CN116881952B - Encryption and decryption method and system based on file stream - Google Patents


Info

Publication number: CN116881952B
Application number: CN202311147163.8A
Authority: CN (China)
Prior art keywords: encryption, file, decryption, segmented, information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116881952A
Inventors: 崔培升, 魏鹏飞, 朱贺军, 桂升, 宋春岭
Current assignee: BEIJING ESAFENET TECHNOLOGY DEVELOPMENT CO LTD
Original assignee: BEIJING ESAFENET TECHNOLOGY DEVELOPMENT CO LTD

Classifications

    • G06F21/602 Providing cryptographic facilities or services (G06F21/60 Protecting data)
    • G06F16/1744 Redundancy elimination performed by the file system using compression, e.g. sparse files
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/2107 File encryption


Abstract

The invention discloses an encryption and decryption method based on a file stream, comprising the following steps: the information system completes registration with the middleware device and obtains a unique authentication code for calling the middleware interface; it then calls the file stream encryption or decryption interface of the middleware device and transmits the segmented file stream of the confidential file stream to the middleware device; the middleware device reads the encryption mark in the request header of each segmented file stream, uses that mark to invoke an encryption or decryption algorithm from the algorithm library to encrypt or decrypt the request body of the segment, generates a new segmented file stream and returns it to the information system; the global log interceptor of the middleware device asynchronously monitors calls to the encryption and decryption interfaces and asynchronously inserts the call log information into the database log table. The invention meets the encryption and decryption requirements of confidential documents, and allows faults to be located quickly when the middleware device service is abnormal or when an information system's call to the middleware's encryption or decryption interface is abnormal.

Description

Encryption and decryption method and system based on file stream
Technical Field
The invention relates to the technical field of data security, in particular to an encryption and decryption method and system based on file streams.
Background
With the rapid development of enterprise informatization, the security risks to core electronic documents in enterprise internal information systems have become increasingly prominent, and enterprise information security receives growing attention. Electronic documents are the primary carrier of enterprise information; once leaked, they would harm, and in some cases immeasurably damage, the enterprise's interests. The enterprise information system is one of the main carriers of confidential enterprise documents, so efficient encryption protection and secure decryption and viewing of confidential documents within the information system is important.
The existing encryption and decryption methods have the following defects:
1. They cannot be integrated efficiently and securely with the enterprise information system to provide encryption protection and secure decryption and viewing of confidential documents within that system.
2. They are not compatible with every system platform, so encryption and decryption of confidential files deployed in information systems on different server platforms is not interoperable.
3. Encryption drivers, keys and policies cannot be flexibly configured for the user's environment, and encryption keys and policies cannot be seamlessly and synchronously integrated with the enterprise encryption system.
4. The confidential files of each enterprise information system form isolated encryption islands, so the confidential files of the different information systems cannot be encrypted, managed and controlled by classification level or be mutually recognized. Keys and policies cannot be flexibly configured, and the encryption method cannot be linked with the enterprise's user, organization and authority systems.
5. When encryption or decryption fails, it is difficult for developers to locate the cause of the problem quickly with the traditional methods.
Disclosure of Invention
The invention aims to provide an encryption and decryption method and system based on file streams that solve the problems described in the Background.
To achieve the above object, the present invention provides the following technical solution: an encryption and decryption method based on file streams, comprising the following steps:
step one, the information system completes registration in the middleware device and acquires a unique authentication code for calling the middleware interface; the middleware interface comprises an encryption or decryption interface and a ciphertext processing interface; the unique authentication code is generated by the middleware device from the registration information of the information system at registration time;
step two, the information system calls the file stream encryption or decryption interface of the middleware device, which segments the confidential file stream, adds the unique authentication code and an encryption mark to each segment to obtain the segmented file streams, and transmits them to the middleware device; each segmented file stream comprises a request header and a request body;
step three, the middleware device parses the segmented file stream sent by the information system, obtains the unique authentication code, encryption mark, file stream size, file block information and document authority user information from the request header, and performs security authentication on the parameters parsed from the request header;
step four, after security authentication passes, the ciphertext processing interface of the middleware device is invoked to identify whether the encryption mark indicates encryption or decryption; according to the identification result an encryption or decryption algorithm is invoked from the algorithm library to encrypt or decrypt the request body of the segmented file stream, a new segmented file stream is generated, and the new segmented file stream is returned to the information system;
step five, the global log interceptor of the middleware device asynchronously monitors calls to the encryption and decryption interfaces and asynchronously inserts the log information of the encryption and decryption calls into a database log table.
Optionally, in step four, invoking an encryption or decryption algorithm from the algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system includes:
when the encryption mark in the request header is encryption and the request body is a plaintext stream, the file stream encryption interface of the middleware device calls the corresponding encryption algorithm library to encrypt and authorize the request body according to the document authority user information, document security information, authentication key, encryption key and preset algorithm engine parameters of the enterprise organization structure that the encryption server associates with the current user of the information system, and then returns the resulting segmented ciphertext stream to the information system; after the information system has received all segmented ciphertext streams, it merges them in order to obtain the ciphertext file stream of the confidential document;
when the encryption mark in the request header is decryption and the request body is a ciphertext stream, the file stream decryption interface of the middleware device calls the corresponding decryption algorithm library to decrypt the request body according to the document authority user information, document security information, authentication key, encryption key and preset algorithm engine parameters of the enterprise organization structure that the encryption server associates with the current user of the information system, and after successful decryption returns the resulting segmented plaintext stream to the information system; after the information system has received all segmented plaintext streams of the confidential document, it merges them in order and converts the result into the plaintext file stream of the confidential document.
Optionally, in step four, invoking the encryption or decryption algorithm from the algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system further includes:
when the encryption mark in the request header is encryption and the request body is already a ciphertext stream, the segmented file stream of the ciphertext stream is returned to the information system directly as the segmented ciphertext stream; after the information system has received all segmented ciphertext streams, it merges them in order and converts the result into the ciphertext file stream.
Optionally, in step four, invoking the encryption or decryption algorithm from the algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system further includes:
when the encryption mark in the request header is decryption and the request body is already a plaintext stream, the segmented file stream is returned to the information system directly as the segmented plaintext stream; after the information system has received all segmented plaintext streams, it merges them in order and converts the result into the plaintext file stream.
Optionally, before step one, the method further includes:
the information system synchronizes user information, document authority user information and enterprise organization structure information to the encryption server; the encryption server is preset with several encryption strategies, decryption strategies, several types of keys, a file authentication key and document security classification rules;
the encryption server binds different encryption and decryption strategies to each department under the enterprise organization structure according to the received enterprise organization structure and document authority user information, configures the encryption and decryption keys, file authentication key and document security information of the confidential documents for those strategies, and generates the corresponding registration codes and registration keys;
the encryption server returns the registration code and registration key to the information system, and synchronizes the encryption strategy, decryption strategy, encryption key, decryption key, file authentication key and document security information of the confidential documents to all middleware devices.
Optionally, in step four, before the ciphertext processing interface of the middleware device is called to identify whether the encryption mark is encryption or decryption, the method further includes:
invoking the ciphertext processing interface of the middleware device to identify whether the file type of the segmented file stream is a compressed file;
if it is not a compressed file, invoking the encryption or decryption algorithm from the algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system;
if it is a compressed file, performing compressed-package transmission, where:
compressed-package transmission encryption is implemented as follows:
the middleware device merges the segmented file streams of the compressed package's file stream into a complete compressed file and stores it in a temporary folder;
according to the compression algorithm type of the file stream, the corresponding decompression algorithm is called to decompress the compressed file and obtain each individual file inside it;
each decompressed file is encrypted, and all encrypted files are recompressed to obtain a new compressed file;
the new compressed file is encrypted, generating a transparently encrypted temporary compressed file in the temporary folder;
the transparently encrypted temporary compressed file is converted into a file stream and transmitted to the information system in segments, and the temporary files generated in the temporary folder are removed after transmission completes;
compressed-package transmission decryption is implemented as follows:
the middleware device merges the compressed file streams into a complete compressed file and stores it in a temporary folder;
the compressed file is decrypted to obtain a decrypted compressed file;
after the compressed file is decrypted, the corresponding decompression algorithm is called according to the compression algorithm type of the compressed package to decompress it and obtain each individual encrypted file inside;
each decompressed encrypted file is decrypted in turn, and after decryption all decrypted files are recompressed and packaged, giving the transparently decrypted compressed file;
the transparently decrypted compressed file is converted into a file stream and transmitted to the information system in segments, and the temporary files generated in the temporary folder are removed after the file stream has been transmitted.
Optionally, before step one, the method further comprises initializing the middleware device:
when the middleware device is initialized and started, the startup class obtains the type of the current server operating system, the container type and the JDK version;
different encryption and decryption algorithm driver libraries are loaded according to the server operating system type of the middleware device, forming the encryption and decryption algorithm library.
Optionally, after the middleware device starts successfully, a system configuration page pops up, on which the database IP, user name, password and database type are configured; the configuration is completed and saved by clicking Save;
after the save succeeds, the middleware device restarts automatically; during the restart it reads the preconfigured table-creation script, creates the basic tables and inserts the basic data;
after the middleware device has started successfully, the information administrator can log in to the background with the initial user name and password to set parameters.
Optionally, in step five, the global log interceptor of the middleware device asynchronously monitoring calls to the encryption and decryption interfaces and asynchronously inserting the encryption and decryption call log information into the database log table includes:
service log: the detailed log information of the information system's calls to the middleware interface is viewed in real time, and when a call to the middleware interface is abnormal, an administrator or developer can quickly locate the problem from the abnormal log;
service monitoring: the number of concurrent requests answered by the middleware interfaces is counted, which helps system operations staff judge the load on the middleware device, so that the system administrator can conveniently expand the middleware device cluster according to the concurrency level and the maximum concurrent capacity of the middleware device.
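As an added illustration of step five (not the patent's own code), the following Python sketch shows a global log interceptor that wraps the encrypt/decrypt interface, inserts each call's log row into a database table from a worker thread so the interface call never waits on the database, and tracks in-flight concurrency against an assumed node capacity; the table layout, the 80% expansion threshold and the constructed interface it wraps are assumptions.

```python
import queue
import sqlite3
import threading
import time
from functools import wraps


class GlobalLogInterceptor:
    """Assumed design: every wrapped interface call is logged asynchronously and counted."""

    def __init__(self, max_concurrency: int, db_path: str = ":memory:"):
        self.max_concurrency = max_concurrency  # assumed capacity of this middleware node
        # Only the writer thread inserts; check_same_thread=False lets the report methods
        # read from the caller's thread once flush() has drained the queue.
        self.db = sqlite3.connect(db_path, check_same_thread=False)
        self.db.execute("CREATE TABLE IF NOT EXISTS call_log (ts REAL, interface TEXT, "
                        "registration_code TEXT, mark TEXT, status TEXT, detail TEXT, ms REAL)")
        self.queue = queue.Queue()
        self.lock = threading.Lock()
        self.in_flight = 0
        self.peak = 0
        threading.Thread(target=self._writer, daemon=True).start()

    def _writer(self):
        # Asynchronous insertion into the log table: the interface call never waits here.
        while True:
            row = self.queue.get()
            self.db.execute("INSERT INTO call_log VALUES (?,?,?,?,?,?,?)", row)
            self.db.commit()
            self.queue.task_done()

    def intercept(self, interface: str):
        def decorator(fn):
            @wraps(fn)
            def wrapper(header: dict, body: bytes):
                with self.lock:
                    self.in_flight += 1
                    self.peak = max(self.peak, self.in_flight)
                started = time.perf_counter()
                status, detail = "ok", ""
                try:
                    return fn(header, body)
                except Exception as exc:  # record the failure, then let the caller see it
                    status, detail = "error", f"{type(exc).__name__}: {exc}"
                    raise
                finally:
                    with self.lock:
                        self.in_flight -= 1
                    self.queue.put((time.time(), interface, header.get("registration_code"),
                                    header.get("mark"), status, detail,
                                    (time.perf_counter() - started) * 1000))
            return wrapper
        return decorator

    def flush(self):
        self.queue.join()

    def error_log(self):
        """Service log view: the rows an administrator inspects to locate a failed call."""
        self.flush()
        return self.db.execute("SELECT interface, registration_code, mark, detail "
                               "FROM call_log WHERE status = 'error'").fetchall()

    def load_report(self):
        """Service monitoring view: observed peak concurrency against the node's capacity."""
        return {"peak": self.peak, "max": self.max_concurrency,
                "expand_cluster": self.peak >= 0.8 * self.max_concurrency}


# Constructed interface: rejects an unknown encryption mark, otherwise "processes" the body.
interceptor = GlobalLogInterceptor(max_concurrency=4)
gate = threading.Barrier(3)  # makes the three demo calls overlap deterministically


@interceptor.intercept("file_stream_encrypt")
def encrypt_interface(header: dict, body: bytes) -> bytes:
    if header.get("mark") not in ("encrypt", "decrypt"):
        raise ValueError(f"unknown encryption mark {header.get('mark')!r}")
    if header.get("overlap"):
        gate.wait(timeout=5)
    return body[::-1]


def run_demo():
    """Three overlapping good calls, then one bad call; returns the two operator views."""
    good = {"registration_code": "SYS-001", "mark": "encrypt", "overlap": True}
    threads = [threading.Thread(target=encrypt_interface, args=(good, b"x")) for _ in range(3)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    try:
        encrypt_interface({"registration_code": "SYS-002", "mark": "bogus"}, b"y")
    except ValueError:
        pass
    return interceptor.error_log(), interceptor.load_report()
```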
In a second aspect, the present invention also discloses a file stream based encryption and decryption system for implementing the method of the first aspect, which includes:
an encryption server, which binds different encryption and decryption strategies to each department of the enterprise organization structure according to the user information, document authority user information and enterprise organization structure information, and the encryption strategies, decryption strategies, key types, file authentication keys and document security levels entered or imported into the encryption server; configures encryption keys, decryption keys, file authentication keys and document security level information for those strategies; and generates the corresponding registration codes and registration keys;
the encryption server returns the registration codes and registration keys to the information system and synchronizes the key and strategy information, together with the registration codes and registration keys, to all middleware devices; the key and strategy information comprises the encryption strategy, decryption strategy, encryption key, decryption key, file authentication key and document security information of the confidential documents;
a middleware device, which comprises a system setting module, an encryption or decryption management module and a system operation and maintenance module;
the system setting module is used to configure, for the middleware device, the server IP and service port of the encryption server and the frequency at which key and strategy information is synchronized from the encryption server;
the encryption or decryption management module is used to obtain the key and strategy information from the encryption server at the synchronization frequency and store it in a data table of the middleware server; to register an information system according to the registration code and registration key it submits, generate the unique authentication code for interface calls, bind that code to the corresponding key and strategy information, and return it to the information system; and
when the information system calls the encryption or decryption interface, to call the corresponding encryption or decryption algorithm from the algorithm library according to the corresponding key and strategy information, encrypt or decrypt the segmented file stream, and return the resulting segmented ciphertext stream or segmented plaintext stream to the information system;
the system operation and maintenance module comprises a global log interceptor and is used for the service log and service monitoring: it asynchronously monitors calls to the middleware interface through the global log interceptor and asynchronously inserts the encryption and decryption call log information into a database log table.
Compared with the prior art, the invention has the following beneficial effects:
Through a registration mechanism, secure and efficient integration of each enterprise information system with the device is achieved. The information system achieves encryption protection and decrypted viewing of confidential documents by calling the file stream interface. The middleware device secures the integration through the unique authentication code carried by each segmented stream and the security check of every parameter field. Because confidential files are transmitted and exchanged as segmented file streams, no temporary copy of the confidential file is stored, which greatly reduces the risk of leakage.
The middleware device loads the built-in encryption driver algorithm library for its platform, achieving compatibility, consistency and mutual recognition of the encryption and decryption of confidential documents in information systems deployed on different platforms.
An administrator can flexibly configure the encryption driver algorithm and keys through the device background, and synchronize the strategies and keys of the existing encryption system through a scheduled task, achieving seamless integration with the encryption system.
The device synchronizes the enterprise organization structure and personnel authority system of the enterprise users, links them to the encryption strategies and encryption keys, and achieves classified encryption management and control and mutual recognition of the confidential files of each information system.
The invention has built-in early warning mail configuration: when the middleware service is abnormal, or an information system's call to the middleware's encryption or decryption interface is abnormal, it sends an error log early warning, which helps the information administrator locate the problem quickly. A service log is also provided: the detailed log information of the enterprise information system's calls to the encryption and decryption interfaces is viewed in real time, and when an application system's call to the encryption or decryption interface is abnormal, the information administrator can quickly locate the problem from the log.
Drawings
FIG. 1 is a diagram of a method of encrypting and decrypting according to the present invention;
FIG. 2 is a diagram of an enterprise information system, encryption server, middleware device deployment interaction;
FIG. 3 is a pop-up system configuration page after the middleware device of the present invention is successfully started;
FIG. 4 is a middleware services diagram of the present invention;
FIG. 5 is a diagram of an early warning mail configuration of the present invention;
FIG. 6 is a registration block diagram of the present invention;
FIG. 7 is a logic diagram of the specific process by which the middleware decryption interface is called to decrypt a file stream according to the present invention;
FIG. 8 is a logic diagram of the specific process by which the middleware encryption interface is called to encrypt a file stream according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the terms "upper," "lower," "inner," "outer," "front," "rear," "both ends," "one end," "the other end" indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, merely to facilitate description of the present invention and simplify the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and therefore should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "provided," and "connected" are to be construed broadly, and may be either fixed, removable, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
Referring to fig. 1, 2, 3, 4, 5, 6, 7 and 8, an embodiment of the present invention is provided: a method for encrypting and decrypting based on file stream,
firstly, an information system (enterprise information system) finishes registration in a middleware device, and obtains a unique authentication code called by a middleware interface (the middleware interface comprises an encryption or decryption interface, a ciphertext processing interface and other information systems in the encryption or decryption process of the middleware device); wherein the unique authentication code is generated in the middleware device according to information system registration information when the information system completes registration in the middleware device.
When the registered information system needs to encrypt or decrypt the secret-related file in the information system, the information system firstly converts the secret-related file into a secret-related file stream, then uses the unique authentication code to call a file stream encryption or decryption interface of the middleware device, the file stream encryption or decryption interface segments the secret-related file stream (the clear text stream or the secret text stream of the secret-related document) in the information system, then adds a segment file obtained by the unique authentication code and the encryption mark to each segment, and transmits all the obtained segment files to the middleware device; each segmented file stream comprises a request head and a request body.
Step three, the middleware device analyzes the received segmented file stream request header, acquires parameters such as an information system registration code, a unique authentication code, an encryption mark, the size of the file stream transmitted currently, file block information (such as the position of the initial value of the current block in the file stream, and the like), document authority user information, and the like in the request header, performs security authentication on the parameters, and executes step four after the security authentication is completely passed. The security authentication of the above parameters in the present embodiment includes, but is not limited to, the following:
(1) Verifying the validity of the system registration code, the unique authentication code obtained by analysis, the encryption mark, the file stream size, the file block information, the document authority user information and other parameters;
(2) And (3) comparing and authenticating the unique authentication code obtained by analysis in the step (III) with the unique authentication code generated for the information system in the middleware device (namely, whether the two unique authentication codes are consistent or not).
When the security authentication is carried out, only if one security authentication is passed, the next security authentication is started, and if the current security authentication is not passed, the risk is directly judged; for example, the registration code and the unique authentication code are compared and authenticated only if the validity check of all parameters passes (all legal).
Step four: after each segmented stream has passed the security authentication of the middleware device, the ciphertext processing interface of the middleware device is called. Through the dll/so driver algorithm library, the ciphertext processing interface identifies whether the encryption mark requests encryption or decryption, calls the corresponding encryption or decryption algorithm from the algorithm library according to the identified mark to encrypt or decrypt the request body of the segmented file stream, generates a new segmented file stream (the segmented ciphertext stream obtained by encrypting the segmented file stream, or the segmented plaintext stream obtained by decrypting it), and returns the new segmented file stream to the information system, which completes the encryption or decryption of the confidential document.
In this embodiment, step four includes the following:
calling the ciphertext processing interface of the middleware device, which identifies and judges whether the encryption mark in the request header of the segmented file stream is encryption or decryption, and whether the request body is a plaintext stream or a ciphertext stream; this embodiment does not limit the order of the two judgments (judging the encryption mark, and judging the attribute of the request body file stream, plaintext or ciphertext);
if the encryption mark in the request header is encryption and the request body is a plaintext stream, the middleware device calls the corresponding encryption algorithm from the algorithm library (the encryption algorithm library) to encrypt and authorize the request body of the segmented file stream according to the enterprise organization structure, document authority user information, document security level information, authentication key, encryption key and preset algorithm engine parameters that the registered system user is associated with at the encryption server, and returns the encrypted segmented ciphertext stream to the enterprise information system; after receiving all segmented ciphertext streams, the enterprise information system merges them in order and converts the result into the ciphertext file stream of the confidential document, placing it under encryption protection;
if the encryption mark in the request header is encryption and the request body is already a ciphertext stream, the segmented file stream is returned to the information system unchanged as the corresponding segmented ciphertext stream; after the information system has received all segmented ciphertext streams of the ciphertext file stream, it merges them in order and converts the result into the ciphertext file stream, so that the already encrypted file in the information system remains under encryption protection;
if the encryption mark in the request header is decryption and the request body is a ciphertext stream, the middleware device calls the corresponding decryption algorithm from the algorithm library (the decryption algorithm library) to decrypt the request body according to the enterprise organization structure, document authority user information, document security level information, encryption key and preset algorithm engine parameters that the registered system user is associated with at the encryption server, and returns the decrypted segmented plaintext stream to the enterprise information system; after the enterprise information system has received all segmented plaintext streams of the confidential document, it merges them in order to obtain the plaintext file stream of the confidential document, so that the confidential document can be decrypted and viewed securely;
if the encryption mark in the request header is decryption and the request body is already a plaintext stream, the segmented file stream of the confidential file stream is returned to the information system unchanged as the corresponding segmented plaintext stream; after the information system has received all segmented plaintext streams of the confidential file stream, it merges them in order and converts the result into the plaintext file stream, so that the confidential file can be viewed in the information system.
When the confidential file stream uploaded or viewed through the user's information system is a compressed package produced by compressing several files (the files in the package may be several plaintext stream files or several ciphertext stream files), transparent transmission encryption or decryption of the compressed package is required. The middleware device therefore selects, according to the file type (compressed or not) of the segmented file stream identified by the ciphertext processing interface, whether to execute transparent transmission processing; if the file is not a compressed package, it proceeds directly to the encryption mark judgment and the request body file stream attribute judgment.
Transparent transmission encryption of a compressed package is implemented as follows: the middleware device first merges the segmented file streams of the compressed file stream into a complete compressed file and stores it in a temporary folder (every temporary file generated in the following process is stored in this temporary folder: all files obtained by decompression, the files obtained by encrypting each decompressed file, the new compressed file obtained by recompression, the temporary compressed file, the stream file of the temporary compressed file and the segmented stream files of the temporary compressed file); it then calls the decompression algorithm corresponding to the compression algorithm type of the file stream to decompress the package and obtain each individual file in it, encrypts each decompressed file, recompresses all encrypted files into a new compressed file, finally encrypts the new compressed file to generate the transparently encrypted temporary compressed file in the temporary folder, converts that file into a file stream, transmits it in segments to the calling information system, and deletes the files generated in the temporary folder once the transmission is complete.
Transparent transmission decryption of a compressed package is implemented as follows: the middleware device first merges the segmented file streams of the compressed package into a complete compressed file and stores it in the temporary folder, decrypts the package to obtain the decrypted compressed package, calls the decompression algorithm corresponding to the compression algorithm type of the package to decompress it and obtain each individual encrypted file in it, decrypts each decompressed encrypted file, and, once decryption is complete, recompresses all decrypted files into the transparently decrypted compressed file; finally it converts that file into a file stream, transmits it in segments to the calling information system, and clears the temporary files generated in the temporary folder once the transmission is complete.
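The following added example (written for this page, not the patent's or the assignee's code) covers two passages at once: the step-four decision table of encryption mark against request body attribute, and the transparent transmission encryption and decryption of a compressed package just described. The patent's driver algorithm library is not on the page, so the example stands in a cipher of its own: HMAC-SHA256 run as a keystream generator with a nonce built from an assumed 8-byte file identifier and the block offset, plus a per-segment HMAC tag; the ESAF marker that identifies a ciphertext stream, the segment layout and the keys are likewise assumptions. Packages are handled in memory rather than in a temporary folder, but the member name check is the one needed when members are written to such a folder.

```python
import hashlib
import hmac
import io
import posixpath
import struct
import zipfile

# Added example, not the patent's code: the cipher, the ESAF marker, the segment layout
# and the keys are assumptions standing in for the driver algorithm library.
MAGIC = b"ESAF"                      # marks a request body as a ciphertext stream
ENC_KEY = b"assumed-department-encryption-key"
MAC_KEY = b"assumed-department-authentication-key"
HEADER_LEN = 4 + 16 + 32             # marker + nonce + tag, then the encrypted body


def _xor_keystream(data, nonce):
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(ENC_KEY, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_segment(plain, file_id, offset):
    """Encrypt one segment independently of the others (file_id is 8 bytes).

    The nonce binds the keystream to (file, block offset), so no two segments of a file
    share keystream; the tag lets decryption reject a modified segment.
    """
    nonce = file_id + struct.pack(">Q", offset)          # 8-byte file id + 8-byte offset
    body = _xor_keystream(plain, nonce)
    tag = hmac.new(MAC_KEY, MAGIC + nonce + body, hashlib.sha256).digest()
    return MAGIC + nonce + tag + body


def is_ciphertext(body):
    """Request body attribute: a ciphertext stream carries the marker, a plaintext stream does not."""
    return body.startswith(MAGIC) and len(body) >= HEADER_LEN


def decrypt_segment(blob):
    if not is_ciphertext(blob):
        raise ValueError("not a ciphertext segment")
    nonce, tag, body = blob[4:20], blob[20:52], blob[52:]
    expected = hmac.new(MAC_KEY, MAGIC + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("segment tag mismatch: modified, truncated or wrong key")
    return _xor_keystream(body, nonce)


def process_segment(encryption_flag, body, file_id, offset):
    """Step four decision table: encryption mark x request body attribute."""
    cipher = is_ciphertext(body)
    if encryption_flag == "encrypt":     # already a ciphertext stream: pass through
        return body if cipher else encrypt_segment(body, file_id, offset)
    if encryption_flag == "decrypt":     # already a plaintext stream: pass through
        return decrypt_segment(body) if cipher else body
    raise ValueError("unknown encryption mark")


def _safe_member(name):
    """Zip-slip guard: a member name must stay inside the temporary folder it is extracted to."""
    norm = posixpath.normpath(name)
    if posixpath.isabs(name) or "\\" in name or norm == ".." or norm.startswith("../"):
        raise ValueError("archive member escapes the temporary folder: " + name)
    return norm


def transparent_encrypt_archive(archive_bytes, file_id):
    """Merged package -> decompress -> encrypt each member -> recompress -> encrypt package."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = _safe_member(info.filename)
            if not info.is_dir():
                member_id = hashlib.sha256(file_id + name.encode()).digest()[:8]
                dst.writestr(name, encrypt_segment(src.read(info), member_id, 0))
    return encrypt_segment(out.getvalue(), file_id, 0)


def transparent_decrypt_archive(blob):
    """Decrypt package -> decompress -> decrypt each member -> recompress."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(decrypt_segment(blob))) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not info.is_dir():
                dst.writestr(_safe_member(info.filename), decrypt_segment(src.read(info)))
    return out.getvalue()


def build_archive(members):
    """Constructed sample input: {member name: content} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def read_archive(archive_bytes):
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        return {i.filename: z.read(i) for i in z.infolist() if not i.is_dir()}
```

Two points the paragraphs leave implicit are made explicit here: deciding whether a body is plaintext or ciphertext needs an unambiguous marker rather than a guess, and a decrypt call on a body whose tag does not verify must fail rather than hand back garbage. A package member named with "../" is rejected before anything is written, which matters because the patent extracts members into a temporary folder.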
Step five: the global log interceptor of the middleware device asynchronously monitors the calls made to the encryption and decryption interfaces of the middleware device, obtains the log information of each call from the log table of the middleware device and asynchronously inserts it into the database log of the middleware device according to preset key fields (chosen according to the users' requirements for querying, counting and analysing the stored data). In this embodiment the log information of an encryption or decryption interface call includes, but is not limited to, the request time, request header information, authentication information, call success flag, error code and error detail, and request completion time.
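The following added example (written for this page, not the patent's or the assignee's code) shows one way to build the step-five log record and hand it to an asynchronous writer. The field set, the fingerprinting of the unique authentication code and the queue-backed writer are assumptions; the patent lists the fields but not how they are stored. The point a practitioner would want is that the record carries enough to correlate and troubleshoot calls without storing the bearer credential or the request body, which for a decrypt call is the plaintext of a confidential document.

```python
import hashlib
import queue
import threading
import time

# Added example, not the patent's code: the record fields, the fingerprinting of the
# authentication code and the queue-backed writer are assumptions for illustration.
KEY_FIELDS = ("request_time", "registration_code", "auth_fingerprint", "encryption_flag",
              "stream_size", "block_offset", "auth_passed", "success",
              "error_code", "error_detail", "completed_time")


def make_log_record(header, auth_passed, success, error_code="", error_detail="",
                    request_time=None, completed_time=None):
    """Build one row for the database log table from a request header and its outcome.

    Only a short fingerprint of the unique authentication code is kept (enough to
    correlate calls from one system); the request body is never included.
    """
    code = header.get("auth_code", "")
    return {
        "request_time": request_time if request_time is not None else time.time(),
        "registration_code": header.get("registration_code"),
        "auth_fingerprint": hashlib.sha256(code.encode()).hexdigest()[:12] if code else None,
        "encryption_flag": header.get("encryption_flag"),
        "stream_size": header.get("stream_size"),
        "block_offset": header.get("block_offset"),
        "auth_passed": auth_passed,
        "success": success,
        "error_code": error_code,
        "error_detail": error_detail,
        "completed_time": completed_time if completed_time is not None else time.time(),
    }


class GlobalLogInterceptor:
    """Hands records to a background writer so logging never blocks the call path."""

    def __init__(self, sink):
        self.sink = sink                     # stand-in for the database log table
        self.queue = queue.Queue()
        self.worker = threading.Thread(target=self._drain, daemon=True)
        self.worker.start()

    def intercept(self, record):
        self.queue.put(record)

    def _drain(self):
        while True:
            record = self.queue.get()
            if record is None:
                break
            self.sink.append({k: record[k] for k in KEY_FIELDS})   # only the preset key fields
            self.queue.task_done()

    def close(self):
        self.queue.put(None)
        self.worker.join()


def demo():
    """Constructed sample: one successful encrypt call and one failed authentication."""
    rows = []
    interceptor = GlobalLogInterceptor(rows)
    header = {"registration_code": "REG-2023-001", "auth_code": "a" * 64,
              "encryption_flag": "encrypt", "stream_size": 4096, "block_offset": 0}
    interceptor.intercept(make_log_record(header, True, True,
                                          request_time=1.0, completed_time=2.0))
    bad = dict(header, auth_code="0" * 64)
    interceptor.intercept(make_log_record(bad, False, False, "AUTH_MISMATCH",
                                          "unique authentication code mismatch",
                                          request_time=3.0, completed_time=3.5))
    interceptor.close()
    return rows
```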
In an embodiment of the application, before step one, the method further includes:
the information system synchronizes user information, document authority user information and enterprise organization structure information to the encryption server;
common encryption strategies, decryption strategies, keys of various types, file authentication keys and document security classification rules are imported into the encryption server;
after receiving the user information, document authority user information and enterprise organization structure information, the encryption server binds different encryption and decryption strategies to each department of the enterprise organization structure according to the user's enterprise organization structure and the document authority user information, configures encryption and decryption keys and file authentication keys for those strategies (in the encryption server each department under the enterprise organization structure is allocated one or more authentication keys; before decrypting a document, the encryption driver integrated in the middleware device must first authenticate with the file authentication key and may decrypt with the encryption key only after that authentication passes), associates the document security level of the confidential documents, and generates the corresponding registration codes and registration keys; it returns the registration codes and registration keys to the information system and synchronizes the encryption strategies, decryption strategies, encryption keys, decryption keys, file authentication keys, document security levels of the confidential documents and related information to all middleware devices.
When the information system registers with the middleware device, the middleware device generates the unique authentication code used for interface calls from the registration code, the registration key, the IP address of the server hosting the information system and the related hardware information entered by the information system, binds the unique authentication code to the corresponding encryption strategy, decryption strategy, encryption key, decryption key, file authentication key, document security level of the confidential documents and related information, and returns the unique authentication code to the information system.
Step one further includes initializing the middleware device. When the middleware device is initialized and started, the encryption algorithm driver configuration module obtains, in the startup class, the type of the current server operating system, the container type and the jdk version, and then loads different encryption algorithm driver link libraries and decryption algorithm driver link libraries according to the server operating system type of the encryption client to form the encryption algorithm library and the decryption algorithm library: when the server runs Linux the so dynamic library file is loaded, and when the server is a Windows platform the dll dynamic link library is loaded.
After the middleware device has started successfully, a system configuration page is displayed on which the administrator configures the database IP address, user name, password and database type and clicks save; after the configuration has been saved successfully the middleware service restarts automatically, and during the restart it reads the preconfigured table creation script, creates the basic tables and inserts the basic data;
after the middleware device has started successfully, the information administrator can log in to the management background with the initial user name and password.
The embodiment of the application further provides a system for encryption and decryption based on file streams, which comprises an encryption server and a middleware device.
Several encryption servers may be deployed, with both single-machine and cluster deployment supported; the encryption server synchronizes the user information, document authority user information and enterprise organization structure information of the enterprise information system; common encryption strategies, decryption strategies, keys of various types (such as master keys), file authentication keys, document security levels and document security classification rules are imported into the encryption server;
after receiving the user information, document authority user information and enterprise organization structure information, the encryption server binds different encryption and decryption strategies to the information system corresponding to the user information according to the user's enterprise organization architecture and the document authority user information, configures encryption and decryption keys, file authentication keys, document security levels of the confidential documents and related information for those strategies, and generates the corresponding registration codes and registration keys; it returns the registration codes and registration keys to the information system and synchronizes the key and strategy information, registration codes and registration keys to all middleware devices. The key and strategy information comprises the encryption strategy, decryption strategy, encryption key, decryption key, file authentication key, document security level of the confidential documents and related information.
In the embodiment of the application, when a department distributes keys to all of its sub-departments under the enterprise organization architecture, that department holds the keys of all its sub-departments; a user of that department therefore holds several encryption or decryption keys (multiple keys) and can encrypt or decrypt the confidential file streams of users in all sub-departments. Likewise, a user with a high authority level holds the authentication keys of several sub-departments (each sub-department being allocated one or more authentication keys), so that such a user can encrypt or decrypt the confidential file streams of all sub-department users under that user's authority.
When encrypting or decrypting a confidential file stream (segmented file stream), the authentication key is first checked against the authentication key information stored in the confidential file stream; only if this check passes is the encryption or decryption key called to encrypt or decrypt the segmented file stream.
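The following added example (written for this page, not the patent's or the assignee's code) shows the two preceding paragraphs working together: a department's key ring covering its own keys and those of every sub-department, several authentication keys per department, and the rule that an encryption key is released only after one of the held authentication keys matches the authentication information stored in the file stream. The layout of that stored information (a 16-byte salt followed by an HMAC-SHA256 tag over the salt), the department tree and the key values are constructed assumptions; the patent does not describe the on-disk format of the authentication key information.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code: the stored-information layout (16-byte salt +
# HMAC-SHA256 tag), the department tree and the keys are constructed assumptions.
ORG = {"HQ": ["R&D", "Finance"], "R&D": ["R&D-Team1"], "Finance": [], "R&D-Team1": []}

# department -> (authentication keys allocated to it, its encryption key);
# a department may hold more than one authentication key.
DEPARTMENT_KEYS = {
    "HQ":        ([b"auth-hq-1"], b"enc-hq"),
    "R&D":       ([b"auth-rd-1"], b"enc-rd"),
    "R&D-Team1": ([b"auth-rdt1-1", b"auth-rdt1-2"], b"enc-rdt1"),
    "Finance":   ([b"auth-fin-1", b"auth-fin-2"], b"enc-fin"),
}


def stamp_auth_info(auth_key, salt=None):
    """Authentication information written into a confidential file stream at encryption."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hmac.new(auth_key, salt, hashlib.sha256).digest()


def auth_key_matches(auth_key, stored):
    """The check against the stored information: recompute the tag and compare in constant time."""
    salt, tag = stored[:16], stored[16:48]
    return hmac.compare_digest(hmac.new(auth_key, salt, hashlib.sha256).digest(), tag)


def keyring_for(department):
    """A department holds its own keys plus those of every department below it."""
    ring, pending = [], [department]
    while pending:
        dept = pending.pop(0)
        ring.append(dept)
        pending.extend(ORG.get(dept, []))
    return ring


def select_decryption_key(user_department, stored_auth_info):
    """Return (owning department, encryption key), or None when no held key matches.

    The encryption key is released only after an authentication key held by the user
    passes the check; a user outside the owning subtree gets nothing, and the result
    does not reveal which department owns the file.
    """
    for dept in keyring_for(user_department):
        auth_keys, enc_key = DEPARTMENT_KEYS[dept]
        if any(auth_key_matches(k, stored_auth_info) for k in auth_keys):
            return dept, enc_key
    return None
```

With this structure an HQ user can open a file stamped with either Finance authentication key, a Finance user can open it with the department's own keys, and an R&D user, whose ring does not include Finance, is refused without learning who owns the file.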
Several middleware devices may be deployed, with both single-machine and cluster deployment supported; the middleware device comprises a system setting module, an encryption or decryption management module and a system operation and maintenance module.
The system setting module comprises database configuration management and early warning mail configuration:
(1) database configuration management: the server IP address and service port of the encryption server and the synchronization frequency of the keys and strategy information can be configured;
(2) early warning mail configuration: when the middleware service is abnormal, or a call from the information system to the middleware encryption or decryption interface is abnormal, error log early warning information is sent so that the information administrator can locate the problem quickly;
the encryption or decryption management module obtains the keys and strategy information from the encryption server at the synchronization frequency and synchronizes them into a data table of the middleware server; registers the information system according to the registration code and registration key entered by the information system, generates the unique authentication code used for interface calls, binds it to the corresponding keys and strategy information and returns it to the information system; and
when the information system calls the encryption or decryption interface, calls the corresponding encryption or decryption algorithm from the algorithm library according to the corresponding keys and strategy information to encrypt or decrypt the segmented file stream, and returns the resulting segmented ciphertext stream or segmented plaintext stream to the information system;
the encryption or decryption management module comprises a master key management module, a registration module, an encryption algorithm driver configuration module and an encryption or decryption module;
(1) the master key management module mainly maintains and manages master key information; a timed synchronization task interface of the middleware device synchronizes the keys and strategy information of the encryption server at the configured synchronization frequency, writing the keys and strategy information required for encryption and decryption into a data table of the middleware server; key and strategy synchronization also supports manual addition and deletion of keys, with the changes synchronized back to the encryption server;
(2) the registration module: before an information system can call the encryption or decryption interface of the middleware device service, the system must be registered in this module, and only after registration can interface authentication be performed with the unique authentication code. The registration module records the registration information of the information system and completes its registration in the middleware device. It contains a registration code generation submodule that generates the system registration code of the information system during registration, and the registration module generates the unique authentication code from the hardware information of the server hosting the registered information system, a preset interface verification key, the system registration code and the registration time. The registration information entered in the registration module comprises enterprise information, system name, server IP address and system registration code, and is stored after entry;
(3) the encryption algorithm driver configuration module: the security administrator configures the encryption and decryption driver algorithms flexibly according to the encryption driver type of the encryption client and the algorithm library;
(4) the encryption or decryption module: when the information system calls the encryption or decryption interface, it calls the corresponding encryption or decryption algorithm from the algorithm library according to the corresponding keys and strategy information to encrypt or decrypt the segmented file stream, and returns the resulting segmented ciphertext stream or segmented plaintext stream to the information system.
The system operation and maintenance module asynchronously monitors the calls to the middleware interfaces through the global log interceptor and asynchronously inserts the encryption and decryption call log information into a database log table; it comprises a service log and service monitoring:
(1) service log: the detailed log information of the enterprise information system's calls to the middleware encryption and decryption interfaces can be viewed in real time, and when a call from the application system to the encryption or decryption interface is abnormal, the administrator can locate the problem quickly from the log;
(2) service monitoring: the number of concurrent requests being handled by the middleware interfaces is counted to help operation and maintenance staff judge the load on the middleware, so that the system administrator can scale the middleware service cluster according to the concurrency level and the maximum concurrency capacity of the middleware.
In this embodiment, the encryption driver algorithms in the middleware device system are written in C and integrate a rich encryption and decryption algorithm library engine; the algorithm library is implemented on the basis of the Chinese national cryptographic algorithms;
to make the algorithm library cross-platform, the algorithm engine is compiled into a dll dynamic engine algorithm library for the Windows platform and an so dynamic link algorithm library for the Linux platform;
on the Windows platform the middleware device invokes the encryption and decryption algorithms of the dll algorithm library through the EstFileWindow class, and on the Linux platform it invokes the encryption and decryption algorithms of the so dynamic link algorithm library through the corresponding class, so that file stream encryption and decryption operates after deployment on either platform;
the middleware device integrates the springboot framework, so it can be deployed efficiently and conveniently in each mainstream server container, and can also run independently as a jar package.
The middleware device is compatible with interface calls over common protocols; the information system only needs to call the file stream encryption or decryption interface of the device according to the interface protocol.
Embodiment one: secure viewing of a confidential encrypted document within an information system.
The information system first registers with the middleware device: the registration code and registration key are entered, the IP address of the server hosting the information system and the related hardware information are saved, and the unique authentication code used for interface calls is generated once saving completes.
When a confidential encrypted file is opened in the information system, the system first converts the encrypted file into a ciphertext file stream, then assembles it into segments according to the interface protocol of the middleware and transmits them to the middleware device;
after receiving the segmented ciphertext streams, the middleware device parses the request header of each segmented ciphertext stream, performs security verification and authentication on each request header, and checks the correctness of the parameters of the request header and of the request body;
if verification fails, an error code and error information are returned to the calling system and error log information is recorded in the log information table of the middleware;
if the security authentication and the parameter checks of the request header pass, each segmented ciphertext stream is decrypted and the decrypted plaintext stream is returned to the calling system. After receiving all returned plaintext streams, the calling system merges them according to the file stream sequence numbers and passes the merged file stream to a document reader, so that the confidential encrypted document is viewed securely. If decryption fails, the error code and the reason for the decryption failure are recorded in the log information table of the middleware so that development staff can inspect and locate the fault.
Embodiment two: secure encryption protection of a confidential document within an information system.
The information system first registers with the middleware device: the registration code and registration key are entered, the IP address of the server hosting the information system and the related hardware information are saved, and the unique authentication code used for interface calls is generated once saving completes.
Before a confidential file in the information system is encrypted, or before a user downloads the plaintext confidential file to a client, the system first converts the confidential file into a file stream, then assembles it into segments according to the file stream encryption interface protocol of the middleware device and transmits them to the middleware device.
After receiving the segmented file streams, the middleware device parses the request header of each segmented stream, performs security verification and authentication on each request header, and checks the correctness of each parameter of the request header and of the request body;
if verification fails, an error code and error information are returned to the calling system and error log information is recorded in the log information table of the middleware.
If the security authentication and the parameter checks of the request header pass, the encryption interface is called to encrypt the segmented streams, and the encrypted segmented ciphertext streams are returned to the calling system. After the calling system has received all segmented ciphertext streams, it merges them according to the segmented file stream sequence numbers and converts the result into a ciphertext file, which is either stored under protection or provided to the client for secure download, so that the secure transmission, encryption and download of the ciphertext file are ensured. If encryption fails, the error code and the reason for the encryption failure are recorded in the log information table of the middleware so that development staff can inspect and locate the fault.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A method for encryption and decryption based on file streams, characterized in that:
step one, the information system completes registration in the middleware device and obtains a unique authentication code for calling the middleware interface; the middleware interface comprises an encryption or decryption interface and a ciphertext processing interface; the unique authentication code is generated by the middleware device from the registration information of the information system at registration;
step two, the information system calls the file stream encryption or decryption interface of the middleware device, segments the confidential file stream, adds the unique authentication code and an encryption mark to each segment to obtain segmented file streams, and transmits them to the middleware device; each segmented file stream comprises a request header and a request body;
step three, the middleware device parses the segmented file stream sent by the information system, obtains the unique authentication code, encryption mark, file stream size, file block information and document authority user information from the request header, and performs security authentication on the parameters obtained by parsing the request header;
step four, after the security authentication passes, the ciphertext processing interface of the middleware device is called to identify whether the encryption mark is encryption or decryption; according to the identification result an encryption or decryption algorithm is called from the encryption or decryption algorithm library to encrypt or decrypt the request body of the segmented file stream, a new segmented file stream is generated, and the new segmented file stream is returned to the information system;
step five, the global log interceptor of the middleware device asynchronously monitors the calls to the encryption and decryption interfaces and asynchronously inserts the log information of the encryption and decryption calls into a database log table.
2. The method for encryption and decryption based on file streams according to claim 1, characterized in that in step four, calling the encryption or decryption algorithm from the encryption or decryption algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system comprises:
when the encryption mark of the request header is encryption and the request body is a plaintext stream, the file stream encryption interface of the middleware device calls the corresponding encryption algorithm library to encrypt and authorize the request body according to the document authority user information, document security level information, authentication key, encryption key and preset algorithm engine parameters of the enterprise organization structure that the current user of the information system is associated with in the encryption server, and returns the segmented ciphertext stream obtained by encryption to the information system; after receiving all segmented ciphertext streams, the information system merges them in order to obtain the ciphertext file stream of the confidential document;
when the encryption mark in the request header is decryption and the request body is a ciphertext stream, the file stream decryption interface of the middleware device decrypts the request body by calling the corresponding decryption algorithm library according to the document authority user information, document security level information, authentication key, encryption key and preset algorithm engine parameters of the enterprise organization structure that the current user of the information system is associated with in the encryption server, and returns the decrypted segmented plaintext stream to the information system once decryption succeeds; after receiving all segmented plaintext streams of the confidential document, the information system merges them in order and converts the result into the plaintext file stream of the confidential document.
3. The method for encrypting and decrypting based on a file stream according to claim 1, wherein: in step four, calling the encryption or decryption algorithm from the encryption or decryption algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system further comprises:
when the encryption flag in the request header is encryption and the request body is a ciphertext stream, the segmented file stream of the ciphertext file stream is returned directly to the information system as a segmented ciphertext stream; after the information system has received all segmented ciphertext streams, it combines them in sequence and converts the result into a ciphertext file stream.
4. The method for encrypting and decrypting based on a file stream according to claim 1, wherein: in step four, calling the encryption or decryption algorithm from the encryption or decryption algorithm library according to the identification result to encrypt or decrypt the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system further comprises:
when the encryption flag in the request header is decryption and the request body is a plaintext stream, the segmented file stream is returned directly to the information system as a segmented plaintext stream; after the information system has received all segmented plaintext streams, it combines them in sequence and converts the result into a plaintext file stream.
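The dispatch that claims 2 to 4 describe, as an added example that is not part of the patent and not the applicant's code: the request-header flag selects encryption or decryption, a body that is already in the requested form is passed through unchanged instead of being processed twice, and the information system rejoins the returned segments in order. The claims name no algorithm and do not say how a ciphertext stream is recognised, so the AES-GCM construction, the `ESFS` marker used for that recognition, the flag values `encrypt`/`decrypt` and the demo key are all assumptions of this example; Go's standard library is used so that it runs without any dependency.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// magic is a constructed marker placed in front of every sealed segment so the
// middleware can tell a ciphertext stream from a plaintext stream. The claims
// do not say how that distinction is made, so the marker is an assumption.
var magic = []byte("ESFS")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSegment produces magic || nonce || AES-GCM ciphertext || tag; the marker
// is bound in as associated data, so it cannot be swapped without detection.
func sealSegment(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, magic...), nonce...)
	return gcm.Seal(out, nonce, plaintext, magic), nil
}

// openSegment reverses sealSegment; a modified segment fails the tag check.
func openSegment(key, body []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(magic) + gcm.NonceSize()
	if len(body) < hdr {
		return nil, errors.New("sealed segment too short")
	}
	return gcm.Open(nil, body[len(magic):hdr], body[hdr:], magic)
}

func isCiphertext(body []byte) bool { return bytes.HasPrefix(body, magic) }

// processSegment is the middleware dispatch of claims 2 to 4: the request
// header flag selects the direction, and a body that is already in the
// requested form is returned unchanged instead of being processed twice.
func processSegment(key []byte, flag string, body []byte) ([]byte, error) {
	switch {
	case flag == "encrypt" && isCiphertext(body): // claim 3
		return body, nil
	case flag == "encrypt":
		return sealSegment(key, body)
	case flag == "decrypt" && !isCiphertext(body): // claim 4
		return body, nil
	case flag == "decrypt":
		return openSegment(key, body)
	}
	return nil, fmt.Errorf("unknown encryption flag %q", flag)
}

// combineSegments is the information system's step: join the returned
// segments in the order they were sent to rebuild the whole file stream.
func combineSegments(segments [][]byte) []byte { return bytes.Join(segments, nil) }

func main() {
	key := bytes.Repeat([]byte{1}, 32) // constructed demo key, not a real one
	var sealed [][]byte
	for _, seg := range [][]byte{[]byte("first part of the "), []byte("confidential document")} {
		ct, err := processSegment(key, "encrypt", seg)
		if err != nil {
			panic(err)
		}
		sealed = append(sealed, ct)
	}
	var opened [][]byte
	for _, ct := range sealed {
		pt, err := processSegment(key, "decrypt", ct)
		if err != nil {
			panic(err)
		}
		opened = append(opened, pt)
	}
	fmt.Println(string(combineSegments(opened)))
}
```

Recognising ciphertext by a marker has an obvious limit: a plaintext segment that happens to start with the marker would be passed through unencrypted on an encrypt request, and on a decrypt request a body that carries the marker but no valid tag is rejected by the tag check rather than passed through. In a deployment the decision should also be tied to the file authentication key and document metadata that the claims describe, and every tag failure should be logged.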
5. The method for encrypting and decrypting based on a file stream according to claim 1, wherein: before step one, the method further comprises:
the information system synchronizes user information, document authority user information and enterprise organization structure information to the encryption server; the encryption server is preconfigured with a plurality of encryption policies, decryption policies, a plurality of key types, a file authentication key and document security classification rules;
according to the received enterprise organization structure and document authority user information, the encryption server binds different encryption policies and decryption policies to each department under the enterprise organization structure, configures encryption and decryption keys, file authentication keys and document security information of the confidential documents for those encryption and decryption policies, and generates the corresponding registration codes and registration keys;
the encryption server returns the registration codes and registration keys to the information system, and synchronizes the encryption policies, decryption policies, encryption keys, decryption keys, file authentication keys and document security information of the confidential documents to all middleware devices.
6. The method for encrypting and decrypting based on a file stream according to claim 1, wherein: in step four, before the ciphertext processing interface of the middleware device is called to identify whether the encryption flag is encryption or decryption, the method further comprises:
calling the ciphertext processing interface of the middleware device to identify whether the file type of the segmented file stream is a compressed file;
if it is not a compressed file, calling the encryption or decryption algorithm from the encryption or decryption algorithm library according to the identification result, encrypting or decrypting the request body of the segmented file stream, generating a new segmented file stream and returning it to the information system;
if it is a compressed file, performing compressed-package transmission; wherein:
compressed-package transmission encryption is implemented as follows:
the middleware device combines the segmented file streams of the compressed-package file stream into a complete compressed file and stores it in a temporary folder;
according to the compression algorithm type of the file stream, the corresponding decompression algorithm is called to decompress the compressed file and obtain each individual file it contains;
each file obtained by decompression is encrypted, and all the encrypted files are recompressed into a new compressed file;
the new compressed file is encrypted, generating a transparently encrypted temporary compressed file in the temporary folder;
the transmission-encrypted temporary compressed file is converted into a file stream and transmitted to the information system in segments, and the temporary files generated in the temporary folder are removed once transmission is complete;
compressed-package transmission decryption is implemented as follows:
the middleware device combines the compressed file streams into a complete compressed file and stores it in a temporary folder;
the compressed file is decrypted to obtain a decrypted compressed file;
after the compressed file has been decrypted, the corresponding decompression algorithm is called according to the compression algorithm type of the compressed package to decompress it and obtain each individual encrypted file it contains;
each decompressed encrypted file is decrypted separately, and once decryption is complete all the decrypted files are recompressed and packaged, giving the compressed file after transparent transmission decryption;
the transparently decrypted compressed file is converted into a file stream and transmitted to the information system in segments, and the temporary files generated in the temporary folder are removed once the file stream has been transmitted.
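The two procedures of claim 6 carried out in memory, as an added example that is neither the patent's nor the applicant's code: for encryption the archive is decompressed, every file is sealed, the archive is rebuilt and then sealed as a whole; for decryption the outer layer is opened first, then every file. The per-file AES-GCM seal and open are the same primitive as in the segment example, in their minimal form. Assumptions beyond the claims: the archive format is zip, a byte buffer stands in for the temporary folder, and the flag values are `encrypt` and `decrypt`.

```go
package main
import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
	"io/fs"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-GCM from a 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag for one file or one whole archive.
func seal(g cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; any change to the body makes the tag check fail.
func open(g cipher.AEAD, body []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(body) < n {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, body[:n], body[n:], nil)
}

// readArchive is the "decompress" step: in-memory zip to a name -> content map.
func readArchive(data []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	entries := map[string][]byte{}
	for _, f := range zr.File { // zip.Reader implements fs.FS
		if entries[f.Name], err = fs.ReadFile(zr, f.Name); err != nil {
			return nil, err
		}
	}
	return entries, nil
}

// buildArchive is the "recompress" step: it writes the entries into a new zip.
func buildArchive(entries map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err = w.Write(content); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// processArchive is claim 6 without the temporary folder: encrypt = decompress,
// seal every file, recompress, seal the whole; decrypt = the reverse order.
func processArchive(g cipher.AEAD, flag string, data []byte) ([]byte, error) {
	if flag != "encrypt" && flag != "decrypt" {
		return nil, errors.New("unknown encryption flag " + flag)
	}
	step := seal // the per-file operation
	if flag == "decrypt" {
		step = open
		var err error
		if data, err = open(g, data); err != nil { // outer layer comes off first
			return nil, err
		}
	}
	entries, err := readArchive(data)
	if err != nil {
		return nil, err
	}
	for name, content := range entries {
		if entries[name], err = step(g, content); err != nil {
			return nil, err
		}
	}
	rebuilt, err := buildArchive(entries)
	if err != nil || flag == "decrypt" {
		return rebuilt, err
	}
	return seal(g, rebuilt) // outer layer goes on last
}
```

Sealing the rebuilt archive as a whole means a decrypt request cannot even list the entry names until the outer tag has verified, and because nothing is written to disk the temporary-file cleanup that the claims require has no equivalent here. A quick sanity check is that `readArchive` refuses the sealed archive: if it still parses as a zip, the outer layer was not applied.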
7. The method for encrypting and decrypting based on a file stream according to claim 1, wherein: the method further comprises initializing the middleware device before step one;
when the middleware device is initialized and started, the type of the current server operating system, the container type and the JDK version are obtained in the startup class;
and different encryption and decryption algorithm driver libraries are loaded according to the server operating system type of the middleware device to form the encryption and decryption algorithm library.
8. The method for encrypting and decrypting based on a file stream according to claim 7, wherein: after the middleware device has started successfully, a system configuration page is displayed on which the database IP address, user name, password and database type are configured; the configuration is completed and saved;
after saving succeeds, the middleware device restarts automatically, reads a preconfigured table-creation script during the restart, creates the base tables and inserts the base data;
after the middleware device has started successfully, the information administrator can log in to the back end with the initial user name and password to set parameters.
9. The method for encrypting and decrypting based on a file stream according to claim 1, wherein: in step five, the global log interceptor of the middleware device asynchronously monitors the calls to the encryption and decryption interfaces and asynchronously inserts the encryption and decryption call log information into the database log table, which comprises:
for service logging, detailed log information about the information system's calls to the middleware interface is viewed in real time, and when a call to the middleware interface is abnormal, an administrator or developer can quickly locate the problem from the abnormal log;
for service monitoring, the number of concurrent requests being answered by the middleware interfaces is counted to assist system operations and maintenance in judging the load on the middleware device, so that the system administrator can expand the middleware device cluster according to the concurrency level and the maximum concurrent capacity of the middleware device.
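The global log interceptor of claim 9 as an added Go example (not the patent's or the applicant's implementation): the wrapper counts the calls in flight for service monitoring, records method, path, status and duration of every call for service logging, and hands each row to a background goroutine so that the insert never delays the encryption or decryption response. The in-memory slice standing in for the database log table, the demo handler and its failing `/decrypt` route are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

// callLog is one row of the claim 9 database log table; an in-memory slice
// stands in for the real table here (an assumption, not the patent's schema).
type callLog struct {
	Method, Path string
	Status       int
	Duration     time.Duration
}

// interceptor is the global log interceptor: it counts concurrent calls for
// service monitoring and hands one callLog per request to a background writer.
type interceptor struct {
	inFlight int64 // requests currently being answered
	queue    chan callLog
	rows     []callLog // written only by the writer goroutine
	done     sync.WaitGroup
}

func newInterceptor(queueSize int) *interceptor {
	ic := &interceptor{queue: make(chan callLog, queueSize)}
	ic.done.Add(1)
	go ic.writer() // the insert runs off the request path
	return ic
}

func (ic *interceptor) writer() {
	defer ic.done.Done()
	for row := range ic.queue {
		ic.rows = append(ic.rows, row) // the "insert into the log table"
	}
}

// statusRecorder captures the status code the wrapped handler writes.
type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (r *statusRecorder) WriteHeader(code int) {
	r.status = code
	r.ResponseWriter.WriteHeader(code)
}

// Wrap puts monitoring and logging around an encryption or decryption handler.
func (ic *interceptor) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&ic.inFlight, 1)
		defer atomic.AddInt64(&ic.inFlight, -1)
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		start := time.Now()
		next.ServeHTTP(rec, r)
		select {
		case ic.queue <- callLog{r.Method, r.URL.Path, rec.status, time.Since(start)}:
		default: // writer has fallen behind: drop the row rather than stall the call
		}
	})
}

// Close stops the writer once every queued row has been inserted and returns
// the log table; the WaitGroup makes the rows safe to read afterwards.
func (ic *interceptor) Close() []callLog {
	close(ic.queue)
	ic.done.Wait()
	return ic.rows
}

func (ic *interceptor) InFlight() int64 { return atomic.LoadInt64(&ic.inFlight) }

// demoHandler stands in for the middleware interfaces; /decrypt is made to
// fail so that an abnormal call shows up in the log (constructed behaviour).
func demoHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/decrypt" {
			http.Error(w, "algorithm library unavailable", http.StatusInternalServerError)
			return
		}
		w.Write([]byte("ok"))
	})
}

// call drives one request through a handler and returns the status code.
func call(h http.Handler, method, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	ic := newInterceptor(64)
	h := ic.Wrap(demoHandler())
	call(h, "POST", "/encrypt")
	call(h, "POST", "/decrypt")
	for _, row := range ic.Close() {
		fmt.Printf("%s %s -> %d in %s\n", row.Method, row.Path, row.Status, row.Duration)
	}
}
```

Dropping rows when the queue is full is a deliberate choice: a log table that cannot keep up must not be allowed to stall the interface. A production interceptor would count those drops and alert on them, since a gap in the call log is itself a signal worth investigating.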
10. A system for encrypting and decrypting based on a file stream, for implementing the method for encrypting and decrypting based on a file stream according to any of claims 1 to 9, comprising:
an encryption server which, according to the user information, document authority user information and enterprise organization structure information together with the encryption policies, decryption policies, multiple key types, file authentication keys and document security levels entered or imported in the encryption server, binds different encryption policies and decryption policies to each department of the enterprise organization structure, configures encryption keys, decryption keys, file authentication keys and document security level information for those encryption and decryption policies, and generates the corresponding registration codes and registration keys;
returns the registration codes and registration keys to the information system, and synchronizes the key and policy information together with the registration codes and registration keys to all middleware devices; the key and policy information comprises the encryption policies, decryption policies, encryption keys, decryption keys, file authentication keys and document security information of the confidential documents;
a middleware device comprising a system setting module, an encryption or decryption management module and a system operation and maintenance module;
the system setting module is used to configure, for the middleware device, the server IP address and service port of the encryption server and the synchronization frequency at which key and policy information is synchronized with the encryption server;
the encryption or decryption management module is used to obtain the key and policy information from the encryption server at the synchronization frequency and synchronize it into the data tables of the middleware server; to register the information system according to the registration code and registration key the information system submits, generate a unique authentication code for interface calls, bind that authentication code to the corresponding key and policy information, and return it to the information system; and
when the information system calls the encryption or decryption interface, to call the corresponding encryption or decryption algorithm from the algorithm library according to the corresponding key and policy information, encrypt or decrypt the segmented file stream, and return the encrypted or decrypted segmented ciphertext stream or segmented plaintext stream to the information system;
the system operation and maintenance module comprises a global log interceptor and is used for service logging and service monitoring: it asynchronously monitors the calls to the middleware interface through the global log interceptor and asynchronously inserts the encryption and decryption call log information into the database log table.
CN202311147163.8A 2023-09-07 2023-09-07 Encryption and decryption method and system based on file stream Active CN116881952B (en)


Publications (2)

Publication Number Publication Date
CN116881952A CN116881952A (en) 2023-10-13
CN116881952B true CN116881952B (en) 2023-11-24

Family

ID=88262636


Country Status (1)

Country Link
CN (1) CN116881952B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710633A (en) * 2012-05-29 2012-10-03 大连佳姆信息安全软件技术有限公司 Cloud security management system of security electronic documents and method
CN103825885A (en) * 2014-01-23 2014-05-28 广东顺德中山大学卡内基梅隆大学国际联合研究院 Internet content encryption release method and system
CN103929434A (en) * 2014-05-04 2014-07-16 西安电子科技大学 File sharing method based on encryption and permission system
US9608810B1 (en) * 2015-02-05 2017-03-28 Ionic Security Inc. Systems and methods for encryption and provision of information security using platform services
CN116015955A (en) * 2023-01-04 2023-04-25 三峡高科信息技术有限责任公司 Configurable method for verifying validity security of uploading file in application system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on key technologies of a trusted data platform; 李秉璋; 景征骏; 潘瑜; 罗烨; 柳益君; 计算机工程与设计 (Computer Engineering and Design), No. 03; full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant