CN116866011A - Method for supporting data cross-domain safe use without modifying application - Google Patents

Info

Publication number: CN116866011A
Authority: CN (China)
Prior art keywords: data, application, hook component, user, hook
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202310748354.3A
Other languages: Chinese (zh)
Inventor: 张磊
Current Assignee: Nanhu Laboratory (the listed assignees may be inaccurate)
Original Assignee: Nanhu Laboratory
Application filed by Nanhu Laboratory
Priority to CN202310748354.3A
Publication of CN116866011A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The application discloses a method for supporting cross-domain secure use of data without modifying the application, comprising the following steps: a data user deploys a component with a Hook function; the Hook component establishes a secure connection with the data owner based on the user configuration parameter file; the data owner verifies the validity of the user information, sends the data to the Hook component over the secure connection according to the user demand information, and at the same time generates an encryption key K corresponding to the data and sends it to the Hook component over the secure connection; when the data user needs to call or read data, those functions are replaced by programs defined in the Hook component, and the plaintext data in memory is returned directly to the application to complete the data call. Without changing the existing native application, data can circulate and be used in an encrypted state; without changing the existing usage flow, the data stays encrypted throughout its life cycle, and data privacy remains controllable.

Description

Method for supporting data cross-domain safe use without modifying application
Technical Field
The application belongs to the technical field of cross-domain data use, and in particular relates to a method for supporting cross-domain secure use of data without modifying the application.
Background
With the rapid development of the information technology industry, interactive cross-domain sharing of data has become one of the main data sources for much application software. However, once data is shared, ownership of the data is easily lost and its privacy no longer exists. The data user has generally already deployed application software that uses the data; the application loads the data directly for use and operation and has no secure encryption and decryption module. Because the data is read and written in plaintext form, an operator at the data user can reach all plaintext data entering and leaving the application at extremely low cost, so the data can be copied and disseminated, which is a prominent security risk.
In some scenarios that do guarantee data encryption, the data user's application has to be re-customized: the deployed general-purpose application is modified so that it can securely receive a key and decrypt and use the data in memory. Such modification is difficult and greatly increases the operating cost of the application. The problem that urgently needs solving is therefore how to let data circulate and be used in an encrypted state without changing the existing native application, keep the data encrypted throughout its life cycle without changing the existing usage flow, and keep data privacy controllable.
Disclosure of Invention
To address the shortcomings of the prior art, the application provides a method for supporting cross-domain secure use of data without modifying the application. It lets data circulate and be used in an encrypted state without changing the existing native application, keeps the data encrypted throughout its life cycle without changing the existing usage flow, and keeps data privacy controllable. The specific implementation is as follows:
A method for supporting cross-domain secure use of data without modifying an application, comprising the following steps:
S1, a data user deploys a component with a Hook function, and the Hook component is loaded when the application is started;
S2, the Hook component establishes a secure connection with the data owner based on a user configuration parameter file, and sends user information and user demand information;
S3, the data owner verifies the validity of the user information and, according to the user demand information, sends the data and an encryption key K corresponding to the data to the Hook component over the secure connection; the Hook component encrypts the received data with the key K and stores it;
S4, when the data user calls a function that opens a data file or reads data, the function is replaced by a program defined in the Hook component; the Hook component loads the data that was encrypted and stored on disk in step S3 into memory and decrypts it with the key K, and the plaintext data in memory is returned directly to the application to complete the data call;
S5, when the data user calls a write function, the function is replaced by a program defined in the Hook component, and the Hook component encrypts the data to be written, in memory, with the encryption key K and then writes it to disk.
Hook programming, also known as hooking, refers to various techniques for modifying or extending the behavior of an operating system, application, or other software component by intercepting function calls, messages, or events passed between software modules. Code that handles the intercepted function calls, events, or messages is called a hook. Since a general application can be started with a Hook, the user only needs to load the Hook at startup.
The application provides a method for supporting cross-domain secure use of data without modifying the application. It uses a Hook component to integrate key pulling, encryption and decryption, and provides a way of operating in which data is usable but not visible. In cross-domain data interaction scenarios, the data is in an encrypted state when it flows to the data user, and the encrypted data can be securely decrypted and used without modifying the general application, which protects the security and privacy of the data throughout its life cycle.
In the above method for supporting cross-domain secure use of data without modifying the application, the Hook component is a Hook plug-in that can be installed on the client device, or a stand-alone application Hook2.
The application that uses the data is a native application; its code is not modified or recompiled. When the application is started, it can be started in a mode that loads the Hook; the Hook function can be loaded either through the Hook plug-in or through the stand-alone application Hook2.
In the above method for supporting cross-domain secure use of data without modifying the application, in step S1: the host used by the data user generates a uniquely identifying machine code from its hardware information.
At registration, the user tells the data provider which host it will use; generating a uniquely identifying machine code from hardware information is prior art.
In the above method for supporting cross-domain secure use of data without modifying the application, step S2 is: the Hook component computes the machine code, establishes a secure connection with the data owner, and sends the computed machine code, the user information and the user demand information over the secure connection.
When the application starts, the secure data-pull function in the Hook component is triggered. It reads the user configuration parameter file, which is stored in a directory or in the same directory as the Hook component's files. The parameter file includes, but is not limited to, data provider information such as IP address and port number, and from it the Hook component knows how to connect to the data owner to pull the data.
In the above method for supporting cross-domain secure use of data without modifying the application, step S3 is: the data owner verifies the validity of the machine code and the user information and, according to the user demand information, sends the data to the Hook component over the secure connection; the encryption key K corresponding to the data and the operation mode are also sent to the Hook component over the secure connection, and the Hook component encrypts the received data with the key K and stores it on disk.
With this method, even when the already-developed native application has no built-in ability to pull remote data and can only open and process local copies of data, the data can be used in an encrypted state without modifying the application, and the decrypted plaintext data is never written to disk.
In the above method for supporting cross-domain secure use of data without modifying the application, the operation mode, MODE, may be any one of the following options: save_form prohibits writing any data; SAVE_DIRECT writes plaintext data directly; save_encryption encrypts all written data; SAVE_AUTO is automatic intelligent judgment, in which the program automatically judges from the input and output content of the data whether data leakage is suspected and automatically selects one of the three modes above;
in step S5, the data user writes data to disk according to the operation mode determined by the data owner.
Typically, the data output of the application contains charts, which can be stored in plaintext form and returned to the data user without compromising the data.
In the above method for supporting cross-domain secure use of data without modifying the application, the method further includes step S6, which is specifically as follows:
If the APP is restarted, the Hook component re-establishes the secure connection with the data owner based on the user configuration parameter file, and determines, based on the Hook configuration file, whether the data needs to be pulled remotely or the encrypted data last written locally is read.
In the above method for supporting cross-domain secure use of data without modifying the application, step S6 further includes: if, based on the Hook configuration file, the encrypted data last written locally is to be read as the data source for this run, then when the user calls a function that opens a data file or reads data, the Hook component loads the local encrypted data into memory and decrypts it in memory with the key K, and the decrypted plaintext data is returned directly to the application to complete the data call.
If the APP is restarted, the secure connection with the data owner is re-established and K is pulled remotely, and the Hook configuration file determines whether the data needs to be pulled remotely or the encrypted data last written locally can be read. If the encrypted data last written locally is read as the data source for this run, the read and pull operations are replaced by the following program defined in the Hook component: the encrypted data on disk is loaded into memory and decrypted with the key K, and the decrypted plaintext data in memory is returned directly to the native application's data-reading function.
In the above method for supporting cross-domain secure use of data without modifying the application, the Hook component includes a dynamic library function replacement method, so the concrete implementations of the data read, pull and write functions can be replaced by functions defined in the Hook component.
In the above method for supporting cross-domain secure use of data without modifying the application, the Hook component further includes a data monitoring program, which analyzes the size of the data used by the application and the data information and then sends them to the data owner.
The data monitoring program monitors the information available when the relevant functions are called while the native application uses the data, analyzes the amount of data used and the data information, and sends the result to the data user, so that the remote data side can monitor data usage in real time, including whether illegal or non-compliant use exists, while data privacy is protected.
Compared with the prior art, the application has the following beneficial effects:
(1) The application provides a method for supporting cross-domain secure use of data without modifying the application. It uses a Hook component to integrate key pulling, encryption and decryption, and provides a way of operating in which data is usable but not visible. In cross-domain data interaction scenarios, the data is in an encrypted state when it flows to the data user, and the encrypted data can be reliably and securely decrypted and used without modifying the general application, which protects the security and privacy of the data throughout its life cycle.
(2) With this method, even when the already-developed native application has no built-in ability to pull remote data and can only open and process local copies of data, the data can be used in an encrypted state without modifying the application, and the decrypted plaintext data is never written to disk.
(3) The data monitoring program monitors the information available when the relevant functions are called while the native application uses the data, performs a simple analysis of the amount of data used and the data information, and sends the result to a data user, so that the remote data side can monitor data usage in real time, including whether illegal or non-compliant use exists, while data privacy is protected.
Drawings
FIG. 1 is a general flow chart of a method for supporting data cross-domain secure use without modifying an application of the present application.
Detailed Description
The technical scheme of the present embodiment is described in further detail below with reference to the accompanying drawings and detailed description.
Example 1
As shown in FIG. 1, the present embodiment provides a method for supporting cross-domain secure use of data without modifying an application, including the following steps:
S1, a data user deploys a Hook component with a Hook function, and the Hook component is loaded when the application is started;
At registration, the data user designates the host it will use and provides that host's hardware information to the data provider. A uniquely identifying machine code can be generated from this information; how the machine code is generated is not described in detail here. In this embodiment, the data user deploys a Hook plug-in on the client device (e.g., a PC), and the plug-in contains a dynamic-library-style function replacement method.
The data user starts the native application without any modification, but it must be started in a way that loads the Hook function. As the following steps show, if the user does not launch the application in Hook-loading mode, no remote data from the data owner can be obtained.
S2, the Hook component establishes a secure connection with the data owner based on a user configuration parameter file, and sends user information and user demand information;
When the application is started, the secure data-pull function in the Hook plug-in is triggered. The user configuration parameter file saved in the directory includes, but is not limited to, data provider information such as IP address and port number, and based on this parameter file the Hook plug-in pulls data from the data owner.
The Hook plug-in computes the machine code, establishes a TLS secure connection with the data owner, and sends the machine code and the user information (such as the user name and password used for pulling remote data) over the secure connection. The user demand information describes the data the user wants to pull.
S3, the data owner verifies the validity of the user information and, according to the user demand information, sends the data and an encryption key K corresponding to the data to the Hook component over the secure connection; the Hook component encrypts the received data with the key K and stores it;
The data owner verifies the validity of the machine code and the user information and, according to the user demand information, sends the data to the Hook plug-in over the secure connection. At the same time it generates an encryption key K and an operation mode (MODE) corresponding to the data and sends them to the Hook plug-in over the secure connection.
If the data owner determines that the machine code is not genuine, or that the user information is invalid or fails verification, it drops the connection with the data user, so the data cannot be obtained by a third party during circulation.
S4, when the data user calls a function that opens a data file or reads data, the concrete implementation of the function is replaced by a program defined in the Hook component; the Hook component loads the data that was encrypted and stored on disk in step S3 into memory and decrypts it with the key K, and the plaintext data in memory is returned directly to the application to complete the data call;
When a user calls a function that opens a data file or reads data, such as `fopen()` or `fread()`, the function's implementation is replaced by a program defined in the Hook plug-in, and the plaintext data in memory is returned directly to the native application's data call. Alternatively, the relevant plaintext data is encapsulated directly into the return handle of a function such as `fopen()` or `fread()` and returned to the native application. The native application therefore does not have to be modified and can still be used as normal.
S5, when the data user needs to call a write function, the function is replaced by a program defined in the Hook component, and the Hook component encrypts the data to be written, in memory, with the encryption key K and then writes it to disk.
Functions such as `fwrite()` are likewise replaced by programs defined in the Hook plug-in, which encrypts the data to be written with K and then writes it to disk.
The data user writes data to disk according to the operation mode determined by the data owner. The operation mode, MODE, may be any one of the following options: save_form prohibits writing any data; SAVE_DIRECT writes plaintext data directly; save_encryption encrypts all written data; SAVE_AUTO is automatic intelligent judgment, in which the program automatically judges from the input and output content of the data whether data leakage is suspected and automatically selects one of the three modes above.
S6, if the APP is restarted, the Hook component re-establishes the secure connection with the data owner based on the user configuration parameter file, and determines, based on the Hook configuration file, whether the data needs to be pulled remotely or the encrypted data last written locally is read.
If the Hook plug-in determines that the encrypted data last written locally is to be read as the data source for this run, then when a user calls a function that opens a data file or reads data, the Hook plug-in loads the local encrypted data into memory and decrypts it with the key K, and the decrypted plaintext data in memory is returned directly to the application's data call function to complete the data call.
With this embodiment, data can circulate and be used in an encrypted state without changing the existing native application, the data stays encrypted throughout its life cycle without changing the existing usage flow, data privacy remains controllable, and the security and privacy of the data are protected throughout its life cycle.
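The S4 and S5 replacement functions and the owner-chosen MODE from this embodiment are shown in C below; this is an added example, not code from the patent. The names `hook_session_init`, `hook_fwrite` and `hook_fread`, the sample key and record, and the XOR keystream (a stand-in for a real cipher, not secure) are assumptions, and SAVE_AUTO is omitted because the page does not define how it chooses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Operation modes as the page names them (save_form, SAVE_DIRECT,
 * save_encryption). SAVE_AUTO is left out: the page does not define
 * how it chooses among the other three. */
enum save_mode { SAVE_FORM, SAVE_DIRECT, SAVE_ENCRYPTION };

/* What the data owner sends in S3: key K and MODE. Held in memory only. */
static struct { uint64_t k; enum save_mode mode; } g_sess;

void hook_session_init(uint64_t k, enum save_mode mode) {
    g_sess.k = k;
    g_sess.mode = mode;
}

/* STAND-IN keystream (splitmix64 over K and the file offset) so the example
 * has no dependencies. It is NOT secure; a real hook would call an
 * authenticated cipher from a vetted library here. */
static uint8_t ks_byte(uint64_t k, uint64_t pos) {
    uint64_t z = k + 0x9E3779B97F4A7C15ULL * (pos / 8 + 1);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    z ^= z >> 31;
    return (uint8_t)(z >> (8 * (pos % 8)));
}

static void xor_at(uint8_t *buf, size_t n, uint64_t off) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= ks_byte(g_sess.k, off + i);
}

/* S5: replacement for fwrite(). In a preloaded shared library this would be
 * exported as fwrite and reach libc's version via dlsym(RTLD_NEXT, "fwrite");
 * here it has its own name so the file builds as a normal program. */
size_t hook_fwrite(const void *ptr, size_t size, size_t nmemb, FILE *fp) {
    if (size == 0 || nmemb == 0 || nmemb > SIZE_MAX / size)
        return 0;                           /* nothing to do, or size overflow */
    if (g_sess.mode == SAVE_FORM)
        return 0;                           /* owner forbids any write */
    if (g_sess.mode == SAVE_DIRECT)
        return fwrite(ptr, size, nmemb, fp);

    long off = ftell(fp);                   /* keystream is offset-based */
    if (off < 0)
        return 0;                           /* unseekable: refuse, never leak */
    size_t n = size * nmemb;
    uint8_t *tmp = malloc(n);
    if (!tmp)
        return 0;
    memcpy(tmp, ptr, n);                    /* caller's buffer stays plaintext */
    xor_at(tmp, n, (uint64_t)off);          /* encrypt in memory with K */
    size_t wrote = fwrite(tmp, 1, n, fp);   /* only ciphertext reaches disk */
    free(tmp);
    return wrote / size;                    /* items, as fwrite() reports */
}

/* S4: replacement for fread() on a protected file. Ciphertext is loaded into
 * the caller's buffer and decrypted there; plaintext never touches disk. */
size_t hook_fread(void *ptr, size_t size, size_t nmemb, FILE *fp) {
    long off = ftell(fp);
    if (off < 0)
        return 0;
    size_t got = fread(ptr, size, nmemb, fp);
    if (got > 0)
        xor_at(ptr, got * size, (uint64_t)off);
    return got;
}

int main(void) {
    hook_session_init(0x0123456789ABCDEFULL, SAVE_ENCRYPTION); /* constructed K */
    const char rec[] = "parcel-0042,confidential";  /* constructed record */
    char out[64] = {0};
    FILE *fp = tmpfile();
    if (!fp)
        return 1;
    hook_fwrite(rec, 1, sizeof rec - 1, fp);
    rewind(fp);
    size_t got = hook_fread(out, 1, sizeof rec - 1, fp);
    printf("application reads %zu plaintext bytes: %s\n", got, out);
    fclose(fp);
    return 0;
}
```

The application's own buffers hold plaintext on both paths, while the bytes on disk depend only on the MODE the data owner sent with K.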
Application example 1
A specific application scenario of the method for supporting cross-domain secure use of data without modifying the application provided in Embodiment 1 is as follows:
Certain applications of unit B need to use confidential homeland resource data held by a department of unit A. Because the data is confidential, it must be in a usable but invisible state when it is provided to unit B. At the same time, unit B's application is an already-developed standardized application and cannot be modified. In this case, unit A uses the method provided in Embodiment 1: the homeland resource data can be used in an encrypted state throughout its life cycle without modifying the application, and unit A can also monitor and supervise how the application of unit B (the water conservancy department) uses the data, so as to prevent sensitive homeland data from being stolen during cross-domain use.
The specific embodiments described in this application are merely illustrative of the spirit of the application. Those skilled in the art may make various modifications or additions to the described embodiments or substitutions thereof without departing from the spirit of the application or exceeding the scope of the application as defined in the accompanying claims.

Claims (10)

1. A method for supporting cross-domain secure use of data without modifying an application, comprising the following steps:
S1, a data user deploys a Hook component with a Hook function, and the Hook component is loaded when the application is started;
S2, the Hook component establishes a secure connection with the data owner based on a user configuration parameter file, and sends user information and user demand information;
S3, the data owner verifies the validity of the user information and, according to the user demand information, sends the data and an encryption key K corresponding to the data to the Hook component over the secure connection, and the Hook component encrypts the received data with the key K and stores it;
S4, when the data user calls a function that opens a data file or reads data, the function is replaced by a program defined in the Hook component, the Hook component loads the data that was encrypted and stored on disk in step S3 into memory and decrypts it with the key K, and the plaintext data in memory is returned directly to the application to complete the data call;
S5, when the data user calls a write function, the function is replaced by a program defined in the Hook component, and the Hook component encrypts the data to be written, in memory, with the encryption key K and then writes it to disk.
2. The method of claim 1, wherein the Hook component is a Hook plug-in that can be installed on a client device, or a stand-alone application Hook2.
3. The method for supporting cross-domain secure use of data without modifying an application according to claim 1, wherein in step S1: the host used by the data user generates a uniquely identifying machine code from its hardware information.
4. The method for supporting cross-domain secure use of data without modifying an application according to claim 3, wherein step S2 is: the Hook component computes the machine code, establishes a secure connection with the data owner, and sends the computed machine code, the user information and the user demand information over the secure connection.
5. The method for supporting cross-domain secure use of data without modifying an application according to claim 4, wherein step S3 is: the data owner verifies the validity of the machine code and the user information and, according to the user demand information, sends the data to the Hook component over the secure connection; the encryption key K corresponding to the data and the operation mode are also sent to the Hook component over the secure connection, and the Hook component encrypts the received data with the key K and stores it on disk.
6. The method for supporting cross-domain secure use of data without modifying an application according to claim 5, wherein the operation mode, MODE, is any one of the following options: save_form prohibits writing any data; SAVE_DIRECT writes plaintext data directly; save_encryption encrypts all written data; SAVE_AUTO is automatic intelligent judgment, in which the program automatically judges from the input and output content of the data whether data leakage is suspected and automatically selects one of the three modes above;
in step S5, the data user writes data to disk according to the operation mode determined by the data owner.
7. The method for supporting cross-domain secure use of data without modifying an application according to claim 1, further comprising step S6, specifically comprising:
if the APP is restarted, the Hook component re-establishes a secure connection with the data owner based on the user configuration parameter file, and determines, based on the Hook configuration file, whether the data needs to be pulled remotely or the encrypted data last written locally is read.
8. The method according to claim 7, wherein step S6 further comprises: if, based on the Hook configuration file, the encrypted data last written locally is to be read as the data source for the current use, then when the user calls a function that opens a data file or reads data, the Hook component loads the local encrypted data into memory and decrypts it in memory with the key K, and the decrypted plaintext data is returned directly to the application to complete the data call.
9. The method for supporting cross-domain secure use of data without modifying an application according to claim 1, wherein the Hook component comprises a dynamic library function replacement method, and the concrete implementations of the data read, pull and write functions can be replaced by functions defined in the Hook component.
10. The method for supporting cross-domain secure use of data without modifying an application according to claim 1, wherein the Hook component further comprises a data monitoring program, which analyzes the size of the data used by the application and the data information and then sends them to the data owner.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310748354.3A CN116866011A (en) 2023-06-21 2023-06-21 Method for supporting data cross-domain safe use without modifying application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310748354.3A CN116866011A (en) 2023-06-21 2023-06-21 Method for supporting data cross-domain safe use without modifying application

Publications (1)

Publication Number Publication Date
CN116866011A true CN116866011A (en) 2023-10-10

Family

ID=88226034

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310748354.3A Pending CN116866011A (en) 2023-06-21 2023-06-21 Method for supporting data cross-domain safe use without modifying application

Country Status (1)

Country Link
CN (1) CN116866011A (en)

Similar Documents

Publication Publication Date Title
CN107220083B (en) Method and system for installation-free operation of application program in android system
WO2019105290A1 (en) Data processing method, and application method and apparatus of trusted user interface resource data
US10268827B2 (en) Method and system for securing data
US20150081644A1 (en) Method and system for backing up and restoring a virtual file system
CN104331644A (en) Transparent encryption and decryption method for intelligent terminal file
US7992084B2 (en) Document management apparatus, document management method, document management program, and storage medium
CN106992851B (en) TrustZone-based database file password encryption and decryption method and device and terminal equipment
CN105912353B (en) Application program packaging method and device
JP2012517047A (en) Clipboard security system and method
US20140281499A1 (en) Method and system for enabling communications between unrelated applications
CN104462997A (en) Method, device and system for protecting work data in mobile terminal
CN111460516A (en) Non-invasive data protection method, device, terminal and storage medium
CN112307528A (en) Electronic document security processing method and device
JP6164508B2 (en) Data processing system security apparatus and security method
JP6256781B2 (en) Management device for file security to protect the system
CN109657490B (en) Transparent encryption and decryption method and system for office files
WO2008018310A1 (en) Application execution device, method, and program
US10140431B2 (en) File management system and user terminal in file management system
CN116866011A (en) Method for supporting data cross-domain safe use without modifying application
CN107426151B (en) File decryption method and device
CN113014545B (en) Data processing method and device, computer equipment and storage medium
CN113938890B (en) Data sharing method and terminal equipment
CN111338899B (en) Monitoring method, terminal and storage medium
CN112115492B (en) User data encryption and isolation method and system based on Linux operating system
CN104954223B (en) Data processing method and device based on Virtual Private Network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination