CN114091049A - File viewing method and device - Google Patents

File viewing method and device Download PDF

Info

Publication number
CN114091049A
Authority
CN
China
Prior art keywords
target
file
application
secret
secure
Prior art date
Legal status
Pending
Application number
CN202111175871.3A
Other languages
Chinese (zh)
Inventor
武增顺
Current Assignee
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The application discloses a file viewing method and a file viewing device, and belongs to the technical field of electronics. The file viewing method provided by the embodiment of the application includes the following steps: when a target application accesses a target secure file in a secure file management application, if the target application has a target authority, acquiring the key of the target secure file; and decrypting the target secure file based on the key to obtain a decrypted file. The secure file management application is used for storing and managing secure files, and the target authority is the access right to the target secure file in the secure file management application.

Description

File viewing method and device
Technical Field
The application belongs to the technical field of electronics, and particularly relates to a file viewing method and a file viewing device.
Background
At present, most electronic devices are provided with a "file locker", which is essentially a secure file management application for storing and managing secure files; the secure files stored in the "file locker" are encrypted private files.
In the related art, if a user wants to view secure files stored in the "file locker", the user needs to access the "file locker" with a third-party application. However, when the third-party application accesses the "file locker", actions such as reading the files and caching data may cause data leakage, so the overall security is poor.
Disclosure of Invention
The embodiment of the application aims to provide a file viewing method and a file viewing device that can solve the problem of data leakage that exists in the related art when a third-party application is used to access a file locker.
In a first aspect, an embodiment of the present application provides a file viewing method, which includes: when a target application accesses a target secure file in a secure file management application, if the target application has a target authority, acquiring the key of the target secure file; and decrypting the target secure file based on the key to obtain a decrypted file. The secure file management application is used for storing and managing secure files, and the target authority is the access right to the target secure file in the secure file management application.
In a second aspect, an embodiment of the present application provides a file viewing apparatus, which includes an acquisition module, a storage module and a processing module. The acquisition module is used for acquiring the key of a target secure file if the target application has a target authority when the target application accesses the target secure file in a secure file management application; the execution module is used for decrypting the target secure file based on the key acquired by the acquisition module to obtain a decrypted file. The secure file management application is used for storing and managing secure files, and the target authority is the access right to the target secure file in the secure file management application.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a processor, a memory, and a program or instructions stored on the memory and executable on the processor, and when executed by the processor, the program or instructions implement the steps of the method according to the first aspect.
In a fourth aspect, embodiments of the present application provide a readable storage medium, on which a program or instructions are stored, which when executed by a processor implement the steps of the method according to the first aspect.
In a fifth aspect, an embodiment of the present application provides a chip, where the chip includes a processor and a communication interface, where the communication interface is coupled to the processor, and the processor is configured to execute a program or instructions to implement the method according to the first aspect.
In the embodiment of the present application, when a target application accesses a target secure file in a secure file management application, if the target application has a target authority (that is, the access right to the target secure file in the secure file management application), the key of the target secure file can be acquired, so that the target secure file can be decrypted based on the key to obtain a decrypted file. Access to the secure file management application is thereby restricted, so that only authorized applications are allowed to view the plaintext of secure files in the secure file management application, which further ensures the security of those files.
Drawings
FIG. 1 is a schematic diagram of a system architecture to which a file viewing method provided in an embodiment of the present application is applied;
FIG. 2 is a flowchart illustrating a file viewing method according to an embodiment of the present disclosure;
FIG. 3 is a second flowchart of a document viewing method according to an embodiment of the present application;
FIG. 4 is a third flowchart of a document viewing method according to an embodiment of the present application;
FIG. 5 is a fourth flowchart of a document viewing method according to an embodiment of the present application;
FIG. 6 is a fifth flowchart illustrating a document viewing method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a document viewing apparatus provided in an embodiment of the present application;
FIG. 8 is a second schematic structural diagram of a document viewing apparatus according to an embodiment of the present application;
FIG. 9 is a second schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 10 is a second schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present disclosure.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that embodiments of the application may be practiced in sequences other than those illustrated or described herein, and that the terms "first," "second," and the like are generally used herein in a generic sense and do not limit the number of terms, e.g., the first term can be one or more than one. In addition, "and/or" in the specification and claims means at least one of connected objects, a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
The secure file management application in the embodiments of the present application may be called a "file locker". The secure file management application is used for storing and managing secure files.
Referring to FIG. 1, FIG. 1 is a schematic diagram of the system architecture to which the technical solution provided by the embodiment of the present application is applied. Illustratively, the system architecture includes the following parts:
File manager: used for storing the user's files and providing an entrance through which the user can move files into the file locker;
File locker (i.e., the secure file management application in this application): comprises a file cabinet, a control module, a storage module and a data processing module; the file cabinet is used for storing and managing the user's secure files, controlling file encryption and decryption, and authorizing a specified application (such as an APP) to access a specified secure file in the file locker;
Sandbox (i.e., the target storage space in this application): an APP that accesses the file locker must run in a corresponding sandbox, and all of the APP's running data and permission data are stored in the sandbox, so that the APP is isolated from the file locker (in network and file access permissions). When an APP's sandbox is authorized by the file locker, the APP can access specific secure files in the file locker. When the sandbox's authorization is cancelled, all data of the sandbox and of the APP linked to it is destroyed directly, which prevents the APP from taking data out of the file locker and causing a privacy leak.
Data encryption and decryption engine: located at the underlying system layer and controlled by the file locker, which provides it with the key; files can be encrypted and decrypted based on that key. Typically, the data encryption and decryption engine has access to the sandbox, the file locker and the file manager described above.
Memory: used for storing the files and related data.
Exemplarily, referring to FIG. 1, it can be seen that the system architecture shown in FIG. 1 involves at least 5 processes of the technical solution provided by the present application:
Procedure 1 (security request):
1) the user moves a file from the file manager into the file locker, and the file is encrypted and stored;
2) the user decrypts an encrypted file in the file locker and then moves it out to the file manager for storage.
Procedure 2 (key management):
1) after obtaining the user's authorization, the file locker provides the encryption key and the authorization information of the file to the data encryption and decryption engine;
2) after the user cancels the authorization, the file locker revokes the key and the authorization information provided to the data encryption and decryption engine.
Flow 3 (file encryption and decryption):
1) when a file is moved into the file locker, the data is encrypted by the data encryption and decryption engine and then synchronized to the memory;
2) when a file is moved out of the file locker, the data is decrypted by the data encryption and decryption engine and then synchronized to the memory.
Flow 4 (authorization control):
1) when the user needs to use a file in the file locker, if the app accessing the file locker is an app with the access right, an isolated sandbox is created for the app, the app is run in it, and the authorization information is registered with the data encryption and decryption engine. When the data encryption and decryption engine identifies that the app in the sandbox is accessing an authorized encrypted file, it automatically decrypts the file and returns the decrypted file to the app;
2) when the user cancels the authorization, or the authorization policy no longer authorizes the app to access the encrypted file, the file locker logs out the key and the authorization information previously registered with the data encryption and decryption engine, and all data related to the sandbox and the app is destroyed.
The following describes in detail a file viewing method and a file viewing apparatus provided in the embodiments of the present application with reference to the accompanying drawings.
An embodiment of the present application provides a file viewing method, as shown in fig. 2, the file viewing method may include the following steps 201 and 202:
Step 201: when the target application accesses the target secure file in the secure file management application, if the target application has the target authority, the key of the target secure file is obtained.
Step 202: the target secure file is decrypted based on the key to obtain a decrypted file.
In an embodiment of the present application, the secure file management application is used for storing and managing a secure file.
In this embodiment of the present application, the security files in the security file management application are all encrypted privacy files.
In the embodiment of the present application, the target security document may be one or more security documents in the security document management application, and the present application does not limit the number of the security documents to be viewed.
In the embodiment of the present application, the target authority is: access rights to a target secure file in the secure file management application. In other words, in the present embodiment, only an application authorized by the secure file management application can access a specific secure file in the secure file management application. For example, if an application has access rights to access a secure file a in a secure file management application, it cannot access other secure files in the secure file management application except the secure file a.
In the embodiment of the present application, the target application may be any application in an electronic device.
Optionally, in this embodiment of the present application, step 202 may include the following step: decrypting the target secure file at the system layer based on the key to obtain the decrypted file.
In some possible embodiments, when an access operation in which a user views the target secure file is received, in response to the access operation and if the target application has the target authority, the key and encryption policy of the target secure file are obtained and registered with the underlying data encryption and decryption engine, so that the engine can decrypt the target secure file using the key; finally, the decrypted data is synchronized to the memory for storage.
Thus, compared with the related art, in which a third-party application encrypts and decrypts secure files at the application layer, the present application encrypts and decrypts secure files at the underlying system layer, which avoids data leakage and enhances file security.
Optionally, in this embodiment of the present application, when a user accesses a target secure file in the secure file management application using a target application, the file viewing apparatus may determine whether the secure file management application has granted the target application the access right to the target secure file. If so, it obtains the key and encryption policy of the target secure file and decrypts the target secure file based on them to obtain the plaintext, so that the user can view the plaintext of the target secure file through the target application. Otherwise, if the secure file management application has not granted the target application the access right to the target secure file, the key and encryption policy cannot be acquired.
In some possible embodiments, in the case that the target application accesses the target secure file in the secure file management application, the file viewing method provided in the embodiment of the present application may further include step 203:
Step 203: if the target application does not have the target authority, the target secure file is fed back to the target application, or no operation is performed.
Optionally, in this embodiment of the application, in a process that a target application accesses a secure file management application, a corresponding target storage space may be created for the target application to isolate the target application, so as to avoid data leakage.
For example, in a case where a target application accesses a target secure file in a secure file management application, the file viewing method provided by the embodiment of the present application may further include the following step 301:
step 301: a target storage space for a target application is created.
Illustratively, the target storage space is used for storing all process data of the running processes during the target application's access to the secure file management application. In other words, the target application runs in the target storage space, which isolates the target application from the "file locker". In addition, the target storage space in this application may be referred to as a "sandbox".
For example, the process data and the cache data of all processes generated by the target application are stored in the "sandbox" during the running process of the target application, and furthermore, the information about the authority authorized by the "file locker" for the target application can also be stored in the "sandbox".
It should be noted that, in the present application, a "sandbox" may be created for each application accessing the "file locker," and a "sandbox" may also be created for multiple applications, which is not limited in the embodiment of the present application.
Further optionally, in this embodiment of the present application, the file viewing method provided in this embodiment of the present application may further include the following step 302:
Step 302: when the authorization of the target authority of the target application ends, all data of the target storage space and the target application is deleted.
In some possible embodiments, when the authorization of the target authority of the target application ends, the target application no longer has the authority to access the target secure file in the "file locker", so, in order to avoid data leakage, the "sandbox" may be destroyed and all data cached by the target application (i.e., data related to the target application other than the data stored in the "sandbox") may be deleted.
In some possible embodiments, the ending of the target authority authorization of the target application may include at least one of the following:
the authorization time of the target authority of the target application is reached;
the target application finishes running;
an authorization ending instruction is received, where the authorization ending instruction is used to indicate cancellation of the authorization of the target authority of the target application.
For example, the authorization time of the target authority may be set by a user, or may be set according to an application level, or may be a predetermined time, which is not limited in this embodiment of the application.
In addition, the authorization time of the target authority may be a fixed time, or may be flexibly set according to an actual application scenario (for example, it can be determined that the authorization time arrives when a certain condition is satisfied).
For example, the authorization ending instruction may be an instruction triggered by the user, or may be automatically generated by the "file locker" when the authorization time of the target authority arrives, which is not limited in the embodiment of the present application.
For example, in the case that the target authority authorization of the target application is finished, the Policy registered to the data encryption and decryption engine may be deleted or modified, and then the authorization information of the target application and the corresponding "sandbox" of the target application is deleted, or the Policy is directly logged out and deleted from the data encryption and decryption engine. In one example, Policy is de-registered from the data encryption/decryption engine in the absence of authorization for any application.
In the file viewing method provided in the embodiment of the present application, when a target application accesses a target secure file in a secure file management application, if the target application has a target authority (that is, the access right to the target secure file in the secure file management application), the key of the target secure file can be obtained, so that the target secure file can be decrypted based on the key to obtain a decrypted file. Access to the secure file management application is thereby restricted, so that only authorized applications are allowed to view the plaintext of secure files in the secure file management application, which further ensures the security of those files.
Optionally, in an embodiment of the present application, an embodiment of the present application further provides a file encryption method.
For example, before the step 201, the file viewing method provided in the embodiment of the present application may further include the following steps 401 and 402:
step 401: an encryption operation is received for a first file.
Step 402: in response to the encryption operation, the first file is encrypted at the system level based on the key, a target secure file is generated, and the target secure file is moved into the secure file management application.
Illustratively, after an encryption operation by the user on a first file is received, in response to the encryption operation, the first file is moved from the file manager into the "file locker": the key and encryption policy of the first file are obtained, the encryption policy is set in the file system extended attribute of the first file, and the key and encryption policy are registered with the underlying data encryption and decryption engine. The engine can then obtain the encryption policy from the file system extended attribute of the first file, find the key registered with it based on the encryption policy, encrypt the first file with the key to obtain the target secure file, and store the target secure file in the memory.
Thus, compared with the related art, in which a third-party application encrypts secure files at the application layer, the present application encrypts files that need to be kept secret at the underlying system layer, which avoids data leakage and enhances file security.
The following takes the "file locker" and "sandbox" as examples to illustrate the 4 processes involved in the embodiments of the present application:
Specifically, the 4 processes are as follows:
Flow 1) the flow of moving a file into the "file locker" and encrypting it;
Flow 2) the flow of moving a file out of the "file locker" and decrypting it;
Flow 3) the flow in which the "file locker" authorizes an app to use the decrypted file;
Flow 4) the flow in which the "file locker" cancels an app's authorization to access a file.
First scheme (i.e., scheme 1):
as shown in fig. 3:
step 001: and clicking the icon corresponding to the file manager by the user to trigger the operation of moving the file A into the file secrecy cabinet.
Step 002: the file secrecy cabinet generates an encryption key and an encryption Policy of the file A, and the encryption Policy records the ID and the encryption algorithm of the key. And stores the key and Policy information in a secure manner (not described herein, but in a secure scheme).
Step 003: the Policy information generated in step 002 is recorded in the extended attribute of the file a (the file system already supports that the file has the extended attribute).
Step 004: and adding a data encryption instruction in the data of Policy by using the key generated in the step 002 and Policy, and registering the data encryption instruction and the Policy in the data encryption and decryption engine of the kernel.
Step 005: the file A is copied from the original position to the position designated by the file secrecy cabinet, and the original file A is safely erased after the copying is finished (namely, the file A is deleted after the content is erased firstly).
Step 006: during the copying of data at step 005, the data encryption/decryption engine at the file system level retrieves whether encryption Policy exists for the file extension attribute. If not, the data encryption and decryption engine does not process the data and directly transmits the data to the next stage; if Policy exists, then the next encryption flow is continued.
Step 007: according to encrypted Policy retrieved from file a at step 006, the data encryption/decryption engine looks up whether the Policy and key have been registered.
Step 008: if the engine finds that Policy and the key are registered, the engine encrypts data by using the key and then transmits the encrypted data to the next stage; otherwise, the data is not processed and is directly transmitted to the next stage.
Step 009: and synchronizing the ciphertext data obtained from the data encryption and decryption engine to the physical memory.
Second scheme (i.e., scheme 2):
as shown in fig. 4:
step 001: and clicking the icon of the file secrecy cabinet by the user to trigger the ciphertext file A to be moved out of the file secrecy cabinet.
Step 002: the "file privacy cabinet" finds the key and Policy of the ciphertext file a stored previously (operation of step 002 in the previous flow) according to the encrypted Policy recorded in the file extension attribute.
Step 003: adding a data decryption instruction to the Policy data and registering them to the data encryption and decryption engine of the kernel, wherein the Policy and the key are obtained in the step 002.
Step 004: and copying the ciphertext file A from the storage position of the file secrecy cabinet to the original position, and deleting the ciphertext file positioned in the file secrecy cabinet after the copying is finished.
Step 005: during the copy of data in step 004, the file system layer data encryption/decryption engine retrieves whether encryption Policy exists for the file extension attribute. If not, the data encryption and decryption engine does not process the data and directly transmits the data to the next stage; if Policy exists, then continue the next flow;
step 006: according to the encrypted Policy retrieved from ciphertext file a at step 005, the data encryption/decryption engine looks up whether the Policy and key have been registered.
Step 007: if the data encryption and decryption engine finds that Policy and the secret key are registered, the data are decrypted by using the secret key and then transmitted to the next stage; otherwise, the data is not processed and is directly transmitted to the next stage.
Step 008: the decrypted data (i.e., file a), obtained from the data encryption/decryption engine, is synchronized to physical storage.
Third scheme (i.e., scheme 3):
as shown in fig. 5:
step 001: the user clicks on the button at the "file locker" and uses a certain file and selects which App to use to open.
Step 002: the file secrecy cabinet finds the key and Policy of the ciphertext file A stored previously according to the encrypted Policy recorded in the file extension attribute.
Step 003: the "file locker" triggers the creation of a "sandbox" and populates the encrypted Policy obtained at step 002 with the "sandbox" information and the information of the app process as authorization information.
Step 004: policy is obtained using the key obtained in step 002 and step 003, and they are registered with the data encryption and decryption engine of the kernel.
Step 005: APP within "sandbox" opens file and uses (views or edits);
step 006: when the APP reads the file in step 005, the data encryption and decryption engine at the file system layer retrieves whether the file extension attribute has encryption Policy. If not, the engine does not process the data and directly returns the data to the App; if the Policy exists, continuing the next encryption and decryption process;
step 007: according to the encrypted Policy retrieved from ciphertext file a at step 006, the data encryption/decryption engine looks up whether the Policy and key have been registered.
Step 008: if the engine finds that Policy and the key are registered, and whether the process context information of the current read-write ciphertext file A is matched with the 'sandbox' recorded in the Policy and the App authorization information is judged.
Step 009: if the information in the step 008 is matched, the file secrecy cabinet indicates that the file secrecy cabinet authorizes the sandbox and the App to access the file, and the data is encrypted (write operation) or decrypted (read operation) by using the secret key and then transmitted to the next stage; otherwise, the data is not processed and is directly transmitted to the next stage.
Fourth scheme (i.e., scheme 4):
as shown in fig. 6:
step 001: the user clicks a button in the "file locker" to cancel an App's access authorization for a certain file, or the authorization ends under the defined authorization policy (e.g., the authorization time expires, or the authorization was one-time, etc.).
Step 002: all Policies registered with the data encryption/decryption engine are queried.
Step 003: from the result of step 002, it is determined whether the Policy and key of the file whose authorization is being cancelled are registered with the data encryption/decryption engine.
Step 004: if step 003 shows they are registered, the Policy registered with the engine for this file is modified to delete the authorization information of the specified "sandbox" and App; or the Policy is logged out directly, i.e. deleted from the data encryption/decryption engine (this is done when no App remains authorized).
Step 005: all data of the sandbox and the App are destroyed, which avoids the risk of leaking user data.
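As an added illustration (not code from the patent or from its applicant), the following Python model puts scheme 3 (steps 002 to 009: register key, Policy and sandbox/App context, then decide per read/write whether to decrypt, encrypt or pass the ciphertext through) and scheme 4 (steps 002 to 005: revoke one authorization, log the Policy out when none remain, destroy the sandbox) into one runnable piece. The class and attribute names (CryptoEngine, FileLocker, ProcessContext, the "policy" extended-attribute key) are assumptions, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for whatever cipher a real kernel engine would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16


@dataclass
class File:
    """Stand-in for an on-disk file: raw bytes plus its extended attributes."""
    data: bytes
    xattr: dict = field(default_factory=dict)


@dataclass(frozen=True)
class ProcessContext:
    """Process context the engine sees on a read or write (sandbox + App)."""
    sandbox_id: str
    app_id: str


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 so the example needs only the standard
    library; a real engine would use an authenticated block-cipher mode instead."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh nonce on every write
    return nonce + _xor_stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class CryptoEngine:
    """File-system layer engine. A registered Policy carries the file key and the set
    of (sandbox, App) contexts the file locker has authorized (scheme 3, step 004)."""

    def __init__(self) -> None:
        self.registry: dict = {}  # policy_id -> {"key": bytes, "authorized": set}

    def register(self, policy_id: str, key: bytes, ctx: ProcessContext) -> None:
        entry = self.registry.setdefault(policy_id, {"key": key, "authorized": set()})
        entry["authorized"].add(ctx)

    def _key_for(self, f: File, ctx: ProcessContext):
        """Steps 006-008: no Policy in the xattr, an unregistered Policy, or a context
        missing from the authorization set all mean 'do not process the data'."""
        entry = self.registry.get(f.xattr.get("policy"))
        if entry is None or ctx not in entry["authorized"]:
            return None
        return entry["key"]

    def read(self, f: File, ctx: ProcessContext) -> bytes:
        key = self._key_for(f, ctx)
        return f.data if key is None else decrypt(key, f.data)  # step 009 (read)

    def write(self, f: File, data: bytes, ctx: ProcessContext) -> None:
        key = self._key_for(f, ctx)
        f.data = data if key is None else encrypt(key, data)  # step 009 (write)

    def revoke(self, policy_id: str, ctx: ProcessContext) -> bool:
        """Scheme 4, step 004: drop one authorization; with none left, log the Policy
        out of the engine. Returns True when the Policy itself was removed."""
        entry = self.registry.get(policy_id)
        if entry is None:
            return False
        entry["authorized"].discard(ctx)
        if entry["authorized"]:
            return False
        del self.registry[policy_id]
        return True


class FileLocker:
    """User-space 'file locker': holds the key per Policy and drives the engine."""

    def __init__(self, engine: CryptoEngine) -> None:
        self.engine = engine
        self.keys: dict = {}       # policy_id -> key
        self.sandboxes: dict = {}  # sandbox_id -> process data of the App inside it

    def lock(self, f: File, policy_id: str) -> None:
        """Encrypt a plaintext file in place and record its Policy in the xattr."""
        key = self.keys.setdefault(policy_id, os.urandom(32))
        f.data = encrypt(key, f.data)
        f.xattr["policy"] = policy_id

    def authorize(self, f: File, ctx: ProcessContext) -> None:
        """Scheme 3, steps 002-004: key and Policy from the xattr, create the sandbox,
        register key, Policy and the sandbox+App context with the engine."""
        policy_id = f.xattr["policy"]
        self.sandboxes.setdefault(ctx.sandbox_id, {})
        self.engine.register(policy_id, self.keys[policy_id], ctx)

    def cancel(self, f: File, ctx: ProcessContext) -> None:
        """Scheme 4, steps 002-005: revoke in the engine, then destroy the sandbox."""
        self.engine.revoke(f.xattr["policy"], ctx)
        self.sandboxes.pop(ctx.sandbox_id, None)
```

The point the model makes visible is that the same read path serves every caller: an App outside the authorized sandbox, or any App after revocation, receives the stored bytes unchanged (ciphertext), while a file with no Policy in its extended attribute is passed through untouched in both directions.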
In summary, compared with the related art, the technical solution provided by the embodiment of the present application has the following beneficial effects:
1) from the dimension of the file data encryption strategy:
In the related art only part of the data of a large file is encrypted, which in theory leaves a security gap; in the present application every file can be encrypted in full, so security is greatly enhanced.
2) From the file access dimension:
First: in the related art the file must be decrypted before use, and only the complete decrypted file can then be viewed or edited, which gives a poor user experience and leaves the decrypted file exposed to leakage. In the present application, data is decrypted or encrypted in the underlying kernel as it is read or written; the App is unaware of this and no prior decryption or encryption is needed, which removes the risk of the decrypted file leaking.
Second: in the related art, once a file is decrypted it is protected only by a permission group, so any App with that permission can access it, no restriction can be placed on a particular App, and an App may escalate privilege through a vulnerability and steal the data. In the present application the file is always in an encrypted state: only an authorized App obtains plaintext when accessing it, an unauthorized App obtains only ciphertext, the check is performed at the bottom layer, and the App cannot bypass the authorization.
Third: in the related art, when an App is used for access, the App may access the data maliciously or cache it, causing leakage. In the present application the authorized App runs only inside the sandbox, and once the authorization is cancelled all data of the sandbox and the App can be destroyed, which prevents malicious caching by the App or leakage of the data over the network.
3) From the authorized access dimension:
In the related art the user must first decrypt the file and only then perform other operations on it, and both the user and the App must keep the decrypted file secure. In the present application the user can define a very flexible authorization policy to authorize the App, supporting many file access scenarios; the security of the file is maintained by the defined policy, and neither the App nor the user needs to intervene.
Therefore, the technical solution provided by the embodiment of the present application can encrypt the whole confidential document in full, can encrypt and decrypt the document while it is being viewed without any prior encryption or decryption, greatly improves the user experience, and allows the confidential document to be accessed safely through an authorized App without data leakage. Both the security of the user's confidential files and the user experience can thus be greatly improved.
It should be noted that, in the file viewing method provided in the embodiment of the present application, the execution subject may be a file viewing apparatus, or a control module in the file viewing apparatus for executing the file viewing method. In the embodiment of the present application, a file viewing apparatus executes a file viewing method as an example, and the file viewing apparatus provided in the embodiment of the present application is described.
An embodiment of the present application provides a file viewing apparatus, as shown in fig. 7, the apparatus 500 includes: an obtaining module 501 and an executing module 502, wherein:
an obtaining module 501, configured to, when a target application accesses a target secure file in a secure file management application, if the target application has a target permission, obtain a key of the target secure file; an executing module 502, configured to decrypt the target secure file based on the secret key acquired by the acquiring module 501, so as to obtain a decrypted file; wherein the secure file management application is used for storing and managing secure files; the target authority is as follows: access rights to the target secure file in the secure file management application.
In some possible embodiments, as shown in fig. 8 in conjunction with fig. 7, the apparatus 500 further includes: a sending module 503, wherein: a sending module 503, configured to, when the target application accesses the target secure file in the secure file management application, if the target application does not have the target permission, feed back the target secure file to the target application.
In some possible embodiments, the execution module 502 is further configured to: create a target storage space of the target application in case the target application accesses the target secure file in the secure file management application; wherein the target storage space is used for storing all process data of the running process during the access in which the target application accesses the confidential file management application.
In some possible embodiments, the execution module 502 is further configured to: delete all data of the target storage space and the target application under the condition that the target authority of the target application is authorized to be finished.
In some possible embodiments, the target permission authorization of the target application to end comprises at least one of:
an authorization time of the target permission of the target application is reached;
the target application is finished running;
receiving an authorization ending instruction;
wherein the authorization ending instruction is used for indicating the authorization of canceling the target authority of the target application.
In some possible embodiments, as shown in fig. 8 in combination with fig. 7, the apparatus 500 further includes: a receiving module 504, wherein: a receiving module 504, further configured to receive an encryption operation for the first file; the execution module 502 is further configured to: in response to the encryption operation received by the receiving module, encrypt the first file based on the secret key at a system layer to generate the target secret file, and move the target secret file into the secret file management application.
In some possible embodiments, the execution module 502 is specifically configured to: decrypt the target secret file on the basis of the secret key at the system layer to obtain a decrypted file.
In the file viewing apparatus provided in the embodiment of the present application, when the target application accesses the target secure file in the secure file management application, if the target application has the target authority (that is, the access authority to access the target secure file in the secure file management application), the key of the target secure file can be acquired, so that the target secure file can be decrypted based on the key to obtain the decrypted file. Therefore, the access authority of the confidential file management application is limited, so that only authorized applications are allowed to check the plaintext of the confidential file in the confidential file management application, and the security of the confidential file in the confidential file management application is further ensured.
The document viewing apparatus in the embodiment of the present application may be an apparatus, and may also be a component, an integrated circuit, or a chip in a terminal. The device can be mobile electronic equipment or non-mobile electronic equipment. By way of example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle-mounted electronic device, a wearable device, an ultra-mobile personal computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like, and the non-mobile electronic device may be a server, a Network Attached Storage (NAS), a Personal Computer (PC), a Television (TV), a teller machine or a self-service machine, and the like, and the embodiments of the present application are not particularly limited.
The file viewing device in the embodiment of the present application may be a device having an operating system. The operating system may be an Android operating system, an iOS operating system, or other possible operating systems, and embodiments of the present application are not limited specifically.
The file viewing device provided in the embodiment of the present application can implement each process implemented by the method embodiments of fig. 1 to fig. 6, and is not described here again to avoid repetition.
Optionally, as shown in fig. 9, an electronic device 600 is further provided in this embodiment of the present application, and includes a processor 601, a memory 602, and a program or an instruction stored in the memory 602 and executable on the processor 601, where the program or the instruction is executed by the processor 601 to implement each process of the method embodiment of the file viewing method, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
It should be noted that the electronic device in the embodiment of the present application includes the mobile electronic device and the non-mobile electronic device described above.
Fig. 10 is a schematic diagram of a hardware structure of an electronic device implementing an embodiment of the present application.
The electronic device 100 includes, but is not limited to: a radio frequency unit 101, a network module 102, an audio output unit 103, an input unit 104, a sensor 105, a display unit 106, a user input unit 107, an interface unit 108, a memory 109, and a processor 110.
Those skilled in the art will appreciate that the electronic device 100 may further comprise a power source (e.g., a battery) for supplying power to various components, and the power source may be logically connected to the processor 110 through a power management system, so as to implement functions of managing charging, discharging, and power consumption through the power management system. The electronic device structure shown in fig. 10 does not constitute a limitation of the electronic device, and the electronic device may include more or fewer components than those shown, or combine some components, or arrange different components, and thus, the description is not repeated here.
A processor 110, configured to, when a target application accesses a target secure file in a secure file management application, if the target application has a target authority, obtain a key of the target secure file; the processor 110 is further configured to decrypt the target secure file based on the secret key to obtain a decrypted file; wherein the secure file management application is used for storing and managing secure files; the target authority is as follows: access rights to the target secure file in the secure file management application.
In some possible embodiments, the processor 110 is configured to, in a case where the target application accesses the target secure file in the secure file management application, if the target application does not have the target authority, feed back the target secure file to the target application.
In some possible embodiments, the processor 110 is further configured to: create a target storage space of the target application in case the target application accesses the target secure file in the secure file management application; wherein the target storage space is used for storing all process data of the running process during the access in which the target application accesses the confidential file management application.
In some possible embodiments, the processor 110 is further configured to: delete all data of the target storage space and the target application under the condition that the target authority of the target application is authorized to be finished.
In some possible embodiments, the target permission authorization of the target application to end comprises at least one of:
an authorization time of the target permission of the target application is reached;
the target application is finished running;
receiving an authorization ending instruction;
wherein the authorization ending instruction is used for indicating the authorization of canceling the target authority of the target application.
In some possible embodiments, the user input unit 107 is configured to receive an encryption operation for a first file; the processor 110 is further configured to: in response to the encryption operation received by the receiving module, encrypt the first file based on the secret key at a system layer to generate the target secret file, and move the target secret file into the secret file management application.
In some possible embodiments, the processor 110 is specifically configured to: decrypt the target secret file on the basis of the secret key at the system layer to obtain a decrypted file.
In the electronic device provided in the embodiment of the present application, when a target application accesses a target secure file in a secure file management application, if the target application has a target authority (that is, an access authority to access the target secure file in the secure file management application), a key of the target secure file can be acquired, so that the target secure file can be decrypted based on the key to obtain a decrypted file. Therefore, the access authority of the confidential file management application is limited, so that only authorized applications are allowed to check the plaintext of the confidential file in the confidential file management application, and the security of the confidential file in the confidential file management application is further ensured.
It should be understood that, in the embodiment of the present application, the input Unit 104 may include a Graphics Processing Unit (GPU) 1041 and a microphone 1042, and the Graphics Processing Unit 1041 processes image data of a still picture or a video obtained by an image capturing device (such as a camera) in a video capturing mode or an image capturing mode. The display unit 106 may include a display panel 1061, and the display panel 1061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 107 includes a touch panel 1071 and other input devices 1072. The touch panel 1071 is also referred to as a touch screen. The touch panel 1071 may include two parts of a touch detection device and a touch controller. Other input devices 1072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described in detail herein. The memory 109 may be used to store software programs as well as various data including, but not limited to, application programs and an operating system. The processor 110 may integrate an application processor, which primarily handles operating systems, user interfaces, applications, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 110.
The embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the method embodiment of the file viewing method, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The processor is the processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and so on.
The embodiment of the present application further provides a chip, where the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is configured to run a program or an instruction to implement each process of the method embodiment of the above file viewing method, and can achieve the same technical effect, and in order to avoid repetition, the details are not repeated here.
It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as a system-level chip, a system chip, a chip system or a system-on-chip (SoC), etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Further, it should be noted that the scope of the methods and apparatus of the embodiments of the present application is not limited to performing the functions in the order illustrated or discussed, but may include performing the functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a computer software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
While the present embodiments have been described with reference to the accompanying drawings, it is to be understood that the invention is not limited to the precise embodiments described above, which are meant to be illustrative and not restrictive, and that various changes may be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A method of viewing a file, the method comprising:
under the condition that a target application accesses a target secret file in a secret file management application, if the target application has a target authority, acquiring a secret key of the target secret file;
decrypting the target secret file based on the secret key to obtain a decrypted file;
wherein the secure file management application is used for storing and managing secure files; the target authority is as follows: access rights to the target secure file in the secure file management application.
2. The method of claim 1, wherein in the case where the target application accesses the target secure file in the secure file management application, the method further comprises:
creating a target storage space of the target application;
wherein the target storage space is used for storing all process data of the running process during the access in which the target application accesses the confidential file management application.
3. The method of claim 2, further comprising:
deleting all data of the target storage space and the target application under the condition that the target authority of the target application is authorized to be ended;
the target permission authorization of the target application to end comprises at least one of:
an authorization time of the target permission of the target application is reached;
the target application is finished running;
receiving an authorization ending instruction;
wherein the authorization ending instruction is used for indicating the authorization of canceling the target authority of the target application.
4. The method of claim 1, wherein prior to obtaining the key of the target secure file, the method further comprises:
receiving an encryption operation for a first file;
in response to the encryption operation, encrypting the first file based on the secret key at a system layer, generating the target secret file, and moving the target secret file into the secret file management application.
5. The method of claim 1, wherein decrypting the target secure file based on the key to obtain a decrypted file comprises:
decrypting the target secret file on the basis of the secret key at the system layer to obtain a decrypted file.
6. A document viewing apparatus, the apparatus comprising:
an acquisition module, configured to acquire a secret key of a target secret file if a target application has a target authority under the condition that the target application accesses the target secret file in a secret file management application;
the execution module is used for decrypting the target secret file based on the secret key acquired by the acquisition module to obtain a decrypted file;
wherein the secure file management application is used for storing and managing secure files; the target authority is as follows: access rights to the target secure file in the secure file management application.
7. The apparatus of claim 6, wherein the execution module is further configured to: creating a target storage space of the target application in case the target application accesses the target secure file in the secure file management application;
wherein the target storage space is used for storing all process data of the running process during the access in which the target application accesses the confidential file management application.
8. The apparatus of claim 7, wherein the execution module is further configured to: deleting all data of the target storage space and the target application under the condition that the target authority of the target application is authorized to be ended;
the target permission authorization of the target application to end comprises at least one of:
an authorization time of the target permission of the target application is reached;
the target application is finished running;
receiving an authorization ending instruction;
wherein the authorization ending instruction is used for indicating the authorization of canceling the target authority of the target application.
9. The apparatus of claim 6, further comprising:
the receiving module is also used for receiving the encryption operation aiming at the first file;
the execution module is further configured to: and in response to the encryption operation received by the receiving module, encrypting the first file based on the secret key at a system layer to generate the target secret file, and moving the target secret file into the secret file management application.
10. The apparatus of claim 6, wherein the execution module is specifically configured to: and decrypting the target secret file on the basis of the secret key at the system layer to obtain a decrypted file.
Priority Applications (1) / Applications Claiming Priority (1) / Family Applications (1)

Application Number: CN202111175871.3A; Priority Date: 2021-10-09; Filing Date: 2021-10-09; Title: File viewing method and device; Status: Pending; Publication: CN114091049A (en)

Publications (1)

Publication Number: CN114091049A; Publication Date: 2022-02-25

Family

ID=80296631

Country Status (1)

Country: CN (1); Link: CN114091049A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination