CN110795766B - Electronic file data security system and method - Google Patents


Info

Publication number: CN110795766B
Authority: CN (China)
Prior art keywords: data, file, archive, security, module
Legal status: Active (the status listed by Google is an assumption, not a legal conclusion)
Application number: CN201911065982.1A
Other languages: Chinese (zh)
Other versions: CN110795766A (en)
Inventor: 余亚荣
Current assignee: Suzhou Suda Suhang Archives Data Preservation Co ltd (as listed by Google; may be inaccurate)
Original assignee: Suzhou Suda Suhang Archives Data Preservation Co ltd
Events: application CN201911065982.1A filed by Suzhou Suda Suhang Archives Data Preservation Co ltd; publication of CN110795766A; application granted; publication of CN110795766B; legal status active

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
            • G06F21/60 Protecting data
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The invention discloses a system and a method for protecting electronic archive data. The system comprises an archive data receiving module, an archive data storage module, an archive data utilization module and an archive data exit module. The archive data receiving module performs data preprocessing, data verification and full-process recording of data receipt on archive data to be warehoused; the archive data storage module monitors the state of the warehoused archive data in real time according to a preset independent detection grading rule, and autonomously repairs and preserves the warehoused archive data according to the full time-line state of the data; the archive data utilization module provides the required warehoused archive data to authorized users and stores a corresponding data utilization record; the archive data exit module automatically executes the exit procedure for the archive data once the approval file has been checked and found correct and the party requesting removal from the warehouse is an authorized user. The safety, integrity, authenticity and usability of the electronic archive data content are thereby effectively ensured.

Description

Electronic file data security system and method
Technical Field
The invention relates to the technical field of electronic document management, in particular to a system and a method for protecting electronic archive data.
Background
With the rapid development of cloud computing and big data, the volume of data produced in daily work and life has grown explosively. This growth has driven corresponding development in the field of document management, and electronic archives have gradually replaced paper archives as the mainstream form of record keeping.
However, while informatization brings convenience, it also brings certain hidden dangers: the state of electronic archive data cannot be known while it is in storage, lost data cannot be recovered, tampering with the data cannot be traced, and the owner of the electronic archive data is prevented from realizing its value.
In view of this, how to effectively ensure the security of electronic archive content and the exertion of its evidentiary value, and so avoid economic loss to the data owner and impairment of the organization's functions, is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The present disclosure provides a system and a method for protecting electronic archive data, which effectively ensure the security, integrity, authenticity and availability of the electronic archive data content.
In order to solve the above technical problems, embodiments of the present invention provide the following technical solutions:
In one aspect, an embodiment of the invention provides an electronic archive data security system comprising an archive data receiving module, an archive data storage module, an archive data utilization module and an archive data exit module;
the archive data receiving module is used for performing data preprocessing, data verification and full-process recording of data receipt on archive data to be warehoused;
the archive data storage module is used for monitoring the state of the warehoused archive data in real time according to a preset independent detection grading rule, and for autonomously repairing and preserving the warehoused archive data according to the full time-line state of the data;
the archive data utilization module is used for providing the required warehoused archive data to authorized users and storing corresponding data utilization records;
and the archive data exit module is used for automatically executing the exit procedure for the required warehoused archive data when the approval file has been checked and found correct and the party requesting removal from the warehouse is an authorized user.
Optionally, the archive data receiving module includes a trusted warehousing partition processing sub-module, which includes:
a partition setting unit, used for partitioning the trusted storage platform according to the different rights-holding organizations so as to generate a plurality of independent trusted storage partitions, and for establishing the correspondence between each independent trusted storage partition and its rights-holding organization;
a serialization processing unit, used for serializing the archive data to be warehoused to generate batch stream data;
a storage unit, used for storing the batch stream data, batch by batch, into the partition corresponding to the rights-holding organization to which it belongs, generating trusted warehousing information data that serves as the storage-relation information of the archive data within the trusted warehousing platform;
and a backup unit, used for backing up the data stored in each partition.
Optionally, the archive data receiving module includes a data solidification sub-module, which includes:
a first digital digest file generating unit, used for generating a fixed-length first digital digest file from the archive data to be warehoused by means of a hash algorithm;
a data association unit, used for establishing the association between the archive data to be warehoused and the digital digest file and generating association sequence data, which is stored independently as directory data for future reference;
a second digital digest file generating unit, used for generating a fixed-length second digital digest file from the trusted warehousing information data by means of a hash algorithm;
and a data solidification unit, used for merging the first digital digest file and the second digital digest file into a single digital digest file that serves as the solidified data.
Optionally, the archive data receiving module includes a data preservation sub-module, which includes:
a fusion unit, used for fusing the solidified data with the corresponding timestamp digital-fingerprint data to generate fused solidified data;
and a storage unit, used for storing the solidified data and the fused solidified data in a trusted storage data authentication area and keeping a backup copy.
Optionally, the archive data receiving module is configured to clean and sort the archive data to be warehoused, verify its authenticity, integrity, availability and safety, perform trusted warehousing partition processing, perform data solidification processing, and perform data preservation processing while recording the whole process both by screen recording and by three digital video recording devices arranged in a triangulated layout; the data recording sub-module of the archive data receiving module includes:
a data merging unit, used for merging the screen recording data and the video recording data to generate initial record data;
a record data generating unit, used for processing the initial record data with a hash algorithm to generate a fixed-length third digital digest file that serves as the authentic record of the whole data-receipt process;
a data fusion unit, used for fusing the third digital digest file with the corresponding timestamp digital-fingerprint data to generate fused digital digest file data;
and a data storage unit, used for storing the initial record data, the third digital digest file and the fused digital digest file data in the trusted storage data authentication area and keeping a backup copy.
Optionally, the archive data utilization module includes:
an identity authentication sub-module, used for verifying whether the sender of a data call instruction is an authorized user;
a data call sub-module, used for retrieving the corresponding target warehoused archive data, target trusted warehousing information data, target solidified data and target fused solidified data according to the index of the batch stream data and the index of the association sequence data;
a digital digest file merging sub-module, used for generating a fourth digital digest file from the target warehoused archive data with the hash algorithm, generating a fifth digital digest file from the target trusted warehousing information data with the hash algorithm, and merging the fourth and fifth digital digest files into a final digital digest file;
a consistency check sub-module, used for checking the consistency of the final digital digest file with the target solidified data;
a verification sub-module, used for verifying the target solidified data and the target fused solidified data to obtain a verification result certificate;
and a data delivery sub-module, used for returning the verification result certificate and the target warehoused archive data to the sender of the data call instruction.
Optionally, the archive data storage module includes:
a monitoring strategy generation sub-module, used for generating a monitoring and detection strategy for the archive data to be warehoused according to the data classification rule of each rights-holding organization;
a checking sub-module, used for, each time a check is triggered by the monitoring and detection strategy, generating fixed-length digital digest files with the hash algorithm at a preset frequency for all sets of warehoused archive data stored in the trusted warehouse and comparing the digital digest files of the several sets with each other; if they are consistent, every set is trusted data. If the digital digest files generated for the several sets at this check differ from the digest file generated first at warehousing, each set's digest file is compared one by one with that first digest file, and a set whose digest file equals the first one is selected as the source for data recovery.
Optionally, the archive data storage module further includes an early warning sub-module, configured to raise an early warning prompt if the data check codes of all sets of warehoused archive data differ.
Optionally, the archive data exit module includes:
an ex-warehouse call sub-module, used for, on receipt of a data exit request instruction, retrieving from the warehouse the archive data required by the sender of the instruction;
a data destruction sub-module, used for performing continuous redundant write operations on the target independent trusted storage partition belonging to the sender's rights-holding organization and destroying the data pointers and data storage sequence of that partition;
a resource release sub-module, used for releasing the storage capacity occupied by the target independent trusted storage partition;
and a report generation sub-module, used for performing a security check of the target independent trusted storage partition and generating a detection report.
Another aspect of the embodiments of the present invention provides a method for preserving electronic archive data, including:
when an archive data warehousing request instruction is received, performing data preprocessing, data verification and full-process recording of data receipt on the archive data to be warehoused, to generate warehoused archive data;
monitoring the state of the warehoused archive data in real time according to a preset independent detection grading rule, and autonomously repairing and preserving the warehoused archive data according to the full time-line state of the data;
when a data call instruction sent by an authorized user is received, providing the required warehoused archive data to the authorized user and storing a corresponding data utilization record;
when a data exit request instruction is received, the approval file has been checked and found correct, and the party requesting removal from the warehouse is an authorized user, automatically executing the exit procedure for the required warehoused archive data.
The advantage of the technical scheme provided by this application is that, before the archive data is warehoused, the archive data receiving module preprocesses, verifies and records it, so that the traceability of the data is strengthened while its security, availability and integrity before warehousing are ensured; after the archive data is warehoused, the archive data storage module monitors it in real time and performs self-repair, so that the state of the electronic archive data is known at every moment during storage, the security and integrity of the warehoused data are ensured, and situations such as lost data that cannot be recovered are avoided; a data utilization record is stored for every call or use of the stored data, so that the source can be traced promptly after any tampering and the threat to the value the data holds for its owner is averted; and identity verification is performed before warehoused data leaves the warehouse, so that it cannot be illegally stolen or destroyed. The scheme therefore effectively ensures the security of the electronic archive content and the exertion of its evidentiary value, and avoids economic loss to the data owner and impairment of the organization's functions.
In addition, embodiments of the invention also provide a corresponding implementation method for the electronic archive data security system, which makes the system more practicable; the method has the corresponding advantages.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the related art, the drawings required to be used in the description of the embodiments or the related art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a block diagram of an embodiment of a system for securing electronic file data according to the present invention;
FIG. 2 is a flowchart illustrating a method for securing electronic file data according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may include other steps or elements not expressly listed.
Having described the technical solutions of the embodiments of the present invention, various non-limiting embodiments of the present application are described in detail below.
Referring to FIG. 1, which is a schematic structural framework diagram of an electronic archive data security system according to an embodiment of the present invention, the embodiment includes the following:
The electronic archive data security system may comprise an archive data receiving module 1, an archive data storage module 2, an archive data utilization module 3 and an archive data exit module 4. The operation of the system involves the rights-holding organization that is the data source, the data custody organization, the data user, a third-party certification body, a data query system and the like. The data user may be the rights-holding organization or another authorized user, and the data query system is used for querying data while the archive data storage module 2 performs data self-repair or data preservation. The rights-holding organization, the data custody organization, the data user and the third-party certification body jointly realize data receipt, data custody, data utilization and data exit through the system, thereby ensuring the security of the archive data content and the completeness of its evidentiary value.
The archive data receiving module 1 is used for performing data preprocessing, data verification and full-process recording of data receipt on the archive data to be warehoused. The data preprocessing may comprise data cleaning and sorting, trusted warehousing partition processing, data solidification processing, data preservation processing and the like; data verification means checking the authenticity, integrity, usability and safety of the archive data to be warehoused. After the archive data receiving module 1 has performed these operations, the archive data is stored in a designated area of the system and becomes warehoused archive data.
In this application, the archive data storage module 2 monitors the state of the warehoused archive data in real time according to a preset independent detection classification rule. Archive data from different data sources or different rights-holding organizations can be given corresponding detection rules according to the data source type or data type. For the archive data of different rights-holding organizations, the organization may supply its own data detection rules or adopt the rules preset by the system; either choice does not affect the implementation of this application. Self-repair and preservation of the warehoused archive data can also be carried out according to the full time-line state of the data held in the query system, further ensuring the integrity and availability of the data.
The archive data utilization module 3 in the embodiment of the invention provides the required warehoused archive data to authorized users and stores a corresponding data utilization record. The module first performs trusted identity recognition, and after the data has been verified it can automatically carry out the data utilization procedure and use or call the archive data; the user of the archive data may be the rights-holding organization to which the data belongs or a third-party data user. For each utilization, the data user, the time of use, the archive data before use and the archive data after use can be packaged and stored, for example within the entry or batch of the warehoused archive data that was used, so that the source can be traced quickly.
Finally, the archive data exit module 4 automatically executes the exit procedure for the required warehoused archive data when the approval file has been checked and found correct and the party requesting removal from the warehouse is an authorized user. A rights-holding organization that no longer wishes to keep its archive data in the system can send a data exit request instruction to it; on receipt, the system performs trusted identity verification of the sender, that is, it checks whether the approval file is accurate and whether the party requesting removal is an authorized user. Once the approval file and the identity of the data rights holder have been checked, the system can process the data exit procedure, which may include, for example, removal of the data from the warehouse and its verification, reprocessing of the trusted warehousing partition, a security check of the data exit and issuance of a detection report.
In the technical scheme provided by the embodiment of the invention, before the archive data is warehoused, the archive data receiving module preprocesses, verifies and records it, so that the traceability of the data is strengthened while its security, availability and integrity before warehousing are ensured; after the archive data is warehoused, the archive data storage module monitors it in real time and performs self-repair, so that the state of the electronic archive data is known at every moment during storage, the security and integrity of the warehoused data are ensured, and situations such as lost data that cannot be recovered are avoided; a data utilization record is stored for every call or use of the stored data, so that the source can be traced promptly after any tampering and the threat to the value the data holds for its owner is averted; and identity verification is performed before warehoused data leaves the warehouse, so that it cannot be illegally stolen or destroyed. The scheme therefore effectively ensures the security of the electronic archive content and the exertion of its evidentiary value, and avoids economic loss to the data owner and impairment of the organization's functions.
As an alternative embodiment, the archive data receiving module 1 may include a trusted warehousing partition processing sub-module for performing trusted warehousing partition processing, which includes:
a partition setting unit, used for partitioning the trusted storage platform according to the different rights-holding organizations to generate a plurality of independent trusted storage partitions, where the nth independent trusted storage partition may be denoted SDisk(n), for example, and for establishing the correspondence between each independent trusted storage partition and its rights-holding organization;
a serialization processing unit, used for serializing the archive data Data to be warehoused with any data serialization algorithm to generate batch stream data, which may be denoted Data_BOM;
a storage unit, used for storing the batch stream data Data_BOM, batch by batch, into the partition corresponding to the rights-holding organization to which it belongs, generating trusted warehousing information data, which may be denoted Data + Data_BOM + SDisk(n), for example, and which serves as the storage-relation information of the archive data within the trusted warehousing platform;
and a backup unit, used for backing up the data stored in each partition.
Optionally, on the basis of the above embodiment, the archive data receiving module 1 may further include a data solidification sub-module for performing data solidification processing on the archive data Data after it has been stored in the corresponding independent trusted storage partition, where the data solidification sub-module specifically includes:
a first digital digest file generation unit, used for generating a fixed-length first digital digest file H_a from the archive data Data to be warehoused with the hash function of the hash algorithm; for example, a hash function based on MD5 may be used to parse the data or data set and generate the digital digest data;
a data association unit, used for establishing the association between the archive data Data to be warehoused and the digital digest file H_a, and generating association sequence data A_BOM, which can be stored independently as directory data for later reference;
a second digital digest file generation unit, used for generating a fixed-length second digital digest file H_b from the trusted warehousing information data Data + Data_BOM + SDisk(n) with the hash function of the hash algorithm;
and a data solidification unit, used for merging the first digital digest file H_a and the second digital digest file H_b into the digital digest file H_a + H_b, which serves as the solidified data H_a + H_b.
In addition, the archive data receiving module 1 includes a data preservation sub-module, which specifically may include:
a fusion unit, used for fusing the solidified data H_a + H_b with the timestamp digital-fingerprint data n_Timestamp to generate fused solidified data, which may be denoted (H_a + H_b) + n_Timestamp, for example;
and a storage unit, used for storing the solidified data H_a + H_b and the fused solidified data (H_a + H_b) + n_Timestamp in the trusted storage data authentication area and keeping a backup copy.
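The solidification described above, together with the consistency check the utilization module performs when data is called back out, as an added Python example (not code from the patent or its assignee). It assumes SHA-256 in place of the unspecified hash (the MD5 mentioned is no longer collision-resistant, so two different files could share one H_a), models the "+" concatenation as joining hex strings, length-prefixes the fields of Data + Data_BOM + SDisk(n), and uses constructed sample data.

```python
import hashlib
from dataclasses import dataclass


def digest(data: bytes) -> str:
    """Fixed-length digital digest. SHA-256 is an assumption: the page names only
    'a hash algorithm' such as MD5, whose collisions are cheap; H_a only binds the
    archive data if the function is collision-resistant."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class WarehousingInfo:
    """Trusted warehousing information: Data + Data_BOM + SDisk(n)."""
    batch_id: str    # Data_BOM, the batch stream identifier (assumed to be text)
    partition: int   # n of the independent trusted partition SDisk(n)

    def encode(self, data: bytes) -> bytes:
        # The page's '+' is concatenation; length-prefixing each field is an
        # assumption that stops two different (data, batch, partition) triples
        # from sharing one encoding and therefore one H_b.
        parts = [data, self.batch_id.encode(), f"SDisk({self.partition})".encode()]
        return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


@dataclass(frozen=True)
class CuringRecord:
    """What the trusted storage data authentication area keeps for one item."""
    h_a: str         # first digest, over the archive data
    h_b: str         # second digest, over the warehousing information
    timestamp: str   # n_Timestamp digital fingerprint (assumed ISO-8601 text)

    @property
    def curing(self) -> str:          # solidified data H_a + H_b
        return self.h_a + self.h_b

    @property
    def fused(self) -> str:           # fused solidified data (H_a + H_b) + n_Timestamp
        return self.curing + self.timestamp


def solidify(data: bytes, info: WarehousingInfo, timestamp: str) -> CuringRecord:
    """Receiving module: data solidification and data preservation sub-modules."""
    return CuringRecord(digest(data), digest(info.encode(data)), timestamp)


def verify_on_retrieval(data: bytes, info: WarehousingInfo,
                        stored_curing: str, stored_fused: str) -> dict:
    """Utilization module: regenerate the fourth and fifth digests from what the
    warehouse hands back, merge them into the final digest file, and check it
    against the stored solidified and fused solidified data."""
    h4 = digest(data)
    h5 = digest(info.encode(data))
    final = h4 + h5
    stored_h_a, stored_h_b = stored_curing[:len(h4)], stored_curing[len(h4):]
    # the fused record must be exactly the solidified data followed by a timestamp
    fused_ok = (stored_fused.startswith(stored_curing)
                and len(stored_fused) > len(stored_curing))
    result = {
        "data_intact": h4 == stored_h_a,                 # archive bytes unchanged
        "warehousing_info_intact": h5 == stored_h_b,     # still the same batch/partition
        "consistent": final == stored_curing,            # consistency check sub-module
        "fused_binds_timestamp": fused_ok,               # verification sub-module
        "timestamp": stored_fused[len(stored_curing):] if fused_ok else None,
    }
    checks = ("data_intact", "warehousing_info_intact", "consistent", "fused_binds_timestamp")
    # the verification result certificate returned with the data
    result["certificate"] = "PASS" if all(result[k] for k in checks) else "FAIL"
    return result


if __name__ == "__main__":
    # Constructed sample: one archive file stored in batch B-0001 on SDisk(3).
    sample = b"Archive record 42: contract scan, 2019-11-01"
    info = WarehousingInfo(batch_id="B-0001", partition=3)
    rec = solidify(sample, info, "2019-11-01T09:30:00Z")
    print(verify_on_retrieval(sample, info, rec.curing, rec.fused)["certificate"])
    print(verify_on_retrieval(sample + b"!", info, rec.curing, rec.fused)["certificate"])
```

Because H_b covers the batch and partition identifiers as well as the data, a file that is intact but has been moved to another partition fails the check while reporting the data itself as unchanged.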
As another preferred embodiment, the archive data receiving module 1 cleans and sorts the archive data to be warehoused, verifies its authenticity, integrity, availability and safety, performs trusted storage partition processing, performs data solidification processing, and records the whole data preservation process by screen recording, generating screen recording data V_S. It may also record and document the whole process with three digital video recording devices arranged in a triangulated layout, producing video data that may be denoted V_a + V_b + V_c. The data recording sub-module of the archive data receiving module 1 may include:
a data merging unit, used for merging the screen recording data V_S with the camera-recorded video data V_a + V_b + V_c to generate the initial record data V_S + V_a + V_b + V_c;
a record data generation unit, used for processing the initial record data V_S + V_a + V_b + V_c with the hash function of the hash algorithm to generate a fixed-length third digital digest file H_v, which serves as the authentic record of the whole data-receipt process;
a data fusion unit, used for fusing the third digital digest file H_v with the timestamp digital-fingerprint data m_Timestamp to generate fused digital digest file data H_v + m_Timestamp;
and a data storage unit, used for storing the initial record data V_S + V_a + V_b + V_c, the third digital digest file H_v and the fused digital digest file data H_v + m_Timestamp together in the trusted storage data authentication area and keeping a backup copy.
As another optional implementation manner, the archive data storage module 2 may specifically include:
a monitoring strategy generation submodule for generating a corresponding monitoring detection strategy for the archive data to be warehoused according to the data classification rules of each rights organization; that is, a rights organization may send its data classification rules to the electronic archive data security system at the same time as it sends a data warehousing request. For the multiple sets of warehousing security archive data stored in the independent trusted warehouse partitions SDisk(n), a fixed-length digital digest file is generated by the hash algorithm (hash function) and a data check code is generated; the data check codes generated for the multiple sets of data for the first time are consistent.
a checking submodule for, each time a check is triggered by the trigger rule of the monitoring detection strategy, generating a fixed-length digital digest file with the hash algorithm for each set of warehousing security archive data stored in the trusted warehouse at a preset frequency, and comparing the digital digest files of the multiple sets of archive data at the same moment for consistency. If the digital digest files of the multiple sets are consistent, each set of warehousing security archive data is free of problems, in a good state, and is trusted data. If the check codes are inconsistent after comparison, that is, at least one check code differs from the others, the warehousing security archive data is under threat; the data state of the set whose check code differs from the others is extracted and displayed as an early warning. In the early warning state, the digital digest files of the multiple sets of archive data generated at this time are compared one by one with the data digest file generated for the first time at warehousing preservation, and the sets whose newly generated digital digest file is the same as the first-generated data digest file are selected as the source for data recovery, that is, data recovery and preservation of the warehousing security archive data; when performing data recovery and preservation, the full time line state of the warehousing security archive data in the system is queried first.
In addition, on the basis of the above embodiment, the archive data storage module 2 may further include an early warning submodule configured to issue an early warning prompt if the data check codes of all sets of warehousing security archive data differ from each other.
Optionally, the archive data utilization module 3 may specifically include:
an identity verification submodule for verifying whether the sender of the data calling instruction is an authorized user, for example by verification through a third-party certification authority;
a data calling submodule for calling the corresponding target warehousing security archive data, target trusted warehousing information data, target solidification data and target fused solidification data according to the index of the batch pipelining data Data_BOM and the index of the association sequence data A_BOM;
a digital digest file merging submodule for generating a fourth digital digest file H_u from the target warehousing security archive data by the hash algorithm, generating a fifth digital digest file H_z from the target trusted warehousing information data by the hash algorithm, and merging the fourth digital digest file H_u and the fifth digital digest file H_z to generate a final digital digest file H_u+H_z;
a consistency check submodule for performing a consistency check between the final digital digest file H_u+H_z and the target solidification data;
a verification submodule for verifying the target solidification data and the target fused solidification data, for example by uploading them to a timestamp service system for verification to obtain a verification result certificate;
a data submission submodule for feeding back the verification result certificate and the target warehousing security archive data to the sender of the data calling instruction for data calling and utilization.
As a preferred embodiment, the archive data exit module 4 may include:
an ex-warehouse calling submodule for, upon receiving a data quit request instruction, calling out of the warehouse the archive data required by the sender of the data quit request instruction. The data retrieval may follow the implementation of the archive data utilization module 3 and is not repeated here. That is, whether the sender of the data quit request instruction is an authorized user may be verified through a third-party certification authority; if so, the corresponding target warehousing security archive data, target trusted warehousing information data, target solidification data and target fused solidification data are retrieved according to the index of the batch pipelining data Data_BOM and the index of the association sequence data A_BOM; a sixth digital digest file is generated by hashing the target warehousing security archive data, a seventh digital digest file is generated by hashing the target trusted warehousing information data, and the sixth and seventh digital digest files are combined to generate a final digital digest file; a consistency check is carried out between the final digital digest file and the target solidification data; the target solidification data and the target fused solidification data are verified, for example by uploading them to a timestamp service system, to obtain a verification result certificate; and finally the verification result certificate and the target warehousing security archive data are processed out of the warehouse.
a data destruction submodule for performing continuous redundant write operations on the target independent trusted storage partition corresponding to the rights organization to which the sender of the data quit request instruction belongs, and destroying the data pointer and the data storage sequence of the target independent trusted storage partition, so that the data is completely deleted;
a resource release submodule for releasing the space capacity occupied by the target independent trusted storage partition; when the archive data of a specific rights organization has been completely withdrawn, the space of its independent trusted storage partition can be released and returned to the resource pool, avoiding wasted resources;
a report generation module for performing security detection on the target independent trusted storage partition with a security monitoring tool and generating a detection report that meets the requirements.
Therefore, the embodiment of the invention can effectively ensure the security of the archive data content and the integrity of the evidential-value maintenance system.
The embodiment of the invention also provides a corresponding method for the electronic archive data security system, so that the system offers more options. In the following, the electronic archive data preservation method provided by the embodiment of the present invention is introduced; the electronic archive data preservation method described below and the electronic archive data preservation system described above may be referred to in a corresponding manner.
Referring to fig. 2, fig. 2 is a schematic flow chart of an electronic archive data preservation method according to an embodiment of the present invention, where the embodiment of the present invention includes the following:
S201: when an archive data warehousing request instruction is received, perform data preprocessing, data verification and data-receiving full-flow recording on the archive data to be warehoused and preserved, to generate warehousing security archive data.
Specifically, the electronic archive data security system can be used for performing data cleaning and sorting, "four properties" (authenticity, integrity, availability, security) detection, trusted storage partition processing, data solidification processing, data security processing, and data-receiving whole-process record keeping and preservation on the archive data to be stored in the warehouse.
S202: and monitoring the data state of the warehousing security file data in real time according to a preset independent detection grading rule, and performing autonomous repair and security on the warehousing security file data according to the full-time line state of the data.
Specifically, the electronic archive data preservation system can be used for setting an independent detection strategy for warehousing preservation archive data according to a grading rule, monitoring the data state in real time and giving out early warning on error data, and can also be used for autonomously repairing and preserving the data by inquiring the full-time line state of the data in the system.
S203: when a data calling instruction sent by an authorized user is received, provide the required warehousing security archive data to the authorized user, and store the corresponding data utilization record.
S204: when a data quit request instruction is received, and the permission file has been verified as correct and the archive data ex-warehouse requester is an authorized user, automatically execute the quit procedure for the required warehousing security archive data.
Taking as an example the rights organization A storing archive Data in the electronic archive data preservation system, the concrete implementation of warehousing, storage, calling and exit of the archive data is described, and may include the following:
optionally, the trusted warehouse partition processing step in S201 may be:
the trusted warehousing platform is independently partitioned according to different rights organizations to form {SDisk(n)}, and the association of each partition with a specific rights organization is established;
the archive Data is sequence-processed to form batch pipelining data Data_BOM, which is stored by batch to the partition where the specific rights organization is located, forming the data {Data + Data_BOM + SDisk(n)}; this data serves as the storage relation information of the archive data in the trusted warehouse;
the archive Data in the rights organization partition {SDisk(n)} is backed up in two sets at the same time.
Optionally, the data curing processing in S201 includes:
a fixed-length digital digest file H_a is generated from the archive Data by the hash algorithm (hash function);
an association is established between the archive Data and the digital digest H_a, generating an association sequence A_BOM, and the data A_BOM is stored independently as directory data for lookup;
a fixed-length digital digest file H_b is generated from the trusted warehousing information data {Data + Data_BOM + SDisk(n)} by the hash algorithm (hash function);
the digital digest H_a and the digital digest H_b are combined to form a new digital digest (H_a+H_b), which is taken as the solidification data.
Optionally, the data saving processing in S201 includes:
the solidification data (H_a+H_b) is fused with the timestamp digital fingerprint n_Timestamp to form the data {(H_a+H_b)+n_Timestamp};
the solidification data (H_a+H_b) and the timestamp data {(H_a+H_b)+n_Timestamp} are stored together in the trusted storage data authentication area, with two backup copies.
Optionally, the step of recording, and keeping the data receiving whole process in S201 may be:
the data cleaning and sorting, the "four properties" (authenticity, integrity, availability and security) detection, the trusted storage partition processing, the data solidification processing and the data preservation processing are all recorded by screen recording, and three digital video recording devices in a triangulation positioning arrangement record the whole operation in real time, forming screen recording data V_S and camera video data V_a, V_b, V_c;
the screen recording data V_S and the camera video data V_a, V_b, V_c are merged to form the data (V_S+V_a+V_b+V_c);
a fixed-length digital digest file H_v is generated from the data (V_S+V_a+V_b+V_c) by the hash algorithm (hash function) and taken as the data-receiving whole-process record real data;
the data-receiving whole-process record real data H_v is fused with the timestamp digital fingerprint m_Timestamp to form {H_v+m_Timestamp};
the data (V_S+V_a+V_b+V_c), the data-receiving whole-process record real data H_v and the timestamp data {H_v+m_Timestamp} are stored together in the trusted warehouse data recording area, with two backup copies.
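The receiving-stage steps of S201 above (partitioning into {SDisk(n)}, sequencing into Data_BOM, the solidification data (H_a+H_b), its fusion with n_Timestamp, and the whole-process recording digest H_v fused with m_Timestamp), together with the data solidification, data security and data recording submodules of the receiving module described earlier, can be exercised end to end. The following Python is an added illustration, not code from the patent or its applicant. SHA-256 as the "hash function", hex-string concatenation as the "+" operation, JSON as the serialization of {Data + Data_BOM + SDisk(n)}, the dictionary-backed warehouse, and the literal timestamp strings are all assumptions:

```python
"""Receiving stage of the preservation scheme: partition, batch index,
solidification, timestamp fusion and whole-process recording (added example)."""
import hashlib
import json
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    """Fixed-length digital digest file. SHA-256 is an assumption; the patent only says 'hash function'."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class TrustedWarehouse:
    partitions: dict = field(default_factory=dict)   # rights organization -> SDisk(n)
    copies: dict = field(default_factory=dict)       # Data_BOM -> the stored sets (original + two backups)
    auth_area: dict = field(default_factory=dict)    # Data_BOM -> solidification record (authentication area)
    record_area: dict = field(default_factory=dict)  # Data_BOM -> whole-process recording record
    directory: dict = field(default_factory=dict)    # A_BOM: Data_BOM <-> H_a association, kept separately
    next_batch: int = 1

    def partition_for(self, authority: str) -> str:
        """One independent trusted partition per rights organization, created on first use."""
        if authority not in self.partitions:
            self.partitions[authority] = f"SDisk({len(self.partitions) + 1})"
        return self.partitions[authority]

    def receive(self, authority: str, archive: bytes, recordings: dict,
                n_timestamp: str, m_timestamp: str) -> str:
        sdisk = self.partition_for(authority)
        data_bom = f"BATCH-{self.next_batch:04d}"   # batch pipelining index Data_BOM (constructed format)
        self.next_batch += 1

        # Trusted warehousing information {Data + Data_BOM + SDisk(n)}; canonical JSON keeps H_b reproducible.
        warehousing_info = json.dumps(
            {"data": archive.hex(), "data_bom": data_bom, "sdisk": sdisk}, sort_keys=True).encode()

        h_a = digest(archive)                       # H_a
        h_b = digest(warehousing_info)              # H_b
        solidified = h_a + h_b                      # (H_a+H_b): concatenation stands in for the patent's '+'
        fused = solidified + "+" + n_timestamp      # (H_a+H_b)+n_Timestamp

        self.directory[data_bom] = h_a              # association sequence A_BOM stored as directory data
        self.copies[data_bom] = [bytes(archive) for _ in range(3)]   # original plus two backup sets
        self.auth_area[data_bom] = {"sdisk": sdisk, "warehousing_info": warehousing_info,
                                    "solidified": solidified, "fused": fused}

        # Whole-process recording: V_S + V_a + V_b + V_c hashed to H_v, then fused with m_Timestamp.
        initial_record = b"".join(recordings[k] for k in ("V_S", "V_a", "V_b", "V_c"))
        h_v = digest(initial_record)
        self.record_area[data_bom] = {"initial_record": initial_record, "h_v": h_v,
                                      "fused": h_v + "+" + m_timestamp}
        return data_bom


def demo() -> dict:
    """Constructed sample run: rights organization A warehouses one archive."""
    wh = TrustedWarehouse()
    archive = b"constructed sample archive content"
    recordings = {"V_S": b"screen-capture-bytes", "V_a": b"cam-a", "V_b": b"cam-b", "V_c": b"cam-c"}
    bom = wh.receive("Authority A", archive, recordings,
                     n_timestamp="2019-11-04T00:00:00Z", m_timestamp="2019-11-04T00:00:05Z")
    return {"warehouse": wh, "data_bom": bom, "archive": archive}
```

Keeping A_BOM in a separate directory and the solidification record in a separate authentication area matters for the later stages: the utilization check recomputes H_u and H_z from the retrieved copies and compares with the stored (H_a+H_b), so the stored digests must not live only beside the data they protect.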
Optionally, the steps of monitoring, early warning, repairing, and preserving in the archive data storage stage in S202 may be:
a monitoring detection strategy for the archive Data is set according to the data grading rule provided by the rights organization; a fixed-length digital digest file is generated from the multiple sets of data stored in the trusted warehouse {SDisk(n)} by the hash algorithm (hash function), and a data check code C_t is generated; the data check codes generated for the multiple sets of data for the first time are consistent;
according to the trigger rule of the monitoring detection strategy, fixed-length digital digest files are periodically regenerated from the multiple sets of data by the hash algorithm (hash function), and new data check codes are generated; taking three sets of archive data as an example, the generated data check codes are C_a, C_b, C_c;
the data check codes C_a, C_b, C_c are compared: if C_a=C_b=C_c, the state of the archive Data is good; if the data check codes C_a, C_b, C_c are inconsistent after comparison, the data state of the archive Data is threatened, the data state of the archive Data is extracted, and an early warning is displayed;
in the early warning state, the digital digest H_a is extracted and compared with the data check codes C_a, C_b, C_c, and the archive Data corresponding to the data check codes that are the same as the digital digest H_a is taken as trusted data to repair and preserve the other inconsistent sets of data.
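The storage-stage steps of S202 above, and the monitoring strategy, checking and early warning submodules of the storage module described earlier, amount to a periodic check-code comparison with repair from whichever set still matches the warehousing-time digest. The following Python is an added illustration, not code from the patent or its applicant; SHA-256 as the hash function and the check interval per classification level are assumptions. It goes slightly beyond the text in one respect: a set is trusted only when its current code equals C_t, so three sets that agree with each other but all differ from C_t raise the early-warning prompt instead of being reported as good:

```python
"""Storage-stage monitoring: periodic check codes, early warning on divergence,
autonomous repair from a set that still matches the warehousing-time digest (added example)."""
import hashlib
from dataclasses import dataclass, field


def check_code(data: bytes) -> str:
    """Data check code: fixed-length digest of one stored set (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


# Constructed grading rule: check interval in seconds per classification level (assumption).
CHECK_INTERVAL_BY_LEVEL = {"public": 86400, "internal": 3600, "confidential": 300}


@dataclass
class GuardedArchive:
    data_bom: str
    level: str
    sets: list                                   # the sets held in SDisk(n); three sets as in the text
    c_t: str = ""                                # C_t: check code recorded at warehousing time
    history: list = field(default_factory=list)  # full time line of monitoring results

    def __post_init__(self):
        codes = {check_code(s) for s in self.sets}
        if len(codes) != 1:
            raise ValueError("all sets must agree at warehousing time")
        self.c_t = codes.pop()

    def interval(self) -> int:
        """Trigger rule of the monitoring detection strategy, derived from the grading rule."""
        return CHECK_INTERVAL_BY_LEVEL[self.level]


def monitor(ga: GuardedArchive, tick: int) -> dict:
    """One scheduled check: regenerate C_a, C_b, C_c and act on the comparison."""
    codes = [check_code(s) for s in ga.sets]
    if len(set(codes)) == 1 and codes[0] == ga.c_t:
        result = {"tick": tick, "state": "good", "repaired": []}
    else:
        # Early warning. Trusted sets are those whose current code still equals C_t
        # (the digest H_a recorded at warehousing), not merely the majority.
        trusted = [i for i, c in enumerate(codes) if c == ga.c_t]
        bad = [i for i, c in enumerate(codes) if c != ga.c_t]
        if not trusted:
            # Every set has drifted: nothing to restore from, so only the early-warning prompt is raised.
            result = {"tick": tick, "state": "alarm", "repaired": []}
        else:
            source = ga.sets[trusted[0]]
            for i in bad:
                ga.sets[i] = source          # autonomous repair and preservation of the bad sets
            result = {"tick": tick, "state": "repaired", "repaired": bad}
    ga.history.append(result)
    return result


def scenario() -> list:
    """Constructed run: clean check, one damaged set, a wrong majority, then all sets drifted."""
    archive = b"constructed archive record"
    ga = GuardedArchive("BATCH-0001", "confidential", [archive, archive, archive])
    out = [monitor(ga, 0)]
    ga.sets[1] = b"bit rot"                           # one set damaged
    out.append(monitor(ga, ga.interval()))
    ga.sets[0] = ga.sets[2] = b"same wrong bytes"     # two sets wrong, the repaired set 1 is right
    out.append(monitor(ga, 2 * ga.interval()))
    ga.sets[:] = [b"x", b"y", b"z"]                   # nothing matches C_t any more
    out.append(monitor(ga, 3 * ga.interval()))
    return out
```

The third step of the scenario is the reason the text compares against H_a rather than taking a vote: with two of three sets altered the same way, a majority rule would overwrite the only intact copy.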
Optionally, the step of the archive data utilization stage of S203 may be:
after trusted identity verification, the processed Data is utilized and called: the archive Data, the trusted warehousing information data {Data + Data_BOM + SDisk(n)}, the solidification data (H_a+H_b) and the timestamp data {(H_a+H_b)+n_Timestamp} are called by the indexes of the batch pipelining data Data_BOM and the association sequence A_BOM;
a fixed-length digital digest file H_u is regenerated from the archive Data by the hash algorithm (hash function), a fixed-length digital digest file H_z is regenerated from the trusted warehousing information data {Data + Data_BOM + SDisk(n)} by the hash algorithm (hash function), the two are combined into (H_u+H_z), and (H_u+H_z) is consistency-checked against (H_a+H_b);
the solidification data (H_a+H_b) and the timestamp data {(H_a+H_b)+n_Timestamp} are uploaded to the timestamp service system for authenticity verification;
the verification result certificate and the archive Data are submitted together for use.
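The utilization-stage steps of S203 above, and the identity verification, consistency check, verification and data submission submodules of the utilization module described earlier, are shown together in the following Python. It is an added illustration, not code from the patent or its applicant. SHA-256 as the hash function, a constructed authorized-user list in place of the third-party certification authority, and an HMAC token in place of the timestamp service's fingerprint (a real service would return a signed timestamp token) are assumptions:

```python
"""Utilization stage: authorize the caller, recompute (H_u+H_z), compare with the
stored (H_a+H_b), verify the timestamp fusion, issue a certificate (added example)."""
import hashlib
import hmac
import json

AUTHORIZED_USERS = {"alice@authority-a.example"}      # constructed stand-in for the certification authority
TSA_SECRET = b"constructed-timestamp-service-key"     # constructed stand-in for the timestamp service


def digest(data: bytes) -> str:
    """Fixed-length digital digest file (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


def tsa_fingerprint(solidified: str, n_timestamp: str) -> str:
    """Simulated timestamp-service fingerprint over (H_a+H_b)+n_Timestamp."""
    return hmac.new(TSA_SECRET, f"{solidified}+{n_timestamp}".encode(), "sha256").hexdigest()


def warehouse_entry(archive: bytes, data_bom: str, sdisk: str, n_timestamp: str) -> dict:
    """What the warehouse holds for one batch, built the same way the receiving stage does."""
    info = json.dumps({"data": archive.hex(), "data_bom": data_bom, "sdisk": sdisk}, sort_keys=True).encode()
    solidified = digest(archive) + digest(info)       # (H_a+H_b)
    return {"data_bom": data_bom, "archive": archive, "info": info, "solidified": solidified,
            "n_timestamp": n_timestamp, "fused": f"{solidified}+{n_timestamp}",
            "tsa_mac": tsa_fingerprint(solidified, n_timestamp)}


def call_archive(entry: dict, user: str, utilization_log: list) -> dict:
    """Identity, consistency and timestamp checks; returns a certificate or a refusal."""
    if user not in AUTHORIZED_USERS:
        return {"ok": False, "reason": "unauthorized user"}
    h_u = digest(entry["archive"])      # H_u regenerated from the retrieved archive data
    h_z = digest(entry["info"])         # H_z regenerated from the retrieved warehousing information
    if h_u + h_z != entry["solidified"]:   # consistency check of (H_u+H_z) against (H_a+H_b)
        return {"ok": False, "reason": "consistency check failed"}
    expected_mac = tsa_fingerprint(entry["solidified"], entry["n_timestamp"])
    fused_ok = entry["fused"] == f"{entry['solidified']}+{entry['n_timestamp']}"
    if not fused_ok or not hmac.compare_digest(expected_mac, entry["tsa_mac"]):
        return {"ok": False, "reason": "timestamp verification failed"}
    certificate = {"data_bom": entry["data_bom"], "digest": h_u + h_z,
                   "timestamp": entry["n_timestamp"], "verified": True}
    utilization_log.append({"user": user, "data_bom": entry["data_bom"]})   # data utilization record
    return {"ok": True, "certificate": certificate, "archive": entry["archive"]}


def scenario() -> list:
    """Constructed run: an authorized call, an unauthorized call, and a call on altered archive data."""
    log = []
    entry = warehouse_entry(b"constructed sample archive", "BATCH-0001", "SDisk(1)", "2019-11-04T00:00:00Z")
    results = [call_archive(entry, "alice@authority-a.example", log),
               call_archive(entry, "mallory@example", log)]
    tampered = dict(entry, archive=b"constructed sample archive (altered)")
    results.append(call_archive(tampered, "alice@authority-a.example", log))
    return results + [log]
```

The checks are ordered so that the identity decision is taken before any stored digest is disclosed, and the utilization record is written only for a call that actually succeeded.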
Optionally, the step of the archive data exit stage in S204 may be:
when a specific rights organization requests an exit procedure for its archive data, the data is fetched out of the warehouse by the method of step S203;
continuous redundant write operations are performed on the independent trusted warehouse partition {SDisk(n)} of the specific rights organization, and the data pointer of the partition is destroyed so as to destroy the archive data storage sequence, completely deleting the data;
once the archive data of the specific rights organization has completely exited, the space of the independent trusted warehouse partition {SDisk(n)} is released and returned to the resource pool;
the partition is detected with a security monitoring tool and a compliance report is issued.
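The exit-stage steps of S204 above, and the data destruction, resource release and report generation submodules of the exit module described earlier, can be reproduced on a file-backed partition image. The following Python is an added illustration, not code from the patent or its applicant; the image file standing in for SDisk(n), the JSON index standing in for the data pointer and storage sequence, and the number of overwrite passes are assumptions. The detection step is run before the space is released, since nothing is readable once the image is unlinked:

```python
"""Exit stage: redundant overwrite of the partition, destruction of its data
pointer, release of the space and a detection report (added example)."""
import hashlib
import json
import os
import secrets
import tempfile

OVERWRITE_PASSES = 3  # random passes before the final zero pass; the patent fixes no count


def _overwrite(path: str, pattern_fn) -> int:
    """Overwrite a file in place with pattern_fn(size) bytes and force it to the medium."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(pattern_fn(size))
        f.flush()
        os.fsync(f.fileno())
    return size


def build_partition(dir_path: str, archives: dict) -> tuple:
    """Lay the archives out contiguously in an image file; the index file is the data pointer."""
    image = os.path.join(dir_path, "SDisk_1.img")
    index_path = os.path.join(dir_path, "SDisk_1.index.json")
    index, offset = {}, 0
    with open(image, "wb") as f:
        for bom, data in archives.items():
            f.write(data)
            index[bom] = {"offset": offset, "length": len(data),
                          "digest": hashlib.sha256(data).hexdigest()}
            offset += len(data)
    with open(index_path, "w") as f:
        json.dump(index, f)
    return image, index_path


def destroy_partition(image: str, index_path: str) -> dict:
    """Continuous redundant writes over the data, then over the index (the storage sequence)."""
    for _ in range(OVERWRITE_PASSES):
        _overwrite(image, secrets.token_bytes)
    size = _overwrite(image, lambda n: bytes(n))
    _overwrite(index_path, lambda n: bytes(n))
    return {"bytes_overwritten": size, "passes": OVERWRITE_PASSES + 1}


def detection_report(image: str, former_index: dict) -> dict:
    """Security detection: no former region may still hash to its original digest."""
    with open(image, "rb") as f:
        content = f.read()
    residual = [bom for bom, e in former_index.items()
                if hashlib.sha256(content[e["offset"]:e["offset"] + e["length"]]).hexdigest()
                == e["digest"]]
    return {"residual_archives": residual, "all_zero": content == bytes(len(content))}


def release(image: str, index_path: str) -> int:
    """Return the partition's space to the resource pool; reports the bytes freed."""
    freed = os.path.getsize(image) + os.path.getsize(index_path)
    os.remove(image)
    os.remove(index_path)
    return freed


def exit_procedure(archives: dict) -> dict:
    """Whole exit flow on a throwaway directory; returns the compliance report."""
    with tempfile.TemporaryDirectory() as d:
        image, index_path = build_partition(d, archives)
        with open(index_path) as f:
            former_index = json.load(f)   # kept in memory only for the detection step
        wipe = destroy_partition(image, index_path)
        report = detection_report(image, former_index)
        freed = release(image, index_path)
    return {**wipe, **report, "bytes_released": freed,
            "compliant": not report["residual_archives"] and report["all_zero"]}
```

In-place overwriting is only meaningful where logical writes reach the same physical blocks as the original data. On flash storage with wear levelling, on copy-on-write file systems, or where snapshots and replicas exist, older copies survive the passes, and a production deployment of this step would rely on device-level sanitize commands or on encrypting each partition and destroying its key.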
Since the method embodiment of the present invention and the system embodiment are based on the same concept, the implementation process and the execution sequence of each step of the method embodiment of the present invention may refer to specific contents such as information interaction and execution process among units in the system, and thus, details are not described here.
Therefore, the embodiment of the invention can effectively ensure the safety, integrity, authenticity and availability of the data content of the electronic file.
The embodiment of the invention also provides electronic archive data security equipment, which specifically comprises:
a memory for storing a computer program;
a processor for executing a computer program to implement the steps of the method for saving electronic archive data as described in any of the above embodiments.
The functions of the functional modules of the electronic archive data preservation device according to the embodiment of the present invention can be specifically implemented according to the method in the above method embodiment, and the specific implementation process may refer to the description related to the above method embodiment, which is not described herein again.
Therefore, the embodiment of the invention can effectively ensure the safety, integrity, authenticity and availability of the data content of the electronic file.
The embodiment of the present invention further provides a computer-readable storage medium in which an electronic archive data security program is stored; when executed by a processor, the electronic archive data security program implements the steps of the electronic archive data security method described in any of the above embodiments. The storage medium may be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, or an optical disk.
The functions of the functional modules of the computer-readable storage medium according to the embodiment of the present invention may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the related description of the foregoing method embodiment, which is not described herein again.
Therefore, the embodiment of the invention can effectively ensure the safety, integrity, authenticity and availability of the data content of the electronic file.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The details of the method, apparatus, device and computer readable storage medium for preserving electronic file data provided by the present invention are described above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present disclosure without departing from the principle of the present invention, and such improvements and modifications also fall within the scope of the claims of the present disclosure.

Claims (9)

1. An electronic archive data security system is characterized by comprising an archive data receiving module, an archive data storage module, an archive data utilization module and an archive data exit module;
the archive data receiving module is used for carrying out data preprocessing, data verification and data receiving full-flow recording on archive data to be warehoused;
the archive data storage module is used for monitoring the data state of the warehouse-in security archive data in real time according to a preset independent detection grading rule and performing autonomous restoration and security on the warehouse-in security archive data according to the full-time line state of the data;
the archive data utilization module is used for providing required warehousing security archive data for authorized users and storing corresponding data utilization records;
the archive data exit module is used for automatically executing the exit procedure for the required warehousing security archive data when the permission file is verified as correct and the archive data ex-warehouse requester is an authorized user;
wherein the archive data storage module comprises:
the monitoring strategy generation submodule is used for generating a corresponding monitoring detection strategy for the archive data to be warehoused according to the data classification rule of each rights organization;
the checking submodule is used for, each time a check is carried out according to the trigger rule of the monitoring detection strategy, generating a fixed-length digital digest file with a hash algorithm at a preset frequency for each set of warehousing security archive data stored in the trusted warehouse, and comparing the digital digest files of the plurality of sets of archive data for consistency; if the digital digest files of the plurality of sets are consistent, each set of archive data is trusted data; if they are inconsistent, the digital digest files of the plurality of sets of archive data generated this time are compared one by one with the data digest file generated for the first time at warehousing preservation, and the sets whose digital digest file is the same as the first-generated data digest file are selected for data recovery.
2. The electronic archival data security system of claim 1, wherein the archival data reception module includes a trusted warehousing partition processing sub-module, the trusted warehousing partition processing sub-module including:
the partition setting unit is used for carrying out partition setting on the trusted storage platform according to different authority mechanisms to generate a plurality of independent trusted storage partitions and establishing the corresponding relation between each independent trusted storage partition and the corresponding authority mechanism;
the serialization processing unit is used for carrying out serialization processing on the to-be-warehoused security archive data to generate batch flow data;
the storage unit is used for storing the batch flow data into a subarea corresponding to the affiliated right organization according to batches to generate credible warehousing information data which is used as storage relation information of the to-be-warehoused security archive data in the credible warehousing platform;
and the backup unit is used for carrying out backup processing on the data stored in each partition.
3. The electronic archival data security system of claim 2, wherein the archival data reception module includes a data solidification sub-module, the data solidification sub-module including:
the first digital abstract file generating unit is used for generating a first digital abstract file with a fixed length from the archive data to be warehoused by a hash algorithm;
the data association unit is used for establishing an association relationship between the archive data to be warehoused and the digital abstract file and generating association sequence data, and the association sequence data is used as directory data to be independently stored for future reference;
the second digital abstract file generating unit is used for generating a second digital abstract file with a fixed length from the trusted warehouse information data by using a hash algorithm;
and the data curing unit is used for merging the first digital abstract file and the second digital abstract file to generate a digital abstract file as curing data.
4. The electronic archival data security system of claim 3, wherein the archival data reception module includes a data security sub-module, the data security sub-module including:
the fusion unit is used for fusing the curing data and the corresponding timestamp digital fingerprint data to generate fused curing data;
and the storage unit is used for storing the solidified data and the fused solidified data into a trusted storage data authentication area and performing backup storage.
5. The electronic archive data preservation system according to claim 4, wherein the archive data receiving module is configured to perform data cleaning and sorting on the archive data to be stored, verify authenticity, integrity, availability and security, perform trusted storage partition processing, perform data solidification processing, and perform recording in a screen recording manner and perform full-process operation recording based on three digital cameras in a triangulation positioning manner during data preservation processing; the data recording submodule of the archival data receiving module comprises:
the data merging unit is used for merging the screen recording data and the video recording data to generate initial recording data;
the record data generating module is used for processing the initial record data by adopting a hash algorithm to generate a third digital abstract file with a fixed length to be used as data receiving full-process record real data;
the data fusion unit is used for fusing the third digital abstract file and the corresponding timestamp digital fingerprint data to generate fused digital abstract file data;
and the data storage unit is used for storing the initial record data, the third digital abstract file and the fused digital abstract file data into the trusted storage data authentication area and performing backup storage.
6. The electronic archival data security system of claim 5, wherein the archival data utilization module includes:
the identity authentication submodule is used for verifying whether a data calling instruction sender is an authorized user;
the data calling sub-module is used for calling corresponding target warehousing security archive data, target credible warehousing information data, target curing data and target fusion curing data according to the indexes of the batch flow data and the indexes of the associated sequence data;
the digital digest file merging submodule is used for generating a fourth digital digest file from the target warehousing security archive data through the hash algorithm, generating a fifth digital digest file from the target trusted warehousing information data through the hash algorithm, and merging the fourth digital digest file and the fifth digital digest file to generate a final digital digest file;
the consistency check submodule is used for carrying out consistency check on the final digital abstract file and the target solidification data;
the verification submodule is used for verifying the target curing data and the target fusion curing data to obtain a verification result certificate;
and the data submission submodule is used for feeding the verification result certificate and the target warehousing security archive data back to the data calling instruction sender.
7. The system of claim 1, wherein the archive data storage module further comprises an early warning submodule configured to issue an early warning prompt if the data check codes of all sets of warehousing security archive data differ from each other.
8. An electronic archival data security system as claimed in any one of claims 1-6, wherein the archival data exit module comprises:
the ex-warehouse calling sub-module is used for carrying out ex-warehouse calling on the archive data required by a data quit request instruction sender when receiving a data quit request instruction;
the data destruction submodule is used for performing continuous redundant write operation on a target independent trusted storage partition corresponding to an authority to which the data quit request instruction sender belongs and destroying a data pointer and a data storage sequence of the target independent trusted storage partition;
the resource release submodule is used for releasing the space capacity occupied by the target independent trusted memory partition;
and the report generation module is used for performing security detection on the target independent trusted storage partition and generating a detection report.
9. An electronic archive data preservation method, characterized by comprising the following steps:
when an archive data deposit request instruction is received, performing data preprocessing, data verification and full-process recording of the data receipt on the archive data to be deposited and preserved, so as to generate deposited archive data (archive data taken into storage and placed under preservation);
monitoring the state of the deposited archive data in real time according to a preset independent detection grading rule, and performing autonomous repair and preservation of the deposited archive data according to the state of the data over its full timeline;
when a data retrieval instruction sent by an authorized user is received, providing the requested deposited archive data to the authorized user and storing the corresponding data utilization record;
when a data withdrawal request instruction is received, and the authorization document has been verified as correct and the requester of the archive data withdrawal is an authorized user, automatically executing the withdrawal procedure for the requested deposited archive data;
wherein the real-time monitoring of the state of the deposited archive data according to the preset independent detection grading rule, and the autonomous repair and preservation of the deposited archive data according to the state of the data over its full timeline, comprise:
generating a corresponding monitoring and detection strategy for the archive data to be deposited according to the data classification rule of each authority;
each time a check is triggered by the trigger rule of the monitoring and detection strategy, generating, at the preset frequency, a fixed-length digest file by applying a hash algorithm to each copy of the deposited archive data stored in the trusted repository, and comparing the digest files of the multiple copies with one another for consistency; if the digest files of the multiple copies are consistent, each copy of the archive data is taken to be trusted data; if the digest files of the multiple copies generated in this check are inconsistent with the digest file first generated at the time of deposit and preservation, comparing the digest file of each copy one by one against that first-generated digest file, and selecting the copy whose digest file matches the first-generated digest file as the source for data recovery.
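The multi-copy digest check and recovery step of claim 9, as an added example written for this page (not the patentee's code): SHA-256 is used as the hash algorithm because the claim does not name one, the in-memory replica store, the sample record and the report fields are assumptions, and the example goes one step beyond the claim by reporting the case in which no copy matches the first-generated digest instead of recovering from a guess.

```python
"""Added example, not the patent's code: the digest-based multi-copy check and
recovery step of claim 9, using SHA-256 as the hash algorithm (the claim does
not name one). Replica layout, the in-memory store and the report fields are
assumptions."""
import hashlib

# Constructed sample archive record used as the deposited data.
SAMPLE_RECORD = b"archive no. 2019-0001: constructed sample payload\n" * 8


def digest(data: bytes) -> str:
    """Fixed-length digest 'file' for one copy of the data."""
    return hashlib.sha256(data).hexdigest()


def deposit(data: bytes, copies: int = 3) -> dict:
    """Deposit step: keep `copies` replicas in the trusted repository and record
    the first-generated digest, which every later check is anchored to."""
    return {"baseline": digest(data), "replicas": [bytes(data) for _ in range(copies)]}


def replicas_agree(store: dict) -> bool:
    """The claim's first test: do the digests of all copies match one another?"""
    return len({digest(r) for r in store["replicas"]}) == 1


def check_and_repair(store: dict) -> dict:
    """One monitoring pass. Compares each copy's digest with the digest first
    generated at deposit; copies that match are trusted, copies that differ are
    restored from a matching copy. Returns a report with
    status: 'trusted' | 'repaired' | 'unrecoverable'."""
    baseline = store["baseline"]
    digests = [digest(r) for r in store["replicas"]]
    good = [i for i, d in enumerate(digests) if d == baseline]
    corrupt = [i for i, d in enumerate(digests) if d != baseline]
    if not corrupt:
        return {"status": "trusted", "corrupt": [], "source": None}
    if not good:
        # Every copy differs from the first-generated digest: nothing inside
        # this repository can serve as a recovery source, so escalate.
        return {"status": "unrecoverable", "corrupt": corrupt, "source": None}
    source = store["replicas"][good[0]]
    for i in corrupt:
        store["replicas"][i] = bytes(source)
    return {"status": "repaired", "corrupt": corrupt, "source": good[0]}


if __name__ == "__main__":
    s = deposit(SAMPLE_RECORD)
    s["replicas"][1] = s["replicas"][1][:-1] + b"!"   # simulate bit rot on copy 1
    print(check_and_repair(s))                        # repaired from copy 0
```

Agreement among the copies alone is not evidence of integrity: three copies rewritten identically still agree with one another while all differing from the baseline, which is why check_and_repair compares every copy to the first-generated digest rather than only to its siblings. That baseline is only worth as much as its own storage; it has to be kept where whoever can alter the replicas cannot also rewrite it, which this example leaves to the surrounding system.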
CN201911065982.1A 2019-11-04 2019-11-04 Electronic file data security system and method Active CN110795766B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911065982.1A CN110795766B (en) 2019-11-04 2019-11-04 Electronic file data security system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911065982.1A CN110795766B (en) 2019-11-04 2019-11-04 Electronic file data security system and method

Publications (2)

Publication Number Publication Date
CN110795766A CN110795766A (en) 2020-02-14
CN110795766B true CN110795766B (en) 2022-04-08

Family

ID=69442535

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911065982.1A Active CN110795766B (en) 2019-11-04 2019-11-04 Electronic file data security system and method

Country Status (1)

Country Link
CN (1) CN110795766B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101122981A (en) * 2007-08-14 2008-02-13 杜至波 Public security document management system
CN102339370B (en) * 2011-09-14 2016-04-13 福建伊时代信息科技股份有限公司 The security method of electronic document, safety system and verification system
CN103530570B (en) * 2013-09-24 2016-08-17 国家电网公司 A kind of electronic document safety management system and method
EP3183680B1 (en) * 2014-08-18 2018-03-21 Csík, Balázs Methods for digitally signing an electronic file, and authenticating method
CN104331762B (en) * 2014-10-22 2018-01-19 刘品新 A kind of anti-tamper archives food safety trace back system
CN105023372B (en) * 2015-06-29 2019-05-31 上海新建设工程咨询有限公司 Archive management method

Also Published As

Publication number Publication date
CN110795766A (en) 2020-02-14

Similar Documents

Publication Publication Date Title
CN110826111B (en) Test supervision method, device, equipment and storage medium
US20200012806A1 (en) Atomic capture of a set of related files, using a distributed ledger, for proof of authenticity
US10354348B2 (en) Digital evidence management
CN110197085B (en) Document anti-tampering method based on fabric alliance chain
CN111581659B (en) Method and device for calling electronic evidence
CN114707043B (en) File management method and system based on meta-universe block chain technology
US20200234375A1 (en) Protecting against data loss
CN112084474A (en) Enterprise archive management method, system, storage medium and electronic equipment
US20200278948A1 (en) Method, apparatus and system for managing electronic fingerprint of electronic file
CN116226865A (en) Security detection method, device, server, medium and product of cloud native application
CN110795766B (en) Electronic file data security system and method
US20200134215A1 (en) Object storage for guaranteed content for backup and retention
CN113919006A (en) Method, equipment and computer storage medium for protecting data integrity
EP3742367A1 (en) Method for determining information integrity and computer system using the same
CN117874809A (en) File security early warning method and system
CN114462998A (en) Log tamper-proofing method, system and storage medium
CN112395476A (en) Engineering data management method
CN113378239B (en) Data content right confirming method and system
CN115795565A (en) Log tamper-proofing method, device, equipment and storage medium
CN106656865A (en) Method and system for managing linked list resource
KR102357482B1 (en) Method for transmission of integrity guarantee traffic accident information based on blockchain
CN111385511B (en) Video data processing method and device and video recording equipment
CN115860696B (en) Electronic job ticket management method and system based on block chain
CN116382596B (en) Space-time big data storage method and system based on distributed technology
CN113724080B (en) Structured data right-determining method for electric power system trading platform

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant