CN112016130A - Terminal data leakage protection method - Google Patents

Terminal data leakage protection method Download PDF

Info

Publication number
CN112016130A
CN112016130A CN202010842278.9A CN202010842278A CN112016130A CN 112016130 A CN112016130 A CN 112016130A CN 202010842278 A CN202010842278 A CN 202010842278A CN 112016130 A CN112016130 A CN 112016130A
Authority
CN
China
Prior art keywords
file
terminal
encryption
data leakage
files
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010842278.9A
Other languages
Chinese (zh)
Inventor
郭希红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Yinhe Storage Blockchain Co ltd
Original Assignee
Hangzhou Yinhe Storage Blockchain Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Yinhe Storage Blockchain Co ltd filed Critical Hangzhou Yinhe Storage Blockchain Co ltd
Priority to CN202010842278.9A priority Critical patent/CN112016130A/en
Publication of CN112016130A publication Critical patent/CN112016130A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a terminal data leakage protection method, which is characterized in that a UUID identification code is installed on a terminal, an installation path is hidden, and installation directory access and tampering are limited; opening a file at a terminal provided with the UUID identification code, and decrypting the file; encrypting the function of the file generated in operation automatically in real time; when the file in the terminal is opened by separating from the terminal environment, the opening is invalid, and if a malicious program is used for forcibly opening the file, the file is immediately and automatically destroyed or opened or is messy code. The method can implement automatic encryption protection on the whole process of the file, has the characteristics of forced encryption, automatic encryption, real-time encryption, dynamic encryption, invisible encryption and lossless encryption, and can automatically encrypt and decrypt the file without user intervention in the editing and using processes of the file.

Description

一种终端数据泄漏防护方法A method for preventing data leakage of terminal

技术领域technical field

本发明涉及数据防护领域,尤其涉及一种终端数据泄漏防护方法。The invention relates to the field of data protection, in particular to a terminal data leakage protection method.

背景技术Background technique

通常,信息安全防护体系是由服务器、网络和终端三个环节组成,Usually, the information security protection system is composed of three links: server, network and terminal.

任何一个环节的安全缺失都会使安全防护形同虚设。也就是说,服务端、网络和终端三个环节必须形成安全闭环。The lack of security in any link will make the security protection useless. That is to say, the three links of server, network and terminal must form a security closed loop.

然而,在信息安全体系中,最薄弱环节是终端安全防护。目前,终端安全防护的技术手段极为有限,终端存在诸多安全隐患,其中最大的问题是终端普遍存在数据泄露风险。However, in the information security system, the weakest link is the terminal security protection. At present, the technical means of terminal security protection are extremely limited, and there are many security risks in the terminal. The biggest problem is that the terminal generally has the risk of data leakage.

近些年来,在所有的的泄密事件中,大部分是“内部泄密”,而不是“外部窃密”。据统计,80%以上的信息泄露事件是由内部员工数据泄露导致的。In recent years, most of the leaks are "internal leaks" rather than "external thefts". According to statistics, more than 80% of information leakage incidents are caused by internal employee data leakage.

由此可见,防内部人员数据泄漏才是信息安全解决方案的重中之重,也就是说,如果信息安全体系中缺失终端数据泄漏防护,尤其是内部人员的数据泄漏防护,那就是不完整的方案,存在极大安全隐患。It can be seen that preventing data leakage of internal personnel is the top priority of information security solutions. That is to say, if the information security system lacks terminal data leakage protection, especially the data leakage protection of internal personnel, it is incomplete. There are great security risks.

发明内容SUMMARY OF THE INVENTION

本发明的目的是针对现有技术的缺陷,提供了一种终端数据泄漏防护方法。The purpose of the present invention is to provide a terminal data leakage protection method aiming at the defects of the prior art.

为了实现以上目的,本发明采用以下技术方案:In order to achieve the above purpose, the present invention adopts the following technical solutions:

一种终端数据泄漏防护方法,包括以下步骤:A terminal data leakage prevention method, comprising the following steps:

S1、在终端安装UUID识别码,并隐藏安装路径,限制安装目录访问并限制篡改;S1. Install the UUID identification code on the terminal, hide the installation path, restrict access to the installation directory and restrict tampering;

S2、在已安装UUID识别码的终端打开文件,对文件解密;S2. Open the file in the terminal where the UUID identification code has been installed, and decrypt the file;

S3、对运行中产生的文件实时自动的函数加密;S3. Real-time automatic function encryption for files generated during operation;

S4、当终端内的文件脱离终端环境打开时,显示打开无效,S4. When the file in the terminal is opened out of the terminal environment, it is displayed that the opening is invalid.

S5、若步骤S4中使用恶意程序强制打开文件即立即自动销毁或者打开或为乱码。S5. If a malicious program is used in step S4 to forcibly open the file, it will be automatically destroyed immediately or opened or garbled.

进一步的,所述步骤S3中操作文件包括临时文件、随机文件、导出文件和保存后文件。Further, the operation files in the step S3 include temporary files, random files, export files and saved files.

进一步的,所述终端还包括设置权限白名单以及文档分组白名单。Further, the terminal further includes setting a permission whitelist and a document grouping whitelist.

进一步的,所述权限白名单包括根据行政级别划分不同的等级组名单。高级别组可审阅低级别组密文,低级别组不能打开高级别组的密文。Further, the authority whitelist includes a list of different level groups divided according to administrative levels. The high-level group can review the ciphertext of the low-level group, and the low-level group cannot open the ciphertext of the high-level group.

进一步的,所述文档分组白名单包括最高级别管理组、部门组及即时项目组。Further, the document grouping whitelist includes the highest-level management group, department group and instant project group.

进一步的,所述终端内的文件还包括指定文件外发管理步骤,包括设置文档在终端外的打开密码、打开次数、过期时间。Further, the file in the terminal also includes a designated file outsourcing management step, including setting the opening password, opening times, and expiration time of the document outside the terminal.

进一步的,所述终端中的UUID识别码对应有唯一解码秘钥。Further, the UUID identification code in the terminal corresponds to a unique decoding key.

采用本发明技术方案,本发明的有益效果为:本发明方法能够对文件全过程实施自动加密保护,具有强制加密、自动加密、实时加密、动态加密、隐形加密和无损加密的特点,在文件编辑和使用过程中,加密和解密是自动进行的,无需用户干预。本方法通过各种权限的设置方便不同权限对终端文件的操作。同时本方法还使得终端具有防文件外泄的功能,进一步避免了文件的泄露。By adopting the technical scheme of the present invention, the beneficial effects of the present invention are: the method of the present invention can implement automatic encryption protection for the whole process of the file, and has the characteristics of forced encryption, automatic encryption, real-time encryption, dynamic encryption, invisible encryption and lossless encryption. And during use, encryption and decryption are performed automatically without user intervention. The method facilitates the operation of terminal files with different permissions through the setting of various permissions. At the same time, the method also enables the terminal to have the function of preventing file leakage, thereby further avoiding the leakage of files.

附图说明Description of drawings

图1是本发明提供的一种终端数据泄漏防护方法流程图。FIG. 1 is a flowchart of a method for preventing data leakage of a terminal provided by the present invention.

具体实施方式Detailed ways

以下通过特定的具体实例说明本发明的实施方式,本领域技术人员可由本说明书所揭露的内容轻易地了解本发明的其他优点与功效。本发明还可以通过另外不同的具体实施方式加以实施或应用,本说明书中的各项细节也可以基于不同观点与应用,在没有背离本发明的精神下进行各种修饰或改变。需说明的是,在不冲突的情况下,以下实施例及实施例中的特征可以相互组合。The embodiments of the present invention are described below through specific specific examples, and those skilled in the art can easily understand other advantages and effects of the present invention from the contents disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments, and various details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of the present invention. It should be noted that the following embodiments and features in the embodiments may be combined with each other under the condition of no conflict.

需要说明的是,以下实施例中所提供的图示仅以示意方式说明本发明的基本构想,遂图式中仅显示与本发明中有关的组件而非按照实际实施时的组件数目、形状及尺寸绘制,其实际实施时各组件的型态、数量及比例可为一种随意的改变,且其组件布局型态也可能更为复杂。It should be noted that the drawings provided in the following embodiments are only used to illustrate the basic concept of the present invention in a schematic way, so the drawings only show the components related to the present invention rather than the number, shape and number of components in actual implementation. For dimension drawing, the type, quantity and proportion of each component can be changed at will in actual implementation, and the component layout may also be more complicated.

实施例一、Embodiment 1.

如图所示,一种终端数据泄漏防护方法,包括以下步骤:As shown in the figure, a terminal data leakage prevention method includes the following steps:

S1、在终端安装UUID识别码,并隐藏安装路径,限制安装目录访问并限制篡改;S1. Install the UUID identification code on the terminal, hide the installation path, restrict access to the installation directory and restrict tampering;

S2、在已安装UUID识别码的终端打开文件,对文件解密;S2. Open the file in the terminal where the UUID identification code has been installed, and decrypt the file;

S3、对运行中产生的文件实时自动的函数加密;所述步骤S3中操作文件包括临时文件、随机文件、导出文件和保存后文件。S3. Real-time automatic function encryption of the files generated during the operation; in the step S3, the operation files include temporary files, random files, export files and saved files.

S4、当终端内的文件脱离终端环境打开时,显示打开无效,S4. When the file in the terminal is opened out of the terminal environment, it is displayed that the opening is invalid.

S5、若步骤S4中使用恶意程序强制打开文件即立即自动销毁或者打开或为乱码。S5. If a malicious program is used in step S4 to forcibly open the file, it will be automatically destroyed immediately or opened or garbled.

该方法无论另存为什么样的文件名称,转换为什么样的文件格式,都会受到严格的加密保护,即使使用某些文件恢复工具也无法得到加密文档的明文内容。未经授权,即使文档作者本人也无法获取文档内容。No matter what file name is saved in this method or what file format is converted, it will be protected by strict encryption, and even if some file recovery tools are used, the plaintext content of the encrypted document cannot be obtained. Without authorization, even the author of the document cannot access the content of the document.

本方法文档在终端经权限许可后如常使用,无需手工加解密,在外无法使用,从根本上防止资料外泄,加密的文件在环境内正常使用,离开环境即失效。This method document is used as usual after the terminal is authorized by the authority, without manual encryption and decryption, and cannot be used outside. It fundamentally prevents data leakage. The encrypted file is used normally in the environment, and it will be invalid when it leaves the environment.

本方法有效的防内部人员数据泄漏,尤其是防止内部人员的数据泄漏防护,避免了涉密文件的存在的安全隐患。特别适用于例如,软件公司的程序源代码、工程设计公司的图纸文件、制造企业的工 艺和配方、军工企业涉及的军事秘密等 ,一旦流失到企业外部、竞争 对手或敌对势力手里,将造成无法估量的损失。The method can effectively prevent the data leakage of internal personnel, especially the data leakage protection of internal personnel, and avoid the potential security risks of the existence of confidential documents. It is especially suitable for, for example, the program source code of a software company, the drawing files of an engineering design company, the process and formula of a manufacturing company, and the military secrets involved in a military industrial enterprise. Once lost to the outside of the company, competitors or hostile forces, it will cause Immeasurable loss.

并且本方法实现了无感自动加密功能,能够将文件全过程实施自动加密保护,具有强制加密、自动加密、实时加密、动态加密、隐形加密和无损加密的特点,在文件编辑和使用过程中,加密和解密是自动进行的,无需用户干预,用户实际上是无知觉的。无感解密不需要明文过渡,在磁盘上不生成明文。加密的文件一旦离开使用环境,无法打开或打开是乱码。 无感加密从根源上解决文档安全问题。And the method realizes the function of non-sensing automatic encryption, can implement automatic encryption protection for the whole process of the file, and has the characteristics of forced encryption, automatic encryption, real-time encryption, dynamic encryption, invisible encryption and lossless encryption. Encryption and decryption are performed automatically without user intervention, and the user is virtually unaware. Senseless decryption does not require transition of plaintext and does not generate plaintext on disk. Once the encrypted file leaves the environment, it cannot be opened or it is garbled. Senseless encryption solves document security problems from the root.

UUID 是 通用唯一识别码(Universally Unique Identifier)的缩写,是一种软件建构的标准,亦为开放软件基金会组织在分布式计算环境领域的一部分。其目的,是让分布式系统中的所有元素,都能有唯一的辨识信息,而不需要通过中央控制端来做辨识信息的指定。如此一来,每个人都可以创建不与其它人冲突的UUID。在这样的情况下,就不需考虑数据库创建时的名称重复问题。所述终端中的UUID识别码对应有唯一解码秘钥。UUID is the abbreviation of Universally Unique Identifier, a standard for software construction and a part of the Open Software Foundation in the field of distributed computing environments. The purpose is to allow all elements in the distributed system to have unique identification information, without the need to specify identification information through the central control terminal. This way, everyone can create UUIDs that don't conflict with everyone else. In such a case, there is no need to consider the problem of duplication of names when the database is created. The UUID identification code in the terminal corresponds to a unique decoding key.

实施例二、Embodiment two,

在终端安装UUID识别码,并隐藏安装路径,限制安装目录访问并限制篡改后,再再终端设置权限白名单以及文档分组白名单。Install the UUID identifier on the terminal, hide the installation path, restrict access to the installation directory and restrict tampering, and then set the permission whitelist and document grouping whitelist on the terminal.

优选的是两者同时设置,不仅便于日常操作,也更便于文档管理,以及操作员直接的分级协调。It is preferable to set both at the same time, which is not only convenient for daily operation, but also more convenient for document management and direct hierarchical coordination of operators.

所述权限白名单包括根据行政级别划分不同的等级组名单。例如,高级别组可审阅低级别组密文,低级别组不能打开高级别组的密文。并且还可设置不同级别的修改权限、是否允许外带文件权限,等等不同种类操作之间的权限。根据文档本身的性质,可一对一的设置各种不同等级的不同操作。The authority whitelist includes a list of different level groups divided according to administrative levels. For example, the high-level group can review the ciphertext of the low-level group, but the low-level group cannot open the ciphertext of the high-level group. And you can also set different levels of modification permissions, whether to allow external file permissions, and other permissions between different types of operations. Depending on the nature of the document itself, various operations at different levels can be set on a one-to-one basis.

其中,所述文档分组白名单包括最高级别管理组、部门组及即时项目组。例如按部门划分,可设置组内密文互通或不通不同工作组,密文不能相互访问。再例如,最高级别管理组用于不同工作组之间进行受控的密文交换,有参与该交流组的人员,才能访问该交流组的文件,交流组可随需创建,使得跨部门的项目工作可以非常方便的进行开展。Wherein, the document grouping whitelist includes the highest-level management group, department group and instant project group. For example, according to the division, it is possible to set the ciphertext in the group to communicate or not to communicate with different work groups, and the ciphertext cannot access each other. For another example, the highest-level management group is used for controlled ciphertext exchange between different working groups. Only those who participate in the exchange group can access the files of the exchange group. The exchange group can be created on demand, enabling cross-departmental projects. Work can be carried out very easily.

实施例三、Embodiment three,

在上述实施例一或实施例二的基础上,所述终端内的文件还包括指定文件外发管理步骤,包括设置文档在终端外的打开密码、打开次数、过期时间。非常方便密文的外出办公所需,可携带文档外出工作,时刻保证文档只存于受保护密盘上。On the basis of the above Embodiment 1 or Embodiment 2, the file in the terminal further includes a designated file outgoing management step, including setting the opening password, opening times, and expiration time of the document outside the terminal. It is very convenient for ciphertext to go out to work, and can carry documents to work, and always ensure that the documents are only stored on the protected secret disk.

注意,上述仅为本发明的较佳实施例及所运用技术原理。本领域技术人员会理解,本发明不限于这里所述的特定实施例,对本领域技术人员来说能够进行各种明显的变化、重新调整和替代而不会脱离本发明的保护范围。因此,虽然通过以上实施例对本发明进行了较为详细的说明,但是本发明不仅仅限于以上实施例,在不脱离本发明构思的情况下,还可以包括更多其他等效实施例, 而本发明的范围由所附的权利要求范围决定。Note that the above are only preferred embodiments of the present invention and applied technical principles. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described herein, and various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the protection scope of the present invention. Therefore, although the present invention has been described in detail through the above embodiments, the present invention is not limited to the above embodiments, and can also include more other equivalent embodiments without departing from the concept of the present invention. The scope is determined by the scope of the appended claims.

Claims (7)

1. A terminal data leakage protection method is characterized by comprising the following steps:
s1, installing a UUID identification code at the terminal, hiding the installation path, limiting the access of the installation directory and limiting the tampering;
s2, opening the file at the terminal with the UUID identification code installed, and decrypting the file;
s3, encrypting the function of the file generated in the operation automatically in real time;
s4, when the file in the terminal is opened out of the terminal environment, displaying the opening invalidity,
s5, if the file is forced to be opened by the malicious program in the step S4, the file is immediately and automatically destroyed or opened or is messy code.
2. The method for protecting terminal data leakage according to claim 1, wherein the operation files in step S3 include temporary files, random files, export files and saved files.
3. The method for protecting data leakage of a terminal according to claim 1, wherein the terminal further comprises a set authority white list and a document grouping white list.
4. The method as claimed in claim 3, wherein the permission white list includes different hierarchical group lists according to administrative levels.
5. The method as claimed in claim 3, wherein the document grouping white list includes a top management group, a department group and an instant project group.
6. The method for protecting data leakage of a terminal according to claim 1, wherein the file in the terminal further comprises a step of specifying file outgoing management, which comprises setting an open password, open times and expiration time of the file outside the terminal.
7. The method as claimed in claim 1, wherein the UUID id of the terminal is associated with a unique decoding key.
CN202010842278.9A 2020-08-20 2020-08-20 Terminal data leakage protection method Pending CN112016130A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010842278.9A CN112016130A (en) 2020-08-20 2020-08-20 Terminal data leakage protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010842278.9A CN112016130A (en) 2020-08-20 2020-08-20 Terminal data leakage protection method

Publications (1)

Publication Number Publication Date
CN112016130A true CN112016130A (en) 2020-12-01

Family

ID=73505300

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010842278.9A Pending CN112016130A (en) 2020-08-20 2020-08-20 Terminal data leakage protection method

Country Status (1)

Country Link
CN (1) CN112016130A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716354A (en) * 2012-10-09 2014-04-09 苏州慧盾信息安全科技有限公司 Security protection system and method for information system
CN103778384A (en) * 2014-02-24 2014-05-07 北京明朝万达科技有限公司 Identity authentication based virtual terminal safety environment protection method and system
CN105631357A (en) * 2015-12-22 2016-06-01 洛阳师范学院 System and method for protecting information security of mobile terminals
CN110896400A (en) * 2019-12-03 2020-03-20 厦门一通灵信息科技有限公司 Data anti-disclosure access system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716354A (en) * 2012-10-09 2014-04-09 苏州慧盾信息安全科技有限公司 Security protection system and method for information system
CN103778384A (en) * 2014-02-24 2014-05-07 北京明朝万达科技有限公司 Identity authentication based virtual terminal safety environment protection method and system
CN105631357A (en) * 2015-12-22 2016-06-01 洛阳师范学院 System and method for protecting information security of mobile terminals
CN110896400A (en) * 2019-12-03 2020-03-20 厦门一通灵信息科技有限公司 Data anti-disclosure access system

Similar Documents

Publication Publication Date Title
JP3640338B2 (en) Secure electronic data storage and retrieval system and method
TWI532355B (en) Trustworthy extensible markup language for trustworthy computing and data services
CN101710380B (en) Electronic file security protection method
JP4759513B2 (en) Data object management in dynamic, distributed and collaborative environments
CN101944168B (en) Electronic file authority control and management system
US20140156991A1 (en) Method and system for securing electronic data
CN103268456B (en) Method and device for file safety control
KR20000047643A (en) System for electronic repository of data enforcing access control on data search and retrieval
CN101098224B (en) Method for encrypting/deciphering dynamically data file
CN102156844A (en) Implementation method of electronic document on-line/off-line safety management system
KR20010088917A (en) Method of protecting digital information and system thereof
CN101848207A (en) Information-leakage prevention system based on integrated control management
CN105740725A (en) File protection method and system
CN112822178A (en) Business cooperative data sharing and privacy protection method based on block chain
CN116232704B (en) A data controlled access method and system based on XACML and smart contract
CN1819590A (en) Enciphering method of computer electronic documents
CN104376270A (en) File protection method and system
CN100596056C (en) A method for realizing safe access to digital information
CN111083135A (en) Method for processing data by gateway and security gateway
CN100543762C (en) Computer Aided Design Data Encryption Protection Method Based on Hardware Environment
CN101339589B (en) Method for implementing information safety by dummy machine technology
CN105516056B (en) encrypted file protection system and protection method thereof
CN112016130A (en) Terminal data leakage protection method
CN109033872A (en) A kind of secure operating environment building method of identity-based
JP4192738B2 (en) Electronic document editing device, electronic document editing program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201201

RJ01 Rejection of invention patent application after publication