is verified; if the user has the authority, the symmetric key is decrypted using the user's own encryption private key, and the plaintext of the text is obtained by decryption.
Further, in (A),
if remote key protection is used, the key information is requested, and a user with the authority obtains the remote key for decryption.
Further, the OpenXML document includes a trusted data set, where one trusted data set includes a plurality of trusted data objects, and each trusted data object consists of encrypted document content and its protection mode statement.
Compared with the prior art, the above technical scheme has the following beneficial effects:
(1) Before a data file sender releases a shared document, the reading authority of each part of the content of the shared document can be set manually or automatically according to the industry specification.
(2) The data file receiver of the invention can, according to the receiver's own authority and with the cooperation of the authority system, recover the encryption keys in the file and decrypt the received data; encrypted content that does not match the receiver's authority cannot be decrypted.
(3) By controlling and setting fine-grained authority on the shared document, the data file sender of the invention ensures effective sharing of information while limiting the diffusion of sensitive content.
Drawings
Fig. 1 is a schematic flow chart of a file content fine-grained protection method based on trusted format data according to the present invention.
Fig. 2 is a schematic diagram of the structure and relationship of the trusted data set and trusted data objects of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in Fig. 1, a fine-grained file content protection method based on trusted format data includes the following steps:
encrypted document content is converted into a trusted data format, which is encapsulated and then embedded as a whole into the OpenXML document structure, while the original content is replaced with meaningless content; access authority is set for the encrypted content in the trusted data format, and a user accesses the encrypted content in the trusted data format according to the user's own authority. In the above scheme, the trusted data format is encapsulated and embedded into the OpenXML document structure; combined with the OpenXML support of current general-purpose Office software, a file publisher can encrypt the content of a published file part by part, and a receiver can obtain the plaintext of the data in the published file that matches the receiver's own authority or is unprotected.
Example 1: the trusted data format generation method comprises the following steps:
Step 1, a user logs in, and the program verifies the user's identity and obtains the user's signature private key;
Step 2, the user edits the Office document, selects the paragraphs or text to be protected, and a symmetric key is generated;
(1) If the selected paragraph or text is protected in password mode, the user inputs a protection password; a digest is computed over the password, and the digest value is used as the key of the symmetric algorithm to encrypt the data.
(2) If the selected paragraph or text is protected according to user authority, a symmetric algorithm key is randomly generated, the key is encrypted with the encryption public key of a user who has decryption authority, and the key ciphertext is added to the trusted data node.
(3) If the selected paragraph or text is protected by a remote key, the key generation interface of the remote key is called, and a key access address is obtained and added to the trusted data node.
Step 3, the selected text is encrypted with a symmetric algorithm using the symmetric key generated in step 2, and the resulting ciphertext is stored in the payload of the trusted data node;
Step 4, the original data in the Office document is replaced with meaningless prompt information;
Step 5, the authority information is stored in the assertion according to the access mode of the key;
Step 6, the trusted data is signed with the private key of the current user.
Example 2: the access process for the encrypted content in the trusted data format comprises the following steps:
(A) the accessing user logs in, the user's identity is verified, and the user's signature private key is obtained;
(B) the document containing the trusted data format is opened, and the integrity and trustworthiness of the trusted data are verified;
(C) the text content to be decrypted and viewed is selected, the encryption mode of that text is verified, and the accessing user decrypts it according to the corresponding encryption mode.
If the document is protected in password mode, the accessing user inputs the password, a digest of the input password is computed to obtain the symmetric key, and decryption is carried out.
If user identity authority protection is used, whether the current user has the authority is verified; if the user has the authority, the symmetric key is decrypted using the user's own encryption private key, and the plaintext of the text is obtained by decryption.
If remote key protection is used, the key information is requested, and a user with the authority obtains the remote key for decryption.
The public key signature algorithm used in the above process is the SM2 signature algorithm (GM/T0003), the encryption algorithm is the SM4 encryption algorithm (GM/T0002), and data integrity protection is realized with a hash algorithm, namely the SM3 hash algorithm (GM/T0004); common international public algorithms and unpublished algorithms are also supported.
The entity of the trusted data format is a trusted data set: each OpenXML-format document comprises a trusted data set, one trusted data set comprises a plurality of trusted format objects (TDO), and each trusted format object consists of encrypted document content and its protection mode statement.
As shown in Fig. 2, the format of the trusted data set includes assertions, statement metadata, statements, binding relationships, and a set of trusted data objects, with the following meanings:
(1) assertion: describes the processing instructions for the data set;
(2) binding relationship: describes the signature algorithm and signature value for the data set;
(3) set of trusted data objects: a collection of multiple trusted data objects.
The format of the trusted data object comprises assertions, statement metadata, statements, binding relationships and a data payload, with the following meanings:
(1) assertion: describes the processing instructions for the data object;
(2) binding relationship: describes the signature algorithm and signature value for the data object;
(3) data payload: the encrypted data ciphertext.
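The generation steps of Example 1 and access steps (B) and (C) of Example 2 for the user-authority mode, as an added Ruby example that is not part of the patent. AES-256-GCM, SHA-256 and RSA stand in for SM4, SM3 and SM2 (the text allows common international algorithms); the hash layout of `doc` and of the trusted data object, the assertion string and all function names are assumptions, and the keys and paragraphs are constructed.

```ruby
require 'openssl'

# Stand-ins assumed for this example: AES-256-GCM for SM4, SHA-256 for SM3, RSA for SM2.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
class TamperedError < StandardError; end
class NoAuthorityError < StandardError; end

def sha256
  OpenSSL::Digest.new('SHA256')
end

# Bytes covered by the binding (signature). Each field is hashed on its own so
# that bytes cannot be moved across field boundaries without changing the result.
def binding_input(tdo)
  fields = [tdo[:assertion], *tdo[:grants].sort.flatten, tdo[:nonce], tdo[:tag], tdo[:payload]]
  fields.map { |f| sha256.digest(f) }.join
end

# Steps 2 to 6 in user-authority mode for paragraph `index` of `doc`.
# doc: { paragraphs: [String], tds: [trusted data objects] } (hypothetical layout)
# readers: { user id => RSA encryption public key }; signer: sender's signature key.
def protect!(doc, index, signer, readers)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key                                          # step 2
  nonce = cipher.random_iv
  payload = cipher.update(doc[:paragraphs][index]) + cipher.final  # step 3
  tdo = { assertion: "mode=user-authority;paragraph=#{index}",     # step 5
          grants: readers.to_h { |user, pub| [user, pub.public_encrypt(key, OAEP)] },
          nonce: nonce, tag: cipher.auth_tag, payload: payload }
  tdo[:binding] = signer.sign(sha256, binding_input(tdo))          # step 6
  doc[:tds] << tdo
  doc[:paragraphs][index] = "[protected content, object #{doc[:tds].size - 1}]" # step 4
  tdo
end

# Access steps (B) and (C): verify the binding, then the user's authority, then decrypt.
def access(tdo, sender_pub, user, enc_key)
  ok = sender_pub.verify(sha256, tdo[:binding], binding_input(tdo))
  raise TamperedError, 'binding does not match object' unless ok
  wrapped = tdo[:grants].fetch(user) { raise NoAuthorityError, "#{user} has no key ciphertext" }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = enc_key.private_decrypt(wrapped, OAEP)
  cipher.iv = tdo[:nonce]
  cipher.auth_tag = tdo[:tag]
  (cipher.update(tdo[:payload]) + cipher.final).force_encoding('UTF-8')
end

# Returns the block's value, or the error class if access was refused.
def outcome
  yield
rescue TamperedError, NoAuthorityError => e
  e.class
end

# Constructed scenario: alice is authorised for paragraph 1, bob is not.
def demo
  signer, alice, bob = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  doc = { paragraphs: ['public intro', 'constructed sensitive paragraph'], tds: [] }
  tdo = protect!(doc, 1, signer, { 'alice' => alice.public_key })
  seen = { placeholder: doc[:paragraphs][1],
           alice: outcome { access(tdo, signer.public_key, 'alice', alice) } }
  seen[:bob] = outcome { access(tdo, signer.public_key, 'bob', bob) }
  # An unsigned edit of the authority list (constructed key bytes) must fail step (B).
  tdo[:grants]['bob'] = bob.public_key.public_encrypt('k' * 32, OAEP)
  seen[:bob_after_edit] = outcome { access(tdo, signer.public_key, 'bob', bob) }
  seen
end

p demo if __FILE__ == $PROGRAM_NAME
```

Because the binding covers the key ciphertexts as well as the payload, adding an entry to the authority list after signing is rejected in (B) before any key is unwrapped.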
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed. Those skilled in the art to which the invention pertains will appreciate that insubstantial changes or modifications can be made without departing from the spirit of the invention as defined by the appended claims.

Claims (9)

1. A fine-grained file content protection method based on trusted format data, characterized by comprising the following processes:
encrypted document content is converted into a trusted data format, which is encapsulated and then embedded as a whole into the OpenXML document structure, while the original content is replaced with meaningless content;
access authority is set for the encrypted content in the trusted data format, and a user accesses the encrypted content in the trusted data format according to the user's own authority;
the trusted data format generation method comprises the following steps:
step 1, a user logs in, and the program verifies the user's identity and obtains the user's signature private key;
step 2, the user edits the Office document, selects the paragraphs or text to be protected, and a symmetric key is generated;
step 3, the selected text is encrypted with a symmetric algorithm using the symmetric key generated in step 2, and the resulting ciphertext is stored in the payload of the trusted data node;
step 4, the original data in the Office document is replaced with meaningless prompt information;
step 5, the authority information is stored in the assertion according to the access mode of the key;
step 6, the trusted data is signed with the private key of the current user.
2. The method for fine-grained protection of file contents based on trusted formatted data according to claim 1, wherein in step 2,
if the selected paragraph or text is protected in password mode, the user inputs a protection password; a digest is computed over the password, and the digest value is used as the key of the symmetric algorithm to encrypt the data.
3. The method for fine-grained protection of file contents based on trusted formatted data according to claim 1, wherein in step 2,
if the selected paragraph or text is protected according to user authority, a symmetric algorithm key is randomly generated, the key is encrypted with the encryption public key of a user who has decryption authority, and the key ciphertext is added to the trusted data node.
4. The method for fine-grained protection of file contents based on trusted formatted data according to claim 1, wherein in step 2,
if the selected paragraph or text is protected by a remote key, the key generation interface of the remote key is called, and a key access address is obtained and added to the trusted data node.
5. The method for protecting the fine granularity of the file contents based on the trusted data format as claimed in any one of claims 1 to 4, wherein the access process for the encrypted contents in the trusted data format is as follows:
(A) the accessing user logs in, the user's identity is verified, and the user's signature private key is obtained;
(B) the document containing the trusted data format is opened, and the integrity and trustworthiness of the trusted data are verified;
(C) the text content to be decrypted and viewed is selected, the encryption mode of that text is verified, and the accessing user decrypts it according to the corresponding encryption mode.
6. The fine-grained protection method for file content based on trusted formatted data as claimed in claim 5, wherein in (A),
if the document is protected in password mode, the accessing user inputs the password, a digest of the input password is computed to obtain the symmetric key, and decryption is carried out.
7. The fine-grained protection method for file content based on trusted formatted data as claimed in claim 5, wherein in (A),
if user identity authority protection is used, whether the current user has the authority is verified; if the user has the authority, the symmetric key is decrypted using the user's own encryption private key, and the plaintext of the text is obtained by decryption.
8. The fine-grained protection method for file content based on trusted formatted data as claimed in claim 5, wherein in (A),
if remote key protection is used, the key information is requested, and a user with the authority obtains the remote key for decryption.
9. The method for fine-grained protection of file content based on trusted formatted data according to claim 1, wherein the OpenXML document comprises a trusted data set, a trusted data set comprises a plurality of trusted data objects, and each trusted data object consists of encrypted document content and its protection mode declaration.
Priority Applications (1)

Application Number: CN201811606448.2A
Priority Date: 2018-12-27
Filing Date: 2018-12-27
Title: File content fine-grained protection method based on trusted format data

Publications (2)

CN109711181A, published 2019-05-03
CN109711181B, published 2020-12-29
