CN115470525A - File protection method, system, computing device and storage medium - Google Patents


Info

Publication number
CN115470525A
Authority
CN
China
Prior art keywords
file
user
server
protection
protection strategy
Legal status
Granted
Application number
CN202211410857.1A
Other languages
Chinese (zh)
Other versions
CN115470525B (en
Inventor
闫博文
李鹤
Current Assignee
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Application filed by Uniontech Software Technology Co Ltd
Priority to CN202211410857.1A
Publication of CN115470525A
Application granted
Publication of CN115470525B
Legal status: Active

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules › G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS › G06 › G06F › G06F21/00 › G06F21/60 Protecting data › G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS › G06 › G06F › G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements › G06F2221/2107 File encryption

Abstract

The invention relates to the field of file information security, and in particular to a file protection method, system, computing device and storage medium. The method comprises: in response to receiving a protection policy configured for a file, sending the protection policy and the file identifier to a server; in response to receiving security parameters sent by the server, generating a public key from the security parameters and the file identifier, and encrypting the file with the public key; in response to receiving an access request from a second user for the encrypted file, obtaining the protection policy of the encrypted file and determining whether the second user is permitted to access it; and, if so, obtaining the private key and decrypting the encrypted file. With this method the user does not set an encryption key by hand: the computing device encrypts the file according to the protection policy and decrypts it according to the same policy. At the same time, a file can be shared through its protection policy without sharing any key, which preserves the security of the file.

Description

File protection method, system, computing device and storage medium
Technical Field
The present invention relates to the field of file information security, and in particular, to a file protection method, system, computing device, and storage medium.
Background
With the development of computer technology, people increasingly process and store all kinds of files and data on computers, so the security of data stored on a computer becomes ever more important. Data is the core asset of a computer-based information system, and files are the main carrier of data in such a system. A file therefore needs integrity and confidentiality, so that it can be neither leaked nor illegally tampered with.
In the prior art, a user sets a key for the file to be protected and enters that key when the file needs to be read; encryption and decryption both depend on it. This is cumbersome: every encryption and decryption requires the user to supply the key, and the system must also manage each user's keys. When a file needs to be shared, the key must be shared too; but a key is private data of its user, sharing it is normally not permitted, and once it has been shared there is a risk of data leakage.
A new file protection method is therefore needed.
Disclosure of Invention
To this end, the present invention provides a file protection method and system in an attempt to solve, or at least alleviate, the problems identified above.
According to a first aspect of the present invention, there is provided a file protection method adapted to be executed in a client that is communicatively connected to a server, the method comprising: in response to receiving a protection policy configured by a first user for a file, sending the protection policy and the file identifier of the file to the server, so that the server stores the protection policy under the file identifier; in response to receiving security parameters sent by the server, generating a public key from the security parameters and the file identifier, and encrypting the file with the public key to produce an encrypted file; in response to receiving an access request from a second user for the encrypted file, obtaining the protection policy of the encrypted file from the server and determining, according to the protection policy, whether the second user is permitted to access the encrypted file; and, if the second user is determined to be permitted to access the encrypted file, obtaining the private key from the server and decrypting the encrypted file with the private key.
Optionally, the method further comprises: generating an attribute configuration interface comprising a user configuration item and an application configuration item; and displaying the attribute configuration interface to the first user, so as to receive the protection policy that the first user configures through the user configuration item and the application configuration item.
Optionally, the method further comprises: when the protection policy and the file identifier are sent to the server, also sending the user identifier of the first user, so that the server can verify from the user identifier whether the first user is authorised to configure a protection policy for the file.
Optionally, obtaining the protection policy of the encrypted file from the server comprises: determining the file identifier of the encrypted file; sending the file identifier to the server, so that the server can look up the protection policy of the encrypted file by the file identifier; and receiving the protection policy returned by the server.
Optionally, the method further comprises: when the file identifier is sent to the server, also sending the user identifier of the second user, so that the server can verify from the user identifier whether the second user is authorised to obtain the protection policy.
Optionally, the protection policy comprises a user permission list, and determining whether the second user is permitted to access the encrypted file comprises: determining whether the user permission list includes the second user; and, if not, determining that the second user is not permitted to access the encrypted file.
Optionally, the protection policy further comprises an application permission list, and the method further comprises: if the user permission list includes the second user, determining whether the application permission list includes the application with which the second user is accessing the encrypted file; and, if so, determining that the second user is permitted to access the encrypted file.
Optionally, the private key is generated by the server from the file identifier of the encrypted file and the public key.
Optionally, the method further comprises: in response to receiving a request from a third user to modify the protection policy, obtaining the protection policy of the encrypted file from the server; and, in response to receiving the modified protection policy configured by the third user for the encrypted file, sending the modified protection policy and the file identifier to the server, so that the server stores the modified protection policy under the file identifier.
According to a second aspect of the present invention, there is provided a file protection system comprising a server and one or more clients connected to it. The client is adapted, in response to receiving a protection policy configured by a first user for a file, to send the protection policy and the file identifier of the file to the server. The server is adapted to store the protection policy under the file identifier and to send security parameters to the client. The client is further adapted to generate a public key from the security parameters and the file identifier, to encrypt the file with the public key to produce an encrypted file, and, in response to receiving an access request from a second user for the encrypted file, to obtain the protection policy of the encrypted file from the server, to determine according to the protection policy whether the second user is permitted to access the encrypted file, and, if so, to obtain the private key from the server and decrypt the encrypted file with it.
According to a third aspect of the invention, there is provided a computing device comprising: one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing the file protection method according to the present invention.
According to a fourth aspect of the present invention, there is provided a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform a file protection method according to the present invention.
The file protection method disclosed here is adapted to run on a computing device that is communicatively connected to a server, and comprises: sending the protection policy configured by the first user, together with the file identifier, to the server, which stores the policy under the identifier; generating a public key from the security parameters returned by the server and the file identifier, and encrypting the file with that public key; on an access request from a second user, obtaining the protection policy from the server and deciding from it whether the second user is permitted to access the encrypted file; and, if so, obtaining the private key from the server and decrypting the encrypted file with it. The user thus never sets an encryption key by hand: the computing device encrypts the file according to the protection policy configured by the user and decrypts it according to that policy. Files can also be shared through the protection policy without sharing any key, which preserves their security.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a file protection system according to an exemplary embodiment of the present invention;
FIG. 2 illustrates a block diagram of a computing device 200, according to an exemplary embodiment of the invention;
FIG. 3 illustrates a flowchart of a file protection method 300 according to an exemplary embodiment of the invention;
FIG. 4 illustrates a schematic diagram of generating an encrypted file according to an exemplary embodiment of the present invention;
FIG. 5 illustrates a schematic diagram of decrypting a file according to another exemplary embodiment of the present invention;
FIG. 6 shows a schematic diagram of modifying a protection policy according to an exemplary embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. Like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a file protection system according to an exemplary embodiment of the present invention.
As shown in FIG. 1, the file protection system includes a client 110 and a server 120. The server 120 may be connected to one or more clients; the connection between server 120 and client 110 shown in FIG. 1 is only an example, and the invention does not limit the number of clients connected to the server 120 or the manner of connection.
As shown in FIG. 1, the client 110 includes a file management module 113, which comprises a file encryption/decryption module 111 and an access control module 112. The server 120 includes an identity authentication module 121, a policy management module 122 and a key generation module 123.
In response to receiving the protection policy configured by the first user for a file, the client sends the protection policy and the file identifier to the server. The server stores the protection policy under the file identifier and sends security parameters to the client. The client then generates a public key from the security parameters and the file identifier and encrypts the file with it to produce an encrypted file. In response to an access request from a second user for the encrypted file, the client obtains the protection policy of the encrypted file from the server, determines according to the policy whether the second user is permitted to access the encrypted file, and, if so, obtains the private key from the server and decrypts the encrypted file with it.
According to one embodiment of the invention, both the client and the server of the file protection system may be implemented as computing devices.
FIG. 2 illustrates a block diagram of a computing device, according to an exemplary embodiment of the invention. In a basic configuration, computing device 200 includes at least one processing unit 220 and system memory 210. According to one aspect, depending on the configuration and type of computing device, the system memory 210 includes, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read-only memory), flash memory, or any combination of such memories. According to one aspect, system memory 210 includes an operating system 211.
According to one aspect, the operating system 211, for example, is suitable for controlling the operation of the computing device 200. Further, the examples are practiced in conjunction with a graphics library, other operating systems, or any other application program, and are not limited to any particular application or system. This basic configuration is illustrated in fig. 2 by those components within dashed line 215. According to one aspect, computing device 200 has additional features or functionality. For example, according to one aspect, computing device 200 includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape.
As stated hereinabove, according to one aspect, program modules 212 are stored in system memory 210. According to one aspect, program modules 212 may include one or more applications, the invention not being limited to the type of application, e.g., applications further include: email and contacts applications, word processing applications, spreadsheet applications, database applications, slide show applications, drawing or computer-aided applications, web browser applications, and the like.
According to one aspect, examples may be practiced in a circuit comprising discrete electronic elements, a packaged or integrated electronic chip containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, an example may be practiced via a system on a chip (SOC) in which each or many of the components shown in FIG. 2 may be integrated on a single integrated circuit. According to one aspect, such SOC devices may include one or more processing units, graphics units, communication units, system virtualization units, and various application functions, all integrated (or "burned") onto a chip substrate as a single integrated circuit. When operating via an SOC, the functions described herein may be operated via application-specific logic integrated with other components of the computing device 200 on a single integrated circuit (chip). Embodiments of the invention may also be practiced using other technologies capable of performing logical operations (e.g., AND, OR, and NOT), including but not limited to mechanical, optical, fluidic, and quantum technologies. In addition, embodiments of the invention may be practiced within a general purpose computer or in any other circuits or systems.
According to one aspect, computing device 200 may also have one or more input devices 231, such as a keyboard, mouse, pen, voice input device, touch input device, or the like. Output device(s) 232 such as a display, speakers, printer, etc. may also be included. The foregoing devices are examples and other devices may also be used. Computing device 200 may include one or more communication connections 233 that allow communication with other computing devices 240. Examples of suitable communication connections 233 include, but are not limited to: RF transmitter, receiver and/or transceiver circuitry; universal Serial Bus (USB), parallel, and/or serial ports. Computing device 200 may be communicatively connected to other computing devices 240 via communication connection 233.
Embodiments of the present invention also provide a non-transitory readable storage medium storing instructions for causing the computing device to perform a method according to an embodiment of the present invention. The readable media of the present embodiments include permanent and non-permanent, removable and non-removable media, and the storage of information may be accomplished by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of readable storage media include, but are not limited to: phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transitory readable storage medium.
According to one aspect, communication media is embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal (e.g., a carrier wave or other transport mechanism) and includes any information delivery media. According to one aspect, the term "modulated data signal" describes a signal that has one or more feature sets or that has been altered in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared, and other wireless media.
It should be noted that although the computing device described above shows only processing unit 220, system memory 210, input device 231, output device 232, and communication connection 233, in particular implementations, the device may include other components necessary for proper operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The file protection method of the invention is adapted to be executed in a client. FIG. 3 shows a flowchart of a file protection method 300 according to an exemplary embodiment of the present invention.
As shown in FIG. 3, step 310 is performed first: in response to receiving the protection policy configured by the first user for a file, the protection policy and the file identifier of the file are sent to the server, so that the server stores the protection policy under the file identifier.
According to one embodiment of the invention, a user (the first, second or third user, and so on) who wants to protect a file by encrypting it can set a protection policy for that file.
Step 320 is then executed: in response to receiving the security parameters sent by the server, a public key is generated from the security parameters and the file identifier, and the file is encrypted with the public key to produce an encrypted file.
FIG. 4 is a diagram illustrating the generation of an encrypted file according to an exemplary embodiment of the present invention.
According to one embodiment of the invention, the client can generate an attribute configuration interface comprising a user configuration item and an application configuration item, and display it to the first user in order to receive the protection policy that the first user configures through those two items.
According to one embodiment of the invention, the user first selects, in the attribute configuration interface, the file that needs to be protected. The file may be of any type; the invention does not limit the type of file to be protected. The file is then configured for anti-leakage protection: according to one embodiment, the user does this by selecting the file's encryption option in the attribute configuration interface. The invention does not limit the specific way in which file encryption is enabled.
The user can then set the protection policy through the user configuration item and the application configuration item.
According to one embodiment of the invention, the user configuration item lists one or more selectable users. Through it the first user configures which users are allowed to access the encrypted file generated from the file, building the user permission list by selecting, adding and deleting users.
According to one embodiment of the invention, the application configuration item lists one or more selectable applications. Through it the first user configures which applications are allowed to access the encrypted file, building the application permission list by selecting, adding and deleting applications. The applications that access an encrypted file are those through which a user opens it, such as the operating system, a file manager or a document editor.
According to one embodiment of the present invention, the configured protection policy has the following structure:
Policy DEFINITIONS AUTOMATIC TAGS ::= BEGIN
    ACL ::= SEQUENCE {
        version        GeneralString,          -- End by '\0'
        uuid           GeneralString,          -- End by '\0'
        signature      GeneralString,          -- End by '\0'
        owner          GeneralString,          -- End by '\0'
        policyItemLen  INTEGER,                -- 4 bytes
        policyItemList SEQUENCE OF PolicyItem
    }
    PolicyItem ::= SEQUENCE {
        id    GeneralString,  -- user or app id, end by '\0'
        type  PolicyType,     -- 2 bytes, such as TYPE_USER or TYPE_APP
        flags PolicyFlag      -- 8 bytes
    }
    PolicyType ::= CHOICE {
        TYPE_USER INTEGER,  -- 2 bytes
        TYPE_APP  INTEGER   -- 2 bytes
    }
    PolicyFlag ::= CHOICE {
        FLAG_FILE_RO   INTEGER,  -- 2 bytes
        FLAG_FILE_RW   INTEGER,  -- 2 bytes
        FLAG_POLICY_RO INTEGER,  -- 2 bytes
        FLAG_POLICY_RW INTEGER   -- 2 bytes
    }
END
According to an embodiment of the invention, the attribute configuration interface can be drawn by the file management module of the client; the invention does not limit its specific implementation or style.
According to one embodiment of the invention, after the user completes the configuration of the protection policy in the attribute configuration interface, the client generates a file identifier for the file. The identifier identifies both the file and the encrypted file generated from it: the two share the same file identifier.
According to one embodiment of the invention, when the client sends the protection policy and the file identifier to the server it also sends the user identifier of the first user, so that the server can verify from the user identifier whether the first user is authorised to configure a protection policy for the file.
According to one embodiment of the invention, after the policy management module of the server receives the protection policy sent by the client, the identity authentication module verifies the authority of the first user and passes the result to the policy management module. If the first user is authorised to configure a protection policy for the file, the policy management module stores the policy under the file identifier; if not, it refuses to store it. According to one embodiment, user authorities are set in the identity authentication module in advance; the invention does not limit the specific manner in which the authority to access, set and modify protection policies is assigned to users.
After the protection policy has been stored, the policy management module sends the security parameters and the result of the policy configuration to the client. The security parameters can be generated by the server in advance, or the server can generate them for the particular file to be protected. In cryptographic terms, a security parameter is a measure of how hard it is for an attacker to break a cryptographic mechanism: the larger the security parameter, the harder the mechanism is to break. Two kinds are distinguished: the computational security parameter, which fixes the size of the value space used by the encryption mechanism and hence the amount of computation an attack requires; and the statistical security parameter, which bounds the probability with which an attacker succeeds even when its computation is unlimited.
After receiving the result that the protection policy was configured successfully, the client encrypts the file with the received security parameters. Specifically, the file management module computes a public key for encrypting the file from the file identifier and the security parameters, and then encrypts the file with that public key to produce the encrypted file.
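The Go program below is an illustration added here; it is not code from the patent or from Uniontech. It models the exchange of steps 310 and 320 together with the access path of the first aspect (policy lookup, user and application checks, private key from the server, decryption). The patent names neither its public-key scheme nor the way the server derives keys, so everything cryptographic is an assumption of this example: the server holds a master secret, derives a P-256 scalar per file identifier, hands out the matching public point as the "security parameters", and the client encrypts with ephemeral ECDH plus AES-256-GCM bound to the file identifier. The names (Server, Policy, ConfigurePolicy, GetPrivateKey, Encrypt, Open) and the admin list are likewise invented. The point worth noticing is where enforcement actually happens: the client's own user-list and application-list check is a convenience, and the server's check before issuing the private key is what an altered client cannot bypass.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must keeps the example short; production code would propagate the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Policy is one file's protection policy: its user permission list and application permission list.
type Policy struct{ Users, Apps map[string]bool }

// Server plays the identity authentication, policy management and key generation modules of FIG. 1.
// The master secret and the admin list are assumptions; the patent leaves both unspecified.
type Server struct {
	master   []byte
	admins   map[string]bool   // users allowed to configure protection policies
	policies map[string]Policy // file identifier -> protection policy
}

func NewServer(admins map[string]bool) *Server {
	s := &Server{master: make([]byte, 32), admins: admins, policies: map[string]Policy{}}
	must(rand.Read(s.master))
	return s
}

// fileKey derives the file's P-256 scalar from the master secret and the file identifier (assumed
// derivation). About 2^-32 of HMAC outputs are invalid scalars; real code would retry with a counter.
func (s *Server) fileKey(fileID string) *ecdh.PrivateKey {
	mac := hmac.New(sha256.New, s.master)
	mac.Write([]byte("file-key|" + fileID))
	return must(ecdh.P256().NewPrivateKey(mac.Sum(nil)))
}

// ConfigurePolicy is step 310 on the server: verify that the first user may configure a policy,
// store it under the file identifier, return the security parameters (here the file's public point).
func (s *Server) ConfigurePolicy(user, fileID string, p Policy) ([]byte, error) {
	if !s.admins[user] {
		return nil, errors.New("user may not configure protection policies")
	}
	s.policies[fileID] = p
	return s.fileKey(fileID).PublicKey().Bytes(), nil
}

// GetPolicy returns the policy only to a user it names (the server-side check on the access request).
func (s *Server) GetPolicy(user, fileID string) (Policy, error) {
	if p, ok := s.policies[fileID]; ok && p.Users[user] {
		return p, nil
	}
	return Policy{}, errors.New("no protection policy available to this user")
}

// GetPrivateKey is the key generation module and the real enforcement point: a tampered client can
// skip its own policy check, but it cannot obtain the scalar without passing this one.
func (s *Server) GetPrivateKey(user, fileID string, pub []byte) ([]byte, error) {
	if p, ok := s.policies[fileID]; !ok || !p.Users[user] {
		return nil, errors.New("user not authorised for this file")
	}
	priv := s.fileKey(fileID)
	if !hmac.Equal(priv.PublicKey().Bytes(), pub) {
		return nil, errors.New("public key does not match the file identifier")
	}
	return priv.Bytes(), nil
}

// fileAEAD binds the ECDH shared secret to the file identifier and returns AES-256-GCM.
func fileAEAD(shared []byte, fileID string) cipher.AEAD {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("file-aead|" + fileID))
	return must(cipher.NewGCM(must(aes.NewCipher(mac.Sum(nil)))))
}

// Encrypt is step 320 on the client: the file's public key is (security parameters, file identifier).
// Output layout: ephemeral public point (65 bytes) || nonce (12 bytes) || ciphertext and tag.
func Encrypt(params []byte, fileID string, plaintext []byte) []byte {
	filePub := must(ecdh.P256().NewPublicKey(params))
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	g := fileAEAD(must(eph.ECDH(filePub)), fileID)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, []byte(fileID))
}

// Open is the client side of the access request: fetch the policy, check the user permission list
// and then the application permission list, obtain the private key from the server and decrypt.
func Open(s *Server, user, app, fileID string, params, blob []byte) ([]byte, error) {
	p, err := s.GetPolicy(user, fileID)
	if err != nil {
		return nil, err
	}
	if !p.Users[user] || !p.Apps[app] {
		return nil, errors.New("user or application not in the permission lists")
	}
	scalar, err := s.GetPrivateKey(user, fileID, params)
	if err != nil {
		return nil, err
	}
	if len(blob) < 65+12+16 {
		return nil, errors.New("encrypted file too short")
	}
	priv := must(ecdh.P256().NewPrivateKey(scalar))
	g := fileAEAD(must(priv.ECDH(must(ecdh.P256().NewPublicKey(blob[:65])))), fileID)
	return g.Open(nil, blob[65:77], blob[77:], []byte(fileID))
}
```

Two consequences of the patent's key arrangement show up directly in this model. The server learns which user opens which file every time a private key is requested, so the key generation module is also an audit point. And because the private key depends only on the file identifier and the public key (as the first aspect states), a user who has obtained it once can keep decrypting that file regardless of later policy changes; a modified policy as in FIG. 6 stops new key requests, but does not revoke keys already handed out.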
According to one embodiment of the invention, after the client finishes encryption and generates the encrypted file, the encrypted file can be displayed to the user as an encryption result through the attribute configuration interface.
According to one embodiment of the present invention, the structure of an encrypted file is as follows (in ASN.1 notation):
File DEFINITIONS AUTOMATIC TAGS ::= BEGIN
    FileInfo ::= SEQUENCE {
        header      Header,
        cipherText  GeneralString       -- End by '\0'
    }
    Header ::= SEQUENCE {
        version           GeneralString, -- End by '\0'
        uuid              GeneralString, -- End by '\0'
        magic             INTEGER,       -- 4 bytes
        metaOffset        INTEGER,       -- 8 bytes
        metaSize          INTEGER,       -- 8 bytes
        metaSign          GeneralString, -- End by '\0'
        cipherTextOffset  INTEGER,       -- 8 bytes
        cipherTextSize    INTEGER,       -- 8 bytes
        cipherTextSign    GeneralString, -- End by '\0'
        clearTextSign     GeneralString, -- End by '\0'
        meta              Metadata
    }
    Metadata ::= SEQUENCE {
        version   GeneralString, -- End by '\0'
        mime      GeneralString, -- End by '\0'
        encoding  GeneralString, -- End by '\0'
        size      INTEGER        -- 8 bytes
    }
END
The signature fields (metaSign, cipherTextSign and clearTextSign) each consist of an algorithm prefix followed by the signature data. The algorithm prefix identifies the algorithm with which the signature data was computed; for example, the prefix $6$ denotes the sha512 algorithm and the prefix $SM2$ denotes the SM2 algorithm. According to one embodiment of the invention, when the default algorithm in use needs to be changed, it can be changed conveniently by changing the algorithm prefix.
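The signature fields of the Header described above can be checked on the client before a file is decrypted and again after decryption. The following is an added example in Python, not code from the patent or from Uniontech: it implements the $prefix$data convention using the $6$ → sha512 mapping stated on the page, reports the $SM2$ prefix as unsupported (SM2 is a public-key signature scheme that the Python standard library does not provide), and fills in a Header for a constructed file. The function names, the 64-byte fixed prefix assumed for the on-disk layout, the magic value and the metadata serialisation are assumptions of the example, not details from the page.

```python
import hashlib
import hmac

# Algorithm prefix -> hashlib digest name. "$6$" -> sha512 is taken from the patent text.
# The page also names "$SM2$"; SM2 is a public-key signature scheme that hashlib does not
# provide, so this example reports it as unsupported instead of faking it.
DIGEST_BY_PREFIX = {"6": "sha512"}

# Constructed on-disk layout assumed by this example (the page does not specify one):
# a fixed 64-byte prefix, then the encoded Metadata, then the cipher text.
FIXED_PREFIX_SIZE = 64
MAGIC = 0x454E4346  # constructed placeholder value


def parse_sign(sign: str) -> tuple[str, str]:
    """Split a "$<prefix>$<data>" field into (prefix, data)."""
    parts = sign.split("$", 2)
    if len(parts) != 3 or parts[0] != "" or not parts[1] or not parts[2]:
        raise ValueError("malformed signature field: expected $<prefix>$<data>")
    return parts[1], parts[2]


def prefix_supported(sign: str) -> bool:
    """True when the prefix names an algorithm this client can evaluate."""
    return parse_sign(sign)[0] in DIGEST_BY_PREFIX


def make_sign(data: bytes, prefix: str = "6") -> str:
    """Compute the field value for `data` under the algorithm selected by `prefix`."""
    digest_name = DIGEST_BY_PREFIX.get(prefix)
    if digest_name is None:
        raise ValueError(f"unsupported algorithm prefix ${prefix}$")
    return f"${prefix}${hashlib.new(digest_name, data).hexdigest()}"


def verify_sign(data: bytes, sign: str) -> bool:
    """Recompute the field for `data` and compare it with the stored one in constant time."""
    prefix, sig_data = parse_sign(sign)
    digest_name = DIGEST_BY_PREFIX.get(prefix)
    if digest_name is None:
        raise ValueError(f"unsupported algorithm prefix ${prefix}$")
    expected = hashlib.new(digest_name, data).hexdigest()
    return hmac.compare_digest(expected, sig_data)


def encode_metadata(meta: dict) -> bytes:
    """Stand-in serialisation of the Metadata SEQUENCE (the page does not fix the encoding)."""
    return ";".join(f"{k}={meta[k]}" for k in ("version", "mime", "encoding", "size")).encode()


def build_header(uuid: str, clear_text: bytes, cipher_text: bytes, mime: str) -> dict:
    """Fill the Header fields of the page's FileInfo structure for one file."""
    meta = {"version": "1", "mime": mime, "encoding": "binary", "size": len(clear_text)}
    meta_bytes = encode_metadata(meta)
    meta_offset = FIXED_PREFIX_SIZE
    return {
        "version": "1",
        "uuid": uuid,
        "magic": MAGIC,
        "metaOffset": meta_offset,
        "metaSize": len(meta_bytes),
        "metaSign": make_sign(meta_bytes),
        "cipherTextOffset": meta_offset + len(meta_bytes),
        "cipherTextSize": len(cipher_text),
        "cipherTextSign": make_sign(cipher_text),
        "clearTextSign": make_sign(clear_text),
        "meta": meta,
    }


def check_before_decrypt(header: dict, cipher_text: bytes) -> bool:
    """Reject a file whose cipher text does not match the size and digest in its header."""
    if len(cipher_text) != header["cipherTextSize"]:
        return False
    return verify_sign(cipher_text, header["cipherTextSign"])


def check_after_decrypt(header: dict, clear_text: bytes) -> bool:
    """Confirm the decrypted content against clearTextSign and the size recorded in Metadata."""
    if len(clear_text) != header["meta"]["size"]:
        return False
    return verify_sign(clear_text, header["clearTextSign"])
```

With the $6$ prefix the field is a plain digest, so a mismatch reveals corruption or truncation of the cipher text, but anyone who can rewrite the file can also rewrite the field; authenticity of the header therefore depends on selecting a real signature scheme such as the one the $SM2$ prefix denotes, and on a client that refuses prefixes it cannot evaluate rather than skipping the check.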
Please refer to fig. 3. Then, step 330 is executed: in response to receiving an access request from the second user for the encrypted file, the protection policy of the encrypted file is obtained from the server, and whether the second user has the right to access the encrypted file is determined according to the protection policy.
According to one embodiment of the invention, obtaining the protection policy of the encrypted file from the server comprises: determining the file identifier of the encrypted file; sending the file identifier to the server so that the server can look up the protection policy of the encrypted file by the file identifier; and receiving the protection policy returned by the server.
Finally, step 340 is executed: if it is determined that the second user has the right to access the encrypted file, a private key is obtained from the server and the encrypted file is decrypted with the private key.
Fig. 5 illustrates a schematic diagram of decrypting a file according to another exemplary embodiment of the present invention. As shown in fig. 5, when a user triggers an access request for an encrypted file at the client, that is, wants to open the encrypted file for viewing, the access policy check flow of the file management module is triggered. The file management module first determines the file identifier of the encrypted file the user wants to access and then sends the file identifier to the server, so that the server can look up the protection policy of the encrypted file by the file identifier.
According to one embodiment of the invention, when the client sends the file identifier to the server, it also sends the user identifier of the second user, so that the server can verify, according to the user identifier, whether the second user has the right to acquire the protection policy.
According to one embodiment of the invention, after the policy management module of the server receives the request sent by the client, the identity authentication module verifies the authority of the second user and sends the verification result to the policy management module. If the second user has the right to acquire the protection policy of the file, the policy management module looks up the protection policy by the file identifier and returns it to the client; if the second user does not have that right, the policy management module refuses to provide the protection policy.
According to one embodiment of the invention, the protection policy includes a user permission list and an application permission list. After the file management module receives the protection policy returned by the server, it checks whether the current user is allowed to access the encrypted file. Specifically, it determines whether the user permission list includes the second user; if not, it determines that the second user does not have the authority to access the encrypted file.
If the user permission list includes the second user, the file management module goes on to determine whether the current application is allowed to access the encrypted file. Specifically, it determines whether the application permission list includes the application the second user is using to access the encrypted file; if so, it determines that the second user has the authority to access the encrypted file.
The file management module then decrypts the encrypted file to obtain the file content. Specifically, it first checks for the key needed to decrypt the file, that is, whether the private key exists on the computing device; if so, the private key is used to decrypt the encrypted file. According to an embodiment of the present invention, whether the private key exists on the computing device may be determined by checking whether it exists in the keyring provided by the operating system.
If the private key does not exist on the computing device, it is obtained from the key generation module of the server. According to one embodiment of the invention, the key generation module generates the private key from the file identifier and the public key of the encrypted file. According to an embodiment of the present invention, the key generation module can generate the private key with the SM9 algorithm; the present invention does not limit the specific way the private key is generated or the encryption algorithm used.
Finally, the file management module decrypts the encrypted file with the acquired private key and displays the file content to the user through the application that is accessing the encrypted file.
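The client-side access check and key lookup described above (user permission list first, then application permission list, then keyring before server) can be written as one small flow. The following is an added example in Python, not code from the patent or from Uniontech. The class and function names are assumptions; the `LocalKeyring` class stands in for the operating-system keyring the page mentions, and `constructed_key_server` is a constructed stand-in for the server's key generation module that merely records which file identifiers were requested (the page derives the real private key from the file identifier and public key, with SM9 in one embodiment, which is not reproduced here).

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ProtectionPolicy:
    """The two lists the page says a protection policy contains."""
    user_permission_list: frozenset
    application_permission_list: frozenset


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


def check_access(policy: ProtectionPolicy, user_id: str, app_id: str) -> AccessDecision:
    """Decide in the order the page describes: user list first, then application list.
    Anything not explicitly listed is denied."""
    if user_id not in policy.user_permission_list:
        return AccessDecision(False, "user not in the user permission list")
    if app_id not in policy.application_permission_list:
        return AccessDecision(False, "application not in the application permission list")
    return AccessDecision(True, "user and application both permitted")


class LocalKeyring:
    """Stand-in for the operating-system keyring (assumption of this example)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def lookup(self, file_id: str) -> Optional[bytes]:
        return self._keys.get(file_id)

    def store(self, file_id: str, private_key: bytes) -> None:
        self._keys[file_id] = private_key


KEY_REQUESTS: list[str] = []  # file identifiers for which the server was asked for a key


def constructed_key_server(file_id: str) -> bytes:
    """Constructed stand-in for the server's key generation module. It only records the
    request and returns a labelled placeholder; it does not derive a real private key."""
    KEY_REQUESTS.append(file_id)
    return b"placeholder-private-key-for-" + file_id.encode()


def resolve_private_key(file_id: str, keyring: LocalKeyring,
                        request_from_server: Callable[[str], bytes]) -> bytes:
    """Use the key from the local keyring if present; otherwise fetch it once and cache it."""
    private_key = keyring.lookup(file_id)
    if private_key is None:
        private_key = request_from_server(file_id)
        keyring.store(file_id, private_key)
    return private_key


def open_encrypted_file(policy: ProtectionPolicy, user_id: str, app_id: str, file_id: str,
                        keyring: LocalKeyring,
                        request_from_server: Callable[[str], bytes] = constructed_key_server
                        ) -> tuple[AccessDecision, Optional[bytes]]:
    """Policy check first, key resolution second: a denied request never touches the
    keyring or the server, so no key material is fetched for it."""
    decision = check_access(policy, user_id, app_id)
    if not decision.allowed:
        return decision, None
    return decision, resolve_private_key(file_id, keyring, request_from_server)
```

The ordering matters for the design: the policy decision is taken before any key is looked up, so a user or application outside the lists produces a denial without a key ever being requested, and a key already present in the keyring is reused rather than requested again.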
According to an embodiment of the invention, the method further comprises: in response to receiving a request from a third user to modify the protection policy, obtaining the protection policy of the encrypted file from the server; and in response to receiving the modified protection policy configured by the third user for the encrypted file, sending the modified protection policy and the file identifier to the server so that the server stores the modified protection policy under the file identifier.
Fig. 6 shows a schematic diagram of modifying a protection policy according to an exemplary embodiment of the invention. As shown in fig. 6, when a user needs to modify the protection policy of an encrypted file, the encrypted file to be configured is selected through the attribute configuration interface, and its protection policy is then configured through that interface. Specifically, the protection policy is first acquired through the attribute configuration interface.
According to one embodiment of the invention, when a third user wants to change a protection policy, the client sends the file identifier of the encrypted file and the user identifier of the third user to the server at the moment the protection policy is first acquired through the attribute configuration interface. After the policy management module of the server receives the file identifier, the identity management module verifies, according to the third user's user identifier, whether the third user has the right to acquire the protection policy; if so, the protection policy is returned to the client, and if not, the server refuses to return it.
The attribute configuration interface then displays the current protection policy of the encrypted file as received, accepts the user's modifications to the protection policy and applies the configuration. The client sends the modified protection policy and the user identifier of the third user to the server. The server verifies, according to the third user's user identifier, whether the third user has the right to modify the protection policy, and sends the verification result to the policy management module.
If the third user does not have the right to modify the protection policy, the policy management module refuses to store the modified protection policy, returns a policy modification result indicating that the modification failed to the client, and the attribute configuration interface displays that result.
If the third user has the right to modify the protection policy, the policy management module stores the modified protection policy and returns a policy modification result indicating that the modification succeeded to the client, and the attribute configuration interface displays that result.
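The server-side checks described for saving a policy (first user), returning a policy (second and third users) and modifying a policy (third user) all follow the same pattern: the identity authentication module is consulted for a specific right before the policy management module touches its store. The following is an added example in Python, not code from the patent or from Uniontech, that collects those three operations in one module. The class and method names, the three right names and the result messages are assumptions. It also assumes the user identifier has already been authenticated by the session that carries the request, since a server that accepted the identifier from the request body alone would be trusting the client's claim about who it is.

```python
import copy
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authority:
    """Rights a user holds over protection policies, set in advance in the identity
    authentication module as the page describes. Right names are this example's own."""
    configure: bool = False  # may save the policy of a newly protected file
    acquire: bool = False    # may read a stored policy
    modify: bool = False     # may replace a stored policy


@dataclass(frozen=True)
class PolicyResult:
    ok: bool
    message: str
    policy: Optional[dict] = None


class IdentityAuthenticationModule:
    def __init__(self, authorities: dict[str, Authority]) -> None:
        self._authorities = authorities

    def has_right(self, user_id: str, right: str) -> bool:
        """Unknown users hold no rights; an unknown right name is a programming error."""
        authority = self._authorities.get(user_id)
        if authority is None:
            return False
        return bool(getattr(authority, right))


class PolicyManagementModule:
    """Stores protection policies by file identifier and consults the identity
    authentication module before every save, read or modification."""

    def __init__(self, identity: IdentityAuthenticationModule) -> None:
        self._identity = identity
        self._policies: dict[str, dict] = {}

    def save_policy(self, user_id: str, file_id: str, policy: dict) -> PolicyResult:
        if not self._identity.has_right(user_id, "configure"):
            return PolicyResult(False, "refused: user may not configure a protection policy")
        self._policies[file_id] = copy.deepcopy(policy)
        return PolicyResult(True, "protection policy saved")

    def get_policy(self, user_id: str, file_id: str) -> PolicyResult:
        if not self._identity.has_right(user_id, "acquire"):
            return PolicyResult(False, "refused: user may not acquire the protection policy")
        stored = self._policies.get(file_id)
        if stored is None:
            return PolicyResult(False, "no protection policy for this file identifier")
        # Hand out a copy so a caller cannot alter the stored policy without going
        # through modify_policy and its authority check.
        return PolicyResult(True, "protection policy returned", copy.deepcopy(stored))

    def modify_policy(self, user_id: str, file_id: str, modified: dict) -> PolicyResult:
        if file_id not in self._policies:
            return PolicyResult(False, "no protection policy for this file identifier")
        if not self._identity.has_right(user_id, "modify"):
            return PolicyResult(False, "protection policy modification failed: not authorised")
        self._policies[file_id] = copy.deepcopy(modified)
        return PolicyResult(True, "protection policy modification succeeded")
```

Each operation returns a result object rather than raising, which matches the page's flow of sending a success or failure result back to the client for display in the attribute configuration interface.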
The invention achieves convenient file encryption and decryption together with strict control of file access by setting a file identifier, user authorities and an access policy. The invention uses the file identifier to generate the public key and computes the private key from the file identifier and the public key, so that users need neither exchange keys among themselves nor manage their own keys; and the file is always stored on the hard disk in encrypted form, so that it remains secure in an offline environment. According to the file access method and system, the access policy of a file is managed: when a user or application accesses the file, the file's access policy is obtained, whether the user or application has the authority is checked, and access is allowed only after the check passes.
A file can be conveniently shared by configuring its access policy, in which the access authorities of users and applications to the file are specified. After a user with whom the file is shared obtains the encrypted file, the access authority check and decryption can be completed.
The invention discloses a file protection method suitable for execution in a computing device that is communicatively connected to a server. The method comprises: in response to receiving a protection policy configured by a first user for a file, sending the protection policy and the file identifier of the file to the server so that the server can store the protection policy under the file identifier; in response to receiving security parameters sent by the server, generating a public key from the security parameters and the file identifier, and encrypting the file with the public key to generate an encrypted file; in response to receiving an access request from a second user for the encrypted file, acquiring the protection policy of the encrypted file from the server and determining according to the protection policy whether the second user has the authority to access the encrypted file; and if the second user is determined to have that authority, acquiring the private key from the server and decrypting the encrypted file with the private key. According to the invention, the user does not need to set a key to encrypt the file; the computing device encrypts the file itself according to the protection policy configured by the user and decrypts it according to the protection policy. At the same time, files can be shared through the protection policy without sharing a key, and the security of the file is ensured.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects.
Those skilled in the art will appreciate that the modules or units or groups of devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or groups in embodiments may be combined into one module or unit or group and, in addition, may be divided into sub-modules or sub-units or sub-groups. All of the features disclosed in this specification, and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of means for performing the functions performed by those elements in order to carry out the invention.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the file protection method of the present invention according to instructions in said program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media stores information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to practitioners skilled in this art. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention.

Claims (12)

1. A file protection method, adapted to be executed in a client, the client being in communication with a server, the method comprising:
sending a protection strategy and a file identifier of a file to a server in response to receiving a protection strategy configured by a first user for the file, so that the server can store the protection strategy according to the file identifier;
responding to the received security parameters sent by the server, generating a public key according to the security parameters and the file identification, and encrypting the file according to the public key to generate an encrypted file;
responding to an access request of a second user for the encrypted file, acquiring a protection strategy of the encrypted file from the server, and judging whether the second user has the authority of accessing the encrypted file according to the protection strategy;
and if the second user is judged to have the authority of accessing the encrypted file, acquiring a private key from the server, and decrypting the encrypted file according to the private key.
2. The method of claim 1, wherein the method further comprises:
generating a property configuration interface, wherein the property configuration interface comprises a user configuration item and an application configuration item;
and displaying the attribute configuration interface to the first user so as to receive the protection strategy configured by the first user according to the user configuration item and the application configuration item.
3. The method of claim 2, wherein the method further comprises:
when the protection strategy and the file identification of the file are sent to a server, sending the user identification of the first user to the server, so that the server can verify, according to the user identification, whether the first user has the authority to configure the protection strategy of the file.
4. The method of claim 1, wherein the obtaining the protection policy for the encrypted file from the server comprises:
determining a file identifier of the encrypted file;
sending the file identification to a server so that the server can inquire the protection strategy of the encrypted file according to the file identification;
and receiving the protection strategy returned by the server.
5. The method of claim 4, wherein the method further comprises:
and when the file identifier is sent to a server, sending the user identifier of the second user to the server, so that the server can verify whether the second user has the right to acquire the protection strategy according to the user identifier.
6. The method of claim 1, wherein the protection policy includes a user permission list, the determining whether the second user has permission to access the encrypted file according to the protection policy comprising:
judging whether the second user is included in the user permission list or not;
and if not, judging that the second user does not have the authority of accessing the encrypted file.
7. The method of claim 6, wherein the protection policy further comprises an application permission list, the method further comprising:
if the user permission list comprises the second user, judging whether the application permission list comprises the application used by the second user for accessing the encrypted file;
and if so, judging that the second user has the authority to access the encrypted file.
8. The method of claim 1, wherein the private key is generated by the server from a file identification and a public key of the encrypted file.
9. The method of claim 1, wherein the method further comprises:
in response to receiving a modification request of the protection policy by a third user, acquiring the protection policy of the encrypted file from the server;
and responding to the received modified protection strategy configured by the third user on the encrypted file, and sending the modified protection strategy and the file identifier to the server so that the server can store the modified protection strategy according to the file identifier.
10. A file protection system, the system comprising a server and one or more clients connected to the server;
the client is suitable for responding to the protection strategy configured by the first user for the file, and sending the protection strategy and the file identification of the file to the server;
the server is suitable for saving the protection strategy according to the file identification and sending a security parameter to the client;
the client is also suitable for generating a public key according to the security parameter and the file identifier and encrypting the file according to the public key to generate an encrypted file; and responding to a received access request of a second user for the encrypted file, acquiring a protection strategy of the encrypted file from the server, judging whether the second user has the authority of accessing the encrypted file according to the protection strategy, if so, acquiring a private key from the server, and decrypting the encrypted file according to the private key.
11. A computing device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing the method of any of claims 1-9.
12. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform the method of any of claims 1-9.
CN202211410857.1A 2022-11-11 2022-11-11 File protection method, system, computing device and storage medium Active CN115470525B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211410857.1A CN115470525B (en) 2022-11-11 2022-11-11 File protection method, system, computing device and storage medium

Publications (2)

Publication Number Publication Date
CN115470525A true CN115470525A (en) 2022-12-13
CN115470525B CN115470525B (en) 2023-03-10

Family

ID=84338246

Country Status (1)

Country Link
CN (1) CN115470525B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100235649A1 (en) * 2009-03-13 2010-09-16 Microsoft Corporation Portable secure data files
CN103220293A (en) * 2013-04-23 2013-07-24 福建伊时代信息科技股份有限公司 File protecting method and file protecting device
CN103561034A (en) * 2013-11-11 2014-02-05 Wuhan University of Technology Secure file sharing system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Anonymous: "Electronic Document Protection System for Enterprise-Level Applications", HTTPS://WENKU.BAIDU.COM/VIEW/11EA312CCFC789EB172DC8F4.HTML?_WKTS_=1670917860066&BDQUERY=%E7%94%B5%E5%AD%90%E6%96%87%E6%A1%A3%E4%BF%9D%E6%8A%A4%E7%B3%BB%E7%BB%9F *
Wang Bo et al.: "Design and Implementation of a Network File Secure Storage System", Microcomputer Applications *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant