CN114599036A - Multi-user-participated NAS file security operation method and system

Publication number
CN114599036A
Authority
CN
China
Prior art keywords
terminal
file
nas
terminals
mac address
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210495586.8A
Other languages
Chinese (zh)
Other versions
CN114599036B (en)
Inventor
李其伦
李元春
马璐
薄涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Lekai Technology Co ltd
Original Assignee
Beijing Lekai Technology Co ltd

Classifications

    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04W12/66 Trust-dependent, e.g. using trust scores or trust relationships
    • H04W76/14 Direct-mode setup

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a secure operation method and system for NAS files with multi-user participation. The method comprises the following file operation steps, executed after the network distribution of the NAS device succeeds: using a first terminal to configure a corresponding bottom-layer authority for each target data file in the NAS device, so that the target data file may be accessed only when the corresponding bottom-layer authority passes verification; using the first terminal to split the operation functions of each target data file in the NAS device and to configure a corresponding file operation function for each second terminal; and using the first terminal to generate a secondary authority for each second terminal and send it to that second terminal, so that the second terminal accesses the target data file based on the secondary authority and executes the corresponding file operation function. The method provided by the embodiments of the application strengthens the authentication mode for NAS data files and improves their security in a multi-user scenario.

Description

Multi-user-participated NAS file security operation method and system
Technical Field
The invention relates to the technical field of data security, in particular to a method and a system for safely operating an NAS file with participation of multiple users.
Background
NAS (Network Attached Storage) is, literally, a device that is attached to a network and provides data storage, and is also called "network storage". It is a dedicated data storage server. It is data-centric, completely separates the storage device from the server, and manages data centrally, thereby freeing bandwidth, improving performance, reducing the total cost of ownership, and protecting investment.
Authentication on a NAS server is generally performed with a user name and password, and anonymous login may even be allowed, which creates a hidden risk for the security of file sharing. In some application scenarios, files are divided into protection levels according to the degree of protection required, such as non-confidential, internal, and confidential. A confidential information system needs a large amount of file sharing, which can only be provided through a NAS server, yet the authentication mode of the NAS server is not secure; in particular, when there are multiple access users, passwords are easily stolen or illegal users can gain access by impersonation. Given the networked nature of NAS, it is necessary to improve the security of the data files stored in it.
Disclosure of Invention
The embodiment of the invention provides a method and a system for safely operating an NAS file with participation of multiple users, which are used for enhancing the authentication mode of the NAS data file and improving the safety of the NAS-stored data file.
The embodiment of the invention provides a multi-user-participated NAS file safe operation method, which comprises the following steps:
in the initial state of the NAS device, the following network distribution steps are executed:
the NAS device creates an AP hotspot;
one of a plurality of terminals is used as a first terminal and the remaining terminals are used as second terminals; the first terminal connects to the AP hotspot, and a trusted connection state is established over the AP hotspot in a challenge-response manner;
the NAS device generates an asymmetric encryption public key and a private key and sends the public key to the first terminal;
the first terminal registers an administrator login account and a password to the NAS device based on the public key, and configures a Wi-Fi SSID and a password of the distribution network connection required by the NAS device based on the registered administrator login account, so that the NAS device is connected with a corresponding Wi-Fi based on the password after configuration;
after the network distribution of the NAS equipment is successful, the following file operation steps are executed:
configuring corresponding bottom-layer authority for each target data file in the NAS equipment by using a first terminal so as to allow the target data file to be accessed under the condition that the corresponding bottom-layer authority passes verification; splitting the operation function of each target data file in the NAS equipment by using the first terminal, and configuring the corresponding file operation function for each second terminal, wherein one second terminal is only configured with one file operation function, and the file operation function comprises file creation, file reading and writing, file copying, file moving, file deletion and file renaming;
and generating secondary authorities corresponding to the second terminals by using the first terminal, and sending the secondary authorities to the corresponding second terminals so that the second terminals access the target data files and execute corresponding file operation functions based on the secondary authorities.
Optionally, the second terminal accessing the target data file based on the secondary right and executing the corresponding file operation function includes:
acquiring a bottom layer authority from the first terminal by using the second terminal;
sending an access request to the NAS device based on the secondary authority configured on the second terminal itself and the obtained bottom-layer authority;
and the NAS device carries out authority verification on the second terminal based on the access request, and opens a file operation function corresponding to the target data file under the condition that the verification is passed.
Optionally, the performing, by the NAS device, the right verification on the second terminal based on the access request includes:
the NAS equipment acquires combined verification information in an access request sent by a current second terminal, wherein the combined verification information comprises a fixed field and a dynamic field, the fixed field is determined by adopting a first encryption algorithm, and the dynamic field is set based on a mac address of the second terminal;
maintaining a plurality of mac address chains in the NAS device based on the mac address of each second terminal, wherein each mac address chain is determined by the order of historical operations;
after the combined verification information sent by the second terminal is obtained, a sliding window with a fixed size is set based on a mac address chain to slide a group of target fields for verification, wherein the size of the sliding window is 6 bytes, the sliding step length is 6 bytes, and the target fields comprise 3-byte mac addresses of the second terminal executing the previous operation and 3-byte mac addresses of the second terminal currently operating;
and matching the target field with the dynamic field of the second terminal, and verifying the fixed field in the combined verification information under the condition that the matching is passed.
Optionally, the secure operation method further includes, in a case that the second terminal is added, updating the mac address chain in the following manner:
determining whether the operation function of the added second terminal duplicates that of an existing second terminal and, if it does not, virtually inserting the mac address of the added second terminal after the mac address of each second terminal on the existing mac address chain, so as to obtain a mac address chain having the mac address of the added second terminal as a branch;
based on the mac address chain with the branch, cutting the branches with the sliding window according to subsequent file operations so as to determine the operation order of the added second terminal, and inserting the mac address of the added second terminal into the existing mac address chain based on the remaining branch to complete the update.
Optionally, the secure operation method further includes: while the current second terminal is executing the corresponding file operation function on any target data file, closing authority verification for the other second terminals, so that only a single second terminal is allowed to operate on the target data file in the same time period.
Optionally, the secure operation method further includes: when authority verification requests from at least two second terminals are received at the same time, notifying the at least two second terminals to negotiate, where the negotiation process of the at least two second terminals includes:
at least two second terminals send negotiation information to the first terminal;
the first terminal designates one second terminal to execute authority verification according to the negotiation information; and after that second terminal completes its file operation, the first terminal sends the access requests of the other second terminals to the NAS device in a set order and notifies the corresponding second terminals.
Optionally, the secure operation method further includes, when a result of any right verification is abnormal, closing all right verification channels.
The embodiment of the application also provides a NAS file security operating system with multi-user participation, which comprises a processor and a memory, wherein the memory stores a computer program, and the computer program realizes the steps of the NAS file security operating method with multi-user participation when being executed by the processor.
The embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the foregoing NAS file security operation method with multi-user participation are implemented.
According to this scheme, the file operation functions of the target data files are split and managed under corresponding authorities, and a single data access entry (the bottom-layer authority) is configured for each target data file. Any file operation function therefore needs only two-layer verification, while an attack on the protected information from outside would have to obtain multiple second-layer authorities at the same time, which greatly improves the security of the confidential data files stored in the NAS.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a basic flowchart of a NAS file security operation method according to this embodiment;
fig. 2 is a sliding window sliding example of the present embodiment.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The embodiment of the invention provides a method for safely operating a multi-user-participated NAS file, which comprises the following steps of:
in the initial state of the NAS device, the following network distribution steps are executed:
In step S101, the NAS device creates an AP hotspot. Specifically, the AP hotspot may be created through a network card of the NAS device, so that the management device can access the AP hotspot.
In step S102, one of the plurality of terminals is used as a first terminal, and the other terminals of the plurality of terminals are used as second terminals, the first terminal is used to connect to the AP hotspot, and a trusted connection state is established based on the AP hotspot in a challenge-response manner. In this example, the plurality of terminals may be all terminals that may be connected to the NAS device, and one of the terminals is designated as the first terminal, and the first terminal may serve as an administrator terminal to manage the other terminals in a subsequent process.
In step S103, the NAS device generates an asymmetric encrypted public key and a private key, sends the public key to the first terminal, and stores the private key in the NAS device.
In step S104, the first terminal registers an administrator login account and a password with the NAS device based on the public key, and configures a Wi-Fi SSID and a password of a network distribution connection required by the NAS device based on the registered administrator login account, so that the NAS device after configuration connects to a corresponding Wi-Fi based on the password. That is, in this example, the first terminal serving as the administrator completes registration of the administrator account only in the case of local area network connection of the NAS device, thereby ensuring security in the initialization process of the NAS device.
After the network distribution of the NAS equipment is successful, the following file operation steps are executed:
In step S105, the first terminal is used to configure a corresponding bottom-layer authority for each target data file in the NAS device, so that the target data file may be accessed only when the corresponding bottom-layer authority passes verification. In this example, the NAS device may store a plurality of target data files, and a target data file may be a single file, a folder, or a combination of multiple files. For a target data file, the first terminal may configure a corresponding bottom-layer authority in this example; the bottom-layer authority can be understood as wrapping the target data file and allowing access to it only if the authority verification passes.
In step S106, the first terminal is used to split the operation functions of each target data file in the NAS device and to configure a corresponding file operation function for each second terminal, where one second terminal is configured with only one file operation function, and the file operation functions include file creation, file reading and writing, file copying, file moving, file deletion, and file renaming. In this example, the other terminals in the plurality of terminals may be used as second terminals, and the first terminal configures the corresponding file operation function for each of them. That is, in this example, the file operation functions of the target data file in the NAS device are split so that each second terminal is configured with one file operation function; in some examples, one file operation function may be configured for multiple second terminals, so that each second terminal is bound to its file operation function.
In step S107, a secondary right corresponding to each second terminal is generated by the first terminal, and the secondary right is sent to the corresponding second terminal, so that the second terminal accesses the target data file and executes the corresponding file operation function based on the secondary right. In this example, the second terminal is associated with the file operation function by configuring the corresponding secondary permission for each second terminal. In any operation scene, if the user passes the verification of the second terminal, the corresponding file operation can be executed. If the external device wants to acquire the complete authority in the NAS device, all secondary authorities and bottom-layer authorities need to be acquired at the same time, so that the difficulty of acquiring the file control authority in the NAS device by the external device is greatly improved, and the security of the file is ensured.
According to this scheme, the file operation functions of the target data file are split and managed under corresponding authorities, and a single data access entry (the bottom-layer authority) is configured for each target data file. Any file operation function therefore needs only two-layer verification, while an attack on the protected information from outside would have to obtain multiple second-layer authorities at the same time.
Optionally, the second terminal accessing the target data file based on the secondary right and executing the corresponding file operation function includes:
The second terminal acquires the bottom-layer authority from the first terminal. In this example, the bottom-layer authority is stored in the first terminal, and the second terminal may obtain it from the first terminal before it needs to access the NAS device, according to a set policy, for example, periodically changing the encryption algorithm of the bottom-layer authority.
After the bottom-layer authority is acquired, an access request is sent to the NAS device based on the secondary authority configured on the second terminal itself and the acquired bottom-layer authority, where the access request may combine the secondary authority and the bottom-layer authority according to a specified association relation.
Finally, the NAS device performs authority verification on the second terminal based on the access request, and opens the file operation function corresponding to the target data file when the verification passes. That is, the file operation function corresponding to the target data file is opened only once the NAS device has completed the authority verification. For example, if the current second terminal wants to read and write a specified file, its access request carries the second-layer authority corresponding to file reading and writing, and the read-write function of the specified file is opened when the verification passes. If the second terminal attempts other file operations on the specified file, any operation on the specified file by the second terminal is prohibited. Specifically, if the second terminal attempts other, non-associated file operations, it may be judged to be a suspicious terminal, so in this example all operations of the second terminal on the file are directly prohibited and all verification channels are closed, further ensuring the security of the files in the NAS device.
Optionally, to guard against the extreme case in which an external terminal has acquired the authority of a certain second terminal, the authority verification performed by the NAS device on the second terminal based on the access request includes:
the NAS device obtains combined verification information in an access request sent by a current second terminal, wherein the combined verification information comprises a fixed field and a dynamic field, the fixed field can be determined by adopting a first encryption algorithm based on a second layer authority, and the dynamic field is set based on a mac address of the second terminal. Specifically, the access request in this example has a combined authentication message, where the combined authentication message includes a fixed field and a dynamic field, where the fixed field may be set corresponding to a file operation function, and specifically may be determined by using a first encryption algorithm, and the specific encryption algorithm may include DES, AES, RSA, MD5, etc., which are not listed here, and where the same file operation function may configure the same fixed field. The dynamic field is set based on the mac address of the second terminal in this example.
A plurality of mac address chains are maintained on the NAS device based on the mac address of each second terminal, where each mac address chain is determined by the order of historical operations. Specifically, the mac address chains maintained by the NAS device in this example may be obtained as follows: in an initial state, permutations and combinations are formed according to at least some of the file operation functions of the second terminals, thereby determining a plurality of mac address chains, and authority verification and file operations are executed based on these chains. During verification and operation, the mac address chains that are actually executed are recorded and retained, which yields the plurality of mac address chains maintained in the NAS device. In some examples, the number of times each mac address chain is executed may be counted, and the next file operation and its probability predicted from those counts, so that in subsequent verification a mac address chain with a high probability can be compared first, improving verification efficiency.
After the combined verification information sent by the second terminal is acquired, a sliding window of fixed size is set based on a mac address chain and slid to obtain a group of target fields for verification, where the size of the sliding window is 6 bytes, the sliding step is 6 bytes, and the target field comprises 3 bytes of the mac address of the second terminal that executed the previous operation and 3 bytes of the mac address of the second terminal currently operating. In this example, the sliding window is 6 bytes (48 bits) in size and the sliding step is 6 bytes, that is, the window slides by the length of one mac address each time, from the middle position of the mac address of the current second terminal to the middle position of the mac address of the next second terminal. The target field in the sliding window therefore contains both 3 bytes of the mac address of the second terminal that executed the previous operation and 3 bytes of the mac address of the second terminal currently operating.
The target field is matched against the dynamic field of the second terminal, and the fixed field in the combined verification information is verified if the match passes. With this design, it can first be preliminarily verified whether the current second terminal is the designated second terminal, and second, whether the order of file operations is correct; when this verification passes, the second-layer authority corresponding to the fixed field of the second terminal is further verified.
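The NAS-side check described above (window over the mac address chain, dynamic-field match, then fixed-field verification), together with the one-function-per-terminal binding and the close-all-channels rule, as an added example that is not part of the patent text. Assumptions: the window starts at the middle of the first address, the dynamic field has the same 3+3 byte layout as a target field, HMAC-SHA256 stands in for the unspecified "first encryption algorithm", and all names, keys and mac addresses are constructed for illustration.

```python
import hashlib
import hmac

WINDOW = 6  # window size and sliding step in bytes, as given in the description


def mac_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit mac address: {mac!r}")
    return raw


def target_fields(chain):
    """Slide the 6-byte window in 6-byte steps over one mac address chain.

    Assumption: the window starts at the middle of the first address, so every
    target field is the last 3 bytes of one mac plus the first 3 of the next.
    """
    blob = b"".join(mac_bytes(m) for m in chain)
    return [blob[i:i + WINDOW] for i in range(3, len(blob) - WINDOW + 1, WINDOW)]


def dynamic_field(prev_mac, own_mac):
    """Dynamic field a second terminal sends (assumed layout, same as a window)."""
    return mac_bytes(prev_mac)[3:] + mac_bytes(own_mac)[:3]


def fixed_field(secondary_key, operation):
    """Fixed field per file operation function; HMAC-SHA256 is a stand-in here."""
    return hmac.new(secondary_key, operation.encode(), hashlib.sha256).digest()


class NasVerifier:
    """NAS-side check of the combined verification information (hypothetical)."""

    def __init__(self, chains, bindings, last_operator):
        self.windows = {w for chain in chains for w in target_fields(chain)}
        self.bindings = bindings            # mac -> (operation, secondary key)
        self.last_operator = last_operator  # mac of the previous operation
        self.channels_open = True

    def verify(self, mac, operation, dynamic, fixed):
        if not self.channels_open:
            return "closed"
        bound_op, key = self.bindings.get(mac, (None, b""))
        expected = dynamic_field(self.last_operator, mac)
        ok = (
            bound_op == operation                       # one function per terminal
            and expected in self.windows                # order exists on a chain
            and hmac.compare_digest(dynamic, expected)  # dynamic field matches
            and hmac.compare_digest(fixed, fixed_field(key, operation))
        )
        if not ok:
            self.channels_open = False  # abnormal result: close all channels
            return "rejected"
        self.last_operator = mac
        return "granted"


def demo():
    # Constructed sample terminals and keys, not values from the patent.
    a, b, c = "02:11:22:aa:bb:01", "02:33:44:cc:dd:02", "02:55:66:ee:ff:03"
    bindings = {
        a: ("create", b"constructed-key-create"),
        b: ("read_write", b"constructed-key-rw"),
        c: ("rename", b"constructed-key-rename"),
    }
    nas = NasVerifier([[a, b, c]], bindings, last_operator=a)

    def request(prev, mac):
        op, key = bindings[mac]
        return nas.verify(mac, op, dynamic_field(prev, mac), fixed_field(key, op))

    return [
        request(a, b),  # a -> b is on the chain
        request(b, c),  # b -> c is on the chain
        request(c, a),  # c -> a was never recorded: rejected, channels close
        request(a, b),  # otherwise valid, but every channel is now closed
    ]


if __name__ == "__main__":
    print(demo())
```

Once `channels_open` is false, the sketch leaves it false; the description says verification may be restarted on an instruction from the first terminal, which is not modelled here.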
Optionally, the secure operation method further includes, in a case where the second terminal is added, updating the mac address chain in the following manner:
In some scenarios, the user configures a new, independent file operation function, or not all of the second terminals were combined in the initial process to obtain complete mac address chains. In this case, the file operation function of the added second terminal does not overlap with the previous operation functions, and the mac address chains need to be updated. That is, it may be determined whether the operation function of the added second terminal duplicates that of an existing second terminal, and, if it does not, the mac address of the added second terminal is virtually inserted after the mac address of each second terminal in the existing mac address chain, so as to obtain a mac address chain having the mac address of the added second terminal as a branch. The virtual insertion referred to in this example means attaching the mac address of the added second terminal as a branch between any two mac addresses, so that when the sliding window runs it can enter both the branch and any two mac addresses in the original sequence.
Based on the mac address chain with the branch, the branches are cut with the sliding window according to subsequent file operations so as to determine the operation order of the added second terminal, and the mac address of the added second terminal is inserted into the existing mac address chain based on the remaining branch to complete the update.
Specifically, for each obtained mac address chain with a branch, the branch mac addresses may be cut with the sliding window according to the subsequent file operations; if the current file operation matches the mac address of a branch, the mac address of the added second terminal is inserted at the current position. In this way, a newly added file operation can be incorporated quickly without repeating the permutation and combination.
Optionally, in some application scenarios, after receiving an access request from a second terminal, the NAS device may not verify it immediately but instead delay verification for a preset duration. Authority verification requests from at least two second terminals may thus be received at the same time; "at the same time" in this example may mean access requests whose time difference falls within a set range. In this case, the secure operation method further includes the NAS device notifying the at least two second terminals to negotiate, and the negotiation process of the at least two second terminals includes:
The at least two second terminals send negotiation information to the first terminal. That is, one of the at least two second terminals with conflicting access requests needs to be selected to perform verification; in this example, the at least two second terminals send negotiation information to the first terminal.
The first terminal designates one second terminal to execute authority verification according to the negotiation information. Specifically, the first terminal may select the second terminal that is to perform authority verification as specified by the user, in which case the user needs to operate the second terminal manually. A corresponding priority may also be configured based on the file operation function, and the configured priority is not sent to the corresponding second terminal, which improves the confidentiality of the file operation. The first terminal can therefore determine the second terminal that is to execute authority verification by comparing the priorities of the at least two second terminals.
After that second terminal completes its file operation, the first terminal sends the access requests of the other second terminals to the NAS device in a set order and notifies the corresponding second terminals. Because the access requests of the other second terminals are sent to the NAS device through the first terminal in the set order, the second terminals do not need to initiate multiple access requests, which effectively improves the efficiency of file operations.
Optionally, the secure operation method further includes: while the current second terminal is executing the corresponding file operation function on any target data file, closing authority verification for the other second terminals, so that only a single second terminal is allowed to operate on the target data file in the same time period. This design ensures that only one second terminal operates on the target data file at a time, prevents an illegal terminal from performing authority verification during the file operation to obtain the current file operation function, and further improves the security of file operations.
Optionally, the secure operation method further includes, when a result of any right verification is abnormal, closing all right verification channels. Closing all the permission verification channels can further improve the security of the data file stored in the NAS, and in some examples, permission verification may be restarted according to an instruction of the first terminal.
According to the scheme, the file operation functions of the target data files are split, corresponding authority management is achieved, and a single data access entry (bottom authority) is configured for each target data file, so that only double-layer verification is needed for achieving any file operation function, and under the condition that protected information needs to be attacked from the outside, multiple two-layer authorities need to be obtained at the same time, and therefore the safety of the secret-related data files stored in the NAS is greatly improved.
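The delayed verification, negotiation, single-operator rule and close-on-abnormal behaviour described above can be modelled as one NAS-side arbiter. The following is an added example, not code from the patent: the class and method names, the 2-second delay, the "lower value wins" priority convention and the boolean `valid` flag standing in for the real authority verification are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    terminal: str        # second terminal that sent the access request
    target: str          # target data file on the NAS
    arrived: float       # arrival time, seconds
    valid: bool = True   # stand-in for the outcome of authority verification

class Arbiter:
    """Delayed verification, negotiation, one operator per file, fail closed."""

    def __init__(self, priorities, delay=2.0):
        self.priorities = priorities  # held by the first terminal; lower value wins
        self.delay = delay            # preset verification delay (assumed 2 s)
        self.pending = []             # requests still waiting out the delay
        self.queued = {}              # target -> requests that lost negotiation
        self.busy = {}                # target -> terminal operating on it now
        self.closed = False           # set once any verification is abnormal

    def submit(self, req):
        if self.closed:
            return "closed"
        if req.target in self.busy:   # verification is off for other terminals
            return "busy"
        self.pending.append(req)
        return "pending"

    def _verify(self, req):
        if not req.valid:             # abnormal result: close every channel
            self.closed = True
            self.pending.clear()
            self.queued.clear()
            return None
        self.busy[req.target] = req.terminal
        return req.terminal

    def tick(self, now):
        """Verify, per target, the requests whose delay has elapsed."""
        granted = []
        for target in sorted({r.target for r in self.pending}):
            group = [r for r in self.pending if r.target == target]
            first = min(r.arrived for r in group)
            if target in self.busy or now < first + self.delay:
                continue
            # Arrivals inside the delay window count as simultaneous.
            rivals = sorted((r for r in group if r.arrived <= first + self.delay),
                            key=lambda r: self.priorities[r.terminal])
            self.pending = [r for r in self.pending if r not in rivals]
            self.queued.setdefault(target, []).extend(rivals[1:])
            winner = self._verify(rivals[0])
            if winner is None:
                break                 # channels closed, nothing else is verified
            granted.append(winner)
        return granted

    def complete(self, target):
        """Operation done: forward the next queued request on the loser's behalf."""
        self.busy.pop(target, None)
        waiting = self.queued.get(target, [])
        if self.closed or not waiting:
            return None
        return self._verify(waiting.pop(0))

    def restart(self):                # only on an instruction from the first terminal
        self.closed = False

if __name__ == "__main__":
    arb = Arbiter({"T-read": 1, "T-copy": 2})   # constructed terminals, priorities
    arb.submit(Request("T-copy", "plan.docx", 0.0))
    arb.submit(Request("T-read", "plan.docx", 1.2))
    print(arb.tick(2.0), arb.complete("plan.docx"))
```

A request that loses negotiation is never resubmitted by its terminal; `complete` verifies it from the queue, which is the point at which a stale or tampered request would trip the close-all path.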
The embodiment of the application also provides a NAS file security operating system with multi-user participation, which comprises a processor and a memory, wherein the memory stores a computer program, and the computer program realizes the steps of the NAS file security operating method with multi-user participation when being executed by the processor.
The embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the foregoing NAS file security operation method with multi-user participation are implemented.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the disclosure with equivalent elements, modifications, omissions, combinations (e.g., of various embodiments across), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the foregoing detailed description, various features may be grouped together to streamline the disclosure. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, the subject matter of the present disclosure may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of the invention should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
The above embodiments are only exemplary embodiments of the present disclosure, and are not intended to limit the present invention, the scope of which is defined by the claims. Various modifications and equivalents may be made thereto by those skilled in the art within the spirit and scope of the present disclosure, and such modifications and equivalents should be considered to be within the scope of the present invention.

Claims (9)

1. A method for safely operating a NAS file with participation of multiple users is characterized by comprising the following steps:
in the initial state of the NAS device, the following network distribution steps are executed:
the NAS device creates an AP hotspot;
one of the terminals is used as a first terminal, the rest terminals of the terminals are used as second terminals, the first terminal is used for connecting the AP hotspot, and a trusted connection state is established through a challenge-response mode based on the AP hotspot;
the NAS device generates an asymmetric encryption public key and a private key and sends the public key to the first terminal;
the first terminal registers an administrator login account and a password to the NAS device based on the public key, and configures a Wi-Fi SSID and a password of the distribution network connection required by the NAS device based on the registered administrator login account, so that the NAS device is connected with a corresponding Wi-Fi based on the password after configuration;
after the network distribution of the NAS equipment is successful, the following file operation steps are executed:
configuring corresponding bottom-layer authority for each target data file in the NAS equipment by using a first terminal so as to allow the target data file to be accessed under the condition that the corresponding bottom-layer authority passes verification; splitting the operation function of each target data file in the NAS equipment by using the first terminal, and configuring the corresponding file operation function for each second terminal, wherein one second terminal is only configured with one file operation function, and the file operation function comprises file creation, file reading and writing, file copying, file moving, file deletion and file renaming;
and generating secondary authorities corresponding to the second terminals by using the first terminal, and sending the secondary authorities to the corresponding second terminals so that the second terminals access the target data files based on the secondary authorities and execute corresponding file operation functions.
2. The method for securely operating the NAS file with the participation of multiple users according to claim 1, wherein the accessing of the target data file and the performing of the corresponding file operation function by the second terminal based on the secondary authority of the second terminal comprises:
acquiring a bottom layer authority from the first terminal by using the second terminal;
sending an access request to the NAS device based on the self-configured secondary authority and the obtained bottom layer authority;
and the NAS device carries out authority verification on the second terminal based on the access request, and opens a file operation function corresponding to the target data file under the condition that the verification is passed.
3. The method for securely operating the NAS file with multi-user participation according to claim 2, wherein the NAS device performing the authority verification on the second terminal based on the access request comprises:
the NAS equipment acquires combined verification information in an access request sent by a current second terminal, wherein the combined verification information comprises a fixed field and a dynamic field, the fixed field is determined by adopting a first encryption algorithm, and the dynamic field is set based on a mac address of the second terminal;
maintaining a plurality of mac address chains based on the mac address of each second terminal in the NAS device, wherein each mac address chain is determined based on the previous and subsequent relations of historical operation;
after the combined verification information sent by the second terminal is obtained, a sliding window with a fixed size is set based on a mac address chain to slide a group of target fields for verification, wherein the size of the sliding window is 6 bytes, the sliding step length is 6 bytes, and the target fields comprise 3-byte mac addresses of the second terminal executing the previous operation and 3-byte mac addresses of the second terminal currently operating;
and matching the target field with the dynamic field of the second terminal, and verifying the fixed field in the combined verification information under the condition that the matching is passed.
4. The method for safely operating the NAS file with participation of multiple users according to claim 3, wherein the method for safely operating the NAS file further comprises, in case of adding the second terminal, updating the mac address chain in the following manner:
judging whether the operation functions of the second terminal corresponding to the existing second terminal are repeated, and virtually inserting the mac address of the second terminal after the mac address of each second terminal in the existing mac address chain under the condition of no repetition so as to obtain a mac address chain with the mac address of the second terminal as a branch;
based on the mac address chain with the branch, the branch is cut by using a sliding window based on the subsequent file operation to determine the operation sequence of the second terminal, and the mac address of the second terminal is inserted into the existing mac address chain based on the remaining branch to complete the updating.
5. The method for safely operating the NAS file with the participation of multiple users according to claim 1, wherein the method for safely operating the NAS file further comprises, in case that any target data file is executed with the corresponding file operation function by the current second terminal, closing the authority verification for other second terminals, so as to allow only a single second terminal to execute the operation on the target data file in the same time period.
6. The NAS file security operation method of claim 5, wherein the security operation method further comprises, in case of receiving authentication of at least two second terminals at the same time, notifying the at least two second terminals to perform negotiation, and the process of performing negotiation by the at least two second terminals includes:
at least two second terminals send negotiation information to the first terminal;
the first terminal appoints a second terminal to execute authority verification according to each negotiation information; and after the second terminal completes the file operation, the first terminal sends the access requests in other second terminals to the NAS device according to a set sequence and informs the corresponding second terminals.
7. The method for securely operating the NAS file with the participation of the multiple users according to claim 5, wherein the method for securely operating the NAS file further comprises closing all the rights verification channels if the result of any rights verification is abnormal.
8. A multi-user-participated NAS file security operating system comprising a processor and a memory, the memory having stored thereon a computer program which, when executed by the processor, carries out the steps of the multi-user-participated NAS file security operating method according to any one of claims 1 to 7.
9. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which when executed by a processor implements the steps of the multi-user participated NAS file security operation method according to any one of claims 1 to 7.
CN202210495586.8A 2022-05-09 2022-05-09 Multi-user-participated NAS file security operation method and system Active CN114599036B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210495586.8A CN114599036B (en) 2022-05-09 2022-05-09 Multi-user-participated NAS file security operation method and system

Publications (2)

Publication Number Publication Date
CN114599036A true CN114599036A (en) 2022-06-07
CN114599036B CN114599036B (en) 2022-08-05

Family

ID=81812437

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210495586.8A Active CN114599036B (en) 2022-05-09 2022-05-09 Multi-user-participated NAS file security operation method and system

Country Status (1)

Country Link
CN (1) CN114599036B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant