CN116244736A - File protection method and system based on environment detection - Google Patents

Publication number
CN116244736A
Authority
CN
China
Prior art keywords
hash value
server
target file
symmetric key
key
Legal status
Pending
Application number
CN202211669541.4A
Other languages
Chinese (zh)
Inventor
赵永宽
宁红宙
Current Assignee
Aisino Corp
Original Assignee
Aisino Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a file protection method and system based on environment detection, comprising: performing running environment detection when a program is started on the terminal equipment; when the running environment detection is passed, judging whether registration has been completed at the server; when registration has been completed at the server, presenting a graphical interface of the client, determining a target file to be protected based on the graphical interface, and sending a key acquisition request to the server; receiving a symmetric key returned by the server based on the key request, encrypting the target file with the symmetric key, performing hash calculation on the encrypted target file to obtain a first hash value, and sending the first hash value to the server; when an operation of opening the encrypted target file is triggered, performing hash calculation on the target file to obtain a second hash value; and receiving a symmetric key returned by the server based on the second hash value, and decrypting the encrypted target file with the symmetric key to obtain the unencrypted target file.

Description

File protection method and system based on environment detection
Technical Field
The present invention relates to the field of file protection technologies, and in particular, to a method and a system for protecting a file based on environment detection.
Background
With the wide promotion of paperless office work, which brings operational convenience, improves efficiency, saves paper and reduces cost, leakage events also occur from time to time, and they can cause serious influence or serious loss. Analysis shows that staff illegally copying confidential documents from office equipment to other equipment (such as family computers) is an important cause of disclosure. Currently, there are many techniques and schemes to solve this problem, among which are "file transparent encryption", "password protection", "access control", and the like.
Transparent encryption is a file encryption technology developed in recent years to meet enterprise requirements for file confidentiality. Transparent means that the user is unaware of it. When a user opens or edits a specified file, the system automatically encrypts the unencrypted file and automatically decrypts the encrypted file. The file is ciphertext on the hard disk and plaintext in memory. Transparent encryption is tightly bound to Windows and works at the bottom layer of Windows. By monitoring the application program's operations on the file, it automatically decrypts the ciphertext when the file is opened, and automatically encrypts the plaintext in memory when the file is written to the storage medium, thereby ensuring that files on the storage medium are always in an encrypted state. Transparent encryption is complex to implement, costly, and tightly coupled to a particular operating system.
Password protection sets a "password" for a file; the user must provide the password to access the file, and the system verifies whether the password is correct. Password protection has a low implementation cost, but passwords are subject to complexity requirements and have the pain points of being difficult to remember and easy to forget and leak.
Access control records the access rights of each user (or each group of users) to a file in an access control list (ACL). The types of access to a file can be divided into read, write, execute, delete, etc. Access control is flexible and can realize complex file protection functions. However, it requires complicated rights management for users and user groups and is complicated to use.
Therefore, a method and a system for protecting a file based on environment detection are needed.
Disclosure of Invention
The invention provides a file protection method and system based on environment detection, which are used for solving the problem of how to protect files.
In order to solve the above problems, according to an aspect of the present invention, there is provided a file protection method based on environment detection, the method comprising:
when a program is started on the terminal equipment, performing running environment detection and obtaining a detection result;
when the detection result indicates that the running environment detection is passed, judging whether the terminal equipment has completed registration at the server side, and obtaining a judgment result;
when the judgment result indicates that the registration is completed at the server, presenting a graphical interface of the client, determining a target file to be protected based on the graphical interface, and sending a key acquisition request to the server;
receiving a symmetric key returned by the server based on the key request, encrypting the target file with the symmetric key, performing hash calculation on the encrypted target file to obtain a first hash value, and sending the first hash value to the server;
when an operation of opening the encrypted target file is triggered, performing hash calculation on the target file to obtain a second hash value, and sending the second hash value to the server;
and receiving a symmetric key returned by the server based on the second hash value, and decrypting the encrypted target file with the symmetric key to obtain the unencrypted target file.
Preferably, performing the running environment detection to obtain the detection result includes:
detecting the hardware, software and network of the terminal equipment, including: detecting whether the CPU is of a preset CPU type, whether a preset special hardware component is present, whether the operating system is a preset operating system and/or whether access to the public network is allowed, so as to obtain a detection result; and if the preset CPU type is met, the preset special hardware component is present, the preset operating system is met and/or the public network cannot be accessed, determining that the detection result is that the environment detection is passed.
Preferably, wherein the method further comprises:
when the judging result indicates that the registration is not completed at the server, the registering of the terminal equipment is performed, which comprises the following steps:
acquiring a CPU serial number, a motherboard serial number, a hard disk serial number, a network card MAC address and a special hardware component serial number of the terminal equipment, and performing serial number splicing to acquire spliced data;
and carrying out hash calculation based on the spliced data, obtaining a third hash value, and sending the third hash value to a server so that the server receives the third hash value and completes automatic registration of the terminal equipment.
Preferably, wherein the method further comprises:
the server binds the first hash value and the symmetric key;
when the server receives the second hash value, a first hash value consistent with the second hash value is matched, a symmetric key corresponding to the first hash value consistent with the second hash value is determined based on the binding relation between the first hash value and the symmetric key, and the symmetric key is returned to the client.
Preferably, wherein the method further comprises:
and when the target file is modified, re-sending a key acquisition request to the server to re-determine the key, and performing encryption and hash calculation based on the re-determined key to re-perform encryption protection on the modified target file.
According to another aspect of the present invention, there is provided a file protection system based on environment detection, the system comprising:
the running environment detection unit is used for detecting the running environment when the program is started on the terminal equipment and obtaining a detection result;
the registration judging unit is used for judging whether the terminal equipment has completed registration at the server side when the detection result indicates that the running environment detection is passed, and obtaining a judgment result;
the key acquisition request sending unit is used for presenting a graphical interface of the client when the judgment result indicates that the registration is completed at the server, determining a target file to be protected based on the graphical interface, and sending a key acquisition request to the server;
the encryption unit is used for receiving a symmetric key returned by the server based on the key request, encrypting the target file based on the symmetric key, carrying out hash calculation on the encrypted target file, obtaining a first hash value, and sending the first hash value to the server;
the hash calculation unit is used for carrying out hash calculation on the target file when triggering the operation of opening the encrypted target file so as to obtain a second hash value, and sending the second hash value to the server;
and the decryption unit is used for receiving the symmetric key returned by the server based on the second hash value and decrypting the encrypted target file based on the symmetric key so as to acquire an unencrypted target file.
Preferably, the running environment detection unit performing running environment detection to obtain a detection result includes:
detecting the hardware, software and network of the terminal equipment, including: detecting whether the CPU is of a preset CPU type, whether a preset special hardware component is present, whether the operating system is a preset operating system and/or whether access to the public network is allowed, so as to obtain a detection result; and if the preset CPU type is met, the preset special hardware component is present, the preset operating system is met and/or the public network cannot be accessed, determining that the detection result is that the environment detection is passed.
Preferably, wherein the system further comprises: a registration unit, used for registering the terminal equipment when the judging result indicates that the registration is not completed at the server, which comprises the following steps:
acquiring a CPU serial number, a motherboard serial number, a hard disk serial number, a network card MAC address and a special hardware component serial number of the terminal equipment, and performing serial number splicing to acquire spliced data;
and carrying out hash calculation based on the spliced data, obtaining a third hash value, and sending the third hash value to a server so that the server receives the third hash value and completes automatic registration of the terminal equipment.
Preferably, wherein the system further comprises:
the binding unit is used for enabling the server to bind the first hash value and the symmetric key;
and the symmetric key acquisition unit is used for matching a first hash value consistent with the second hash value when the server receives the second hash value, determining a symmetric key corresponding to the first hash value consistent with the second hash value based on the binding relation between the first hash value and the symmetric key and returning to the client.
Preferably, wherein the system further comprises:
and the updating unit is used for retransmitting a key acquisition request to the server side when the target file is modified so as to redetermine the key, and performing encryption and hash calculation based on the redetermined key so as to re-perform encryption protection on the modified target file.
The invention provides a file protection method and system based on environment detection, comprising the following steps: when a program is started on the terminal equipment, performing running environment detection and obtaining a detection result; when the detection result indicates that the running environment detection is passed, judging whether the terminal equipment has completed registration at the server side, and obtaining a judgment result; when the judgment result indicates that the registration is completed at the server, presenting a graphical interface of the client, determining a target file to be protected based on the graphical interface, and sending a key acquisition request to the server; receiving a symmetric key returned by the server based on the key request, encrypting the target file with the symmetric key, performing hash calculation on the encrypted target file to obtain a first hash value, and sending the first hash value to the server; when an operation of opening the encrypted target file is triggered, performing hash calculation on the target file to obtain a second hash value, and sending the second hash value to the server; and receiving a symmetric key returned by the server based on the second hash value, and decrypting the encrypted target file with the symmetric key to obtain the unencrypted target file. The client of the invention must perform environment detection, so that it can only operate on limited software and hardware equipment and in a limited network environment; the key protecting the file is stored at the server and must be obtained from the server when used; once separated from the limited software and hardware equipment and limited network, the protected file cannot be used; no password needs to be set and memorized manually, so usability is good.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
FIG. 1 is a flow chart of a method 100 for protecting a file based on environmental detection according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of client-server interaction according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a file protection system 300 based on environment detection according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention overcomes the drawbacks that transparent encryption is complex and costly to implement, that password protection imposes complexity requirements and passwords are difficult to remember and easy to forget and leak, and that access control requires complex rights management. It achieves the purpose that a protected file can be used correctly only on the limited device and in the limited environment, and cannot be used once separated from the limited device and the limited environment.
FIG. 1 is a flow chart of a method 100 for protecting a file based on environmental detection according to an embodiment of the present invention. As shown in FIG. 1, in the file protection method based on environment detection provided by the embodiment of the invention, the client must perform environment detection to ensure that it can only operate on limited software and hardware equipment and in a limited network environment; the key protecting the file is stored at the server and must be obtained from the server when used; once separated from the limited software and hardware equipment and limited network, the protected file cannot be used; no password needs to be set and memorized manually, so usability is good. The file protection method 100 based on environment detection according to the embodiment of the present invention starts from step 101: in step 101, when a program is started on the terminal equipment, running environment detection is performed and a detection result is obtained.
Preferably, performing the running environment detection to obtain the detection result includes:
detecting the hardware, software and network of the terminal equipment, including: detecting whether the CPU is of a preset CPU type, whether a preset special hardware component is present, whether the operating system is a preset operating system and/or whether access to the public network is allowed, so as to obtain a detection result; and if the preset CPU type is met, the preset special hardware component is present, the preset operating system is met and/or the public network cannot be accessed, determining that the detection result is that the environment detection is passed.
The invention provides a file protection method and system based on environment detection, which are deployed in a limited device and network environment of closed management and consist of a client and a server. The client has the functions of environment detection, automatic registration and login, file encryption and decryption and the like, and the server has the functions of terminal management, key management, security audit and the like.
In the embodiment of the invention, when the client is started on the terminal equipment, the client program firstly performs environment detection, including detection on hardware, software and network of the terminal equipment, and mainly detects whether the terminal equipment is of a limited CPU type, contains a special hardware component, is a preset operating system and can access the public network. And if the CPU accords with the preset CPU type, comprises a special hardware component, accords with the preset operating system and cannot access the public network, judging that the environment detection is passed.
In step 102, when the detection result indicates that the running environment detection is passed, it is determined whether the terminal equipment has completed registration at the server side, and a determination result is obtained.
Preferably, wherein the method further comprises:
when the judging result indicates that the registration is not completed at the server, the registering of the terminal equipment is performed, which comprises the following steps:
acquiring a CPU serial number, a motherboard serial number, a hard disk serial number, a network card MAC address and a special hardware component serial number of the terminal equipment, and performing serial number splicing to acquire spliced data;
and carrying out hash calculation based on the spliced data, obtaining a third hash value, and sending the third hash value to a server so that the server receives the third hash value and completes automatic registration of the terminal equipment.
In the embodiment of the invention, after the environment detection is passed, if the client of the system is being used on the terminal equipment for the first time, the automatic registration stage is entered. The client program collects the CPU serial number, the motherboard serial number, the hard disk serial number, the network card MAC address, the special hardware component serial number, and the like of the equipment, splices the serial numbers together, and then performs hash calculation to obtain a hash value. The hash value is sent to the server as the characteristic value of the terminal equipment, and the server receives and records the characteristic value to complete the automatic registration of the terminal equipment.
In step 103, when the judgment result indicates that the registration is completed at the server, a graphical interface of the client is presented, a target file to be protected is determined based on the graphical interface, and a key acquisition request is sent to the server.
In step 104, the symmetric key returned by the server based on the key request is received, the target file is encrypted with the symmetric key, hash calculation is performed on the encrypted target file to obtain a first hash value, and the first hash value is sent to the server.
Preferably, wherein the method further comprises:
the server binds the first hash value and the symmetric key;
when the server receives the second hash value, a first hash value consistent with the second hash value is matched, a symmetric key corresponding to the first hash value consistent with the second hash value is determined based on the binding relation between the first hash value and the symmetric key, and the symmetric key is returned to the client.
In the embodiment of the invention, if the environment detection is passed and the terminal equipment is registered, a graphical interface of the client is presented and the user selects a file to be protected through the interface. After the selection, the client requests a symmetric key from the server; the server generates the symmetric key and sends it back to the client. After receiving the symmetric key, the client encrypts the selected file with the key to obtain a ciphertext file and stores the ciphertext file; the client then performs hash calculation on the ciphertext file to obtain a first hash value, sends the first hash value back to the server, and deletes the original plaintext file. The server binds the first hash value to the previously generated symmetric key to form a one-to-one mapping, so that the server can conveniently look it up during later decryption.
In step 105, when the operation of opening the encrypted target file is triggered, hash calculation is performed on the target file to obtain a second hash value, and the second hash value is sent to the server.
In step 106, the symmetric key returned by the server based on the second hash value is received, and the encrypted target file is decrypted with the symmetric key to obtain the unencrypted target file.
Preferably, wherein the method further comprises:
and when the target file is modified, re-sending a key acquisition request to the server to re-determine the key, and performing encryption and hash calculation based on the re-determined key to re-perform encryption protection on the modified target file.
In the embodiment of the invention, when a user opens a protected encrypted target file (ciphertext file) through the client, or directly drags the protected file to the client interface area, the client first calculates a second hash value of the file and sends it to the server. The server matches a first hash value consistent with the second hash value, determines the symmetric key corresponding to that first hash value based on the binding relation between the first hash value and the symmetric key, and returns the symmetric key to the client. The client decrypts the protected file with the key and presents information such as the file name on the interface, and the user can open the file by double-clicking the file name, using an existing file editing tool in the operating system; if the user modifies and saves the file, the previous encryption process is repeated and the modified file is re-encrypted for protection.
In the invention, the terminal management module of the server side mainly manages stages such as terminal registration, starting, stopping and canceling; key management manages the generation and use of keys; security audit queries and analyzes the system log.
The method for protecting the file based on the environment detection comprises the following specific steps:
Step 10: the client detects the runtime environment. If the CPU is of the Loongson, Feiteng (Phytium) or Zhaoxin type, the operating system is of the Kylin or UnionTech OS (UOS) type, a special security hardware component is present and the Internet cannot be accessed, the environment detection is passed and the program can continue to run; otherwise, the environment detection is not passed, the program cannot continue, and the client program exits;
Step 20: after the environment detection is passed, the client collects the CPU serial number, motherboard serial number, hard disk serial number, network card MAC address and special hardware component serial number, splices the serial numbers together and performs hash calculation with the SM3 algorithm to obtain a hash value, which is sent to the server; the server receives and records this characteristic value, completing registration or login of the terminal equipment;
Step 30: the user selects a file to be protected through the client program, and the client requests an SM4 key from the server; the client encrypts the file with the SM4 algorithm using the obtained key to obtain a ciphertext file, performs hash calculation on the ciphertext file with the SM3 algorithm to obtain a hash value and sends it to the server, and deletes the original plaintext file; after receiving the hash value, the server binds it to the previously generated symmetric key to form a one-to-one mapping;
Step 40: when the user opens the ciphertext file through the client, the client first calculates the SM3 hash value of the file and sends it to the server; the server returns the corresponding SM4 key, the client decrypts the ciphertext file and presents the file name on the interface, and after the user double-clicks the file name the file is opened with an existing file editing tool in the operating system; if the user modifies and saves the file, the process of "step 30" is repeated to re-encrypt the modified file.
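The exchange in steps 10 to 40, sketched end to end as an added example (not code from the patent or its applicant). Assumptions: SHA-256 stands in for SM3 and a SHA-256 counter keystream stands in for SM4 so that it runs on the Python standard library; `KeyServer`, `protect`, `open_protected`, the policy values, the length-prefixed splice and the server's registration check before any key operation are choices of this example.

```python
import hashlib
import secrets

def digest(data: bytes) -> str:
    # Stand-in for SM3 (assumption): SHA-256, so only the standard library is needed.
    return hashlib.sha256(data).hexdigest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for SM4 (assumption, demo only): XOR with a SHA-256 counter keystream.
    # Tolerable here only because the server issues a fresh key for every file version.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed policy for the demo; a deployment would list its own preset values.
POLICY = {"cpu": {"Loongson"}, "os": {"Kylin"}}

def env_passes(facts: dict) -> bool:
    # Step 10: all checks must hold and the public network must NOT be reachable.
    return bool(facts["cpu"] in POLICY["cpu"] and facts["os"] in POLICY["os"]
                and facts["security_module"] and not facts["public_network"])

def device_fingerprint(serials: list) -> str:
    # Step 20: splice the serial numbers, then hash. Each field is length-prefixed
    # (added by this example) so ("AB", "C") and ("A", "BC") hash differently.
    spliced = b"".join(len(s.encode()).to_bytes(2, "big") + s.encode() for s in serials)
    return digest(spliced)

class KeyServer:
    def __init__(self):
        self.devices = set()  # characteristic values of registered terminals
        self.pending = {}     # fingerprint -> key issued, first hash not yet received
        self.bindings = {}    # first hash -> symmetric key (one-to-one mapping)
        self.audit = []       # (action, fingerprint prefix, outcome) for security audit

    def log(self, action, fp, outcome):
        self.audit.append((action, fp[:8], outcome))

    def register(self, fp: str) -> None:
        self.devices.add(fp)
        self.log("register", fp, "ok")

    def require_registered(self, action, fp):
        # Assumption of this example: every key operation is gated on registration.
        if fp not in self.devices:
            self.log(action, fp, "denied")
            raise PermissionError("terminal not registered")

    def request_key(self, fp: str) -> bytes:
        self.require_registered("request_key", fp)
        key = secrets.token_bytes(16)  # SM4 keys are 128 bits
        self.pending[fp] = key
        self.log("request_key", fp, "issued")
        return key

    def bind(self, fp: str, first_hash: str) -> None:
        self.require_registered("bind", fp)
        self.bindings[first_hash] = self.pending.pop(fp)
        self.log("bind", fp, first_hash[:8])

    def lookup(self, fp: str, second_hash: str):
        self.require_registered("lookup", fp)
        key = self.bindings.get(second_hash)  # None when no first hash matches
        self.log("lookup", fp, "hit" if key else "miss")
        return key

def protect(server: KeyServer, fp: str, plaintext: bytes) -> bytes:
    # Step 30: fetch a key, encrypt, report the hash of the ciphertext for binding.
    key = server.request_key(fp)
    ciphertext = stream_xor(key, plaintext)
    server.bind(fp, digest(ciphertext))
    return ciphertext  # the client keeps no copy of the key

def open_protected(server: KeyServer, fp: str, ciphertext: bytes):
    # Step 40: the hash of the file as found on disk is the only lookup handle.
    key = server.lookup(fp, digest(ciphertext))
    return None if key is None else stream_xor(key, ciphertext)

if __name__ == "__main__":
    facts = {"cpu": "Loongson", "os": "Kylin", "security_module": True,
             "public_network": False}  # constructed sample
    assert env_passes(facts)
    server = KeyServer()
    fp = device_fingerprint(["cpu-0001", "mb-0001", "disk-0001",
                             "00:11:22:33:44:55", "sec-0001"])  # constructed serials
    server.register(fp)
    ct = protect(server, fp, b"confidential minutes")
    print(open_protected(server, fp, ct))
    tampered = ct[:-1] + bytes([ct[-1] ^ 1])
    print(open_protected(server, fp, tampered))
    for entry in server.audit:
        print(entry)
```

A single flipped ciphertext bit changes the second hash, so the server finds no binding and returns no key; the same lookup from an unregistered fingerprint is refused and recorded in the audit log.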
The method realizes security protection of office files in a limited office environment: the protected files can only be used on the limited equipment and in the limited network environment, and cannot be used (opened, parsed, read, modified and the like) once separated from the limited equipment and limited network, thereby meeting the security protection requirements of sensitive institutions for office files. "Limited equipment" generally refers to dedicated PC devices that contain dedicated security hardware, and "limited network" generally refers to private networks that are not interconnected with the public Internet.
In the method, the client performs environment detection to ensure that it can only operate on limited software and hardware equipment and in a limited network environment; the key protecting the file is stored at the server and must be obtained from the server when used; once separated from the limited software and hardware equipment and limited network, the protected file cannot be used. The method of the invention has the following advantages: 1. the file is encrypted and protected using cryptographic technology, and cannot be used once separated from the limited equipment and the limited network; 2. a high-strength cryptographic algorithm is used, so the security strength is high and the protection is not easy to crack; 3. the key is stored at the server and is not stored anywhere else, so security is high; 4. no password needs to be set and memorized manually, so usability is good.
Fig. 3 is a schematic diagram of a file protection system 300 based on environment detection according to an embodiment of the present invention. As shown in fig. 3, the file protection system 300 based on environment detection according to the embodiment of the present invention includes: a running environment detecting unit 301, a registration judging unit 302, a key acquisition request transmitting unit 303, an encrypting unit 304, a hash calculating unit 305, and a decrypting unit 306.
Preferably, the running environment detecting unit 301 is configured to perform running environment detection when a program is started on a terminal device, and obtain a detection result.
Preferably, the running environment detecting unit 301 performs running environment detection, and obtains a detection result, including:
detecting the hardware, software and network of the terminal equipment, including: detecting whether the CPU is of a preset CPU type, whether the equipment contains a preset special hardware component, whether the operating system is a preset operating system, and/or whether access to a public network is allowed, so as to obtain a detection result; if the CPU is of the preset CPU type, the equipment contains the preset special hardware component, the operating system is the preset operating system, and/or the public network cannot be accessed, the detection result is determined to pass the environment detection.
Preferably, the registration determining unit 302 is configured to determine, when the detection result indicates that the running environment detection is passed, whether the terminal device has completed registration at the server side, and obtain a determination result.
Preferably, the system further comprises a registration unit, configured to register the terminal equipment when the judgment result indicates that registration has not been completed at the server, which comprises:
acquiring a CPU serial number, a motherboard serial number, a hard disk serial number, a network card MAC address and a special hardware component serial number of the terminal equipment, and performing serial number splicing to acquire spliced data;
and carrying out hash calculation based on the spliced data, obtaining a third hash value, and sending the third hash value to a server so that the server receives the third hash value and completes automatic registration of the terminal equipment.
Preferably, the key obtaining request sending unit 303 is configured to present a graphical interface of the client when the determination result indicates that registration is completed at the server, determine, based on the graphical interface, a target file to be protected, and send a key obtaining request to the server.
Preferably, the encryption unit 304 is configured to receive a symmetric key returned by the server based on the key request, encrypt the target file based on the symmetric key, perform hash computation on the encrypted target file, obtain a first hash value, and send the first hash value to the server.
Preferably, the hash calculation unit 305 is configured to perform hash calculation on the target file when the operation of opening the encrypted target file is triggered, so as to obtain a second hash value, and send the second hash value to the server.
Preferably, the decryption unit 306 is configured to receive a symmetric key returned by the server based on the second hash value, and decrypt the encrypted target file based on the symmetric key, so as to obtain an unencrypted target file.
Preferably, wherein the system further comprises:
the binding unit is used for enabling the server to bind the first hash value and the symmetric key;
and the symmetric key acquisition unit is used for matching a first hash value consistent with the second hash value when the server receives the second hash value, determining a symmetric key corresponding to the first hash value consistent with the second hash value based on the binding relation between the first hash value and the symmetric key and returning to the client.
Preferably, wherein the system further comprises:
and the updating unit is used for retransmitting a key acquisition request to the server side when the target file is modified so as to redetermine the key, and performing encryption and hash calculation based on the redetermined key so as to re-perform encryption protection on the modified target file.
The environment detection-based file protection system 300 according to the embodiment of the present invention corresponds to the environment detection-based file protection method 100 according to another embodiment of the present invention, and is not described herein.
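The registration, binding and key-lookup flow described above can be traced in a short Python sketch. This is an added example, not code from the patent: SHA-256 stands in for SM3, a keystream XOR stands in for SM4, the `KeyServer` class and all function names are hypothetical, and the server-side check of the device hash on every request and the length-prefixed splicing are assumptions the patent text does not specify.

```python
import hashlib
import secrets


def digest(data: bytes) -> str:
    # SHA-256 stands in for SM3 (assumption: SM3 is not in every hashlib build).
    return hashlib.sha256(data).hexdigest()


def device_hash(serials: list) -> str:
    """Third hash: hash of the spliced hardware identifiers.

    Each field is length-prefixed before splicing (an added choice) so that
    ("AB", "C") and ("A", "BC") cannot yield the same spliced data.
    """
    spliced = b"".join(len(s.encode()).to_bytes(2, "big") + s.encode() for s in serials)
    return digest(spliced)


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    # Placeholder for SM4: XOR with a SHA-256 counter keystream. Illustration only.
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyServer:
    """Server side: device registry plus the first-hash -> symmetric-key binding."""

    def __init__(self):
        self.devices = set()   # registered third hashes
        self.pending = {}      # device -> key issued but not yet bound
        self.bindings = {}     # first hash -> symmetric key

    def _require_registered(self, dev: str) -> None:
        # Assumption: the server re-checks the device hash on every request.
        if dev not in self.devices:
            raise PermissionError("device not registered")

    def register(self, dev: str) -> None:
        self.devices.add(dev)

    def request_key(self, dev: str) -> bytes:
        self._require_registered(dev)
        self.pending[dev] = secrets.token_bytes(16)  # SM4 uses 128-bit keys
        return self.pending[dev]

    def bind(self, dev: str, first_hash: str) -> None:
        self._require_registered(dev)
        self.bindings[first_hash] = self.pending.pop(dev)

    def lookup(self, dev: str, second_hash: str):
        self._require_registered(dev)
        return self.bindings.get(second_hash)  # None when no first hash matches


def protect(server: KeyServer, dev: str, plaintext: bytes) -> bytes:
    # Encrypt, then report the hash of the ciphertext (first hash) for binding.
    key = server.request_key(dev)
    ciphertext = stand_in_cipher(key, plaintext)
    server.bind(dev, digest(ciphertext))
    return ciphertext


def open_protected(server: KeyServer, dev: str, ciphertext: bytes):
    # Second hash is computed over the stored ciphertext; no match means no key.
    key = server.lookup(dev, digest(ciphertext))
    return None if key is None else stand_in_cipher(key, ciphertext)
```

Because the key is looked up by the hash of the ciphertext, any change to the encrypted file produces a second hash with no binding, and the server returns no key.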
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed invention are equally possible within the scope of the invention, as defined by the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a/an/the [ means, component, etc. ]" are to be interpreted openly as referring to at least one instance of said means, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A method for protecting a file based on environmental detection, the method comprising:
when a program is started on the terminal equipment, running environment detection is carried out, and a detection result is obtained;
when the detection result indicates that the running environment detection is passed, judging whether the terminal equipment has completed registration at a server side, and acquiring a judgment result;
when the judging result indicates that the registration is completed at the server, presenting a graphical interface of the client, determining a target file to be protected based on the graphical interface, and sending a key acquisition request to the server;
receiving a symmetric key returned by the server based on the key request, encrypting the target file based on the symmetric key, performing hash calculation on the encrypted target file, acquiring a first hash value, and transmitting the first hash value to the server;
when triggering the operation of opening the encrypted target file, carrying out hash calculation on the target file to obtain a second hash value, and sending the second hash value to a server;
and receiving a symmetric key returned by the server based on the second hash value, and decrypting the encrypted target file based on the symmetric key to obtain an unencrypted target file.
2. The method of claim 1, wherein performing the running environment detection to obtain the detection result comprises:
detecting the hardware, software and network of the terminal equipment, including: detecting whether the CPU is of a preset CPU type, whether the equipment contains a preset special hardware component, whether the operating system is a preset operating system, and/or whether access to a public network is allowed, so as to obtain a detection result; if the CPU is of the preset CPU type, the equipment contains the preset special hardware component, the operating system is the preset operating system, and/or the public network cannot be accessed, the detection result is determined to pass the environment detection.
3. The method according to claim 1, wherein the method further comprises:
when the judging result indicates that the registration is not completed at the server, the registering of the terminal equipment is performed, which comprises the following steps:
acquiring a CPU serial number, a motherboard serial number, a hard disk serial number, a network card MAC address and a special hardware component serial number of the terminal equipment, and performing serial number splicing to acquire spliced data;
and carrying out hash calculation based on the spliced data, obtaining a third hash value, and sending the third hash value to a server so that the server receives the third hash value and completes automatic registration of the terminal equipment.
4. The method according to claim 1, wherein the method further comprises:
the server binds the first hash value and the symmetric key;
when the server receives the second hash value, a first hash value consistent with the second hash value is matched, a symmetric key corresponding to the first hash value consistent with the second hash value is determined based on the binding relation between the first hash value and the symmetric key, and the symmetric key is returned to the client.
5. The method according to claim 1, wherein the method further comprises:
and when the target file is modified, re-sending a key acquisition request to the server to re-determine the key, and performing encryption and hash calculation based on the re-determined key to re-perform encryption protection on the modified target file.
6. A file protection system based on environmental detection, the system comprising:
the running environment detection unit is used for detecting the running environment when the program is started on the terminal equipment and obtaining a detection result;
the registration judging unit is used for judging whether the terminal equipment has completed registration at the server side when the detection result indicates that the running environment detection is passed, and acquiring a judgment result;
the key acquisition request sending unit is used for presenting a graphical interface of the client when the judgment result indicates that the registration is completed at the server, determining a target file to be protected based on the graphical interface, and sending a key acquisition request to the server;
the encryption unit is used for receiving a symmetric key returned by the server based on the key request, encrypting the target file based on the symmetric key, carrying out hash calculation on the encrypted target file, obtaining a first hash value, and sending the first hash value to the server;
the hash calculation unit is used for carrying out hash calculation on the target file when triggering the operation of opening the encrypted target file so as to obtain a second hash value, and sending the second hash value to the server;
and the decryption unit is used for receiving the symmetric key returned by the server based on the second hash value and decrypting the encrypted target file based on the symmetric key so as to acquire an unencrypted target file.
7. The system according to claim 6, wherein the operation environment detecting unit performs operation environment detection to obtain a detection result, and includes:
detecting the hardware, software and network of the terminal equipment, including: detecting whether the CPU is of a preset CPU type, whether the equipment contains a preset special hardware component, whether the operating system is a preset operating system, and/or whether access to a public network is allowed, so as to obtain a detection result; if the CPU is of the preset CPU type, the equipment contains the preset special hardware component, the operating system is the preset operating system, and/or the public network cannot be accessed, the detection result is determined to pass the environment detection.
8. The system of claim 6, wherein the system further comprises a registration unit, configured to register the terminal equipment when the judgment result indicates that registration has not been completed at the server, which comprises:
acquiring a CPU serial number, a motherboard serial number, a hard disk serial number, a network card MAC address and a special hardware component serial number of the terminal equipment, and performing serial number splicing to acquire spliced data;
and carrying out hash calculation based on the spliced data, obtaining a third hash value, and sending the third hash value to a server so that the server receives the third hash value and completes automatic registration of the terminal equipment.
9. The system of claim 6, wherein the system further comprises:
the binding unit is used for enabling the server to bind the first hash value and the symmetric key;
and the symmetric key acquisition unit is used for matching a first hash value consistent with the second hash value when the server receives the second hash value, determining a symmetric key corresponding to the first hash value consistent with the second hash value based on the binding relation between the first hash value and the symmetric key and returning to the client.
10. The system of claim 6, wherein the system further comprises:
and the updating unit is used for retransmitting a key acquisition request to the server side when the target file is modified so as to redetermine the key, and performing encryption and hash calculation based on the redetermined key so as to re-perform encryption protection on the modified target file.
CN202211669541.4A 2022-12-24 2022-12-24 File protection method and system based on environment detection Pending CN116244736A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211669541.4A CN116244736A (en) 2022-12-24 2022-12-24 File protection method and system based on environment detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211669541.4A CN116244736A (en) 2022-12-24 2022-12-24 File protection method and system based on environment detection

Publications (1)

Publication Number Publication Date
CN116244736A true CN116244736A (en) 2023-06-09

Family

ID=86632140

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211669541.4A Pending CN116244736A (en) 2022-12-24 2022-12-24 File protection method and system based on environment detection

Country Status (1)

Country Link
CN (1) CN116244736A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination