CN110602075A - File stream processing method, device and system for encryption access control - Google Patents

File stream processing method, device and system for encryption access control

Info

Publication number: CN110602075A
Authority: CN (China)
Prior art keywords: file, user, credential information, identifier, encrypted
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201910823417.0A
Other languages: Chinese (zh)
Inventors: 穆长春, 狄刚, 李红岗, 钱友才, 彭枫
Current assignee: Digital Currency Institute of the People's Bank of China (as listed by Google Patents)
Original assignee: Digital Currency Institute of the People's Bank of China

Classifications

    • H04L 63/0428: Network security; confidential data exchange among entities communicating through packet networks where the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08: Network security; authentication of entities
    • H04L 63/10: Network security; controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 63/108: Access control where the policy decisions are valid for a limited amount of time
    • H04L 67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 9/321: Cryptographic mechanisms for verifying the identity or authority of a user, or for message authentication, involving a third party or a trusted authority
    • H04L 9/3239: Message authentication using non-keyed cryptographic hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L 9/3247: Message authentication involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method, device and system for processing a file stream under encrypted access control, and relates to the field of computer technology. In one implementation the method comprises: receiving a file upload request sent by a first user; uploading the file to a file storage system and generating file credential information for the first user; encrypting the file credential information with the first user's public key; generating a file credential information identifier for the file for the first user; storing the encrypted file credential information together with the file credential information identifier for the first user; and sending the file credential information identifier to the first user to whom it corresponds. This implementation reduces the number of times the file has to be transmitted or circulated and improves the security of the file.

Description

File stream processing method, device and system for encryption access control
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for processing a file stream for encryption access control.
Background
With the development of internet technology, more and more information is transmitted and shared in the form of files, which greatly reduces the inconvenience that region and distance cause for the transfer of information. In practice, file circulation is handled as a file stream (the binary stream of the file), covering file upload, file download and so on. For example, a file provider can upload a file to a public file platform as a file stream for storage, and a file user can obtain it by downloading the file stream from that platform, so that files are transmitted and shared among different users.
In the course of implementing the invention, the inventors found at least the following problem in the prior art: since most network users operate anonymously, when a file is uploaded and downloaded many times there is no guarantee that a user downloading or using it is legitimate, nor that the file itself is reliable, so the file is exposed to security risks.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, apparatus and system for processing a file stream under encrypted access control. While a file is uploaded, file credential information and a file credential information identifier are generated for the corresponding user, so that when the file is later downloaded a user can obtain the file credential information only through the file credential information identifier that belongs to that user, and only then perform the download. This removes the possibility that an illegitimate user abuses or steals the file, and improves the security of the file.
To achieve the above object, according to a first aspect of the embodiments of the present invention, there is provided an encrypted file uploading method, including: receiving a file upload request sent by a first user, where the file upload request indicates the file and corresponding file information, and the file information includes a first user identifier of the first user; uploading the file to a file storage system to obtain a file identifier of the file in the file storage system; generating file credential information for the first user, the file credential information including the file identifier; encrypting the file credential information using a first user public key of the first user; generating a file credential information identifier for the file for the first user, the file credential information identifier indicating the first user to whom the file credential information belongs; storing the encrypted file credential information in correspondence with the file credential information identifier for the first user; and sending the file credential information identifier to the first user to whom it corresponds.
Optionally, the file information further includes an authorized user identifier list, which contains the authorized user identifiers of authorized users having operation authority for the file; the method then further includes: generating file credential information for each authorized user; encrypting each authorized user's file credential information with that authorized user's public key; generating, for each authorized user, an authorized file credential information identifier for the file, the authorized file credential information identifier indicating the authorized user to whom the file credential information belongs; storing the encrypted file credential information in correspondence with the authorized file credential information identifier for each authorized user; and sending each authorized file credential information identifier to the corresponding authorized user.
Optionally, the file information further includes the operation authority of each authorized user for the file, and the validity period of that operation authority.
Optionally, the file credential information identifier further indicates the operation authority of the first user for the file corresponding to that identifier, and the validity period of that operation authority; likewise the authorized file credential information identifier further indicates the operation authority of the corresponding authorized user for the file, and the validity period of that operation authority.
Optionally, the first user identifier is the first user public key; the authorized user identification list is the authorized user public key list, and the authorized user identification is the authorized user public key of the authorized user having the operation authority for the file.
Optionally, the uploading the file to a file storage system includes: encrypting the file, and uploading the encrypted file to the file storage system; the file credential information also includes a file key used to encrypt the file.
Optionally, the file identifier of the file in the file storage system is a hash value of the file.
Optionally, the file upload request further indicates a first user digest signed using the first user private key; the received signed first user digest is verified with the first user public key so as to verify the identity of the first user.
Optionally, the method further comprises: saving file related information to a database, the file related information comprising one or more of: the file identifier, the file credential information, the encrypted file credential information, the first user identifier, the first user public key, the authorized user identifier list, the authorized user public key list, the authorized file credential information identifier, the operation authority of the authorized user for the file, and the validity period of the operation authority.
To achieve the above object, according to a second aspect of the embodiments of the present invention, there is provided an encrypted file downloading method, including: receiving a file credential information acquisition request sent by a second user, where the request indicates a file credential information identifier identifying the file credential information that belongs to the second user; obtaining, according to the file credential information identifier, the file credential information encrypted with the second user public key of the second user, and sending it to the second user, the file credential information being what the second user uses to operate on the file; receiving a file download request sent by the second user, where the request indicates the file identifier of the file, the file identifier being recorded in the file credential information; obtaining the file from the file storage system according to the file identifier; and sending the file to the second user.
Optionally, the file credential information acquisition request further indicates a second user digest signed with the second user private key; the received signed second user digest is verified with the second user public key so as to verify the identity of the second user.
Optionally, the file credential information identifier further has a validity period; whether the current date falls within that validity period determines whether the file credential information encrypted with the second user public key is sent to the second user.
Optionally, the file identification is a hash value of the file.
Optionally, the file credential information further includes: a file key; the file key is used for the user to decrypt the received file.
To achieve the above object, according to a third aspect of embodiments of the present invention, there is provided an encrypted file management system including: the system comprises a file management server, a file storage system and a database; wherein,
the file management server is used for receiving a file uploading request sent by a first user, wherein the file uploading request indicates the file and corresponding file information, and the file information comprises a first user identifier of the first user; uploading the file to a file storage system to obtain a file identifier of the file in the file storage system; generating file credential information for the first user, the file credential information including the file identification; encrypting the file credential information using a first user public key of the first user; generating a file credential information identifier for the file for the first user, the file credential information identifier indicating the first user to which the file credential information belongs; correspondingly storing the encrypted file credential information and the file credential information identifier for the first user; sending the file credential information identifier to the first user corresponding to the file credential information identifier;
the file storage system is used for storing the file uploaded by the file management server and for generating the file identifier;
the database is configured to store file-related information, which includes one or more of the following: the file identifier, the first user public key, file credential information for the first user, and a file credential information identifier.
Optionally, the file management server is further configured to receive a file credential information acquisition request sent by a second user, where the request indicates a file credential information identifier identifying the file credential information that belongs to the second user; to obtain, according to the file credential information identifier, the file credential information encrypted with the second user public key of the second user, and send it to the second user, the file credential information being what the second user uses to operate on the file; to receive a file download request sent by the second user, where the request indicates the file identifier of the file, the file identifier being recorded in the file credential information; to obtain the file from the file storage system according to the file identifier; and to send the file to the second user.
In order to achieve the above object, according to a fourth aspect of the embodiments of the present invention, there is provided a file upload server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of the above-described methods of encrypted file upload.
To achieve the above object, according to a fifth aspect of the embodiments of the present invention, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements any one of the methods of encrypted file upload described above.
In order to achieve the above object, according to a sixth aspect of the embodiments of the present invention, there is provided a file download server, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out any of the methods of encrypted file downloading described above.
To achieve the above object, according to a seventh aspect of the embodiments of the present invention, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements any one of the methods of encrypted file downloading described above.
One embodiment of the above invention has the following advantages or benefits: the file is encrypted when it is uploaded, which ensures the security of the file; at the same time, file credential information encrypted with the user's public key and a file credential information identifier are generated and stored in correspondence, so that only the owner of the file credential information, i.e. the user holding the user private key that corresponds to the user public key, can obtain the corresponding file credential information and thereby download the corresponding file. This removes the possibility that an illegitimate user steals the file and improves the security of the file.
Further effects of the optional features above are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a method of encrypted file upload according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the main flow of another encrypted file upload method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the main flow of a further method of encrypted file upload according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the main flow of a method of encrypted file download according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main flow of another method of encrypted file download according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the main structure of an encrypted file management system according to an embodiment of the present invention;
FIG. 7 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 8 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Referring to FIG. 1, an embodiment of the present invention provides a method for uploading an encrypted file, which may specifically include the following steps:
step S101, receiving a file uploading request sent by a first user, wherein the file uploading request indicates the file and corresponding file information, and the file information comprises a first user identifier of the first user.
The first user identifier may be any identifier that represents the first user and distinguishes it from other users, such as a first user ID or a first user name, and the first user may be any user registered on the file management system, including an organization, an enterprise, an institution, an authority, etc. In one embodiment the first user identifier is the first user public key, i.e. the first user's public key is used to identify the first user. It is understood that the file upload request may further include a file name, file remarks and any other information related to the file to be uploaded.
In an optional embodiment, the file upload request further indicates a first user digest signed using the first user private key; the signed digest is verified with the first user public key so as to verify the identity of the first user. Verifying the legitimacy of the first user's identity prevents an illegitimate user from uploading unreliable, forged or tampered files, and further improves the security of file uploading.
Step S102: uploading the file to a file storage system, and obtaining a file identifier of the file in the file storage system.
The file identifier corresponds one to one with the file, and the corresponding file can be obtained from the file storage system only through the file identifier. In one embodiment, the file identifier of the file in the file storage system is the hash value of the file, that is, the file is located in the file storage system by the file hash generated when the file was stored.
In an optional implementation manner, in order to further improve the security of storing the file, the file is encrypted, and the encrypted file is uploaded to the file storage system. Specifically, the file may be encrypted and stored by generating a random file key, or the file may be encrypted and stored by generating a file key according to a specified rule.
Step S103, generating file credential information for the first user, where the file credential information includes the file identifier.
It can be understood that, because the file credential information includes the file identifier, after the file has been uploaded the first user can obtain the corresponding file from the file storage system according to the file credential information, and so carry out subsequent operations on the file, such as downloading it or authorizing other users to view or download it. It should be noted that file credential information corresponds one to one with the pair of file and user: when the same first user uploads different files, file credential information is generated for each uploaded file; when different first users upload the same file, different file credential information is generated for each first user.
It can be understood that, if the uploaded file is a ciphertext file, the corresponding file credential information further includes a file key for encrypting the file, that is, a key for decrypting the file, so that an owner of the file credential information can obtain the corresponding ciphertext file according to the file credential information and then decrypt the corresponding ciphertext file according to the corresponding file key to obtain the file.
Step S104, encrypting the file credential information by using the first user public key of the first user.
Because the file credential information is encrypted using the first user public key of the first user, only the first user private key corresponding to the first user public key can decrypt the encrypted file credential information. That is to say, the file credential information belonging to the first user can be used only by the first user, so that the one-to-one correspondence between the file credential information and the first user is further ensured, the possibility of stealing the file credential information is reduced, and the security of the file is improved.
Step S105, generating a file credential information identifier for the file for the first user, where the file credential information identifier indicates the first user to which the file credential information belongs.
Because the file credential information identifier (for example a file credential information ID) indicates the first user to whom the file credential information belongs, the identifier rather than the credential information itself can be sent to the corresponding first user, who then obtains the corresponding file credential information by means of the identifier. This avoids the information leakage or interception that could occur if the file credential information were sent to the first user directly, and further reduces the possibility of the file credential information being stolen.
Step S106, correspondingly storing the encrypted file credential information and the file credential information identifier for the first user.
It can be understood that after this corresponding storage, once the file credential information identifier is obtained, the corresponding file credential information can be looked up from the stored correspondence; alternatively, the corresponding first user identifier and first user public key can be obtained, and from them the corresponding file credential information.
Step S107: sending the file credential information identifier to the first user to whom it corresponds.
The first user's file credential information identifier is sent to the first user, so that after the file has been uploaded the first user can obtain the file credential information by means of the corresponding identifier and so operate on the file.
It should be noted that, in order to cope with an attack on or crash of the file storage system that loses or tampers with information related to the file upload, and to guarantee the disaster-tolerance capability of the systems involved in file uploading, file-related information is also saved in a database. The file-related information includes one or more of: the file identifier, the file credential information, the encrypted file credential information, the first user identifier, the first user public key, the authorized user identifier list, the authorized user public key list, the authorized file credential information identifier, the operation authority of the authorized user for the file, and the validity period of the operation authority.
Based on the file uploading method provided by this embodiment, the legitimacy of the first user's identity is ensured by verifying the first user's signature before the file is uploaded, which prevents illegitimate uploads; the file is encrypted before it is uploaded, which improves the security of file storage; in subsequent operations the file credential information and the file credential information identifier take the place of transmitting the file itself, which greatly reduces how often the file is transmitted and improves its security; and because the file credential information is encrypted with the user public key, only the owner of the file credential information, i.e. the user holding the user private key that corresponds to the user public key, can obtain it, which prevents the file credential information from being stolen by an unauthorized user and further improves the security of the file.
Referring to fig. 2, on the basis of the foregoing embodiment, an embodiment of the present invention provides an encrypted file uploading method that not only uploads a file but also grants other users authority to operate on the uploaded file. It includes the following steps:
Step S201, the file information further includes an authorized user identifier list, which contains the authorized user identifiers of the authorized users having operation authority on the file.
To authorize other users during the upload, the file information indicated by the file upload request also includes an authorized user identifier list, so that the file management system can grant each corresponding authorized user the authority to operate on the file according to the authorized user identifiers in the list.
In an optional implementation, the authorized user identifier list is an authorized user public key list, and each authorized user identifier is the authorized user public key of an authorized user having operation authority on the file. Since the first user requesting the upload may also need to operate on the uploaded file later, the first user identifier or first user public key of the first user may also be included in the authorized user identifier list.
Further, the file information also includes the operation authority of each authorized user for the file and the validity period of that operation authority. Different authorized users may have different operation authority for the same file; the operation authority may include downloading, viewing, browsing, and authorizing the file for use by others. The validity period can be set according to actual needs, may be specified down to the year, month, day or hour, and may be a point in time, a period of time, or indefinite.
Step S202, generating file credential information for each authorized user.
The file credential information corresponds one-to-one with the pair of file and authorized user: the file credential information for different files of the same authorized user is different, and the file credential information for the same file of different authorized users is also different. The file credential information includes a file identifier corresponding to the file, such as a file HASH; where the uploaded and stored file is an encrypted file, it also includes the file key, so that an authorized user who obtains the encrypted file can decrypt it with the corresponding file key; and it indicates the authorized user to whom it belongs. In addition, the file credential information has a validity period and records the operation authority of the authorized user for the file within that validity period.
Step S203, encrypting each item of file credential information with the authorized user public key of the corresponding authorized user.
Because the file credential information can be used to obtain the corresponding file by way of the file identifier, the file credential information is encrypted to protect it. The file credential information may be encrypted with a symmetric encryption algorithm or with an asymmetric algorithm. In this embodiment, it is encrypted with the public key of the authorized user, so the encrypted file credential information can be decrypted only with the authorized user private key corresponding to that public key. That is, the file credential information belonging to an authorized user can be used only by that authorized user, which further ensures the one-to-one correspondence between file credential information and authorized user, reduces the possibility of the file credential information being stolen, and improves the security of the file.
Step S204, generating an authorized file credential information identifier of the file for each authorized user, the authorized file credential information identifier indicating the authorized user to whom the file credential information belongs.
To further improve the security of the file credential information of an authorized user and avoid information leakage or interception while it is being sent to the authorized user, the file credential information identifier corresponding to the file credential information is transmitted and circulated over the network in its place.
In an optional embodiment, the file credential information identifier further indicates the operation authority of the first user for the file and the validity period of that operation authority, and the authorized file credential information identifier further indicates the operation authority of the corresponding authorized user for the file and its validity period. The operation authority and validity period for the same file may differ completely between authorized users: every item of file credential information has its own validity period, and authorized users have different permissions for operating on the file with their file credential information; for example, some may download the file, some may only view it, and some may authorize it to other users. Therefore, when the file credential information identifier indicates the authorized user to whom the file credential information belongs, it also indicates that user's authority and validity period for operating on the file with the file credential information, so that the authorized user can operate on the file within the granted authority and validity period using the file credential information identifier.
Step S205, correspondingly storing the encrypted file credential information and the authorized file credential information identifier for each authorized user.
Because the file credential information replaces the file for transmission and circulation, and the file credential information identifier in turn replaces the file credential information, the encrypted file credential information and the authorized file credential information identifier are stored in correspondence with each other, for example as records, so that a user can obtain the corresponding file credential information from a file credential information identifier and then operate on the file according to the file credential information. The authorized user identifier or authorized user public key can also be stored together with them, so that the file credential information can be looked up by authorized user identifier or authorized user public key as well.
Step S206, sending the authorized file credential information identifier to the corresponding authorized user.
After the authorized file credential information identifier has been sent to the corresponding authorized user, the authorized user can obtain the corresponding file credential information using that identifier and thereby operate on the file. The authorized file credential information identifier can be sent directly to the authorized user by the file management system performing the authorization, or it can first be sent to the first user who requested the upload, so that the first user forwards it to the authorized user over any communication channel agreed with that user, which further improves security during transmission of the identifier.
Referring to fig. 3, on the basis of the foregoing embodiment, an embodiment of the present invention provides an encrypted file uploading method that may include the following steps:
Step S301, receiving a file upload request sent by a first user.
The file upload request indicates the file to be uploaded and the corresponding file information; the file information includes a first user identifier of the first user and an authorized user identifier list, and the authorized user identifier list contains the authorized user identifiers of the authorized users having operation authority on the file. The file upload request also indicates a first user digest signed with the first user private key. The file upload request may further include a file name, file remarks, and any other information related to the file that needs to be uploaded. Where the first user identifier is the first user public key, the authorized user public key of each authorized user can serve as the authorized user identifier, and the authorized user identifier list can contain the first user identifier of the first user, so that the first user, once authorized, can continue to operate on the uploaded file.
Further, the file information also includes the operation authority of the authorized user for the file and the validity period of that authority, so that the authorized user can operate on the file only within the specified validity period and the specified operation authority, which prevents illegal use or abuse of the file.
Step S302, determining whether the first user passes identity verification; if not, the file upload process ends, and if so, the following steps S303 to S309 are executed.
The received first user digest is decrypted with the first user public key in order to verify the first user's identity. Specifically, together with the file upload request, a first user digest signed with the first user private key and the corresponding digest plaintext are received; the private key signature on the first user digest is decrypted with the first user public key to obtain the first user digest, which is compared with the digest plaintext. If they are consistent, the first user's identity passes verification, that is, the first user is legitimate, and the subsequent upload and authorization steps continue; if they are inconsistent, identity verification fails, that is, the first user is illegitimate, and the process ends, so that a user with an illegitimate identity cannot upload a file. This prevents an illegitimate user from uploading unreliable, untrue or falsified files and authorizing others to use them, and further improves the security of file uploading.
Step S303, encrypting the file and uploading the encrypted file to a file storage system.
To further improve file security and prevent a confidential file from being stolen or tampered with, the file is encrypted before upload, so that only a user holding the corresponding file key can actually use the file. The file may be encrypted with a symmetric encryption algorithm or with an asymmetric encryption algorithm; this embodiment uses a symmetric algorithm as the example. After the encrypted file binary stream has been uploaded to the file storage system, the file storage system can, to further secure storage, keep the encrypted binary stream in fragments across multiple locations and generate a corresponding file identifier such as a file HASH, so that the file can be retrieved from the file storage system only by its file HASH.
Step S304, generating file credential information.
To further prevent the file from being intercepted or leaked during transmission or circulation, file credential information corresponding one-to-one to the file and to a user with operation authority is transmitted and circulated in place of the file, which greatly reduces how often the file travels over the network and improves its security. The file credential information includes the file identifier, the file key, and so on. The generated file credential information may be that of the first user or that of an authorized user; that is, the file may be authorized while it is being uploaded. In addition, the file credential information has a validity period and indicates the first user or authorized user to whom it belongs, that user's operation authority for the file, and the like.
Step S305, encrypting the file credential information.
The file credential information is encrypted with the user public key of the first user or authorized user to whom it belongs, so that it can be decrypted only with the user private key corresponding to that public key; that is, only the user to whom the file credential information belongs can use it, which further ensures the security of the file credential information and that it is specific to that user.
Step S306, generating a file credential information identifier.
The file credential information identifier corresponding to the file credential information is transmitted and circulated over the network in place of the file credential information, which improves the security of the file credential information. The file credential information identifier corresponds one-to-one with the file credential information, indicates the user to whom the file credential information belongs, such as the first user or an authorized user, and also indicates the validity period of the file credential information and the user's authority to operate on the file with it.
Step S307, correspondingly storing the file credential information and the file credential information identifier.
Once the file credential information, the file credential information identifier and the user identifier or user public key have been stored in correspondence with each other, the first user or authorized user can obtain the file credential information through the file credential information identifier, provided only that they hold that identifier, and thereby operate on the file. This makes it possible to transmit and circulate the file credential information identifier and the file credential information over the network instead of the file itself, which reduces the frequency of file transmission and improves file security.
Step S308, sending the file credential information identifier to the corresponding user.
The file credential information identifier can be sent by the file management system directly to the authorized user or first user to whom it belongs, or it can first be sent to the first user who requested the upload, so that the first user forwards the file credential information identifier to the corresponding authorized user over any communication channel agreed with that user, which further improves security during transmission of the authorized file credential information identifier.
Step S309, saving the file-related information to the database.
As above, information related to file uploading and file authorization can be saved to a database as a backup.
Referring to fig. 4, on the basis of the foregoing embodiment, an embodiment of the present invention provides a method for downloading an encrypted file, which may include the following steps:
Step S401, receiving a file credential information acquisition request sent by a second user, where the request indicates a file credential information identifier that identifies the file credential information belonging to the second user for the file.
In an optional embodiment, the file credential information acquisition request further indicates a second user digest signed with the second user private key, and the received second user digest is decrypted with the second user public key in order to verify the second user's identity. Specifically, the request also indicates the digest plaintext corresponding to the second user digest; the second user public key is used to decrypt and obtain the second user digest, which is compared with the digest plaintext. If they are consistent, identity verification passes and the download process continues; if they are inconsistent, the second user is illegitimate and the download process ends, so that an illegitimate second user cannot download the file, which further protects the file.
Step S402, obtaining, according to the file credential information identifier, the file credential information encrypted with the second user public key of the second user, and sending it to the second user, where the file credential information is used by the second user to operate on the file.
In an alternative embodiment, the file credential information identifier also has a validity period, and whether the current date falls within that validity period determines whether the file credential information encrypted with the second user public key is sent to the second user. When the current date is outside the validity period, the encrypted file credential information is not sent and the second user cannot download the file with it; when the current date is within the validity period, the encrypted file credential information is sent to the second user, who can then download the file with it.
Step S403, receiving a file download request sent by the second user, where the file download request indicates the file identifier of the file, which is recorded in the file credential information.
After receiving the file credential information encrypted with the second user public key, the second user decrypts it with the corresponding second user private key; without that private key the second user cannot obtain the file identifier and other information contained in the file credential information, which prevents the file credential information from being abused and further protects it.
Furthermore, after the file credential information has been decrypted, and to protect the file identifier while the file download request is being sent, the file identifier may be encrypted with the public key of the file management system before transmission, or transmitted using any encrypted transmission mode agreed between the file management system and the second user, so that the file management system recovers the file identifier with its corresponding private key or decryption key after receiving it.
In an optional embodiment, the file credential information further includes a file key, which the user uses to decrypt the received file.
Step S404, obtaining the file from the file storage system according to the file identifier.
The file identifier uniquely identifies the file in the file storage system and is used to retrieve it; it may be, for example, the HASH value of the file (the file HASH) computed when the file was stored. That is, the corresponding file can be retrieved from the file stor<br>age system using only the file identifier.
Step S405, sending the file to the second user.
If the file was encrypted with the file key when it was uploaded, the file obtained from the file storage system is the encrypted file, and only the second user, using the file key contained in the file credential information, can decrypt it. This prevents tampering with or theft of the file during download and further improves its security during the download process.
On the basis of this embodiment, when the second user downloads a file using the file credential information identifier, the security of the download is ensured by verifying both the legitimacy of the second user's identity and the validity period of the file credential information; and because the file credential information must be decrypted before the file can be decrypted, the legitimacy of the second user downloading the file is further ensured and the security of the file is improved.
Referring to fig. 5, on the basis of the foregoing embodiment, an embodiment of the present invention provides a method for downloading an encrypted file, which may include the following steps:
Step S501, receiving a file credential information acquisition request sent by a second user.
The file credential information acquisition request indicates the file credential information identifiers of the second user, a second user digest signed with the second user private key, the digest plaintext, and so on.
Step S502, determining whether the second user passes identity verification; if not, the file download process ends, and if so, the subsequent steps are executed.
Specifically, the received second user digest is decrypted with the second user public key and compared with the digest plaintext. If they are consistent, the second user passes identity verification and steps S503 to S507 are executed; if they are inconsistent, the second user fails identity verification and the file download process ends, which prevents an illegitimate user from downloading the file.
Step S503, determining whether the validity period of the file credential information passes verification; if not, the file download process ends, and if so, the subsequent steps are executed.
Whether the current date falls within the validity period indicated by the file credential information identifier determines whether the file credential information encrypted with the second user public key is sent to the second user. If the current date is within the validity period, that is, the second user may currently download the file, the encrypted file credential information is sent to the second user; if the current date is not within the validity period, that is, the second user may not currently download the file, the encrypted file credential information is not sent and the file download process is terminated, so that a user without current download authority cannot download the file.
Step S504, obtaining the encrypted file credential information and sending it to the second user.
The encrypted file credential information is looked up from the received file credential information identifier, using the stored correspondence between file credential information identifiers and encrypted file credential information. The encrypted file credential information is the file credential information encrypted with the second user public key, and it can be decrypted only with the second user private key. The decrypted file credential information includes a file key and a file identifier: the file key is the key with which the corresponding file was encrypted and can be decrypted, and the file identifier, such as a file HASH, uniquely identifies the corresponding file in the file storage system and indicates which file the second user needs to download.
Step S505, receiving a file download request sent by the second user.
Specifically, the file download request indicates the file identifier of the file the second user needs to download, that is, the file identifier obtained once the second user has successfully decrypted the file credential information. To protect the file identifier in transit, the second user may transmit it in encrypted form, for example after encrypting it with the public key of the file management system.
Step S506, obtaining the file from the file storage system.
Where the file identifier was encrypted with the public key of the file management system, it is decrypted with the private key of the file management system to obtain the file identifier, which is then used to obtain the corresponding file from the file storage system.
Step S507, sending the file to the second user.
If the file is an encrypted file, the file credential information corresponding to it includes the corresponding file key, so that after decrypting the file credential information the second user can decrypt the received file with the file key, completing the download while keeping the file secure throughout the download process.
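The authorization steps S201 to S206, the upload procedure of steps S301 to S308 and the download procedure of steps S501 to S507, as an added worked example in Go that is not part of the patent. It assumes one RSA key pair of at least 3072 bits per user, used both for the user digest signature (RSA-PSS) and for encrypting the file credential information (RSA-OAEP), AES-256-GCM as the symmetric file cipher, and in-memory maps in place of the file storage system and database; every type and function name here is this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

type Credential struct { // the file credential information of S304/S504: one per (file, user)
	FileID   string         // file HASH under which the storage system keeps the sealed stream
	FileKey  []byte         // AES-256-GCM key the stream was sealed with (S303)
	UserID   string         // user the credential belongs to
	Rights   []string       // operation authority, e.g. "download", "view"
	NotAfter time.Time      // validity period of that authority
	Pub      *rsa.PublicKey `json:"-"` // authorized user public key (the identifier); never serialised
}

type record struct { // what S307 stores per identifier; pub lets S502 check who may fetch it
	pub      *rsa.PublicKey
	enc      []byte // credential encrypted under pub (S305)
	notAfter time.Time
}

type Server struct { // stands in for file management server, file storage system and database
	Files map[string][]byte // file identifier -> sealed file stream; S506 reads it back by identifier
	creds map[string]record // file credential information identifier -> record (S307)
}

func NewServer() *Server { return &Server{map[string][]byte{}, map[string]record{}} }

// VerifyUser is the identity check of S302/S502: sig must be rsa.SignPSS over the SHA-256 digest of msg.
func VerifyUser(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Upload runs S301..S308 for the first user's signed request (msg, sig), the file and the grant list
// (UserID, Rights, NotAfter and Pub per authorized user). Returns UserID -> credential identifier.
func (s *Server) Upload(firstPub *rsa.PublicKey, msg, sig, plain []byte, grants []Credential) (map[string]string, error) {
	if !VerifyUser(firstPub, msg, sig) { // S302: an unverified identity cannot upload
		return nil, fmt.Errorf("first user identity verification failed")
	}
	key, nonce := make([]byte, 32), make([]byte, 12) // S303: fresh file key; nonce is prepended
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // 32-byte key, so no error
	g, _ := cipher.NewGCM(block)
	ct := append(nonce, g.Seal(nil, nonce, plain, nil)...)
	fileID := fmt.Sprintf("%x", sha256.Sum256(ct)) // the file identifier is the HASH of the stored stream
	s.Files[fileID] = ct
	ids := map[string]string{}
	for _, cred := range grants { // S304..S307, once per authorized user
		cred.FileID, cred.FileKey = fileID, key
		raw, _ := json.Marshal(cred)
		// S305: RSA-OAEP straight over the JSON (fits 3072-bit keys); production would wrap a content key
		enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cred.Pub, raw, nil)
		if err != nil {
			return nil, err
		}
		id := make([]byte, 16) // S306: random opaque identifier; it reveals nothing about the file
		rand.Read(id)
		s.creds[fmt.Sprintf("%x", id)] = record{cred.Pub, enc, cred.NotAfter}
		ids[cred.UserID] = fmt.Sprintf("%x", id)
	}
	return ids, nil
}

// GetCredential runs S501..S504: identity, ownership and validity are checked before release.
func (s *Server) GetCredential(id string, msg, sig []byte, now time.Time) ([]byte, error) {
	rec, ok := s.creds[id]
	if !ok || !VerifyUser(rec.pub, msg, sig) { // S502: unknown identifier, or not signed by its owner
		return nil, fmt.Errorf("second user identity verification failed")
	}
	if now.After(rec.notAfter) { // S503
		return nil, fmt.Errorf("credential validity period has expired")
	}
	return rec.enc, nil
}

func OpenCredential(priv *rsa.PrivateKey, enc []byte) (c Credential, err error) { // user side of S504
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc, nil)
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

func OpenFile(key, ct []byte) ([]byte, error) { // user side of S507: needs the 32-byte key from the credential
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
```

A caller generates 3072-bit keys for the first and second user, calls Upload with the first user's signed request, then on the second user's side calls GetCredential, OpenCredential and finally OpenFile on the stream read from Files by the file identifier; a signature under another user's key, an expired validity period or the wrong private key each fail at the step the patent describes.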
Referring to fig. 6, an embodiment of the present invention provides an encrypted file management system 600, including a file management server 601, a file storage system 602 and a database 603, wherein:
the file management server 601 is configured to receive a file upload request sent by a first user, where the file upload request indicates the file and corresponding file information, and the file information includes a first user identifier of the first user; upload the file to the file storage system and obtain the file identifier of the file in the file storage system; generate file credential information for the first user, the file credential information including the file identifier; encrypt the file credential information with the first user public key of the first user; generate a file credential information identifier of the file for the first user, the file credential information identifier indicating the first user to whom the file credential information belongs; correspondingly store the encrypted file credential information and the file credential information identifier for the first user; and send the file credential information identifier to the first user to whom it corresponds;
the file storage system 602 is configured to store the file uploaded by the file management system and generate the file identifier;
the database 603 is configured to store file-related information, which includes one or more of the following: the file identifier, the first user public key, the file credential information of the authorized user, and the file credential information identifier.
Optionally, the file management server 601 is further configured to receive a file credential information acquisition request sent by a second user, where the request indicates a file credential information identifier that identifies the file credential information belonging to the second user for the file; obtain, according to the file credential information identifier, the file credential information encrypted with the second user public key of the second user and send it to the second user, where the file credential information is used by the second user to operate on the file; receive a file download request sent by the second user, where the file download request indicates the file identifier of the file, which is recorded in the file credential information; obtain the file from the file storage system according to the file identifier; and send the file to the second user.
Fig. 7 illustrates an exemplary system architecture 700 to which the encrypted file upload method or encrypted file download of embodiments of the present invention may be applied.
As shown in fig. 7, the system architecture 700 may include terminal devices 701, 702, 703, a network 704, and a server 705. The network 704 serves to provide a medium for communication links between the terminal devices 701, 702, 703 and the server 705. Network 704 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 701, 702, 703 to interact with a server 705 over a network 704, to receive or send messages or the like. Various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like, may be installed on the terminal devices 701, 702, and 703.
The terminal devices 701, 702, 703 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 705 may be a server that provides various services, for example a background management server that supports shopping websites browsed by users of the terminal devices 701, 702, and 703. The background management server may analyze and otherwise process received data such as a product information query request, and feed the processing result (for example, target push information or product information; this is only an example) back to the terminal device.
It should be noted that the encrypted file uploading and encrypted file downloading methods provided by the embodiments of the present invention are generally executed by the server 705.
It should be understood that the number of terminal devices, networks, and servers in fig. 7 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 8, shown is a block diagram of a computer system 800 suitable for implementing a terminal device of an embodiment of the present invention. The terminal device shown in fig. 8 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present invention.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The RAM 803 also stores various programs and data necessary for the operation of the system 800. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse, and the like; an output section 807 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 810 as necessary, so that a computer program read from it can be installed into the storage section 808 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. When executed by the Central Processing Unit (CPU) 801, the computer program performs the functions defined in the system of the present invention described above.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium, a computer readable storage medium, or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: receiving a file uploading request sent by a first user, wherein the file uploading request indicates the file and corresponding file information, and the file information comprises a first user identifier of the first user; uploading the file to a file storage system to obtain a file identifier of the file in the file storage system; generating file credential information for the first user, the file credential information including the file identifier; encrypting the file credential information using a first user public key of the first user; generating a file credential information identifier for the file for the first user, the file credential information identifier indicating the first user to which the file credential information belongs; correspondingly storing the encrypted file credential information and the file credential information identifier for the first user; and sending the file credential information identifier to the first user corresponding to the file credential information identifier.
According to the technical scheme of the embodiment of the invention, because the file is encrypted when it is uploaded, the security of the file is ensured; at the same time, file credential information encrypted with the user public key and a file credential information identifier are generated and stored in correspondence with each other, so that only the owner of the file credential information, that is, the user holding the user private key corresponding to that public key, can obtain the corresponding file credential information and thereby download the corresponding file. This prevents an unauthorized user from obtaining the file and improves file security.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (20)

1. A method of encrypted file upload, comprising:
receiving a file uploading request sent by a first user, wherein the file uploading request indicates the file and corresponding file information, and the file information comprises a first user identifier of the first user;
uploading the file to a file storage system to obtain a file identifier of the file in the file storage system;
generating file credential information for the first user, the file credential information including the file identifier;
encrypting the file credential information using a first user public key of the first user;
generating a file credential information identifier for the file for the first user, the file credential information identifier indicating the first user to which the file credential information belongs;
correspondingly storing the encrypted file credential information and the file credential information identifier for the first user;
and sending the file credential information identifier to the first user corresponding to the file credential information identifier.
2. The encrypted file uploading method according to claim 1, wherein
the file information further includes an authorized user identifier list, the authorized user identifier list comprising the authorized user identifiers of authorized users having operation authority over the file; and the method further comprises:
generating file credential information for each of the authorized users;
encrypting the file credential information with the authorized user public key of each authorized user;
generating, for each authorized user, an authorized file credential information identifier for the file, the authorized file credential information identifier indicating the authorized user to which the file credential information belongs;
correspondingly storing the encrypted file credential information and the authorized file credential information identifier for the authorized user;
and sending the authorized file credential information identifier to the corresponding authorized user.
3. The encrypted file uploading method according to claim 2, wherein the file information further includes: the operation authority of the authorized user over the file, and the validity period of the operation authority.
4. The encrypted file uploading method according to claim 3, wherein
the file credential information identifier further indicates the operation authority of the first user corresponding to the file credential information identifier for the file, and the validity period of the operation authority;
the authorized file credential information identifier further indicates the operation authority of the authorized user corresponding to the authorized file credential information identifier for the file, and the validity period of the operation authority.
5. The encrypted file uploading method according to claim 2, wherein
the first user identifier is the first user public key;
the authorized user identifier list is an authorized user public key list, and each authorized user identifier is the authorized user public key of an authorized user having operation authority over the file.
6. The encrypted file uploading method according to claim 1, wherein uploading the file to a file storage system comprises:
encrypting the file, and uploading the encrypted file to the file storage system;
the file credential information also includes a file key used to encrypt the file.
7. The encrypted file uploading method according to claim 1, wherein
the file identifier of the file in the file storage system is the hash value of the file.
8. The encrypted file uploading method according to claim 1, wherein
the file upload request further indicates a first user digest signed using the first user private key;
and the received first user digest is decrypted with the first user public key so as to verify the identity of the first user.
9. The encrypted file uploading method according to claim 3, further comprising:
saving file related information to a database, the file related information comprising one or more of: the file identifier, the first user public key, the authorized user identifier list, the authorized user public key list, file credential information respectively corresponding to the first user and the authorized user, encrypted file credential information respectively corresponding to the first user and the authorized user, the file credential information identifier corresponding to the first user and the authorized file credential information identifier for the authorized user, the operation authority of the authorized user and the first user over the file, and the validity period of the operation authority.
10. An encrypted file download method, comprising:
receiving a file credential information acquisition request sent by a second user, wherein the file credential information acquisition request indicates a file credential information identifier for identifying that the file belongs to the second user;
acquiring file credential information encrypted by a second user public key of the second user according to the file credential information identifier, and sending the file credential information encrypted by the second user public key to the second user, wherein the file credential information is used for the second user to operate the file;
receiving a file downloading request sent by a second user, wherein the file downloading request indicates a file identifier for the file, and the file identifier is recorded in the file credential information;
acquiring the file from a file storage system according to the file identifier;
and sending the file to the second user.
11. The encrypted file download method according to claim 10, wherein
the file credential information acquisition request further indicates a second user digest signed using the second user private key;
and the received second user digest is decrypted with the second user public key so as to verify the identity of the second user.
12. The encrypted file download method according to claim 10, wherein
the file credential information identifier also has a validity period;
and whether the current date is within the validity period is determined according to the validity period of the file credential information identifier, so as to decide whether to send the file credential information encrypted with the second user public key to the second user.
13. The encrypted file download method according to claim 10, wherein
the file identifier is a hash value of the file.
14. The encrypted file download method according to claim 10, wherein
the file credential information further comprises a file key;
and the file key is used by the user to decrypt the received file.
15. An encrypted file management system, comprising a file management server, a file storage system and a database; wherein
the file management server is configured to perform:
receiving a file uploading request sent by a first user, wherein the file uploading request indicates the file and corresponding file information, and the file information comprises a first user identifier of the first user;
uploading the file to a file storage system to obtain a file identifier of the file in the file storage system;
generating file credential information for the first user, the file credential information including the file identification;
encrypting the file credential information using a first user public key of the first user;
generating a file credential information identifier for the file for the first user, the file credential information identifier indicating the first user to which the file credential information belongs;
correspondingly storing the encrypted file credential information and the encrypted file credential information identifier for the first user;
sending the file credential information identifier to the first user corresponding to the file credential information identifier;
the file storage system is configured to store the file uploaded by the file management server and to generate the file identifier;
the database is configured to store file-related information, which includes one or more of the following: the file identifier, the first user public key, file credential information for the authorized user, and a file credential information identifier.
16. The encrypted file management system according to claim 15, wherein
the file management server is further configured to perform:
receiving a file credential information acquisition request sent by a second user, wherein the file credential information acquisition request indicates a file credential information identifier for identifying that the file belongs to the second user;
acquiring file credential information encrypted by a second user public key of the second user according to the file credential information identifier, and sending the file credential information encrypted by the second user public key to the second user, wherein the file credential information is used for the second user to operate the file;
receiving a file downloading request sent by a second user, wherein the file downloading request indicates a file identifier for the file, and the file identifier is recorded in the file credential information;
acquiring the file from a file storage system according to the file identifier;
and sending the file to the second user.
17. A server, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-9.
18. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-9.
19. A server, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 10-14.
20. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 10-14.
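The upload and download procedure of claims 1 to 14 (the same flow the file management server 601 and the computer-readable medium section describe), as an added example in Go; it is not part of the patent and not code from the applicant. It assumes RSA-OAEP for wrapping the file credential information with the user public key, RSA-PSS for the signed user digest of claims 8 and 11, AES-256-GCM as the file cipher of claim 6, the SHA-256 of the stored blob as the file identifier of claim 7, and a credential identifier derived by hashing the file identifier together with the user's key. The names Server, Upload, FetchCredential, Retrieve and NewUserKey are the example's own, the upload-time digest check of claim 8 is left out (it is the same verification FetchCredential performs), and the sample document is constructed here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// record is one database row (claim 9): the wrapped credential, the user's key fingerprint, and the expiry (claim 4).
type record struct {
	encrypted []byte
	userFP    string
	expires   time.Time
}

// Server stands in for the file management server; storage is the in-memory file storage system, keyed by blob hash (claim 7).
type Server struct {
	storage map[string][]byte
	creds   map[string]record
	now     func() time.Time // injectable clock so the expiry check (claim 12) is testable
}
func NewServer() *Server { return &Server{map[string][]byte{}, map[string]record{}, time.Now} }

// NewUserKey makes a user's RSA key pair; the public key identifies the user (claim 5),
// wraps credentials (claim 1) and verifies request signatures (claims 8 and 11).
func NewUserKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func hexHash(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// credentialID is the file credential information identifier; tying it to the file and the user's key is an assumption.
func credentialID(fileID string, pub *rsa.PublicKey) string { return hexHash([]byte(fileID + ":" + hexHash(pub.N.Bytes()))) }

// Upload implements claims 1, 2, 4, 6 and 7: encrypt the file under a fresh AES-256-GCM key, store the blob
// under its hash, then issue one wrapped credential per user (owner first, then authorized users), returning their identifiers.
func (s *Server) Upload(plaintext []byte, users []*rsa.PublicKey, validity time.Duration) ([]string, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil { return nil, err }
	block, _ := aes.NewCipher(fileKey) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	blob := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	fileID := hexHash(blob)
	s.storage[fileID] = blob
	cred := append([]byte(fileID), fileKey...) // file credential information: identifier || file key (claims 1, 6)
	var ids []string
	for _, pub := range users {
		enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cred, nil)
		if err != nil { return nil, err }
		id := credentialID(fileID, pub)
		s.creds[id] = record{enc, hexHash(pub.N.Bytes()), s.now().Add(validity)}
		ids = append(ids, id)
	}
	return ids, nil
}

// FetchCredential implements claims 10 to 12: the requester signs the credential identifier; the server verifies
// the signature with the user's public key, checks the credential belongs to that key, and refuses it once expired.
func (s *Server) FetchCredential(credID string, pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	digest := sha256.Sum256([]byte(credID))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("identity verification failed")
	}
	rec, ok := s.creds[credID]
	if !ok || rec.userFP != hexHash(pub.N.Bytes()) { return nil, errors.New("no credential for this user") }
	if s.now().After(rec.expires) { return nil, errors.New("operation authority has expired") }
	return rec.encrypted, nil
}

// Retrieve is the second user's side of claims 10 and 14: sign the request, unwrap the
// credential with the private key, download the blob by its identifier and decrypt it.
func Retrieve(s *Server, priv *rsa.PrivateKey, credID string) ([]byte, error) {
	digest := sha256.Sum256([]byte(credID))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	enc, err := s.FetchCredential(credID, &priv.PublicKey, sig)
	if err != nil { return nil, err }
	cred, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc, nil)
	if err != nil || len(cred) != 64+32 { return nil, errors.New("credential unwrap failed") }
	blob, ok := s.storage[string(cred[:64])] // file download request, by the recorded identifier
	if !ok { return nil, errors.New("unknown file identifier") }
	block, _ := aes.NewCipher(cred[64:]) // the 32-byte file key carried in the credential
	gcm, _ := cipher.NewGCM(block)
	if ns := gcm.NonceSize(); len(blob) >= ns { return gcm.Open(nil, blob[:ns], blob[ns:], nil) }
	return nil, errors.New("stored blob too short")
}

func main() {
	owner, s := NewUserKey(), NewServer()
	ids, _ := s.Upload([]byte("constructed sample document"), []*rsa.PublicKey{&owner.PublicKey}, time.Hour)
	out, err := Retrieve(s, owner, ids[0])
	fmt.Printf("%q %v\n", out, err)
}
```

The database row holds only the wrapped credential, so a dump of it yields neither the file key nor a usable identifier without a user's private key; the check that the record's fingerprint matches the requester's key is a defensive addition beyond the claims, so that a user who learns someone else's credential identifier cannot even obtain the wrapped blob, and the expiry comparison is the validity-period test of claim 12.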

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910753304 2019-08-15
CN2019107533048 2019-08-15

Publications (1)

Publication Number Publication Date
CN110602075A true CN110602075A (en) 2019-12-20

Family

ID=68856967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910823417.0A Pending CN110602075A (en) 2019-08-15 2019-09-02 File stream processing method, device and system for encryption access control

Country Status (1)

Country Link
CN (1) CN110602075A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112350824A (en) * 2020-10-27 2021-02-09 杭州安恒信息技术股份有限公司 Key distribution method, system and computer equipment in data sharing exchange
CN114745372A (en) * 2022-05-10 2022-07-12 南京酷派软件技术有限公司 File sending method and related equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101989984A (en) * 2010-08-24 2011-03-23 北京易恒信认证科技有限公司 Electronic document safe sharing system and method thereof
CN108462568A (en) * 2018-02-11 2018-08-28 西安电子科技大学 A kind of secure file storage and sharing method based on block chain
CN109684867A (en) * 2018-11-20 2019-04-26 深圳供电局有限公司 Method, device and system for controlling network disk file cooperation and access
CN109766322A (en) * 2018-12-30 2019-05-17 三盟科技股份有限公司 A kind of data share exchange method and system
CN109768987A (en) * 2019-02-26 2019-05-17 重庆邮电大学 A kind of storage of data file security privacy and sharing method based on block chain
US20190205556A1 (en) * 2017-12-28 2019-07-04 Dropbox, Inc. Traversal rights


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191220