CN110795766A

CN110795766A - Electronic file data security system and method

Info

Publication number: CN110795766A
Application number: CN201911065982.1A
Authority: CN
Inventors: 余亚荣
Original assignee: Suzhou Suda Suhang Archives Data Preservation Co Ltd
Current assignee: Suzhou Suda Suhang Archives Data Preservation Co Ltd
Priority date: 2019-11-04
Filing date: 2019-11-04
Publication date: 2020-02-14
Anticipated expiration: 2039-11-04
Also published as: CN110795766B

Abstract

The invention discloses a system and a method for protecting electronic archive data. The system comprises a file data receiving module, a file data storage module, a file data utilization module and a file data exit module. The archive data receiving module is used for carrying out data preprocessing, data verification and data receiving full-flow recording on archive data to be warehoused; the archive data storage module monitors the data state of the warehouse-in security archive data in real time according to a preset independent detection grading rule, and autonomously repairs and preserves the warehouse-in security archive data according to the full-time line state of the data; the file data utilization module provides required warehousing security file data for authorized users and stores corresponding data utilization records; the file data quitting module is used for automatically executing the quitting procedure handling operation of the file data when the approved file is checked to be correct and the file data ex-warehouse requester is an authorized user; therefore, the safety, integrity, authenticity and usability of the data content of the electronic archive can be effectively ensured.

Description

Electronic file data security system and method

Technical Field

The invention relates to the technical field of electronic document management, in particular to a system and a method for protecting electronic archive data.

Background

With the rapid development of cloud computing and big data, data in daily work and life are increased explosively, the increasing data enables the technical field of document management to be correspondingly developed, and electronic files gradually replace paper files to become the mainstream file recording form.

However, the informatization brings convenience and also brings certain hidden dangers, for example, the data state of the electronic archive data cannot be known in the process of storage, the lost data cannot be recovered, the data tampering cannot be traced, and the value of the owner of the electronic archive data is brought into play.

In view of this, how to effectively ensure the security of the electronic file content and the exertion of evidentiary value, avoid causing economic property loss to the data owner and influence the exertion of the mechanism function is a technical problem to be solved by those skilled in the art.

Disclosure of Invention

The present disclosure provides a system and a method for protecting electronic archive data, which effectively ensure the security, integrity, authenticity and availability of the data content of the electronic archive.

In order to solve the above technical problems, embodiments of the present invention provide the following technical solutions:

the embodiment of the invention provides an electronic archive data security system on one hand, which comprises an archive data receiving module, an archive data storage module, an archive data utilization module and an archive data exit module;

the archive data receiving module is used for carrying out data preprocessing, data verification and data receiving full-flow recording on archive data to be warehoused;

the archive data storage module is used for monitoring the data state of the warehouse-in security archive data in real time according to a preset independent detection grading rule and performing autonomous restoration and security on the warehouse-in security archive data according to the full-time line state of the data;

the archive data utilization module is used for providing required warehousing security archive data for authorized users and storing corresponding data utilization records;

and the archive data quitting module is used for automatically executing quitting procedures for the required warehousing security archive data when the approved file is checked to be correct and the archive data ex-warehouse requester is an authorized user.

Optionally, the archive data receiving module includes a trusted warehousing partition processing sub-module, and the trusted warehousing partition processing sub-module includes:

the partition setting unit is used for carrying out partition setting on the trusted storage platform according to different authority mechanisms to generate a plurality of independent trusted storage partitions and establishing the corresponding relation between each independent trusted storage partition and the corresponding authority mechanism;

the serialization processing unit is used for carrying out serialization processing on the to-be-warehoused security archive data to generate batch flow data;

the storage unit is used for storing the batch flow data into a subarea corresponding to the affiliated right organization according to batches to generate credible warehousing information data which is used as storage relation information of the to-be-warehoused security archive data in the credible warehousing platform;

and the backup unit is used for carrying out backup processing on the data stored in each partition.

Optionally, the archival data receiving module includes a data solidifying sub-module, where the data solidifying sub-module includes:

the first digital abstract file generating unit is used for generating a first digital abstract file with a fixed length from the archive data to be warehoused by a hash algorithm;

the data association unit is used for establishing an association relationship between the archive data to be warehoused and the digital abstract file and generating association sequence data, and the association sequence data is used as directory data to be independently stored for future reference;

the second digital abstract file generating unit is used for generating a second digital abstract file with a fixed length from the trusted warehouse information data by using a hash algorithm;

and the data curing unit is used for merging the first digital abstract file and the second digital abstract file to generate a digital abstract file as curing data.

Optionally, the archive data receiving module includes a data security sub-module, and the data security sub-module includes:

the fusion unit is used for fusing the curing data and the corresponding timestamp digital fingerprint data to generate fused curing data;

and the storage unit is used for storing the solidified data and the fused solidified data into a trusted storage data authentication area and performing backup storage.

Optionally, the archive data receiving module is configured to perform data cleaning and sorting on the archive data to be warehoused and kept, verify authenticity, integrity, availability and safety, perform trusted warehouse partition processing, perform data curing processing, and perform data keeping processing by adopting a screen recording mode and performing full-process operation recording based on three digital video recording devices by adopting a triangulation positioning mode; the data recording submodule of the archival data receiving module comprises:

the data merging unit is used for merging the screen recording data and the video recording data to generate initial recording data;

the record data generating module is used for processing the initial record data by adopting a hash algorithm to generate a third digital abstract file with a fixed length to be used as data receiving full-process record real data;

the data fusion unit is used for fusing the third digital abstract file and the corresponding timestamp digital fingerprint data to generate fused digital abstract file data;

and the data storage unit is used for storing the initial record data, the third digital abstract file and the fused digital abstract file data into the trusted storage data authentication area and performing backup storage.

Optionally, the archive data utilization module includes:

the identity authentication submodule is used for verifying whether a data calling instruction sender is an authorized user;

the data calling sub-module is used for calling corresponding target warehousing security archive data, target credible warehousing information data, target curing data and target fusion curing data according to the indexes of the batch flow data and the indexes of the associated sequence data;

the digital digest file merging submodule is used for generating a fourth digital digest file from the target warehousing security archive data through the hash algorithm, generating a fifth digital digest file from the target trusted warehousing information data through the hash algorithm, and merging the fourth digital digest file and the fifth digital digest file to generate a final digital digest file;

the consistency check submodule is used for carrying out consistency check on the final digital abstract file and the target solidification data;

the verification submodule is used for verifying the target curing data and the target fusion curing data to obtain a verification result certificate;

and the data submission submodule is used for feeding the verification result certificate and the target warehousing security archive data back to the data calling instruction sender.

Optionally, the archive data storage module includes:

the monitoring strategy generation submodule is used for generating a corresponding monitoring detection strategy of the archive data to be warehoused according to the data classification rule of each right organization;

the checking submodule is used for generating digital abstract files with fixed length by using a hash algorithm on all embedded security file data stored in the trusted warehouse according to a preset frequency when checking is carried out according to a trigger rule of a monitoring detection strategy each time, comparing the consistency among the digital abstract files of a plurality of sets of file data, and if the digital abstract files of the plurality of sets of file data are consistent, indicating that all sets of file data are trusted data; if the digital summary files of the plurality of sets of the archive data generated at this time are inconsistent with the data summary file generated for the first time during warehousing preservation, the digital summary file of the plurality of sets of the archive data is used for comparing one by one with the data summary file generated for the first time, and the same one of the digital summary files generated for the first time in the plurality of sets of the archive data is selected for data recovery. Optionally, the archive data storage module further includes an early warning sub-module, configured to perform an early warning prompt if the data check codes of all the nested repository security archive data are different.

Optionally, the archive data exit module includes:

the ex-warehouse calling sub-module is used for carrying out ex-warehouse calling on the archive data required by a data quit request instruction sender when receiving a data quit request instruction;

the data destruction submodule is used for performing continuous redundant write operation on a target independent trusted storage partition corresponding to an authority to which the data quit request instruction sender belongs and destroying a data pointer and a data storage sequence of the target independent trusted storage partition;

the resource release submodule is used for releasing the space capacity occupied by the target independent trusted memory partition;

and the report generation module is used for carrying out security detection on the target independent and trusted storage partition and generating a detection report.

Another aspect of the embodiments of the present invention provides a method for saving electronic archive data, including:

when a file data request warehousing instruction is received, performing data preprocessing, data verification and data receiving full-flow recording on archive data to be warehoused and saved to generate warehousing and saved file data;

monitoring the data state of the warehousing security file data in real time according to a preset independent detection grading rule, and performing autonomous repair and security on the warehousing security file data according to the full-time line state of the data;

when a data calling instruction sent by an authorized user is received, providing required warehousing security archive data for the authorized user, and storing corresponding data utilization records;

when the data request quitting instruction is received, and the verification permission file is correct and the file data ex-warehouse requester is an authorized user, the quitting procedure handling operation of the required warehousing security file data is automatically executed.

The technical scheme provided by the application has the advantages that before the archive data are put in storage, the archive data receiving module is used for preprocessing, verifying and recording the data, so that the traceability of the data is enhanced on the basis of ensuring the safety, availability and integrity of the data before the data are put in storage; after the archive data are put in storage, the archive data storage module is used for monitoring in real time and performing self-repairing, the data state of the electronic archive data can be known in real time in the storage process, the safety and integrity of the put-in data are ensured, and the phenomena that the lost data cannot be recovered and the like are avoided; the corresponding data utilization records are stored for each calling or utilization of the data to be stored, so that the source tracing can be carried out in time after the data is tampered, and the threat to the value exertion of an electronic archive data owner is avoided; the data put in storage is subjected to identity verification before being taken out of the storage, so that the data put in storage cannot be illegally stolen and destroyed. The method can effectively ensure the safety of the content of the electronic file and the exertion of evidential value, and avoid causing economic property loss to the data owner and influencing the exertion of the functions of the organization.

In addition, the embodiment of the invention also provides a corresponding implementation method for the electronic archive data security system, so that the system is more feasible, and the method has corresponding advantages.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the related art, the drawings required to be used in the description of the embodiments or the related art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.

FIG. 1 is a block diagram of an embodiment of a system for securing electronic file data according to the present invention;

fig. 2 is a flowchart illustrating a method for securing electronic file data according to an embodiment of the present invention.

Detailed Description

In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may include other steps or elements not expressly listed.

Having described the technical solutions of the embodiments of the present invention, various non-limiting embodiments of the present application are described in detail below.

Referring to fig. 1, fig. 1 is a schematic structural framework diagram of an electronic archive data security system according to an embodiment of the present invention, where the embodiment of the present invention includes the following:

the electronic archive data security system can comprise an archive data receiving module 1, an archive data storage module 2, an archive data utilization module 3 and an archive data exit module 4. In the operation process of the electronic archive data security system, a data source right mechanism, a data storage mechanism, a data user, a three-party certification mechanism, a data query system and the like are involved. The data user can be a right organization and other authorized users, and the data query system is used for performing data query in the process of performing data self-repairing or data security by the archive data storage module 2 of the electronic archive data security system. The right mechanism, the data custody mechanism, the data user and the three-party certification mechanism realize data receiving, data custody, data utilization and data exit together through the electronic archive data security system, thereby ensuring the safety of the archive data content and the completeness of evidentiary value maintenance.

The archive data receiving module 1 is used for performing data preprocessing, data verification and data receiving full-process recording on archive data to be warehoused. The data preprocessing can comprise data cleaning and sorting, credible storage partition processing, data curing processing, data preservation processing and the like; the data verification means detecting authenticity, integrity, usability and safety of the archive data to be warehoused. After the archive data receiving module 1 executes the above operation on the archive data to be warehoused, the archive data to be warehoused is stored in a certain area of the electronic archive data security system, and the warehouse-in security archive data is generated.

In the application, the archive data storage module 2 is used for monitoring the data state of the warehouse-in security archive data in real time according to a preset independent detection classification rule. Different data sources or different archival data of the right organization can set corresponding detection rules according to data source types or data types. For archival data of different authority mechanisms, the authority mechanisms can also autonomously provide data detection rules, and can also adopt detection rules preset by the system, which does not affect the implementation of the application. And the self-repairing and the preservation of the warehousing preservation archive data can be carried out according to the full-time line state of the data in the query system, so that the integrity and the availability of the data are further ensured.

The archive data utilization module 3 in the embodiment of the invention is used for providing required storage security archive data for authorized users and storing corresponding data utilization records. The file data utilizing module 3 firstly performs credible identity recognition, can automatically execute data utilizing procedure handling operation after data verification, and utilizes or calls the file data, wherein the file data can be used as an authority to which the file data belongs and can also be used as a third-party data user. For each data utilization, the data user, the utilization time, the archive data before utilization and the archive data after utilization can be packaged and stored, for example, the information can be stored in the entry or batch of the utilized warehousing security archive data, so that the source can be quickly traced.

And finally, the file data quitting module 4 is used for automatically executing quitting procedures of the required warehousing security file data when the verification permission file is correct and the file data ex-warehouse requester is an authorized user. The right organization does not want to store the archive data in the electronic archive data security system, and can send a data request quitting instruction to the electronic archive data security system, and the electronic archive data security system performs credible identity verification on a sender of the data request quitting instruction after receiving the data request quitting instruction, namely, whether the verification permission file is accurate or not, and whether an archive data ex-warehouse requester is an authorized user or not. By checking the permission file and checking the identity of the data authority, the system can process data quit procedures, which can include data warehouse-out and verification, reprocessing of trusted warehouse partitions, processing data quit security detection and issuing detection reports, for example.

In the technical scheme provided by the embodiment of the invention, before the archive data is put in storage, the archive data receiving module is used for preprocessing, verifying and recording the data, so that the traceability of the data is enhanced on the basis of ensuring the safety, availability and integrity of the data before the data is put in storage; after the archive data are put in storage, the archive data storage module is used for monitoring in real time and performing self-repairing, the data state of the electronic archive data can be known in real time in the storage process, the safety and integrity of the put-in data are ensured, and the phenomena that the lost data cannot be recovered and the like are avoided; the corresponding data utilization records are stored for each calling or utilization of the data to be stored, so that the source tracing can be carried out in time after the data is tampered, and the threat to the value exertion of an electronic archive data owner is avoided; the data put in storage is subjected to identity verification before being taken out of the storage, so that the data put in storage cannot be illegally stolen and destroyed. The method can effectively ensure the safety of the content of the electronic file and the exertion of evidential value, and avoid causing economic property loss to the data owner and influencing the exertion of the functions of the organization.

As an alternative embodiment, the archive data receiving module 1 may include a trusted warehousing partition processing submodule for performing trusted warehousing partition processing, and the trusted warehousing partition processing submodule includes:

and the partition setting unit is used for carrying out partition setting on the trusted storage platform according to different authority mechanisms to generate a plurality of independent trusted storage partitions, wherein the nth independent trusted storage partition can be expressed as SDisk (n), for example, and the corresponding relation between each independent trusted storage partition and the corresponding authority mechanism is established.

The serialization processing unit is used for carrying out serialization processing on the Data of the to-be-warehoused security file by adopting any Data serialization algorithm to generate batch pipelining Data, and the batch pipelining Data can be represented as Data _ BOM.

The storage unit is used for storing the batch pipelining Data _ BOM into the subarea corresponding to the affiliated entitlement mechanism according to batches to generate credible warehousing information Data, for example, the credible warehousing information Data can be represented as Data + Data _ BOM + sdisk (n), and the credible warehousing information Data can be used as storage relation information of the to-be-warehoused security file Data in the credible warehousing platform.

Optionally, based on the above embodiment, the archival Data receiving module 1 may further include a Data solidification sub-module for performing Data solidification processing on Data after storing the archival Data to be warehoused and preserved into the archival Data of the corresponding independent trusted storage partition, where the Data solidification sub-module specifically includes:

a first digital abstract file generation unit for generating a first digital abstract file H with a fixed length from the Data of the to-be-put security archive by using the hash function of the hash algorithm^aFor example, a Hash function based on MD5 may be used to computationally parse the data or data set to generate digital digest data.

A Data association unit for associating the Data of the security file to be put in storage with the digital abstract file H^aAnd establishing an association relation, and generating association sequence data A _ BOM which can be independently stored as directory data for later reference.

A second digital digest file generation unit for generating a second digital digest file H with a fixed length from the trusted warehouse information Data + Data _ BOM + SDisk (n) by using the hash function of the hash algorithm^b。

A data solidifying unit for solidifying the first digital abstract file H^aAnd a second digital digest file H^bMerging to generate a digital abstract file H^a+H^bTo do so byAs curing data H^a+H^b。

In addition, the archive data receiving module 1 includes a data security sub-module, and the data security sub-module specifically may include:

a fusion unit for fusing the solidification data H^a+H^bFusing the digital fingerprint data with the Timestamp n _ Timestamp to generate fused and solidified data, wherein the fused and solidified data can be represented as (H) for example^a+H^b)+n_Timestamp。

A storage unit for storing the solidification data H^a+H^bAnd fusing the curing data (H)^a+H^b) And storing the + n _ Timestamp in a trusted storage data authentication area, and performing backup storage.

As another preferred embodiment, the archive data receiving module 1 performs data cleaning and sorting on archive data to be warehoused and preserved, verifies authenticity, integrity, availability and safety, performs trusted storage partition processing, performs data curing processing, and performs full-flow recording in a screen recording mode during data preservation processing to generate screen recording data V^S. The method can also adopt a triangulation positioning mode to record and document based on three digital video recording devices in the whole process, video data can be produced, and the video data can be represented as V^a+V^b+V^c. The data recording submodule of the archival data reception module 1 may include:

a data merging unit for merging the screen recording data V^SAnd video data V recorded by camera^a+V^b+V^cMerging to generate initial record data V^S+V^a+V^b+V^c。

A record data generation module for processing the initial record data V by using hash function of hash algorithm^S+V^a+V^b+V^cGenerating a third digital digest file H of fixed length^vAnd recording the real data as the data receiving whole process.

A data fusion unit for fusing the third digital abstract file H^vFusing with Timestamp m _ Timestamp digital fingerprint data to generate fused digital summary file data H^v+m_Timestamp。

A data storage unit for storing the initial recording data V^S+V^a+V^b+V^cThe third digital abstract file H^vAnd fusing digital digest file data H^vAnd storing the + m _ Timestamp into a trusted storage data authentication area together, and performing backup storage.

As another optional implementation manner, the archive data storage module 2 may specifically include:

and the monitoring strategy generation submodule is used for generating a corresponding monitoring detection strategy of the archive data to be warehoused according to the data classification rules of all the right mechanisms, namely, the right mechanisms can simultaneously send the data classification rules to the electronic archive data security system when sending data warehousing requests to the system. By differentiating SDisks for independent trusted warehouses_(n)The stored multiple sets of warehousing security archive data generate a digital abstract file with a fixed length through a Hash algorithm (Hash function), a data check code is generated, and the data check codes generated by the multiple sets of data for the first time are consistent.

The checking submodule is used for generating digital abstract files with fixed length by using a hash algorithm on each set of embedded security file data stored in the trusted warehouse according to a preset frequency when checking is carried out according to a trigger rule of a monitoring detection strategy each time, comparing the consistency among the digital abstract files of a plurality of sets of file data at the same moment, and if the digital abstract files of the plurality of sets of file data are consistent, indicating that each set of warehousing security file data has no problem and is in a good state and is trusted data; if the check codes are inconsistent after comparison, and at least one check code is different from other check codes, the warehouse-in security file data is threatened, the data state of the warehouse-in security file data with the check code different from other check codes can be extracted, and the data state of the warehouse-in security file data is displayed as early warning. If the data is inconsistent, namely in the early warning state, comparing the digital abstract files of the plurality of sets of archive data generated at this time with the data abstract file generated for the first time during warehousing preservation one by one, selecting the part of the digital abstract files newly generated in the plurality of sets of archive data, which is the same as the data abstract file generated for the first time, for data recovery, namely performing data recovery and preservation on the warehousing preservation archive data, and when performing data recovery and preservation, firstly performing data recovery and preservation by inquiring the full time line state of the warehousing preservation archive data in the system.

In addition, based on the above embodiment, the archive data storage module 2 may further include an early warning sub-module, configured to perform an early warning prompt if the data check codes of all the nested repository security archive data are different.

Optionally, the archive data utilization module 3 may specifically include:

and the identity verification sub-module is used for verifying whether the sender of the data calling instruction is an authorized user or not, and can be verified by a third-party certification authority for example.

And the Data calling sub-module is used for calling corresponding target warehousing security archive Data, target trusted warehousing information Data, target solidification Data and target fusion solidification Data according to the index of the batch pipelining Data _ BOM and the index of the associated sequence Data A _ BOM.

A digital abstract file merging submodule for generating a fourth digital abstract file H from the target storage security archive data through a hash algorithm^uGenerating a fifth digital digest file H by the target credible warehousing information data through a hash algorithm^zAnd a fourth digital abstract file H^uAnd a fifth digital digest file H^zMerging to generate final digital abstract file H^u+H^z；

A consistency check submodule for checking the final digital abstract file H^u+H^zAnd performing consistency check on the target solidification data.

And the verification sub-module is used for verifying the target curing data and the target fusion curing data, and for example, the verification sub-module can be uploaded to a timestamp service system for verification to obtain a verification result certificate.

And the data submission submodule is used for feeding back the verification result certificate and the target warehousing security archive data to the data calling instruction sender for data calling and utilization.

As a preferred embodiment, the archive data exit module 4 may include:

and the ex-warehouse calling submodule is used for carrying out ex-warehouse calling on the archive data required by the data quit request instruction sender when receiving the data quit request instruction. The implementation process of the data retrieval can adopt the implementation process of the archive data utilization module 3, and is not described herein again. That is, whether a sender of the Data quit request instruction is an authorized user can be verified through a third-party certification authority, and if the sender is the authorized user, corresponding target warehousing security archive Data, target trusted warehousing information Data, target solidified Data and target fusion solidified Data are retrieved according to the index of the batch pipelining Data _ BOM and the index of the associated sequence Data A _ BOM; generating a sixth digital digest file by hashing target warehousing security archive data, generating a seventh digital digest file by hashing target trusted warehousing information data, and combining the sixth digital digest file and the seventh digital digest file to generate a final digital digest file; carrying out consistency check on the final digital abstract file and the target solidification data; verifying the target solidified data and the target fused solidified data, for example, uploading the data to a timestamp service system for verification to obtain a verification result certificate; and finally, carrying out ex-warehouse processing on the verification result certificate and the target warehousing security archive data.

And the data destruction submodule is used for performing continuous redundant write operation on the target independent trusted storage partition corresponding to the right mechanism to which the data quit request instruction sender belongs and destroying the data pointer and the data storage sequence of the target independent trusted storage partition so as to achieve the purpose of completely deleting the data.

The resource release submodule is used for releasing the space capacity occupied by the target independent trusted memory partition; and when the file data of the specific authority is completely withdrawn, the independent credible storage partition space can be released and returned to the resource pool, so that the resource waste is avoided.

And the report generation module is used for carrying out security detection on the target independent trusted storage partition by using a security monitoring tool and generating a detection report meeting the requirement.

Therefore, the embodiment of the invention can effectively ensure the safety of the file data content and the completeness of the evidential value maintenance system.

The embodiment of the invention also provides a corresponding method for the electronic archive data security system, so that the system is more selectable. In the following, the electronic archive data preservation method provided by the embodiment of the present invention is introduced, and the electronic archive data preservation method described below and the electronic archive data preservation system described above may be referred to in a corresponding manner.

Referring to fig. 2, fig. 2 is a schematic flow chart of an electronic archive data preservation method according to an embodiment of the present invention, where the embodiment of the present invention includes the following:

s201: and when a file data request warehousing instruction is received, performing data preprocessing, data verification and data receiving full-flow recording on the file data to be warehoused and saved to generate warehousing and saved file data.

Specifically, the electronic archive data security system can be used for performing data cleaning and sorting, "four-character" (authenticity, integrity, availability, security) detection, trusted storage partition processing, data curing processing, data security processing, and data receiving whole-process record keeping and security on the archive data to be stored in a warehouse.

S202: and monitoring the data state of the warehousing security file data in real time according to a preset independent detection grading rule, and performing autonomous repair and security on the warehousing security file data according to the full-time line state of the data.

Specifically, the electronic archive data preservation system can be used for setting an independent detection strategy for warehousing preservation archive data according to a grading rule, monitoring the data state in real time and giving out early warning on error data, and can also be used for autonomously repairing and preserving the data by inquiring the full-time line state of the data in the system.

S203: and when a data calling instruction sent by the authorized user is received, providing the required warehousing security archive data for the authorized user, and storing a corresponding data utilization record.

S204: when the data request quitting instruction is received, and the verification permission file is correct and the file data ex-warehouse requester is an authorized user, the quitting procedure handling operation of the required warehousing security file data is automatically executed.

Taking the example that the authority a stores the archive Data into the electronic archive Data preservation system, the concrete implementation process of warehousing, storing, calling and exporting the archive Data is described, and may include the following contents:

optionally, the trusted warehouse partition processing step in S201 may be:

the credible warehousing platform is independently partitioned according to different authority mechanisms to form { SDisk_(n)Establishing association of each partition and a specific authority;

performing sequence processing on the archive Data to form batch pipelining Data _ BOM, storing the batch pipelining Data _ BOM to the subarea where the specific authority mechanism is located according to batches to form Data { Data + Data _ BOM + SDisk_(n)}; the data is used as the storage relation information of the archive data in the trusted warehouse;

partitioning archive Data in entitlement organization section { SDisk_(n)Two sets of backup are carried out simultaneously.

Optionally, the data curing processing in S201 includes:

generating fixed-length digital abstract file H by using file Data through Hash algorithm (Hash function)^a；

The Data of the file Data and the digital abstract H are compared^aEstablishing association, generating an association sequence A _ BOM, and independently storing and searching data A _ BOM as directory data;

credible warehousing information Data { Data + Data _ BOM + SDisk_(n)Production of a digital digest file H of fixed length by means of a hashing algorithm (Hash function)^b；

For digital abstract H^aAnd a digital summary H^bAre combined to form a new digital abstract (H)^a+H^b) And taking the digital summary data as solidification data.

Optionally, the data saving processing in S201 includes:

(ii) the curing data (H)^a+H^b) Fusing the digital fingerprint with the Timestamp n _ Timestamp to form data { (H)^a+H^b)+n_Timestamp}；

Data are consolidated into data (H)^a+H^b) Time stamp data { (H)^a+H^b) And storing the + n _ Timestamp in a trusted storage data authentication area together, and backing up two copies.

Optionally, the step of recording, and keeping the data receiving whole process in S201 may be:

the data cleaning and sorting, the 'quadripler' (authenticity, integrity, availability and safety) detection, the credible storage partition processing, the data curing processing and the data preservation processing all adopt screen recording work to record, and adopt a triangular positioning mode to use three digital video recording devices to carry out whole-process operation and real-time recording to form screen recording data V^SAnd video data V recorded by camera^a、V^b、V^c；

Data V of opposite recording screen^SAnd video data V recorded by camera^a、V^b、V^cMerging the data to form data (V)^S+V^a+V^b+V^c)；

For data (V)^S+V^a+V^b+V^c) Generating a fixed-length digital digest file H by a hashing algorithm (Hash function)^vTaking the data as data receiving whole-process recording and real data;

recording and accumulating the data receiving whole process to real data H^vFusing the digital fingerprint with the Timestamp m _ Timestamp to form { H }^v+m_Timestamp}；

Data (V)^S+V^a+V^b+V^c) Data receiving whole process recording real data H^vTime stamp data { H^vAnd storing the + m _ Timestamp in a trusted warehouse data recording area together, and backing up two copies.

Optionally, the steps of monitoring, early warning, repairing, and preserving in the archive data storage stage in S202 may be:

according to the right machineConstructing a proposed Data grading rule, setting a monitoring detection strategy of archival Data, and storing the credible storage { SDisk_(n)Generating fixed-length digital abstract file by multiple sets of stored Data through Hash algorithm (Hash function), and generating Data check code C^tThe data check codes generated by a plurality of sets of data for the first time are consistent;

generating a digital abstract file with a fixed length by a Hash algorithm (Hash function) on a plurality of sets of data periodically and again according to a monitoring detection strategy triggering rule, and generating a new data check code, wherein the generated data check code is C by taking three sets of archival data as an example^a、C^b、C^c；

Check code C for data^a、C^b、C^cMaking an alignment, e.g. C^a＝C^b＝C^cIndicating that the status of the archival Data is good, e.g. Data check code C^a、C^b、C^cIf the Data state of the file Data is inconsistent after comparison, the threat of the Data state of the file Data is represented, the Data state of the file Data is extracted, and the early warning is displayed;

extracting the digital abstract H under the early warning state^aAnd is compared with the data check code C^a、C^b、C^cComparing with the digital abstract H^aAnd the archival Data corresponding to the Data check codes with the same comparison result is used as credible Data to repair and preserve other sets of inconsistent Data.

Optionally, the step of the archive data utilization stage of S203 may be:

the file Data is subjected to credible identity identification, then the processed Data is utilized and called, and the file Data and credible warehousing information Data { Data + Data _ BOM + SDisk are called through indexes of batch running Data _ BOM and associated sequence A _ BOM_(n)}, curing data (H)^a+H^b) Time stamp data { (H)^a+H^b)+n_Timestamp}；

Regenerating the archive Data by means of a Hash algorithm (Hash function) to a fixed-length digital digest file H^uThe credible warehousing information Data { Data + Data _ BOM + SDisk_(n)Get through the Hash algorithm (Hash function) againGenerating fixed-length digital digest files H^zAnd (H) is synthesized by^u+H^z) Will (H)^u+H^z) And (H)^a+H^b) Carrying out consistency check;

curing data (H)^a+H^b) Time stamp data { (H)^a+H^b) + n _ Timestamp } uploading Timestamp service system for true checking;

and submitting the certificate of the verification result and the archival Data for use at the same time.

Optionally, the step of the archive data exit stage in S204 may be:

when the special authority puts forward an exit program to the archive data of the mechanism, the method of the step S203 is adopted to fetch the data out of the warehouse;

independent trusted warehouse partition { SDisk) for specific authority_(n)Carrying out continuous redundant write operation, and destroying a data pointer of the partition to destroy a file data storage sequence so as to achieve the aim of completely deleting data;

complete exit of the archive data for a particular authority, for the independent trusted warehouse partition { SDisk_(n)The space is released and returns to the resource pool;

and detecting the subarea by using a safety monitoring tool and issuing a compliance report.

Since the method embodiment of the present invention and the system embodiment are based on the same concept, the implementation process and the execution sequence of each step of the method embodiment of the present invention may refer to specific contents such as information interaction and execution process among units in the system, and thus, details are not described here.

Therefore, the embodiment of the invention can effectively ensure the safety, integrity, authenticity and availability of the data content of the electronic file.

The embodiment of the invention also provides electronic archive data security equipment, which specifically comprises:

a memory for storing a computer program;

a processor for executing a computer program to implement the steps of the method for saving electronic archive data as described in any of the above embodiments.

The functions of the functional modules of the electronic archive data preservation device according to the embodiment of the present invention can be specifically implemented according to the method in the above method embodiment, and the specific implementation process may refer to the description related to the above method embodiment, which is not described herein again.

The embodiment of the present invention further provides a computer-readable storage medium, in which an electronic archive data security program is stored, and the electronic archive data security program is executed by a processor according to any of the steps of the electronic archive data security method described in any of the above embodiments. The storage medium may be various media capable of storing program codes, such as a U disk, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, or an optical disk.

The functions of the functional modules of the computer-readable storage medium according to the embodiment of the present invention may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.

The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.

Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The details of the method, apparatus, device and computer readable storage medium for preserving electronic file data provided by the present invention are described above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present disclosure without departing from the principle of the present invention, and such improvements and modifications also fall within the scope of the claims of the present disclosure.

Claims

1. An electronic archive data security system is characterized by comprising an archive data receiving module, an archive data storage module, an archive data utilization module and an archive data exit module;

2. The electronic archival data security system of claim 1, wherein the archival data reception module includes a trusted warehousing partition processing sub-module, the trusted warehousing partition processing sub-module including:

3. The electronic archival data security system of claim 2, wherein the archival data reception module includes a data solidification sub-module, the data solidification sub-module including:

4. The electronic archival data security system of claim 3, wherein the archival data reception module includes a data security sub-module, the data security sub-module including:

5. The electronic archive data preservation system according to claim 4, wherein the archive data receiving module is configured to perform data cleaning and sorting on the archive data to be stored, verify authenticity, integrity, availability and security, perform trusted storage partition processing, perform data solidification processing, and perform recording in a screen recording manner and perform full-process operation recording based on three digital cameras in a triangulation positioning manner during data preservation processing; the data recording submodule of the archival data receiving module comprises:

6. The electronic archival data security system of claim 5, wherein the archival data utilization module includes:

7. An electronic archive data preservation system according to any of claims 1-6, wherein said archive data custody module comprises:

the checking submodule is used for generating digital abstract files with fixed length by using a hash algorithm on all embedded security file data stored in the trusted warehouse according to a preset frequency when checking is carried out according to a trigger rule of a monitoring detection strategy each time, comparing the consistency among the digital abstract files of a plurality of sets of file data, and if the digital abstract files of the plurality of sets of file data are consistent, indicating that all sets of file data are trusted data; if the digital summary files of the plurality of sets of the archive data generated at this time are inconsistent with the data summary file generated for the first time during warehousing preservation, the digital summary file of the plurality of sets of the archive data is used for comparing one by one with the data summary file generated for the first time, and the same one of the digital summary files generated for the first time in the plurality of sets of the archive data is selected for data recovery.

8. The system of claim 7, wherein the archive data storage module further comprises an early warning sub-module for performing an early warning prompt if the data check codes of the archive data stored in the repositories are different.

9. An electronic archival data security system as claimed in any one of claims 1-6, wherein the archival data exit module comprises:

10. An electronic archive data preservation method is characterized by comprising the following steps: